Analysis
- max time kernel: 121s
- max time network: 144s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:17
Static task: static1
Behavioral task: behavioral1
- Sample: 15a0e292d606ee3f89dc3041a4c2bc35de5cc5c6752da48b7ac9d5ae20fd47cc.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 15a0e292d606ee3f89dc3041a4c2bc35de5cc5c6752da48b7ac9d5ae20fd47cc.exe
- Resource: win10v2004-en-20220112
General
- Target: 15a0e292d606ee3f89dc3041a4c2bc35de5cc5c6752da48b7ac9d5ae20fd47cc.exe
- Size: 58KB
- MD5: 066a5f61b3edde9e21e4149210c4f72b
- SHA1: 236256f15197904f27dbda051796a560561a382c
- SHA256: 15a0e292d606ee3f89dc3041a4c2bc35de5cc5c6752da48b7ac9d5ae20fd47cc
- SHA512: 9c180d89db440a8ff905c2922e18ff54309bd98c8ae3e012536b5d4db8896dd8c404896dde5c13d2670a2dc5f584cb2d7a50606fe66b9ca320ce0182055fa9b5
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process): 304 MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid, process): 1696 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  - 1772 15a0e292d606ee3f89dc3041a4c2bc35de5cc5c6752da48b7ac9d5ae20fd47cc.exe
  - 1772 15a0e292d606ee3f89dc3041a4c2bc35de5cc5c6752da48b7ac9d5ae20fd47cc.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 15a0e292d606ee3f89dc3041a4c2bc35de5cc5c6752da48b7ac9d5ae20fd47cc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
  - Token: SeIncBasePriorityPrivilege | 1772 | 15a0e292d606ee3f89dc3041a4c2bc35de5cc5c6752da48b7ac9d5ae20fd47cc.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  - PID 1772 wrote to memory of 304 | 1772 | 15a0e292d606ee3f89dc3041a4c2bc35de5cc5c6752da48b7ac9d5ae20fd47cc.exe | MediaCenter.exe
  - PID 1772 wrote to memory of 304 | 1772 | 15a0e292d606ee3f89dc3041a4c2bc35de5cc5c6752da48b7ac9d5ae20fd47cc.exe | MediaCenter.exe
  - PID 1772 wrote to memory of 304 | 1772 | 15a0e292d606ee3f89dc3041a4c2bc35de5cc5c6752da48b7ac9d5ae20fd47cc.exe | MediaCenter.exe
  - PID 1772 wrote to memory of 304 | 1772 | 15a0e292d606ee3f89dc3041a4c2bc35de5cc5c6752da48b7ac9d5ae20fd47cc.exe | MediaCenter.exe
  - PID 1772 wrote to memory of 1696 | 1772 | 15a0e292d606ee3f89dc3041a4c2bc35de5cc5c6752da48b7ac9d5ae20fd47cc.exe | cmd.exe
  - PID 1772 wrote to memory of 1696 | 1772 | 15a0e292d606ee3f89dc3041a4c2bc35de5cc5c6752da48b7ac9d5ae20fd47cc.exe | cmd.exe
  - PID 1772 wrote to memory of 1696 | 1772 | 15a0e292d606ee3f89dc3041a4c2bc35de5cc5c6752da48b7ac9d5ae20fd47cc.exe | cmd.exe
  - PID 1772 wrote to memory of 1696 | 1772 | 15a0e292d606ee3f89dc3041a4c2bc35de5cc5c6752da48b7ac9d5ae20fd47cc.exe | cmd.exe
  - PID 1696 wrote to memory of 1084 | 1696 | cmd.exe | PING.EXE
  - PID 1696 wrote to memory of 1084 | 1696 | cmd.exe | PING.EXE
  - PID 1696 wrote to memory of 1084 | 1696 | cmd.exe | PING.EXE
  - PID 1696 wrote to memory of 1084 | 1696 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\15a0e292d606ee3f89dc3041a4c2bc35de5cc5c6752da48b7ac9d5ae20fd47cc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\15a0e292d606ee3f89dc3041a4c2bc35de5cc5c6752da48b7ac9d5ae20fd47cc.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1772
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 304
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15a0e292d606ee3f89dc3041a4c2bc35de5cc5c6752da48b7ac9d5ae20fd47cc.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1696
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1084
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 32ee84af1a85a0803e05ed54ef405ca7
  SHA1: 824db6016366f8075684e144b0e529f3e8ce6eec
  SHA256: cebd368a309f2362f8f162a684b60a6d0a20d4b78c1e7f7e391d3b8705a31fda
  SHA512: 3777cdfbea2e4f4741a05f46117f923f3bc966e5f3095bd0bf1e3a75d34d9784fae1828d3bf684724185178886e1b917273b18c61a53670244e2b6e162432121