Analysis
- max time kernel: 133s
- max time network: 149s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:42
Static task: static1
Behavioral task: behavioral1
- Sample: 14ba4a96cc237645949053be7b74705898307e79e3f12ac928f5c29ab2eee289.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 14ba4a96cc237645949053be7b74705898307e79e3f12ac928f5c29ab2eee289.exe
- Resource: win10v2004-en-20220113
General
- Target: 14ba4a96cc237645949053be7b74705898307e79e3f12ac928f5c29ab2eee289.exe
- Size: 36KB
- MD5: a158c071229e741e3e692c58d4e5b255
- SHA1: 9d20952d67c44b9e25b8cc1a8448e3dc88d3d0de
- SHA256: 14ba4a96cc237645949053be7b74705898307e79e3f12ac928f5c29ab2eee289
- SHA512: 6d2ea6ccec7bcc01000c38613a0b8d3674817af6b719b5b2222e0761ce3c75a6497535feebc6dadf6fd9f1a73641d71fee9ad1cfeff688a0a6c350302cb4c452
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 1072)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 1976)
- Loads dropped DLL (2 IoCs)
  Processes: 14ba4a96cc237645949053be7b74705898307e79e3f12ac928f5c29ab2eee289.exe (PID 964), two loads
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 14ba4a96cc237645949053be7b74705898307e79e3f12ac928f5c29ab2eee289.exe
  IoC: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 14ba4a96cc237645949053be7b74705898307e79e3f12ac928f5c29ab2eee289.exe (PID 964)
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 964 (14ba4a96cc237645949053be7b74705898307e79e3f12ac928f5c29ab2eee289.exe) wrote to memory of PID 1072 (MediaCenter.exe), 4 times
  PID 964 (14ba4a96cc237645949053be7b74705898307e79e3f12ac928f5c29ab2eee289.exe) wrote to memory of PID 1976 (cmd.exe), 4 times
  PID 1976 (cmd.exe) wrote to memory of PID 1968 (PING.EXE), 4 times
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\14ba4a96cc237645949053be7b74705898307e79e3f12ac928f5c29ab2eee289.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\14ba4a96cc237645949053be7b74705898307e79e3f12ac928f5c29ab2eee289.exe"
  PID: 964
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Depth 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1072
    - Executes dropped EXE
  - Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14ba4a96cc237645949053be7b74705898307e79e3f12ac928f5c29ab2eee289.exe"
    PID: 1976
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - Depth 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1968
      - Runs ping.exe
Downloads
- MD5: 5533c622fb92de79fd52a05e4513ac47
  SHA1: 70e33c7cd44ef45ecf72345bf2bf9cb2d30cca03
  SHA256: a5c007decbf7ae7a1831067601ab7803934eeb51da2039d3b6f75752c87e77ce
  SHA512: 24fa2104506ea015dd41fefc862ea1ab92c25ded78635ac6d524631dc8b06451c5df5b8a890293c1acde2ef4a65274dcd831c72595b6685a4d1d07dee892a3a2