Analysis
- max time kernel: 132s
- max time network: 158s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:39
Static task: static1
Behavioral task: behavioral1
- Sample: 14e3962f6852ea6b41d365bf369e03f0ef3db7306ae1e0c5243a3152a45f7e08.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 14e3962f6852ea6b41d365bf369e03f0ef3db7306ae1e0c5243a3152a45f7e08.exe
- Resource: win10v2004-en-20220112
General
- Target: 14e3962f6852ea6b41d365bf369e03f0ef3db7306ae1e0c5243a3152a45f7e08.exe
- Size: 58KB
- MD5: 2cd1887f35425986b88c6ba6390f44aa
- SHA1: 009071587453697414d27161a0dbf4c83ccb585e
- SHA256: 14e3962f6852ea6b41d365bf369e03f0ef3db7306ae1e0c5243a3152a45f7e08
- SHA512: ffd268bd7cc2e52a275973e411e6434cdf7320c0da41d229eddd2a47488fead8743a6e9d89e7d92d8a3e4eb25fd915c692f26ab49b76c2744047305326b419b7
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  1752 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid | process):
  1656 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  952 | 14e3962f6852ea6b41d365bf369e03f0ef3db7306ae1e0c5243a3152a45f7e08.exe
  952 | 14e3962f6852ea6b41d365bf369e03f0ef3db7306ae1e0c5243a3152a45f7e08.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 14e3962f6852ea6b41d365bf369e03f0ef3db7306ae1e0c5243a3152a45f7e08.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 952 | 14e3962f6852ea6b41d365bf369e03f0ef3db7306ae1e0c5243a3152a45f7e08.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  PID 952 wrote to memory of 1752 | 952 | 14e3962f6852ea6b41d365bf369e03f0ef3db7306ae1e0c5243a3152a45f7e08.exe | MediaCenter.exe
  PID 952 wrote to memory of 1752 | 952 | 14e3962f6852ea6b41d365bf369e03f0ef3db7306ae1e0c5243a3152a45f7e08.exe | MediaCenter.exe
  PID 952 wrote to memory of 1752 | 952 | 14e3962f6852ea6b41d365bf369e03f0ef3db7306ae1e0c5243a3152a45f7e08.exe | MediaCenter.exe
  PID 952 wrote to memory of 1752 | 952 | 14e3962f6852ea6b41d365bf369e03f0ef3db7306ae1e0c5243a3152a45f7e08.exe | MediaCenter.exe
  PID 952 wrote to memory of 1656 | 952 | 14e3962f6852ea6b41d365bf369e03f0ef3db7306ae1e0c5243a3152a45f7e08.exe | cmd.exe
  PID 952 wrote to memory of 1656 | 952 | 14e3962f6852ea6b41d365bf369e03f0ef3db7306ae1e0c5243a3152a45f7e08.exe | cmd.exe
  PID 952 wrote to memory of 1656 | 952 | 14e3962f6852ea6b41d365bf369e03f0ef3db7306ae1e0c5243a3152a45f7e08.exe | cmd.exe
  PID 952 wrote to memory of 1656 | 952 | 14e3962f6852ea6b41d365bf369e03f0ef3db7306ae1e0c5243a3152a45f7e08.exe | cmd.exe
  PID 1656 wrote to memory of 1044 | 1656 | cmd.exe | PING.EXE
  PID 1656 wrote to memory of 1044 | 1656 | cmd.exe | PING.EXE
  PID 1656 wrote to memory of 1044 | 1656 | cmd.exe | PING.EXE
  PID 1656 wrote to memory of 1044 | 1656 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\14e3962f6852ea6b41d365bf369e03f0ef3db7306ae1e0c5243a3152a45f7e08.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\14e3962f6852ea6b41d365bf369e03f0ef3db7306ae1e0c5243a3152a45f7e08.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 952
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1752
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14e3962f6852ea6b41d365bf369e03f0ef3db7306ae1e0c5243a3152a45f7e08.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1656
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1044
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 52feeb71b08936a5514f8a55bf60facf
  SHA1: a3fd73e919c78dea969ee792f9542f442eae4c0c
  SHA256: 23baa20a534b018c9620f3592c5bd44eafd9d779b287b6ca9d24208accd57454
  SHA512: a34c8b4e1f9c2f86fe1b7667a44e7081d5f9dc1a9b9dc5fdbfa8c381b82ce526cd6d020e01a496327e8cad9c58f99894f210427f3aa55493b81d12b5e7ad809d