Analysis
- Max time kernel: 145s
- Max time network: 151s
- Platform: windows7_x64
- Resource: win7-en-20211208
- Submitted: 12-02-2022 04:33
Static task: static1
Behavioral task: behavioral1
- Sample: 15307b0f0bfedccb29eb5ca8f55671fe5667142d8f655706e149ecd8645a96cb.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 15307b0f0bfedccb29eb5ca8f55671fe5667142d8f655706e149ecd8645a96cb.exe
- Resource: win10v2004-en-20220112
General
- Target: 15307b0f0bfedccb29eb5ca8f55671fe5667142d8f655706e149ecd8645a96cb.exe
- Size: 36KB
- MD5: dc5f795be17f53bfa6fa2a34dcf4dc2a
- SHA1: 6648f9e64e9c67106e550bef4b739d18592b9d3e
- SHA256: 15307b0f0bfedccb29eb5ca8f55671fe5667142d8f655706e149ecd8645a96cb
- SHA512: 7a40b93091da07689aa613c1b0caf1d9bf038499d355cddf42b7dab16ea1fa32481a2dba020cf9d00540e079a2a2f70dbf453f3255508a104de2cf1644ab6dfa
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 1648)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 1532)
- Loads dropped DLL (2 IoCs)
  Processes: 15307b0f0bfedccb29eb5ca8f55671fe5667142d8f655706e149ecd8645a96cb.exe (PID 984), 2 events
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 15307b0f0bfedccb29eb5ca8f55671fe5667142d8f655706e149ecd8645a96cb.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 15307b0f0bfedccb29eb5ca8f55671fe5667142d8f655706e149ecd8645a96cb.exe (PID 984)
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 15307b0f0bfedccb29eb5ca8f55671fe5667142d8f655706e149ecd8645a96cb.exe, cmd.exe
  PID 984 (15307b0f0bfedccb29eb5ca8f55671fe5667142d8f655706e149ecd8645a96cb.exe) wrote to memory of PID 1648 (MediaCenter.exe): 4 events
  PID 984 (15307b0f0bfedccb29eb5ca8f55671fe5667142d8f655706e149ecd8645a96cb.exe) wrote to memory of PID 1532 (cmd.exe): 4 events
  PID 1532 (cmd.exe) wrote to memory of PID 780 (PING.EXE): 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\15307b0f0bfedccb29eb5ca8f55671fe5667142d8f655706e149ecd8645a96cb.exe (PID 984)
  Command line: "C:\Users\Admin\AppData\Local\Temp\15307b0f0bfedccb29eb5ca8f55671fe5667142d8f655706e149ecd8645a96cb.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1648)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1532)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15307b0f0bfedccb29eb5ca8f55671fe5667142d8f655706e149ecd8645a96cb.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 780)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 6d6c4ec9ac7ae8534fb83a11102bc2e8
  SHA1: 09df42d84446a35f2e45f60ba47f6707f4409c82
  SHA256: 1793bc3ad4f4a330a901ce8a1af27a8bd5d2ab3142a489cd6142dc32fac0a000
  SHA512: 04b16cb110b8f15691446341ba8300951dff24412a4e128845eb90b848e6b4add05ec2d498518b8889cef409a763465e464c7a54caefdbf335588cf6b845c9d8