Analysis
max time kernel
122s
max time network
144s
platform
windows7_x64
resource
win7-en-20211208
submitted
12-02-2022 04:40
Static task
static1
Behavioral task
behavioral1
Sample
14dc30c9fed1f019f7afb2ab6deabd413bff030f2cbff0d1f5f4924801d9e4a7.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
14dc30c9fed1f019f7afb2ab6deabd413bff030f2cbff0d1f5f4924801d9e4a7.exe
Resource
win10v2004-en-20220113
General
Target
14dc30c9fed1f019f7afb2ab6deabd413bff030f2cbff0d1f5f4924801d9e4a7.exe
Size
35KB
MD5
64cba6f2cb8580cd00bda32d2ed36b03
SHA1
ba4a2eb93517ed9d496bd5794886740b4e58e4cf
SHA256
14dc30c9fed1f019f7afb2ab6deabd413bff030f2cbff0d1f5f4924801d9e4a7
SHA512
e8e4b741d98142d439e716623633a81c6137840127eb2dd2ca081f4f03401e760bb0c7b5a91022a72bf6037fd57fa8c61d48488ed7102b4457fa586753479e55
Malware Config
Signatures
- Executes dropped EXE 1 IoCs
  Processes:
  pid process
  1524 MediaCenter.exe

- Deletes itself 1 IoCs
  Processes:
  pid process
  1816 cmd.exe

- Loads dropped DLL 2 IoCs
  Processes:
  pid process
  1712 14dc30c9fed1f019f7afb2ab6deabd413bff030f2cbff0d1f5f4924801d9e4a7.exe
  1712 14dc30c9fed1f019f7afb2ab6deabd413bff030f2cbff0d1f5f4924801d9e4a7.exe

- Adds Run key to start application 2 TTPs 1 IoCs
  Processes:
  description ioc process
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 14dc30c9fed1f019f7afb2ab6deabd413bff030f2cbff0d1f5f4924801d9e4a7.exe

- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Runs ping.exe 1 TTPs 1 IoCs

- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes:
  description pid process
  Token: SeIncBasePriorityPrivilege 1712 14dc30c9fed1f019f7afb2ab6deabd413bff030f2cbff0d1f5f4924801d9e4a7.exe

- Suspicious use of WriteProcessMemory 12 IoCs
  Processes:
  description pid process target process
  PID 1712 wrote to memory of 1524 1712 14dc30c9fed1f019f7afb2ab6deabd413bff030f2cbff0d1f5f4924801d9e4a7.exe MediaCenter.exe
  PID 1712 wrote to memory of 1524 1712 14dc30c9fed1f019f7afb2ab6deabd413bff030f2cbff0d1f5f4924801d9e4a7.exe MediaCenter.exe
  PID 1712 wrote to memory of 1524 1712 14dc30c9fed1f019f7afb2ab6deabd413bff030f2cbff0d1f5f4924801d9e4a7.exe MediaCenter.exe
  PID 1712 wrote to memory of 1524 1712 14dc30c9fed1f019f7afb2ab6deabd413bff030f2cbff0d1f5f4924801d9e4a7.exe MediaCenter.exe
  PID 1712 wrote to memory of 1816 1712 14dc30c9fed1f019f7afb2ab6deabd413bff030f2cbff0d1f5f4924801d9e4a7.exe cmd.exe
  PID 1712 wrote to memory of 1816 1712 14dc30c9fed1f019f7afb2ab6deabd413bff030f2cbff0d1f5f4924801d9e4a7.exe cmd.exe
  PID 1712 wrote to memory of 1816 1712 14dc30c9fed1f019f7afb2ab6deabd413bff030f2cbff0d1f5f4924801d9e4a7.exe cmd.exe
  PID 1712 wrote to memory of 1816 1712 14dc30c9fed1f019f7afb2ab6deabd413bff030f2cbff0d1f5f4924801d9e4a7.exe cmd.exe
  PID 1816 wrote to memory of 428 1816 cmd.exe PING.EXE
  PID 1816 wrote to memory of 428 1816 cmd.exe PING.EXE
  PID 1816 wrote to memory of 428 1816 cmd.exe PING.EXE
  PID 1816 wrote to memory of 428 1816 cmd.exe PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\14dc30c9fed1f019f7afb2ab6deabd413bff030f2cbff0d1f5f4924801d9e4a7.exe
  "C:\Users\Admin\AppData\Local\Temp\14dc30c9fed1f019f7afb2ab6deabd413bff030f2cbff0d1f5f4924801d9e4a7.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1712
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID:1524
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14dc30c9fed1f019f7afb2ab6deabd413bff030f2cbff0d1f5f4924801d9e4a7.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1816
    - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      - Runs ping.exe
      PID:428
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5
97f96aede8f99e1562370719b9ddbe36
SHA1
26a0ce56847fe9f46789ae7b0c0dce54f993a7e2
SHA256
8f0aede71916778083f620e5b8b79c2109c97353b17b7e24a18cc6243d9c8c71
SHA512
5096c600983c689e92f305eb423bc6767e0f96125d5b2e32bed8d046241729be572827ff42cfa338b8f93e1adda47810c4216f2cd1acd16f089b490f41282cb0