Analysis
max time kernel: 118s
max time network: 128s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:38
Static task: static1
Behavioral task: behavioral1
  Sample: 14f0db37a9c12172040478c237e9e8afc0dc85af3cbf179ccac3a91cec5e4fbf.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 14f0db37a9c12172040478c237e9e8afc0dc85af3cbf179ccac3a91cec5e4fbf.exe
  Resource: win10v2004-en-20220113
General
Target: 14f0db37a9c12172040478c237e9e8afc0dc85af3cbf179ccac3a91cec5e4fbf.exe
Size: 36KB
MD5: ddd44111bbf723b3ff37e08ee904c038
SHA1: 56d395c3ec88c2a77e1b935aa876c4d7ff9e9528
SHA256: 14f0db37a9c12172040478c237e9e8afc0dc85af3cbf179ccac3a91cec5e4fbf
SHA512: e6d8b2e6d5d9f7491c48e3e1d81fdb7ea17b207af4c2990b64c33b6aa1d0a0dc2eb2588403fb77ff65805f8b06d02f3b3cc34a6f215698669b92ff1b2ef0b48d
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe, PID 1824
Deletes itself (1 IoC)
  Process: cmd.exe, PID 1988
Loads dropped DLL (2 IoCs)
  Process: 14f0db37a9c12172040478c237e9e8afc0dc85af3cbf179ccac3a91cec5e4fbf.exe, PID 864 (two DLL loads)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Process: 14f0db37a9c12172040478c237e9e8afc0dc85af3cbf179ccac3a91cec5e4fbf.exe, PID 864
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege
  Process: 14f0db37a9c12172040478c237e9e8afc0dc85af3cbf179ccac3a91cec5e4fbf.exe, PID 864
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 864 (14f0db37a9c12172040478c237e9e8afc0dc85af3cbf179ccac3a91cec5e4fbf.exe) wrote to memory of PID 1824 (MediaCenter.exe), 4 times
  PID 864 (14f0db37a9c12172040478c237e9e8afc0dc85af3cbf179ccac3a91cec5e4fbf.exe) wrote to memory of PID 1988 (cmd.exe), 4 times
  PID 1988 (cmd.exe) wrote to memory of PID 2044 (PING.EXE), 4 times
Processes
Image: C:\Users\Admin\AppData\Local\Temp\14f0db37a9c12172040478c237e9e8afc0dc85af3cbf179ccac3a91cec5e4fbf.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\14f0db37a9c12172040478c237e9e8afc0dc85af3cbf179ccac3a91cec5e4fbf.exe"
PID: 864 (depth 1)
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Image: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  PID: 1824 (depth 2, parent PID 864)
    - Executes dropped EXE

  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14f0db37a9c12172040478c237e9e8afc0dc85af3cbf179ccac3a91cec5e4fbf.exe"
  PID: 1988 (depth 2, parent PID 864)
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    Image: C:\Windows\SysWOW64\PING.EXE
    Command line: ping 127.0.0.1
    PID: 2044 (depth 3, parent PID 1988)
      - Runs ping.exe
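The two behaviours that matter in the tree above are the Run key written into %TEMP% and the `cmd.exe /c ping 127.0.0.1 & del /q "<own path>"` chain, which is the classic delay-then-delete trick: ping stalls cmd.exe long enough for the parent to exit and release the file lock on its own image. The following is an added example, not part of the sandbox report, that re-derives both findings from process-creation and registry-set events. The events are constructed here from the process tree and the Run-key IoC on this page; the field names (pid/ppid/image/cmdline and pid/key/value) and the sample's own parent PID are assumptions and have to be mapped onto whatever EDR or Sysmon schema is in use.

```python
"""Added example (not from the sandbox report): flag self-deletion via a
`ping ... & del ...` chain and Run-key persistence into a user-writable
directory, using constructed events that mirror this page's process tree."""
import re

SAMPLE = "14f0db37a9c12172040478c237e9e8afc0dc85af3cbf179ccac3a91cec5e4fbf.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
MEDIA_PATH = TEMP + r"\MicroMedia\MediaCenter.exe"

# Constructed process-creation events mirroring the page's process tree.
# ppid 300 for the sample's own parent is made up; the report does not show it.
PROCESS_EVENTS = [
    {"pid": 864, "ppid": 300, "image": SAMPLE_PATH,
     "cmdline": '"' + SAMPLE_PATH + '"'},
    {"pid": 1824, "ppid": 864, "image": MEDIA_PATH, "cmdline": MEDIA_PATH},
    {"pid": 1988, "ppid": 864, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "'
                + SAMPLE_PATH + '"'},
    {"pid": 2044, "ppid": 1988, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
]
# Constructed registry-set event mirroring the page's Run-key IoC.
REGISTRY_EVENTS = [
    {"pid": 864,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows"
            r"\CurrentVersion\Run\MicroMedia",
     "value": MEDIA_PATH},
]

# `del /q "path"` or `erase path`, with or without switches and quotes.
DEL_RE = re.compile(r'(?i)(?:del|erase)\b(?:\s+/\w+)*\s+"?(?P<path>[^"]+?)"?\s*$')
# Any Run/RunOnce value under either the native or the Wow6432Node hive path.
RUN_KEY_RE = re.compile(r"(?i)\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$")
# Directories an unprivileged user can write to; a Run value pointing here is
# a much stronger signal than one pointing into Program Files.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")


def self_delete_target(cmdline):
    """Return the path handed to `del` when cmdline is a `ping ... & del ...`
    chain, else None.  The ping is only a sleep: cmd.exe waits for it, so the
    parent has time to exit and release the lock on its own image."""
    segments = [s.strip() for s in re.split(r"&&?", cmdline)]
    if len(segments) < 2 or "ping" not in segments[0].lower():
        return None
    for seg in segments[1:]:
        m = DEL_RE.match(seg)
        if m:
            return m.group("path")
    return None


def run_key_in_user_writable_dir(event):
    """True for a Run/RunOnce value whose target sits in a user-writable directory."""
    if not RUN_KEY_RE.search(event["key"]):
        return False
    target = event["value"].strip('"').lower()
    return any(marker in target for marker in USER_WRITABLE)


def analyse(process_events, registry_events):
    """Return (finding, pid, artefact) tuples.  'self_delete' requires that the
    file being deleted is the parent process's own image; that correlation is
    what separates malware cleanup from an ordinary installer script."""
    by_pid = {e["pid"]: e for e in process_events}
    findings = []
    for e in process_events:
        target = self_delete_target(e["cmdline"])
        if target is None:
            continue
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"].lower() == target.lower():
            findings.append(("self_delete", parent["pid"], target))
        else:
            findings.append(("delayed_delete", e["pid"], target))
    for r in registry_events:
        if run_key_in_user_writable_dir(r):
            findings.append(("run_key_persistence", r["pid"], r["value"]))
    return findings


if __name__ == "__main__":
    for finding in analyse(PROCESS_EVENTS, REGISTRY_EVENTS):
        print(*finding)
```

Two details of the report feed the rule design. The report's own "Deletes itself" signature is pinned on cmd.exe (PID 1988), but the parent that launched it (PID 864) is the one whose image is being deleted, so the example attributes the finding to the parent. And the command line names `C:\Windows\System32\cmd.exe` while the image that actually ran is `C:\Windows\SysWOW64\cmd.exe`, just as the Run key landed under `Wow6432Node`: both are WOW64 redirection, which tells you the sample is a 32-bit binary running on a 64-bit host, and any path comparison has to tolerate that.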
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: dde5e5a593a69c72e2fb2d3f59b31ee0
SHA1: 6e762c06096c74cc8d86e840a64fb85897c6752c
SHA256: 0b60f2fc1fd4559d08d49dd2759fb55fcc81b37a64e345cde623b7b795a5eeb0
SHA512: 2a90b46b08495f91fb833cf8720ee021442efb048a7736a42485da27381561a89f7222aae38b56a3e9bbf5bf9c0049bb2c6def07ffd0bd3aa13c4aa1f0e2884e