Analysis
- max time kernel: 117s
- max time network: 132s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:20
Static task: static1
Behavioral task: behavioral1
- Sample: 15794af312d736e0ec89c9f7c39c219f0abe867bc10b7131f5ae9a2cf9feb390.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 15794af312d736e0ec89c9f7c39c219f0abe867bc10b7131f5ae9a2cf9feb390.exe
- Resource: win10v2004-en-20220112
General
- Target: 15794af312d736e0ec89c9f7c39c219f0abe867bc10b7131f5ae9a2cf9feb390.exe
- Size: 58KB
- MD5: 629d7568d5e323480598acd7f7679670
- SHA1: 45a2b1a92c54ceac814f63890bf1de7e44349155
- SHA256: 15794af312d736e0ec89c9f7c39c219f0abe867bc10b7131f5ae9a2cf9feb390
- SHA512: ec94f7414c079ea57a553974c5f0de48fbff71315fd80d33716ff4ddd26b119fcd601f6d2241cd6ced1200846fe39e319c7bf920f442f33dda60d3618ccb5943
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 1472)
- Deletes itself (1 IoC)
  Process: cmd.exe (PID 432). The sample does not delete its own file directly; it spawns cmd.exe, which waits on a loopback ping (so the parent can exit and release its file handle) and then runs del on the original sample path (see the process tree below).
- Loads dropped DLL (2 IoCs)
  Process: 15794af312d736e0ec89c9f7c39c219f0abe867bc10b7131f5ae9a2cf9feb390.exe (PID 1396), two DLL loads.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" by 15794af312d736e0ec89c9f7c39c219f0abe867bc10b7131f5ae9a2cf9feb390.exe (PID 1396).
  The Wow6432Node path (and the SysWOW64 child images below) shows the sample is a 32-bit binary running under WoW64: it wrote HKLM\Software\Microsoft\Windows\CurrentVersion\Run in the 32-bit registry view, so a hunt that only reads the native 64-bit Run key on this host would miss the value. The persistence target is the dropped copy in the user's Temp directory, not the original sample.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic description for this signature; no file-encryption or note-dropping activity is recorded elsewhere in this report.)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege enabled by 15794af312d736e0ec89c9f7c39c219f0abe867bc10b7131f5ae9a2cf9feb390.exe (PID 1396).
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1396 (15794af312d736e0ec89c9f7c39c219f0abe867bc10b7131f5ae9a2cf9feb390.exe) wrote to memory of PID 1472 (MediaCenter.exe), 4 events
  PID 1396 (15794af312d736e0ec89c9f7c39c219f0abe867bc10b7131f5ae9a2cf9feb390.exe) wrote to memory of PID 432 (cmd.exe), 4 events
  PID 432 (cmd.exe) wrote to memory of PID 1140 (PING.EXE), 4 events
  Each writer/target pair is a parent/child pair in the process tree below, so these writes are consistent with the memory setup a parent performs when creating a child process; the report records no writes into a process the sample did not itself create.
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\15794af312d736e0ec89c9f7c39c219f0abe867bc10b7131f5ae9a2cf9feb390.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\15794af312d736e0ec89c9f7c39c219f0abe867bc10b7131f5ae9a2cf9feb390.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1396
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1472
  - (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15794af312d736e0ec89c9f7c39c219f0abe867bc10b7131f5ae9a2cf9feb390.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 432
    - (depth 3) C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1140
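The two behaviours worth turning into detections from this report are the "ping loopback then del" self-deletion chain and a Run value that points into a user-writable directory. The following Python is an added hunting example, not part of this sandbox report or of any vendor's tooling: it runs over constructed process-creation and registry-set events shaped after the tree above (the event record layout, the parent PID 1000 for the sample, the benign ping and OneDrive events and the HKCU SID are all assumptions) and flags both patterns, including the Wow6432Node view and whether the deleted file is the parent's own image.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed event records shaped after the report's process tree and registry
# signature; not a real telemetry format (Sysmon/EDR fields would map onto them).
@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executing image
    cmdline: str   # command line as launched

@dataclass
class RegEvent:
    pid: int       # process that wrote the value
    key: str       # full path of the value that was set
    data: str      # string data written

# "ping <loopback> & del <file>": ping only delays cmd.exe so the parent can exit
# and release its own file before del runs. Group 1 captures the deleted path.
SELF_DELETE_RE = re.compile(
    r'ping(?:\.exe)?\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost|::1)\b'
    r'[^&]*&+\s*(?:del|erase)\b(?:\s+/[a-z])*\s+"?([^"]+?)"?\s*$',
    re.IGNORECASE,
)
# Any value under a Run/RunOnce key, in either the native or the Wow6432Node view.
RUN_KEY_RE = re.compile(
    r'\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce|RunServices)\\[^\\]+$',
    re.IGNORECASE,
)
# Locations a non-admin user can write to; a Run value pointing here is rarely legitimate.
USER_WRITABLE_RE = re.compile(
    r'\\AppData\\(?:Local|Roaming)\\|\\ProgramData\\|\\Users\\Public\\|\\Windows\\Temp\\'
    r'|%(?:TEMP|TMP|APPDATA|LOCALAPPDATA)%',
    re.IGNORECASE,
)

def detect_self_delete(procs: List[ProcEvent]) -> List[dict]:
    """Flag cmd.exe instances that delay with ping and then delete a file,
    recording whether that file is the parent process's own image."""
    by_pid: Dict[int, ProcEvent] = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if not p.image.lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(p.cmdline)
        if not m:
            continue
        target = m.group(1).strip()
        parent: Optional[ProcEvent] = by_pid.get(p.ppid)
        hits.append({
            "pid": p.pid,
            "parent_pid": p.ppid,
            "deletes": target,
            "deletes_parent_image": parent is not None and parent.image.lower() == target.lower(),
        })
    return hits

def detect_run_key_persistence(regs: List[RegEvent], procs: List[ProcEvent]) -> List[dict]:
    """Flag Run-key values whose target lives in a user-writable directory."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for r in regs:
        if not RUN_KEY_RE.search(r.key):
            continue
        target = r.data.strip().strip('"')
        if not USER_WRITABLE_RE.search(target):
            continue
        writer = by_pid.get(r.pid)
        hits.append({
            "pid": r.pid,
            "value_name": r.key.rsplit("\\", 1)[-1],
            "wow64_view": "\\wow6432node\\" in r.key.lower(),
            "target": target,
            "writer_image": writer.image if writer else None,
        })
    return hits

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\15794af312d736e0ec89c9f7c39c219f0abe867bc10b7131f5ae9a2cf9feb390.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed from the report's process tree. PPID 1000 for the sample and the
# two benign events (PIDs 2000 and 2100, the HKCU SID) are assumptions.
SAMPLE_PROCS = [
    ProcEvent(1396, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1472, 1396, DROPPED, DROPPED),
    ProcEvent(432, 1396, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcEvent(1140, 432, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    ProcEvent(2000, 1500, r"C:\Windows\System32\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c ping -n 4 10.0.0.5'),  # benign connectivity check
]
SAMPLE_REGS = [
    RegEvent(1396, r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
             f'"{DROPPED}"'),
    RegEvent(2100, r"\REGISTRY\USER\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
             r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),  # benign, Program Files target
]

if __name__ == "__main__":
    for hit in detect_self_delete(SAMPLE_PROCS) + detect_run_key_persistence(SAMPLE_REGS, SAMPLE_PROCS):
        print(hit)
```

Run as-is it reports exactly two hits: cmd.exe PID 432 deleting the image of its parent PID 1396, and the MicroMedia value written into the Wow6432Node Run key by PID 1396 pointing at the Temp copy. The benign ping and the OneDrive Run value are not flagged. Matching on the parent's image rather than on ping alone is what keeps the self-delete rule from firing on ordinary connectivity checks.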
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 1d27a3d43d539b5e15ddf5e4846c73b5
  SHA1: bd4673acbeb618cf059bc6c9c91335da3081fb86
  SHA256: 679cfc21b27de54bc34b8fc2b07b131de02375c9047850bd2be28570b93d6241
  SHA512: 9016a4f8c8872858f283ca2aac87e7831e946a9e1e70a0930f1e5c65e5404d30dcafbd8f58c8410e1c1ad850331ab1b7c45bfd22e80615c012e3ab918755f12e