Analysis
max time kernel: 118s
max time network: 127s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:12
Static task: static1
Behavioral task: behavioral1
  Sample: 15cfd647eadc1c0836edb8052572b9e1cb5f43cce5d7d8643c1e64334c868a37.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 15cfd647eadc1c0836edb8052572b9e1cb5f43cce5d7d8643c1e64334c868a37.exe
  Resource: win10v2004-en-20220113
General
Target: 15cfd647eadc1c0836edb8052572b9e1cb5f43cce5d7d8643c1e64334c868a37.exe
Size: 35KB
MD5: f07fa894cf75ab87a379dc058ef67059
SHA1: 18f3505d60a7281348a650687834f4a3bf55d5ce
SHA256: 15cfd647eadc1c0836edb8052572b9e1cb5f43cce5d7d8643c1e64334c868a37
SHA512: 1b53b254d37e0ee4d874ba825539f7d7e5294fcffc0594e9a959b092c9a7a1e2c603f1de5788705ec49981758b32f3d9d58fc9e2716a81557a8f020358487360
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   process
  1608  MediaCenter.exe

Deletes itself (1 IoC)
  pid   process
  1000  cmd.exe

Loads dropped DLL (2 IoCs)
  pid   process
  1760  15cfd647eadc1c0836edb8052572b9e1cb5f43cce5d7d8643c1e64334c868a37.exe
  1760  15cfd647eadc1c0836edb8052572b9e1cb5f43cce5d7d8643c1e64334c868a37.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   15cfd647eadc1c0836edb8052572b9e1cb5f43cce5d7d8643c1e64334c868a37.exe
  Note: the Wow6432Node path shows the sample is a 32-bit binary running under WOW64 on the 64-bit host, so the persistence value lives in the 32-bit registry view. A check that reads only the native HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key will not see it.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: this is the sandbox's generic description for the signature; no encryption or bulk file modification is recorded elsewhere in this report.

Runs ping.exe (1 TTP, 1 IoC)
  pid   process
  1876  PING.EXE

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                       pid   process
  Token: SeIncBasePriorityPrivilege  1760  15cfd647eadc1c0836edb8052572b9e1cb5f43cce5d7d8643c1e64334c868a37.exe
  Note: SeIncBasePriorityPrivilege is held by ordinary user accounts by default and is enabled by many benign programs when they adjust process or thread priority; on its own it is a weak signal.

Suspicious use of WriteProcessMemory (12 IoCs)
  description         pid   process                                                                 target process
  PID 1760 wrote to memory of 1608 (logged 4 times)  1760  15cfd647eadc1c0836edb8052572b9e1cb5f43cce5d7d8643c1e64334c868a37.exe  MediaCenter.exe
  PID 1760 wrote to memory of 1000 (logged 4 times)  1760  15cfd647eadc1c0836edb8052572b9e1cb5f43cce5d7d8643c1e64334c868a37.exe  cmd.exe
  PID 1000 wrote to memory of 1876 (logged 4 times)  1000  cmd.exe                                                                 PING.EXE
  Note: every write targets a process that the writer itself has just spawned (see the process tree below), which is consistent with ordinary process creation; no write into an unrelated, pre-existing process is recorded.
Processes

1. C:\Users\Admin\AppData\Local\Temp\15cfd647eadc1c0836edb8052572b9e1cb5f43cce5d7d8643c1e64334c868a37.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\15cfd647eadc1c0836edb8052572b9e1cb5f43cce5d7d8643c1e64334c868a37.exe"
   PID: 1760
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1608
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15cfd647eadc1c0836edb8052572b9e1cb5f43cce5d7d8643c1e64334c868a37.exe"
      PID: 1000
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1876
         - Runs ping.exe

Notes on the tree: the command line names System32\cmd.exe but the image that runs is SysWOW64\cmd.exe, because the 32-bit parent is subject to WOW64 file-system redirection. The "ping 127.0.0.1 & del /q <sample>" idiom uses the four loopback echo requests (roughly three seconds) as a sleep so that the original executable has exited, and its file lock is released, before del runs; the dropped MediaCenter.exe and its Run value survive, which is the dropper's intended end state.
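The three behaviours this report flags (a Run value pointing into the user's Temp directory, a child executed from Temp, and the ping-then-del self-deletion) are only convincing together. The following is an added example of correlating them over Sysmon-style process-create and registry-set events; it is not part of the sandbox report or the sample's code. The event field names, the ProcEvent/RegEvent records, the parent PID 500, and the benign noise events (an unrelated shell running ping, a OneDrive Run value) are assumptions constructed for this example; only the paths, PIDs and command lines are taken from the report above.

```python
# Added example (not part of the sandbox report): correlating the behaviours the
# report flags - a Run key pointing into %TEMP%, a child executed from %TEMP%, and
# the "cmd /c ping 127.0.0.1 & del" self-deletion - over constructed, Sysmon-style
# process-create and registry-set events. Event field names and the sample events
# are assumptions made for this example; only the paths, PIDs and command lines
# are taken from the report.
import re
from dataclasses import dataclass

# Run key under either the native or the Wow6432Node (32-bit view) hive path.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# "ping <host> ... & del [/switches] <path>": ping used as a sleep, then delete.
SELF_DEL_RE = re.compile(r'ping\s+\S+.*?&\s*del\s+(?:/\w+\s+)*"?([^"&]+?)"?\s*$', re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class RegEvent:
    pid: int
    key: str
    data: str


SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "15cfd647eadc1c0836edb8052572b9e1cb5f43cce5d7d8643c1e64334c868a37.exe")
DROPPED = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"

# Constructed events mirroring the report's process tree, plus benign noise
# (a plain ping from an unrelated shell, and a normal OneDrive Run value).
PROCS = [
    ProcEvent(1760, 500, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1608, 1760, DROPPED, DROPPED),
    ProcEvent(1000, 1760, "C:\\Windows\\SysWOW64\\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcEvent(1876, 1000, "C:\\Windows\\SysWOW64\\PING.EXE", "ping 127.0.0.1"),
    ProcEvent(2000, 500, "C:\\Windows\\System32\\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1'),
]
REGS = [
    RegEvent(1760, "\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows"
                   "\\CurrentVersion\\Run\\MicroMedia", DROPPED),
    RegEvent(2100, "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows"
                   "\\CurrentVersion\\Run\\OneDrive",
             "C:\\Program Files\\OneDrive\\OneDrive.exe"),
]


def self_delete_parents(procs):
    """Map ppid -> image for every cmd.exe that sleeps via ping and then deletes
    its own parent's executable (the deleted path must equal the parent image)."""
    by_pid = {p.pid: p for p in procs}
    hits = {}
    for p in procs:
        if not p.image.lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DEL_RE.search(p.cmdline)
        parent = by_pid.get(p.ppid)
        if m and parent and parent.image.lower() == m.group(1).strip().lower():
            hits[p.ppid] = parent.image
    return hits


def temp_run_keys(regs):
    """Registry events that set a Run value whose data points into the user's Temp dir."""
    return [r for r in regs if RUN_KEY_RE.search(r.key) and TEMP_RE.search(r.data)]


def correlate(procs, regs):
    """Per-PID summary of the dropper pattern: persistence, self-deletion and
    children executed from Temp. A PID is reported if any one signal fires."""
    by_pid = {p.pid: p for p in procs}
    deleted = self_delete_parents(procs)
    persist = {r.pid: r for r in temp_run_keys(regs)}
    findings = {}
    for pid in sorted(set(deleted) | set(persist)):
        children = [c.image for c in procs if c.ppid == pid and TEMP_RE.search(c.image)]
        findings[pid] = {
            "image": by_pid[pid].image if pid in by_pid else None,
            "self_delete": pid in deleted,
            "run_key": persist[pid].key if pid in persist else None,
            "temp_children": sorted(children),
        }
    return findings


if __name__ == "__main__":
    for pid, finding in correlate(PROCS, REGS).items():
        print(pid, finding)
```

Run against the constructed events, only PID 1760 is reported: it owns the Wow6432Node Run value, spawned MediaCenter.exe from Temp, and had a cmd.exe child delete its image. The unrelated ping and the OneDrive Run value produce nothing, which is the point of tying the del target back to the parent's own image rather than alerting on every "ping & del" string.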
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 21154de2e6a25063a8a290b2237ee922
SHA1: 2d4bb66c9df7fb51084881b8e315f6858a6adb82
SHA256: 513ba600045c065e9be4fc4ecec69206a9da2dcbbc435cab507131617668d979
SHA512: 2ea29e47309255c2fdfe220edf3ca154a602919bd30f20e7934d77c7601fb659e8da5ea3aee0808dbdf4db93260779924c6f3853b084372ed635357d80cc3a1c
Note: the report lists this hash set three times with identical values; one copy is kept here. The SHA256 differs from the submitted sample's, so this is a separate artifact from the run; the report does not name which file it is.