Analysis
- max time kernel: 128s
- max time network: 159s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:21
Static task: static1
Behavioral task: behavioral1
- Sample: 15749e6c5d482c1f9e3820530ccdff2b7c0e9e17260c79d2dcab212a3a019d67.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 15749e6c5d482c1f9e3820530ccdff2b7c0e9e17260c79d2dcab212a3a019d67.exe
- Resource: win10v2004-en-20220113
General
- Target: 15749e6c5d482c1f9e3820530ccdff2b7c0e9e17260c79d2dcab212a3a019d67.exe
- Size: 60KB
- MD5: 70db31f61225d99e9901ad985c1f46ed
- SHA1: 45e8bf27cdd07468007e4c8184a5c53abd61505b
- SHA256: 15749e6c5d482c1f9e3820530ccdff2b7c0e9e17260c79d2dcab212a3a019d67
- SHA512: f23b49a77aa63c8518be499714f19f3fa543c68968e22dc064143857862c17e917f9205e61979e06b378fdb553cde519953ed2e5e8b0cb9e4235e742dc758a5a
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 1600, process MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: pid 1912, process cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 1672, process 15749e6c5d482c1f9e3820530ccdff2b7c0e9e17260c79d2dcab212a3a019d67.exe
    pid 1672, process 15749e6c5d482c1f9e3820530ccdff2b7c0e9e17260c79d2dcab212a3a019d67.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 15749e6c5d482c1f9e3820530ccdff2b7c0e9e17260c79d2dcab212a3a019d67.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeIncBasePriorityPrivilege
    pid: 1672
    process: 15749e6c5d482c1f9e3820530ccdff2b7c0e9e17260c79d2dcab212a3a019d67.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description; pid; process; target process):
    PID 1672 wrote to memory of 1600; 1672; 15749e6c5d482c1f9e3820530ccdff2b7c0e9e17260c79d2dcab212a3a019d67.exe; MediaCenter.exe (4 identical entries)
    PID 1672 wrote to memory of 1912; 1672; 15749e6c5d482c1f9e3820530ccdff2b7c0e9e17260c79d2dcab212a3a019d67.exe; cmd.exe (4 identical entries)
    PID 1912 wrote to memory of 1084; 1912; cmd.exe; PING.EXE (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\15749e6c5d482c1f9e3820530ccdff2b7c0e9e17260c79d2dcab212a3a019d67.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\15749e6c5d482c1f9e3820530ccdff2b7c0e9e17260c79d2dcab212a3a019d67.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1672
    - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1600
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15749e6c5d482c1f9e3820530ccdff2b7c0e9e17260c79d2dcab212a3a019d67.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1912
        - C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          - Runs ping.exe
          PID: 1084
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: a912a2f587ae0aa29bbe37c6e9ba6bb4
  SHA1: 6a156abbd59c16df9b1c744a87264bf566e14c5b
  SHA256: 40698a93799efadf79a1de8bd670857e41759d56a726e13c21e8880d70a92b48
  SHA512: be2f213cb8bdd46f776a87ac68119e813e1213cbca74b92178498e297ee04858c6b20542b11fd309933b059d4cc41f176bb9ee3bc1f30ce8ff069b867ea895ba