Analysis
- max time kernel: 143s
- max time network: 166s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:07
Static task: static1
Behavioral task: behavioral1
- Sample: 15ffba13bfa69def699d25c7ec4b44b0675f148d30b2ffdfb688bdf341c5b118.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 15ffba13bfa69def699d25c7ec4b44b0675f148d30b2ffdfb688bdf341c5b118.exe
- Resource: win10v2004-en-20220112
General
- Target: 15ffba13bfa69def699d25c7ec4b44b0675f148d30b2ffdfb688bdf341c5b118.exe
- Size: 60KB
- MD5: c24eeeb38d5c279b011cf4e475be7c63
- SHA1: 3ceedd2ce52df26ef7ce069e46d257e61f45b0c8
- SHA256: 15ffba13bfa69def699d25c7ec4b44b0675f148d30b2ffdfb688bdf341c5b118
- SHA512: 80a46172f5ab3ab3b9c44023ec003f56e169e2d7a8a05261f522e80a8008e6e6395cde9789725df9b05efdb724d83c48b4ddb02ff61aa08ad32b9eab2a101b95
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  1368 MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
  1072 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  840 15ffba13bfa69def699d25c7ec4b44b0675f148d30b2ffdfb688bdf341c5b118.exe
  840 15ffba13bfa69def699d25c7ec4b44b0675f148d30b2ffdfb688bdf341c5b118.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  15ffba13bfa69def699d25c7ec4b44b0675f148d30b2ffdfb688bdf341c5b118.exe
  The key sits under Wow6432Node because the sample is a 32-bit process on 64-bit Windows and WOW64 registry redirection maps HKLM\SOFTWARE for it; the value name (MicroMedia) and the target path under %LOCALAPPDATA%\Temp are the hunting artefacts.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox describes this signature as likely ransomware behaviour; it is a generic heuristic, not a verdict on this sample.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  Token: SeIncBasePriorityPrivilege  840  15ffba13bfa69def699d25c7ec4b44b0675f148d30b2ffdfb688bdf341c5b118.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  PID 840 wrote to memory of 1368  840 15ffba13bfa69def699d25c7ec4b44b0675f148d30b2ffdfb688bdf341c5b118.exe  MediaCenter.exe  (4 entries)
  PID 840 wrote to memory of 1072  840 15ffba13bfa69def699d25c7ec4b44b0675f148d30b2ffdfb688bdf341c5b118.exe  cmd.exe  (4 entries)
  PID 1072 wrote to memory of 556  1072 cmd.exe  PING.EXE  (4 entries)
  Each write is counted as one IoC. Every target here is a child the writer had just created; a parent writing into a freshly created child is also what CreateProcess itself does, so this signature alone does not establish code injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\15ffba13bfa69def699d25c7ec4b44b0675f148d30b2ffdfb688bdf341c5b118.exe  (PID 840, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\15ffba13bfa69def699d25c7ec4b44b0675f148d30b2ffdfb688bdf341c5b118.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1368, depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe  (PID 1072, depth 2)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15ffba13bfa69def699d25c7ec4b44b0675f148d30b2ffdfb688bdf341c5b118.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE  (PID 556, depth 3)
      command line: ping 127.0.0.1
      - Runs ping.exe

The cmd.exe line is the common self-deletion idiom: ping 127.0.0.1 with no -n sends four echo requests (roughly three seconds), long enough for the parent to exit and release the lock on its image, after which del /q removes the original executable. The dropped copy, MediaCenter.exe, survives and is relaunched at logon through the Run key recorded above. Note also that the command line names System32\cmd.exe while the image that ran is SysWOW64\cmd.exe: the sample is 32-bit, so WOW64 file-system redirection resolved the path, the same mechanism that placed its Run key under Wow6432Node.
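As an added example, not part of the Triage report or the sample, the script below runs the two checks a responder would want over the tree above: a cmd.exe whose ping-delayed del target is exactly its own parent's image (self-deletion), and a Run/RunOnce value whose target lives in a user-writable directory (persistence). The event records are constructed here from the PIDs, command lines and registry IoC on the page; the record layout (ProcEvent fields, (pid, key, value) tuples) is this example's own, not a Triage export format.

```python
"""Flag ping-delayed self-deletion and user-writable Run-key persistence in a
process/registry event list.  Events below are constructed from the report's
process tree and registry IoC; the record layout is this example's own."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # on-disk image path as the sandbox reports it
    cmdline: str    # command line as launched


SAMPLE = "15ffba13bfa69def699d25c7ec4b44b0675f148d30b2ffdfb688bdf341c5b118.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed from the process tree in the report (PIDs and command lines as
# listed; the sample's own parent PID is not on the page, so 0 stands in).
EVENTS = [
    ProcEvent(840, 0, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(1368, 840, DROPPED, DROPPED),
    ProcEvent(1072, 840, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE_PATH}"'),
    ProcEvent(556, 1072, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]

# (pid, key, value) constructed from the "Adds Run key" signature.
REG_EVENTS = [
    (840,
     r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     DROPPED),
]

# cmd /c <ping|timeout ...> & del [/q] "<path>"  ("&&" and timeout variants match too)
SELF_DELETE_RE = re.compile(
    r'/c\s+(?:ping|timeout)\b[^&]*&{1,2}\s*del\b[^"]*"([^"]+)"', re.IGNORECASE)
RUN_KEY_RE = re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\', re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r'\\(?:AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public)\\', re.IGNORECASE)


def find_self_deletion(events):
    """Return (cmd_pid, parent_pid, deleted_path) for each cmd.exe whose delayed
    del target is exactly its parent's image, i.e. the spawner deletes itself."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent and m.group(1).lower() == parent.image.lower():
            hits.append((e.pid, parent.pid, m.group(1)))
    return hits


def find_user_writable_run_keys(reg_events):
    """Return (pid, value_name, target) for Run/RunOnce values whose target
    lives in a directory an unprivileged user can write to."""
    hits = []
    for pid, key, value in reg_events:
        if RUN_KEY_RE.search(key) and USER_WRITABLE_RE.search(value):
            hits.append((pid, key.rsplit("\\", 1)[-1], value))
    return hits


if __name__ == "__main__":
    for cmd_pid, parent_pid, path in find_self_deletion(EVENTS):
        print(f"self-delete: cmd.exe {cmd_pid} removes image of parent {parent_pid}: {path}")
    for pid, name, target in find_user_writable_run_keys(REG_EVENTS):
        print(f"persistence: pid {pid} set Run\\{name} -> {target}")
```

The self-deletion check deliberately requires the del target to equal the parent's image rather than matching any `ping & del` pair: installers and updaters use the same idiom to clean up helper files, and the parent-image match is what separates "removes its own dropper" from routine housekeeping. The Run-key check keys on the target directory, not the value name, since MicroMedia is one label of many an attacker could pick.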
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 96064e7839ff005e112ea4b9854acf8e
  SHA1: 8ce43ea48f725bf8237477dc686589d435da0f3f
  SHA256: d6321f1ec41574835e3f9ffda27a33d37ad978b17ba0998ebf770fd35ed3722e
  SHA512: 1fe2c0475a6e1c817e4d960a05f11b23da7df63a38a3592b9d93f89723abda98d4f3a2cc8f4c30989d40699727326d208e38852a9a978d9e4afefddae041db16