Analysis
- max time kernel: 123s
- max time network: 142s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:38
Static task: static1
Behavioral task: behavioral1
- Sample: 14f64c05b071f9328b5f0d84e076d135ab57a457de6cb756c8cbecc4b78758da.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 14f64c05b071f9328b5f0d84e076d135ab57a457de6cb756c8cbecc4b78758da.exe
- Resource: win10v2004-en-20220112
General
- Target: 14f64c05b071f9328b5f0d84e076d135ab57a457de6cb756c8cbecc4b78758da.exe
- Size: 58KB
- MD5: e9a043d8372be2fd3af8d51ca125d35a
- SHA1: 649b4f107294915a34e9d43bd37aa9ca94ba936e
- SHA256: 14f64c05b071f9328b5f0d84e076d135ab57a457de6cb756c8cbecc4b78758da
- SHA512: c3037aee399c178ca528f9463380b14bfce3c834fd9c2afde32ab19c9716717c2792a7166b3f9953aaefbdca3aff79326b8819fe7834077b859dcf262bc93153
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  - PID 1668 MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  - PID 428 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  - PID 308 14f64c05b071f9328b5f0d84e076d135ab57a457de6cb756c8cbecc4b78758da.exe
  - PID 308 14f64c05b071f9328b5f0d84e076d135ab57a457de6cb756c8cbecc4b78758da.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" by 14f64c05b071f9328b5f0d84e076d135ab57a457de6cb756c8cbecc4b78758da.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - Token: SeIncBasePriorityPrivilege, PID 308 14f64c05b071f9328b5f0d84e076d135ab57a457de6cb756c8cbecc4b78758da.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID, source process -> target PID, target process):
  - PID 308 14f64c05b071f9328b5f0d84e076d135ab57a457de6cb756c8cbecc4b78758da.exe wrote to memory of PID 1668 MediaCenter.exe
  - PID 308 14f64c05b071f9328b5f0d84e076d135ab57a457de6cb756c8cbecc4b78758da.exe wrote to memory of PID 1668 MediaCenter.exe
  - PID 308 14f64c05b071f9328b5f0d84e076d135ab57a457de6cb756c8cbecc4b78758da.exe wrote to memory of PID 1668 MediaCenter.exe
  - PID 308 14f64c05b071f9328b5f0d84e076d135ab57a457de6cb756c8cbecc4b78758da.exe wrote to memory of PID 1668 MediaCenter.exe
  - PID 308 14f64c05b071f9328b5f0d84e076d135ab57a457de6cb756c8cbecc4b78758da.exe wrote to memory of PID 428 cmd.exe
  - PID 308 14f64c05b071f9328b5f0d84e076d135ab57a457de6cb756c8cbecc4b78758da.exe wrote to memory of PID 428 cmd.exe
  - PID 308 14f64c05b071f9328b5f0d84e076d135ab57a457de6cb756c8cbecc4b78758da.exe wrote to memory of PID 428 cmd.exe
  - PID 308 14f64c05b071f9328b5f0d84e076d135ab57a457de6cb756c8cbecc4b78758da.exe wrote to memory of PID 428 cmd.exe
  - PID 428 cmd.exe wrote to memory of PID 1960 PING.EXE
  - PID 428 cmd.exe wrote to memory of PID 1960 PING.EXE
  - PID 428 cmd.exe wrote to memory of PID 1960 PING.EXE
  - PID 428 cmd.exe wrote to memory of PID 1960 PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\14f64c05b071f9328b5f0d84e076d135ab57a457de6cb756c8cbecc4b78758da.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\14f64c05b071f9328b5f0d84e076d135ab57a457de6cb756c8cbecc4b78758da.exe"
  PID: 308
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1668
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14f64c05b071f9328b5f0d84e076d135ab57a457de6cb756c8cbecc4b78758da.exe"
    PID: 428
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1960
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: c844a4a78ab665cb747907eefd1a08ed
  SHA1: 0181eee7f05397e397dca1ed25b64bceb3e58489
  SHA256: 63892add7d66a29e6ebf3f35e42ce5ef79c3b959baba8a5c492554177b86f3ea
  SHA512: 5e6c47a2278b8851984681c4fcd083e3dd03f863db866dcc5c4b7d43915d9f5e47c9a020ba607bb4c1a4f8aaae872e119e492fdfe40dba9b59869dc69a5e9744