Analysis

max time kernel: 140s
max time network: 156s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:12
Static task: static1

Behavioral task: behavioral1
  Sample: 15cd7a5481499f48ecdd6669b1d91f778a0c122ec9a6abdce347145f060e8c07.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 15cd7a5481499f48ecdd6669b1d91f778a0c122ec9a6abdce347145f060e8c07.exe
  Resource: win10v2004-en-20220112
General

Target: 15cd7a5481499f48ecdd6669b1d91f778a0c122ec9a6abdce347145f060e8c07.exe
Size: 36KB
MD5: 2799d8c94d56a47f357d5994d0267a84
SHA1: b41132aff85ebc5c7a3b2f9915deb5d7d216f4f3
SHA256: 15cd7a5481499f48ecdd6669b1d91f778a0c122ec9a6abdce347145f060e8c07
SHA512: 4e8cd7b9ed6cf96a6ae89c069598c5cc2b2a63df61712c1e60174d2ec7c1f2ba4b62a14875621e8d9d6b0952f2c4b4bd537d931c9e64346dd52462fc36b7d93e
Malware Config
Signatures

- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe (PID 1680)

- Deletes itself (1 IoCs)
  Processes: cmd.exe (PID 1816)

- Loads dropped DLL (2 IoCs)
  Processes: 15cd7a5481499f48ecdd6669b1d91f778a0c122ec9a6abdce347145f060e8c07.exe (PID 1592), listed twice

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Process: 15cd7a5481499f48ecdd6669b1d91f778a0c122ec9a6abdce347145f060e8c07.exe
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Runs ping.exe (1 TTPs, 1 IoCs)

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Process: 15cd7a5481499f48ecdd6669b1d91f778a0c122ec9a6abdce347145f060e8c07.exe (PID 1592)
  Description: Token: SeIncBasePriorityPrivilege

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 15cd7a5481499f48ecdd6669b1d91f778a0c122ec9a6abdce347145f060e8c07.exe, cmd.exe
  Entries (description / pid / process / target process), each recorded four times in the original table:
  PID 1592 wrote to memory of 1680 / 1592 / 15cd7a5481499f48ecdd6669b1d91f778a0c122ec9a6abdce347145f060e8c07.exe / MediaCenter.exe
  PID 1592 wrote to memory of 1816 / 1592 / 15cd7a5481499f48ecdd6669b1d91f778a0c122ec9a6abdce347145f060e8c07.exe / cmd.exe
  PID 1816 wrote to memory of 436 / 1816 / cmd.exe / PING.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\15cd7a5481499f48ecdd6669b1d91f778a0c122ec9a6abdce347145f060e8c07.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\15cd7a5481499f48ecdd6669b1d91f778a0c122ec9a6abdce347145f060e8c07.exe"
   PID: 1592
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1680
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15cd7a5481499f48ecdd6669b1d91f778a0c122ec9a6abdce347145f060e8c07.exe"
      PID: 1816
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 436
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: f4326b9b96a2d6d6eca1847b7d25c044
  SHA1: 6adf1bfa3c86b7f3f9c9a71eb2ae35db79935e86
  SHA256: d464b4fce2f929be8101d0d07d4463f8e4b2282d599db344d40978d3fe1f8428
  SHA512: 5caad8933edb0c44646d16396bf4b6c3794e5be02b0a2a99c9c784ef380d9032c7281826e885c668c760a681d3e50313f65038c80ed030a565cc84e7f33d0eb8