Analysis

Max time kernel: 117s
Max time network: 130s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 04:13
Static task: static1

Behavioral task: behavioral1
  Sample: 15c38b4d62ef356e30a282155b77a3d28a7f4df3729cd49fae439c8ff15989b4.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 15c38b4d62ef356e30a282155b77a3d28a7f4df3729cd49fae439c8ff15989b4.exe
  Resource: win10v2004-en-20220113
General

Target: 15c38b4d62ef356e30a282155b77a3d28a7f4df3729cd49fae439c8ff15989b4.exe
Size: 60KB
MD5: 1dbe9a95d23761f8a22abc059c6ce8a3
SHA1: a5f3d145e3510735bd9515f75eceb64edc1caf8a
SHA256: 15c38b4d62ef356e30a282155b77a3d28a7f4df3729cd49fae439c8ff15989b4
SHA512: ac745d50ab90235aa403a9ea39269d45b22cb6ba3a87d8d03c6ffa752b0eb7355bb158055d31aadee453126fbd7e5c439c54e6b8932e8d0faa2d2dc1f8f3310e
Signatures

Executes dropped EXE (1 IoC)
  PID 1072  MediaCenter.exe

Deletes itself (1 IoC)
  PID 1980  cmd.exe

Loads dropped DLL (2 IoCs)
  PID 964  15c38b4d62ef356e30a282155b77a3d28a7f4df3729cd49fae439c8ff15989b4.exe (2 loads)

Adds Run key to start application (2 TTPs, 1 IoC)
  PID 964  15c38b4d62ef356e30a282155b77a3d28a7f4df3729cd49fae439c8ff15989b4.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  The key lands under Wow6432Node because the sample is a 32-bit process on 64-bit Windows (its children run from SysWOW64, see the process tree below), so its write to HKLM\SOFTWARE\...\Run is redirected by the WOW64 registry redirector. The autorun target sits in a user-writable temp directory, which is itself a persistence indicator worth hunting for independently of this sample.

Enumerates physical storage devices (1 TTP)
  The sample interacts with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but drive enumeration is also routine in droppers and worms, and no other signature in this run points to encryption; treat the label as a weak heuristic rather than a classification.

Runs ping.exe (1 TTP, 1 IoC)
  ping 127.0.0.1 serves only as a delay: the cmd.exe command line waits for the ping to return before deleting the original sample, giving the parent process time to exit so the file is no longer in use.

Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 964  15c38b4d62ef356e30a282155b77a3d28a7f4df3729cd49fae439c8ff15989b4.exe  Token: SeIncBasePriorityPrivilege

Suspicious use of WriteProcessMemory (12 IoCs)
  Each parent wrote four times into the child it had just spawned. All targets are the sample's own children, consistent with writes made while setting up a new process rather than injection into an unrelated one.
  PID 964   15c38b4d62ef356e30a282155b77a3d28a7f4df3729cd49fae439c8ff15989b4.exe  -> PID 1072  MediaCenter.exe  (4 writes)
  PID 964   15c38b4d62ef356e30a282155b77a3d28a7f4df3729cd49fae439c8ff15989b4.exe  -> PID 1980  cmd.exe          (4 writes)
  PID 1980  cmd.exe                                                                -> PID 1964  PING.EXE         (4 writes)
Processes

Image paths of the children are under SysWOW64 while their command lines name System32: the 32-bit sample's file-system accesses are redirected by WOW64, which is the same mechanism that put the Run key under Wow6432Node.

1. C:\Users\Admin\AppData\Local\Temp\15c38b4d62ef356e30a282155b77a3d28a7f4df3729cd49fae439c8ff15989b4.exe  (PID 964)
   Command line: "C:\Users\Admin\AppData\Local\Temp\15c38b4d62ef356e30a282155b77a3d28a7f4df3729cd49fae439c8ff15989b4.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1072)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe  (PID 1980)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15c38b4d62ef356e30a282155b77a3d28a7f4df3729cd49fae439c8ff15989b4.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE  (PID 1964)
         Command line: ping 127.0.0.1
         - Runs ping.exe
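Detection logic for the two behaviours recorded above (a Run key whose target lives in a user temp directory, and the cmd.exe ping/del self-delete idiom), as an added example that is not part of the sandbox report and not the sandbox vendor's code. The event schema (kind, pid, parent_image, image, cmdline, key, value) is an assumption chosen for illustration, and the events are constructed from the process tree in this report plus two benign controls; mapping the fields onto real telemetry (for example Sysmon event IDs 1 and 13) is left to the reader.

```python
"""Detection logic for the two behaviours this report records: an autorun (Run key)
entry pointing into a user-writable temp directory, and the cmd.exe ping/del self-delete
idiom. Added example; it is not sandbox or vendor code. The event field names
(kind, pid, parent_image, image, cmdline, key, value) are an assumed, simplified schema,
and SAMPLE_EVENTS are constructed from the process tree in this report plus two benign controls."""
import re
from typing import Dict, Iterable, List, Optional

Event = Dict[str, object]

# Run / RunOnce keys, with or without the Wow6432Node path a 32-bit writer is redirected to on x64
RUN_KEY_RE = re.compile(
    r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# A user-writable staging directory an autorun entry has no legitimate reason to point into
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# "ping <host> & del /q <path>": ping as a delay, then deletion of a quoted or bare path
SELF_DELETE_RE = re.compile(
    r"ping\s+(?:-n\s+\d+\s+)?\S+.*?&+\s*(?:del|erase)\s+(?:/\w\s+)*\"?(?P<target>[^\"&]+)\"?",
    re.IGNORECASE)


def detect_run_key_to_user_temp(event: Event) -> Optional[str]:
    """Flag a Run/RunOnce value whose target lives under %LOCALAPPDATA%\\Temp."""
    if event.get("kind") != "registry_set":
        return None
    key, value = str(event.get("key", "")), str(event.get("value", ""))
    if RUN_KEY_RE.search(key) and USER_TEMP_RE.search(value):
        return f"run-key persistence into user temp: pid {event['pid']} set {key} = {value}"
    return None


def detect_self_delete(event: Event) -> Optional[str]:
    """Flag cmd.exe running the ping/del idiom; strongest when the deleted path is the parent image."""
    if event.get("kind") != "process_create":
        return None
    if not str(event.get("image", "")).lower().endswith("\\cmd.exe"):
        return None
    match = SELF_DELETE_RE.search(str(event.get("cmdline", "")))
    if not match:
        return None
    target = match.group("target").strip()
    parent = str(event.get("parent_image", ""))
    kind = "self-delete of parent" if target.lower() == parent.lower() else "delete"
    return f"cmd.exe ping/del {kind}: pid {event['pid']} removes {target}"


def scan(events: Iterable[Event]) -> List[str]:
    """Run every detector over every event and collect the alerts in event order."""
    alerts = []
    for event in events:
        for detector in (detect_run_key_to_user_temp, detect_self_delete):
            hit = detector(event)
            if hit:
                alerts.append(hit)
    return alerts


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\15c38b4d62ef356e30a282155b77a3d28a7f4df3729cd49fae439c8ff15989b4.exe"

# Constructed events: the first two mirror the report's process tree, the last two are benign controls
SAMPLE_EVENTS: List[Event] = [
    {"kind": "registry_set", "pid": 964,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"kind": "process_create", "pid": 1980, "parent_image": SAMPLE,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'},
    {"kind": "registry_set", "pid": 4120,  # a vendor updater registering itself from Program Files
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Program Files\Vendor\updater.exe"},
    {"kind": "process_create", "pid": 4200, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1'},  # a ping with no deletion
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Run directly, the script prints one alert per malicious event and stays silent on the two controls. RUN_KEY_RE accepts both the plain and the Wow6432Node form of the key so that the same rule catches 32-bit and 64-bit writers, and detect_self_delete compares the deleted path against the parent image so that an analyst can tell true self-deletion from cmd.exe merely cleaning up some other file.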
Downloads

A file captured during the run; its hashes differ from those of the submitted sample.

MD5: 81fd420496c1ea72ef0d386275746c2e
SHA1: e496513026dfe6b603494607c3494f46a322a828
SHA256: c19c53f0e67b81a3de34f25384d019473b16211fa9044496d931fefa6f72183c
SHA512: b556fc25dc33a7796a04beaebdef66424e6ae1f78c452323d662d38e243a4bd7243a9a3f5a8d1cdeba704589aada9db3711f903d2ebcd2cc7f2993813de8a1e4