Analysis
-
max time kernel
139s -
max time network
163s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 04:35
Static task
static1
Behavioral task
behavioral1
Sample
151b665e56457510f53f992f62b2c27acb48d45968ebd64dad051d6d0490d5fe.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
151b665e56457510f53f992f62b2c27acb48d45968ebd64dad051d6d0490d5fe.exe
Resource
win10v2004-en-20220112
General
-
Target
151b665e56457510f53f992f62b2c27acb48d45968ebd64dad051d6d0490d5fe.exe
-
Size
35KB
-
MD5
29bf8ce849aba6c2f3d7a7d7e6b4be49
-
SHA1
030fbf49e6fc42313cff586c8fa73780f66b23da
-
SHA256
151b665e56457510f53f992f62b2c27acb48d45968ebd64dad051d6d0490d5fe
-
SHA512
608ad9b78aa7f031bd894d9e727f8e3ffc6427d3ac7ce5bda70fa656cb198b82952bffab8a2122b542605b4c535a66ae3f8606205b9cf1d3ff37f758da38d5a6
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1492 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1444 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
151b665e56457510f53f992f62b2c27acb48d45968ebd64dad051d6d0490d5fe.exepid process 1412 151b665e56457510f53f992f62b2c27acb48d45968ebd64dad051d6d0490d5fe.exe 1412 151b665e56457510f53f992f62b2c27acb48d45968ebd64dad051d6d0490d5fe.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
151b665e56457510f53f992f62b2c27acb48d45968ebd64dad051d6d0490d5fe.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 151b665e56457510f53f992f62b2c27acb48d45968ebd64dad051d6d0490d5fe.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
151b665e56457510f53f992f62b2c27acb48d45968ebd64dad051d6d0490d5fe.exedescription pid process Token: SeIncBasePriorityPrivilege 1412 151b665e56457510f53f992f62b2c27acb48d45968ebd64dad051d6d0490d5fe.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
151b665e56457510f53f992f62b2c27acb48d45968ebd64dad051d6d0490d5fe.execmd.exedescription pid process target process PID 1412 wrote to memory of 1492 1412 151b665e56457510f53f992f62b2c27acb48d45968ebd64dad051d6d0490d5fe.exe MediaCenter.exe PID 1412 wrote to memory of 1492 1412 151b665e56457510f53f992f62b2c27acb48d45968ebd64dad051d6d0490d5fe.exe MediaCenter.exe PID 1412 wrote to memory of 1492 1412 151b665e56457510f53f992f62b2c27acb48d45968ebd64dad051d6d0490d5fe.exe MediaCenter.exe PID 1412 wrote to memory of 1492 1412 151b665e56457510f53f992f62b2c27acb48d45968ebd64dad051d6d0490d5fe.exe MediaCenter.exe PID 1412 wrote to memory of 1444 1412 151b665e56457510f53f992f62b2c27acb48d45968ebd64dad051d6d0490d5fe.exe cmd.exe PID 1412 wrote to memory of 1444 1412 151b665e56457510f53f992f62b2c27acb48d45968ebd64dad051d6d0490d5fe.exe cmd.exe PID 1412 wrote to memory of 1444 1412 151b665e56457510f53f992f62b2c27acb48d45968ebd64dad051d6d0490d5fe.exe cmd.exe PID 1412 wrote to memory of 1444 1412 151b665e56457510f53f992f62b2c27acb48d45968ebd64dad051d6d0490d5fe.exe cmd.exe PID 1444 wrote to memory of 1096 1444 cmd.exe PING.EXE PID 1444 wrote to memory of 1096 1444 cmd.exe PING.EXE PID 1444 wrote to memory of 1096 1444 cmd.exe PING.EXE PID 1444 wrote to memory of 1096 1444 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\151b665e56457510f53f992f62b2c27acb48d45968ebd64dad051d6d0490d5fe.exe"C:\Users\Admin\AppData\Local\Temp\151b665e56457510f53f992f62b2c27acb48d45968ebd64dad051d6d0490d5fe.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\151b665e56457510f53f992f62b2c27acb48d45968ebd64dad051d6d0490d5fe.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1096
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
b1845ec5efcd040e30010f1a3db89f8e
SHA142b5d22748d0164aea987da8b4109dc6db5f70ee
SHA25676eacd9fb1bb86b19a1879aeb47834e79fe558d465d0cbb88649cd8433910b7b
SHA512550d43801e6090f31d4d17b92d1863c428b12abb0f4d9e2d2452813ea4aec98af70608432c0dda100d997685d58ae8070eb8606678b6dc4d6ed3cf39f40fe7d0
-
MD5
b1845ec5efcd040e30010f1a3db89f8e
SHA142b5d22748d0164aea987da8b4109dc6db5f70ee
SHA25676eacd9fb1bb86b19a1879aeb47834e79fe558d465d0cbb88649cd8433910b7b
SHA512550d43801e6090f31d4d17b92d1863c428b12abb0f4d9e2d2452813ea4aec98af70608432c0dda100d997685d58ae8070eb8606678b6dc4d6ed3cf39f40fe7d0
-
MD5
b1845ec5efcd040e30010f1a3db89f8e
SHA142b5d22748d0164aea987da8b4109dc6db5f70ee
SHA25676eacd9fb1bb86b19a1879aeb47834e79fe558d465d0cbb88649cd8433910b7b
SHA512550d43801e6090f31d4d17b92d1863c428b12abb0f4d9e2d2452813ea4aec98af70608432c0dda100d997685d58ae8070eb8606678b6dc4d6ed3cf39f40fe7d0