Analysis
max time kernel: 144s
max time network: 172s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:14
Static task: static1
Behavioral task: behavioral1
  Sample: 15c3144f79e1ebb0137f419945c47f4b78f1ac89b891cef7789baf4cd39f8a62.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 15c3144f79e1ebb0137f419945c47f4b78f1ac89b891cef7789baf4cd39f8a62.exe
  Resource: win10v2004-en-20220113
General
Target: 15c3144f79e1ebb0137f419945c47f4b78f1ac89b891cef7789baf4cd39f8a62.exe
Size: 35KB
MD5: 4871b7d96c274f3388cb97ca7e788b1b
SHA1: 99f5f4ff71cfe16307446b3ba797a5986b2cc1b5
SHA256: 15c3144f79e1ebb0137f419945c47f4b78f1ac89b891cef7789baf4cd39f8a62
SHA512: 67bf98f6c86087bb1c48aa9a8e5b420eb0fd8b36c8491e90b5ac0b30adf9d4660ed1f25921cba946ef9a3435020041b6331fd39b2f0f572fc59ca226db691a30
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid 1344  process MediaCenter.exe

Deletes itself (1 IoC)
  pid 752  process cmd.exe

Loads dropped DLL (2 IoCs)
  pid 1632  process 15c3144f79e1ebb0137f419945c47f4b78f1ac89b891cef7789baf4cd39f8a62.exe
  pid 1632  process 15c3144f79e1ebb0137f419945c47f4b78f1ac89b891cef7789baf4cd39f8a62.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 15c3144f79e1ebb0137f419945c47f4b78f1ac89b891cef7789baf4cd39f8a62.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeIncBasePriorityPrivilege
  pid 1632  process 15c3144f79e1ebb0137f419945c47f4b78f1ac89b891cef7789baf4cd39f8a62.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description / pid / process / target process
  PID 1632 wrote to memory of 1344 / 1632 / 15c3144f79e1ebb0137f419945c47f4b78f1ac89b891cef7789baf4cd39f8a62.exe / MediaCenter.exe
  PID 1632 wrote to memory of 1344 / 1632 / 15c3144f79e1ebb0137f419945c47f4b78f1ac89b891cef7789baf4cd39f8a62.exe / MediaCenter.exe
  PID 1632 wrote to memory of 1344 / 1632 / 15c3144f79e1ebb0137f419945c47f4b78f1ac89b891cef7789baf4cd39f8a62.exe / MediaCenter.exe
  PID 1632 wrote to memory of 1344 / 1632 / 15c3144f79e1ebb0137f419945c47f4b78f1ac89b891cef7789baf4cd39f8a62.exe / MediaCenter.exe
  PID 1632 wrote to memory of 752 / 1632 / 15c3144f79e1ebb0137f419945c47f4b78f1ac89b891cef7789baf4cd39f8a62.exe / cmd.exe
  PID 1632 wrote to memory of 752 / 1632 / 15c3144f79e1ebb0137f419945c47f4b78f1ac89b891cef7789baf4cd39f8a62.exe / cmd.exe
  PID 1632 wrote to memory of 752 / 1632 / 15c3144f79e1ebb0137f419945c47f4b78f1ac89b891cef7789baf4cd39f8a62.exe / cmd.exe
  PID 1632 wrote to memory of 752 / 1632 / 15c3144f79e1ebb0137f419945c47f4b78f1ac89b891cef7789baf4cd39f8a62.exe / cmd.exe
  PID 752 wrote to memory of 1432 / 752 / cmd.exe / PING.EXE
  PID 752 wrote to memory of 1432 / 752 / cmd.exe / PING.EXE
  PID 752 wrote to memory of 1432 / 752 / cmd.exe / PING.EXE
  PID 752 wrote to memory of 1432 / 752 / cmd.exe / PING.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\15c3144f79e1ebb0137f419945c47f4b78f1ac89b891cef7789baf4cd39f8a62.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\15c3144f79e1ebb0137f419945c47f4b78f1ac89b891cef7789baf4cd39f8a62.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1632

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1344

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15c3144f79e1ebb0137f419945c47f4b78f1ac89b891cef7789baf4cd39f8a62.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 752

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 1432
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 6b8e1519ed2985af15b2228a57290cdf
SHA1: 95277b62e7cc4955ef0144a8928c424f8f11394f
SHA256: 2500258190a9652825f5c1ad6032e7311a446179c9ad09fe1ad7fd4fb058532a
SHA512: b2d849274efa962f86c9ddfe5ad79ae65a12aa0da4f4c28129591acaff32d0d3c1d3e5462470cce7ec93e82a712f8e2a1ebdd8fae358ab028f5dac7d3577a98b