Analysis
-
max time kernel
131s -
max time network
152s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 04:36
Static task
static1
Behavioral task
behavioral1
Sample
150ef8df506a79bd9260985e338ea11cfe8a600fbb0fa3314bd57d8c12901b5a.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
150ef8df506a79bd9260985e338ea11cfe8a600fbb0fa3314bd57d8c12901b5a.exe
Resource
win10v2004-en-20220112
General
-
Target
150ef8df506a79bd9260985e338ea11cfe8a600fbb0fa3314bd57d8c12901b5a.exe
-
Size
60KB
-
MD5
e51b8309ed3ed32cddd447b9a089b1d8
-
SHA1
93c54546ce8289f0f6c0b8dd6cecb5e96c1ef3a4
-
SHA256
150ef8df506a79bd9260985e338ea11cfe8a600fbb0fa3314bd57d8c12901b5a
-
SHA512
7ef72361ecde2d1106b0c5224965671453e7244d9892ba9ec77591c28141b25e6e01af836f674e6d4abfc8eea42d1b9128c8af02dbebe0127b0566bea100c0e5
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1600 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 624 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
150ef8df506a79bd9260985e338ea11cfe8a600fbb0fa3314bd57d8c12901b5a.exepid process 1204 150ef8df506a79bd9260985e338ea11cfe8a600fbb0fa3314bd57d8c12901b5a.exe 1204 150ef8df506a79bd9260985e338ea11cfe8a600fbb0fa3314bd57d8c12901b5a.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
150ef8df506a79bd9260985e338ea11cfe8a600fbb0fa3314bd57d8c12901b5a.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 150ef8df506a79bd9260985e338ea11cfe8a600fbb0fa3314bd57d8c12901b5a.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
150ef8df506a79bd9260985e338ea11cfe8a600fbb0fa3314bd57d8c12901b5a.exedescription pid process Token: SeIncBasePriorityPrivilege 1204 150ef8df506a79bd9260985e338ea11cfe8a600fbb0fa3314bd57d8c12901b5a.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
150ef8df506a79bd9260985e338ea11cfe8a600fbb0fa3314bd57d8c12901b5a.execmd.exedescription pid process target process PID 1204 wrote to memory of 1600 1204 150ef8df506a79bd9260985e338ea11cfe8a600fbb0fa3314bd57d8c12901b5a.exe MediaCenter.exe PID 1204 wrote to memory of 1600 1204 150ef8df506a79bd9260985e338ea11cfe8a600fbb0fa3314bd57d8c12901b5a.exe MediaCenter.exe PID 1204 wrote to memory of 1600 1204 150ef8df506a79bd9260985e338ea11cfe8a600fbb0fa3314bd57d8c12901b5a.exe MediaCenter.exe PID 1204 wrote to memory of 1600 1204 150ef8df506a79bd9260985e338ea11cfe8a600fbb0fa3314bd57d8c12901b5a.exe MediaCenter.exe PID 1204 wrote to memory of 624 1204 150ef8df506a79bd9260985e338ea11cfe8a600fbb0fa3314bd57d8c12901b5a.exe cmd.exe PID 1204 wrote to memory of 624 1204 150ef8df506a79bd9260985e338ea11cfe8a600fbb0fa3314bd57d8c12901b5a.exe cmd.exe PID 1204 wrote to memory of 624 1204 150ef8df506a79bd9260985e338ea11cfe8a600fbb0fa3314bd57d8c12901b5a.exe cmd.exe PID 1204 wrote to memory of 624 1204 150ef8df506a79bd9260985e338ea11cfe8a600fbb0fa3314bd57d8c12901b5a.exe cmd.exe PID 624 wrote to memory of 972 624 cmd.exe PING.EXE PID 624 wrote to memory of 972 624 cmd.exe PING.EXE PID 624 wrote to memory of 972 624 cmd.exe PING.EXE PID 624 wrote to memory of 972 624 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\150ef8df506a79bd9260985e338ea11cfe8a600fbb0fa3314bd57d8c12901b5a.exe"C:\Users\Admin\AppData\Local\Temp\150ef8df506a79bd9260985e338ea11cfe8a600fbb0fa3314bd57d8c12901b5a.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\150ef8df506a79bd9260985e338ea11cfe8a600fbb0fa3314bd57d8c12901b5a.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:972
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
0e7c41436bb73ffeb3a59cf855761176
SHA14be372af422a1c81aaed35642c4b1fcf524e480b
SHA25627b3aeb58cbc62b4e35750902391522a187c8cbb3fe6326f4d4ae0584581dcb5
SHA512f2802fe4644c47e3bc8a656155b9fc198f8f5cc5ba282792e8cf2b53a152b1cc82d61631892e533560619fd7bda85a0e889417de37da4d59c8b32c1c08c59d2f
-
MD5
0e7c41436bb73ffeb3a59cf855761176
SHA14be372af422a1c81aaed35642c4b1fcf524e480b
SHA25627b3aeb58cbc62b4e35750902391522a187c8cbb3fe6326f4d4ae0584581dcb5
SHA512f2802fe4644c47e3bc8a656155b9fc198f8f5cc5ba282792e8cf2b53a152b1cc82d61631892e533560619fd7bda85a0e889417de37da4d59c8b32c1c08c59d2f
-
MD5
0e7c41436bb73ffeb3a59cf855761176
SHA14be372af422a1c81aaed35642c4b1fcf524e480b
SHA25627b3aeb58cbc62b4e35750902391522a187c8cbb3fe6326f4d4ae0584581dcb5
SHA512f2802fe4644c47e3bc8a656155b9fc198f8f5cc5ba282792e8cf2b53a152b1cc82d61631892e533560619fd7bda85a0e889417de37da4d59c8b32c1c08c59d2f