Analysis

max time kernel: 151s
max time network: 161s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:07

Static task: static1

Behavioral task: behavioral1
Sample: 15fd8ff16e7e3e4c1b8a3712282a71c28d296fd4b6585040c129bcd1e6ba06b1.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 15fd8ff16e7e3e4c1b8a3712282a71c28d296fd4b6585040c129bcd1e6ba06b1.exe
Resource: win10v2004-en-20220113
General

Target: 15fd8ff16e7e3e4c1b8a3712282a71c28d296fd4b6585040c129bcd1e6ba06b1.exe
Size: 36KB
MD5: 9844f5d1f6dc5a42541700b101439667
SHA1: d5ca15921e32425b60b1df9e8b7d5aea94c3be0e
SHA256: 15fd8ff16e7e3e4c1b8a3712282a71c28d296fd4b6585040c129bcd1e6ba06b1
SHA512: 8458bde669af89e0b763404cb1bc23e7a6b82c53b83a88f81d5a292a57400716f4cc0c70ee54bd8c88c27946d9083912758e75ee82ffe8be828cef167290bf4a
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes:
  PID 1480  MediaCenter.exe

Deletes itself (1 IoC)
Processes:
  PID 512  cmd.exe

Loads dropped DLL (2 IoCs)
Processes:
  PID 1748  15fd8ff16e7e3e4c1b8a3712282a71c28d296fd4b6585040c129bcd1e6ba06b1.exe  (x2)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Process: 15fd8ff16e7e3e4c1b8a3712282a71c28d296fd4b6585040c129bcd1e6ba06b1.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  PID 1748  15fd8ff16e7e3e4c1b8a3712282a71c28d296fd4b6585040c129bcd1e6ba06b1.exe  Token: SeIncBasePriorityPrivilege

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (source PID -> target PID, source process -> target process):
  1748 -> 1480  15fd8ff16e7e3e4c1b8a3712282a71c28d296fd4b6585040c129bcd1e6ba06b1.exe -> MediaCenter.exe  (x4)
  1748 -> 512   15fd8ff16e7e3e4c1b8a3712282a71c28d296fd4b6585040c129bcd1e6ba06b1.exe -> cmd.exe  (x4)
  512 -> 1028   cmd.exe -> PING.EXE  (x4)
Processes

1. C:\Users\Admin\AppData\Local\Temp\15fd8ff16e7e3e4c1b8a3712282a71c28d296fd4b6585040c129bcd1e6ba06b1.exe  (PID 1748)
   Command line: "C:\Users\Admin\AppData\Local\Temp\15fd8ff16e7e3e4c1b8a3712282a71c28d296fd4b6585040c129bcd1e6ba06b1.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1480)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe  (PID 512)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15fd8ff16e7e3e4c1b8a3712282a71c28d296fd4b6585040c129bcd1e6ba06b1.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE  (PID 1028)
         Command line: ping 127.0.0.1
         - Runs ping.exe
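The process tree above records two behaviours worth detecting on any host, not just in the sandbox: a Run value under ...\CurrentVersion\Run that points at a binary in the user's Temp directory, and a cmd.exe child that runs ping 127.0.0.1 as a delay and then del /q on its parent's own image (the delay lets the parent exit so the file is no longer locked). The following Python is an added example, not part of the sandbox report or of the sample; the event records are constructed to mirror the report's PIDs, paths and registry IoC, the field names (pid, ppid, image, cmdline, key, value) are an assumed schema rather than any real log format, and the parent PID 1000 for the sample is assumed.

```python
"""Detection logic for two behaviours recorded in the sandbox report:
persistence via a Run key pointing into %TEMP%, and self-deletion via
'cmd.exe /c ping 127.0.0.1 & del /q <own path>'. The events below are
constructed to mirror the report's process tree; the field names are an
assumed schema, not a real log format."""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\15fd8ff16e7e3e4c1b8a3712282a71c28d296fd4b6585040c129bcd1e6ba06b1.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed process-creation events; ppid 1000 for the sample's launcher is assumed.
PROCESS_EVENTS = [
    {"pid": 1748, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1480, "ppid": 1748, "image": DROPPED, "cmdline": DROPPED},
    {"pid": 512, "ppid": 1748, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"pid": 1028, "ppid": 512, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
]

# Constructed registry-set event mirroring the report's Run-key IoC.
REGISTRY_EVENTS = [
    {"pid": 1748,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": f'"{DROPPED}"'},
]

# A delay before the delete lets the parent exit and release its file lock.
DELAY_RE = re.compile(r"\b(?:ping|timeout|waitfor|sleep)\b", re.I)
# 'del' or 'erase', optional switches such as /q /f, then the target path.
DEL_RE = re.compile(r'\b(?:del|erase)\b(?:\s+/\w+)*\s+(?:"([^"]+)"|(\S+))', re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|ProgramData)\\", re.I)


def build_tree(events):
    """Map each pid to the list of its direct children, in event order."""
    tree = {}
    for e in events:
        tree.setdefault(e["ppid"], []).append(e)
    return tree


def find_self_deletion(events):
    """Return (cmd_pid, parent_pid, deleted_path) for each cmd.exe whose
    command line delays and then deletes its parent's own image."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(e["ppid"])
        m = DEL_RE.search(e["cmdline"])
        if parent is None or m is None:
            continue
        target = (m.group(1) or m.group(2)).lower()
        if target == parent["image"].lower() and DELAY_RE.search(e["cmdline"]):
            hits.append((e["pid"], parent["pid"], target))
    return hits


def find_suspicious_run_keys(reg_events, proc_events):
    """Flag Run/RunOnce values whose target lives in a user-writable directory,
    and record whether the writing process itself runs from such a directory."""
    images = {e["pid"]: e["image"] for e in proc_events}
    hits = []
    for r in reg_events:
        if not RUN_KEY_RE.search(r["key"]):
            continue
        target = r["value"].strip('"')
        if USER_WRITABLE_RE.search(target):
            writer = images.get(r["pid"], "")
            hits.append({"key": r["key"], "target": target, "writer": writer,
                         "writer_in_user_dir": bool(USER_WRITABLE_RE.search(writer))})
    return hits


if __name__ == "__main__":
    tree = build_tree(PROCESS_EVENTS)

    def show(pid, depth=0):
        for child in tree.get(pid, []):
            print("  " * depth + f"[{child['pid']}] {child['cmdline']}")
            show(child["pid"], depth + 1)

    show(1000)
    for cmd_pid, parent_pid, path in find_self_deletion(PROCESS_EVENTS):
        print(f"self-deletion: PID {cmd_pid} deletes image of parent PID {parent_pid}: {path}")
    for hit in find_suspicious_run_keys(REGISTRY_EVENTS, PROCESS_EVENTS):
        print(f"run-key persistence: {hit['key']} -> {hit['target']} (written by {hit['writer']})")
```

The self-deletion check deliberately requires three things together (a cmd.exe child, a delay command, and a delete whose target equals the parent's image path), because `del` in a cmd.exe command line on its own is routine; the Run-key check treats a target under Temp, Roaming, Public or ProgramData as the signal, since legitimate autostart entries almost always point into Program Files or the Windows directory.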
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: c9739dd74fdaa44269c369e3d4f5634f
SHA1: ec3a70709dea07de00892c4480260bb2cc70cd9a
SHA256: 57a7c75378148c35254ea6b73c87f05cbe72bcfd64ccdcae513d3a942bae37be
SHA512: f91b018e37d5d045c4d14436c8d7a1ce735b83306aa60919de0227cce058ecd45666e42a0d9626c646f1c275bec9c75d4f499a4297b95f10c0aa6db6536cbfe8