Analysis

- Max time kernel: 120s
- Max time network: 140s
- Platform: windows7_x64
- Resource: win7-en-20211208
- Submitted: 12-02-2022 04:05

- Static task: static1
- Behavioral task: behavioral1
  Sample: 1615ea84310cb6f8788933ed518760e96c65dfe67d7d8ee19bac5a1070f82121.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 1615ea84310cb6f8788933ed518760e96c65dfe67d7d8ee19bac5a1070f82121.exe
  Resource: win10v2004-en-20220112

The platform and resource listed above (windows7_x64, win7-en-20211208) are those of behavioral1, so the PIDs, paths and registry keys in this report come from the Windows 7 x64 run.
General

- Target: 1615ea84310cb6f8788933ed518760e96c65dfe67d7d8ee19bac5a1070f82121.exe
- Size: 60KB
- MD5: e52197ffdae4d4a57bf003243754c33d
- SHA1: 2667e2fff36e062a4c25b3d9b21415166e203e35
- SHA256: 1615ea84310cb6f8788933ed518760e96c65dfe67d7d8ee19bac5a1070f82121
- SHA512: eb973d82db29226240300e3431e93f5c9d9d0f491e29fb40fe80b9cc16da10b9c889645dfd7fc501211ffe7f2710b4e7b549a38bb48012869c4e7c4cbd9deefd
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe, PID 516

- Deletes itself (1 IoC)
  Process: cmd.exe, PID 1176

- Loads dropped DLL (2 IoCs)
  Process: 1615ea84310cb6f8788933ed518760e96c65dfe67d7d8ee19bac5a1070f82121.exe, PID 956 (two loads)

- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 1615ea84310cb6f8788933ed518760e96c65dfe67d7d8ee19bac5a1070f82121.exe, PID 956
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  The Wow6432Node path shows a 32-bit process wrote the value on this x64 guest. The autorun points at the dropped copy under the user's Temp directory, not at the original sample, which is deleted (see "Deletes itself" and the process tree below).

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic wording for its drive-enumeration heuristic. No other signature in this report (file encryption, ransom note) fired, so the ransomware label is the heuristic's default description rather than a finding specific to this sample.

- Runs ping.exe (1 TTP, 1 IoC)
  PING.EXE, PID 1196, spawned by cmd.exe (PID 1176); see the process tree below.

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 1615ea84310cb6f8788933ed518760e96c65dfe67d7d8ee19bac5a1070f82121.exe, PID 956
  Token: SeIncBasePriorityPrivilege

- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 956 (1615ea84310cb6f8788933ed518760e96c65dfe67d7d8ee19bac5a1070f82121.exe) wrote to memory of PID 516 (MediaCenter.exe): 4 events
  PID 956 (1615ea84310cb6f8788933ed518760e96c65dfe67d7d8ee19bac5a1070f82121.exe) wrote to memory of PID 1176 (cmd.exe): 4 events
  PID 1176 (cmd.exe) wrote to memory of PID 1196 (PING.EXE): 4 events
  Every target is a direct child of the writing process, so these writes are consistent with ordinary process creation rather than injection into an unrelated process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\1615ea84310cb6f8788933ed518760e96c65dfe67d7d8ee19bac5a1070f82121.exe (PID 956)
   Command line: "C:\Users\Admin\AppData\Local\Temp\1615ea84310cb6f8788933ed518760e96c65dfe67d7d8ee19bac5a1070f82121.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 516)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe (PID 1176)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1615ea84310cb6f8788933ed518760e96c65dfe67d7d8ee19bac5a1070f82121.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE (PID 1196)
         Command line: ping 127.0.0.1
         - Runs ping.exe

Notes on the tree: the sample asks for System32\cmd.exe but the image that actually runs is SysWOW64\cmd.exe; that is WoW64 file-system redirection applied to a 32-bit process and matches the Wow6432Node Run key above. The ping 127.0.0.1 without -n sends four echo requests (about three seconds) and exists only as a delay, so that the sample's own process has exited and released its file lock before del /q removes the executable. The persisted copy, MicroMedia\MediaCenter.exe, is left in place.
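The two behaviours worth turning into detection logic here are the delayed self-deletion (cmd.exe /c ping 127.0.0.1 & del /q of the parent's own image) and the Run key written under AppData\Local\Temp, both listed under Signatures above. The following is an added example, not output of the sandbox and not code belonging to the sample or its analysts: Python triage rules run over constructed process-creation and registry events that mirror the tree in this report. The ProcEvent/RegEvent record shapes, the placeholder parent PID of the sample, and the ATT&CK IDs (current sub-technique IDs, not the Enterprise v6 numbering the report header cites) are this example's own assumptions.

```python
"""Triage rules for delayed self-deletion and Run-key persistence.
Added example: events below are constructed to mirror the report; the
ProcEvent/RegEvent field names are this example's own, not the sandbox schema."""
import re
import shlex
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # on-disk image path (SysWOW64 for a 32-bit parent)
    cmdline: str    # command line as passed to CreateProcess


@dataclass
class RegEvent:
    pid: int
    key: str
    value_name: str
    data: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1615ea84310cb6f8788933ed518760e96c65dfe67d7d8ee19bac5a1070f82121.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events mirroring the process tree and Run-key IoC in the report.
PROC_EVENTS = [
    ProcEvent(956, 1, SAMPLE, f'"{SAMPLE}"'),            # ppid 1 is a placeholder (assumption)
    ProcEvent(516, 956, DROPPED, DROPPED),
    ProcEvent(1176, 956, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcEvent(1196, 1176, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]
REG_EVENTS = [
    RegEvent(956, r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
             "MicroMedia", DROPPED),
]

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public)\\", re.I)


def _norm_path(p: str) -> str:
    return p.strip('"').replace("/", "\\").lower()


def cmd_segments(cmdline: str) -> list:
    """Split 'cmd.exe /c a & b && c' into per-command token lists.
    Non-POSIX shlex keeps Windows backslashes and surrounding quotes intact."""
    body = re.sub(r'^\s*"?[^"]*cmd(?:\.exe)?"?\s+/[ck]\s+', "", cmdline, flags=re.I)
    return [shlex.split(seg, posix=False)
            for seg in re.split(r"&&|&|\|\||\|", body) if seg.strip()]


def detect_self_delete(events) -> list:
    """Return (cmd_pid, parent_pid, path) for each cmd.exe child that pings a loopback
    address (a delay so the parent can exit) and then deletes its parent's own image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or not e.image.lower().endswith("\\cmd.exe"):
            continue
        segs = cmd_segments(e.cmdline)
        pings_loopback = any(s and s[0].lower() in ("ping", "ping.exe")
                             and any(t.lower() in LOOPBACK for t in s[1:]) for s in segs)
        if not pings_loopback:
            continue
        for s in segs:
            if s and s[0].lower() in ("del", "erase"):
                for t in s[1:]:
                    if not t.startswith("/") and _norm_path(t) == _norm_path(parent.image):
                        hits.append((e.pid, parent.pid, t.strip('"')))
    return hits


def detect_temp_autorun(reg_events) -> list:
    """Return (pid, value_name, data) for Run/RunOnce values whose target lives in a
    user-writable directory, which is where a dropper like this one persists."""
    return [(r.pid, r.value_name, r.data) for r in reg_events
            if RUN_KEY_RE.search(r.key) and USER_WRITABLE_RE.search(r.data)]


def triage(proc_events, reg_events) -> dict:
    """Map findings to ATT&CK (current IDs; assumption, the report header cites v6)."""
    return {
        "T1070.004 self-deletion": detect_self_delete(proc_events),
        "T1547.001 run-key persistence": detect_temp_autorun(reg_events),
    }


if __name__ == "__main__":
    for technique, hits in triage(PROC_EVENTS, REG_EVENTS).items():
        print(technique, hits)
```

The self-deletion rule requires both halves of the pattern: a ping to a loopback address in the same cmd.exe command line and a del whose target equals the parent's image path. A cleanup script that pings and deletes some other file, or a del without the ping delay, does not match, which keeps the rule from firing on installer and updater clean-up routines that delete temporary files.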
Network
MITRE ATT&CK Enterprise v6
Downloads

Three entries with identical hashes (file names are not given in the report); these differ from the submitted sample's hashes above.

- MD5: a88f943089f5785af308ebaceb6ec930
- SHA1: d5bf5a28921eb9b84e3aa2e6c8d3e982aad6b11d
- SHA256: fc7a5ea0e7963fce8f8009df90d7037ebb22a22671eba62e25499411b9d6d685
- SHA512: 0cc1218668f6dc22a9ddab1dfbcb068c96e19b51492af2f7eced6fb139373adb80514a673ea66a567912d309d25b4a9576486dd6dec3b15101cb337d0bd6f032