Analysis
- max time kernel: 117s
- max time network: 132s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:41
Static task: static1
Behavioral task: behavioral1
  Sample: 14cf2be24c452a873c90c1b8a5d511db15abdb74c5166be11fb11ea75cbe2812.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 14cf2be24c452a873c90c1b8a5d511db15abdb74c5166be11fb11ea75cbe2812.exe
  Resource: win10v2004-en-20220112
General
- Target: 14cf2be24c452a873c90c1b8a5d511db15abdb74c5166be11fb11ea75cbe2812.exe
- Size: 36KB
- MD5: def6a878a0eeb81ce0447437ff4460cb
- SHA1: 5dff2632a06fded661e80ab6950bf8108bbafa64
- SHA256: 14cf2be24c452a873c90c1b8a5d511db15abdb74c5166be11fb11ea75cbe2812
- SHA512: 8e195899cd1589d415211f1ac85343df7311daf8d76c6433f29b6f65dc92deabc83f2750d3cf7f9fcd1751a7c99604c898d71a599d32cb45a167731817fce891
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 964    process MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    pid 396    process cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 1520   process 14cf2be24c452a873c90c1b8a5d511db15abdb74c5166be11fb11ea75cbe2812.exe
    pid 1520   process 14cf2be24c452a873c90c1b8a5d511db15abdb74c5166be11fb11ea75cbe2812.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 14cf2be24c452a873c90c1b8a5d511db15abdb74c5166be11fb11ea75cbe2812.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeIncBasePriorityPrivilege
    pid: 1520
    process: 14cf2be24c452a873c90c1b8a5d511db15abdb74c5166be11fb11ea75cbe2812.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1520 wrote to memory of 964    1520   14cf2be24c452a873c90c1b8a5d511db15abdb74c5166be11fb11ea75cbe2812.exe   MediaCenter.exe
    PID 1520 wrote to memory of 964    1520   14cf2be24c452a873c90c1b8a5d511db15abdb74c5166be11fb11ea75cbe2812.exe   MediaCenter.exe
    PID 1520 wrote to memory of 964    1520   14cf2be24c452a873c90c1b8a5d511db15abdb74c5166be11fb11ea75cbe2812.exe   MediaCenter.exe
    PID 1520 wrote to memory of 964    1520   14cf2be24c452a873c90c1b8a5d511db15abdb74c5166be11fb11ea75cbe2812.exe   MediaCenter.exe
    PID 1520 wrote to memory of 396    1520   14cf2be24c452a873c90c1b8a5d511db15abdb74c5166be11fb11ea75cbe2812.exe   cmd.exe
    PID 1520 wrote to memory of 396    1520   14cf2be24c452a873c90c1b8a5d511db15abdb74c5166be11fb11ea75cbe2812.exe   cmd.exe
    PID 1520 wrote to memory of 396    1520   14cf2be24c452a873c90c1b8a5d511db15abdb74c5166be11fb11ea75cbe2812.exe   cmd.exe
    PID 1520 wrote to memory of 396    1520   14cf2be24c452a873c90c1b8a5d511db15abdb74c5166be11fb11ea75cbe2812.exe   cmd.exe
    PID 396 wrote to memory of 1144    396    cmd.exe   PING.EXE
    PID 396 wrote to memory of 1144    396    cmd.exe   PING.EXE
    PID 396 wrote to memory of 1144    396    cmd.exe   PING.EXE
    PID 396 wrote to memory of 1144    396    cmd.exe   PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\14cf2be24c452a873c90c1b8a5d511db15abdb74c5166be11fb11ea75cbe2812.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\14cf2be24c452a873c90c1b8a5d511db15abdb74c5166be11fb11ea75cbe2812.exe"
  PID: 1520
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 964
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14cf2be24c452a873c90c1b8a5d511db15abdb74c5166be11fb11ea75cbe2812.exe"
    PID: 396
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1144
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: da80ac6407ee2adc7578cfa9dac8dc3b
  SHA1: 9cf3ec1468a61fb89b3357a8805345508d8dcad8
  SHA256: 84cc0809702e8bb3631a0c76fa2a312175a9262a5d584cc157f69fa6f62ac99b
  SHA512: 852303f8f7e177b541fe627a696f33931b09a7a91920e29d3ba75fcf36019f2bd0fb4425994c865903331191da14f7d4c462a081defde8b54a34f9eac32b19ca