Analysis
- max time kernel: 162s
- max time network: 175s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:16
Static task: static1
Behavioral task: behavioral1
  Sample: 15a6601fa4ced52983761e49fa7d3b9c02a2eb69cca2b3396fb4d97b16abdf9a.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 15a6601fa4ced52983761e49fa7d3b9c02a2eb69cca2b3396fb4d97b16abdf9a.exe
  Resource: win10v2004-en-20220112
General
- Target: 15a6601fa4ced52983761e49fa7d3b9c02a2eb69cca2b3396fb4d97b16abdf9a.exe
- Size: 36KB
- MD5: 495a1f269b8ebed73da700578db0e0ef
- SHA1: 55a9c807edfc1dca15defa82c0218e0c1aac8d48
- SHA256: 15a6601fa4ced52983761e49fa7d3b9c02a2eb69cca2b3396fb4d97b16abdf9a
- SHA512: 1608302654fe2ac118d3973837b6084e3600bad954cfa26dd9d9762d2007191a82d36357d3e6ff0ff4e1acd98d5d7b7c76a58466ee17a8a2475c7a8f813fd568
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  - MediaCenter.exe (PID 1924)
- Deletes itself (1 IoC)
  Processes:
  - cmd.exe (PID 432)
- Loads dropped DLL (2 IoCs)
  Processes:
  - 15a6601fa4ced52983761e49fa7d3b9c02a2eb69cca2b3396fb4d97b16abdf9a.exe (PID 1040)
  - 15a6601fa4ced52983761e49fa7d3b9c02a2eb69cca2b3396fb4d97b16abdf9a.exe (PID 1040)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - 15a6601fa4ced52983761e49fa7d3b9c02a2eb69cca2b3396fb4d97b16abdf9a.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - 15a6601fa4ced52983761e49fa7d3b9c02a2eb69cca2b3396fb4d97b16abdf9a.exe (PID 1040): Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID -> target PID, source process -> target process):
  - PID 1040 wrote to memory of 1924: 15a6601fa4ced52983761e49fa7d3b9c02a2eb69cca2b3396fb4d97b16abdf9a.exe -> MediaCenter.exe (4 entries)
  - PID 1040 wrote to memory of 432: 15a6601fa4ced52983761e49fa7d3b9c02a2eb69cca2b3396fb4d97b16abdf9a.exe -> cmd.exe (4 entries)
  - PID 432 wrote to memory of 1108: cmd.exe -> PING.EXE (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\15a6601fa4ced52983761e49fa7d3b9c02a2eb69cca2b3396fb4d97b16abdf9a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\15a6601fa4ced52983761e49fa7d3b9c02a2eb69cca2b3396fb4d97b16abdf9a.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1040
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1924
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15a6601fa4ced52983761e49fa7d3b9c02a2eb69cca2b3396fb4d97b16abdf9a.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 432
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1108
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: c81ab44c363e7a8712379834cee3bdb7
  SHA1: 76b25d3a1cea53719c46d161852ffe8969ee5f14
  SHA256: 96e8094d6bbd8eddc45c39f9bf5abcdd62ef0de87c23d8fcbec2c3f73aef9ad2
  SHA512: c38c0a311a494dff5b8f8961686a2f02f8bc56d438bcd1ca2aa5510ac39efb7d7dafb671a0effe9686fbe00e2161e86862bb295b6644dc22695664cd5f46c809