Analysis
- max time kernel: 119s
- max time network: 123s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:42
Static task: static1
Behavioral task: behavioral1
- Sample: 14c5f2812f12c2ddf45554649de1b2aca89db0c4ffe43415a11bb924f3b4342a.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 14c5f2812f12c2ddf45554649de1b2aca89db0c4ffe43415a11bb924f3b4342a.exe
- Resource: win10v2004-en-20220113
General
- Target: 14c5f2812f12c2ddf45554649de1b2aca89db0c4ffe43415a11bb924f3b4342a.exe
- Size: 35KB
- MD5: ca0283db2eb9096d7c8e122b62d5f435
- SHA1: e1d6b1b5fb28615ab0c738b7d0cb6f28abd9abcd
- SHA256: 14c5f2812f12c2ddf45554649de1b2aca89db0c4ffe43415a11bb924f3b4342a
- SHA512: 3e1704b7d0e90dd3dc61022171d5f8549b5debd4931d6f15bdeb2c0525d3d784e34fb84865346c2bce20e88bc0d3bab306abeab637c159ca4f493417a2945a9d
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    1032  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid, process):
    808  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1592  14c5f2812f12c2ddf45554649de1b2aca89db0c4ffe43415a11bb924f3b4342a.exe
    1592  14c5f2812f12c2ddf45554649de1b2aca89db0c4ffe43415a11bb924f3b4342a.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  14c5f2812f12c2ddf45554649de1b2aca89db0c4ffe43415a11bb924f3b4342a.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege  1592  14c5f2812f12c2ddf45554649de1b2aca89db0c4ffe43415a11bb924f3b4342a.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1592 wrote to memory of 1032  1592  14c5f2812f12c2ddf45554649de1b2aca89db0c4ffe43415a11bb924f3b4342a.exe  MediaCenter.exe
    PID 1592 wrote to memory of 1032  1592  14c5f2812f12c2ddf45554649de1b2aca89db0c4ffe43415a11bb924f3b4342a.exe  MediaCenter.exe
    PID 1592 wrote to memory of 1032  1592  14c5f2812f12c2ddf45554649de1b2aca89db0c4ffe43415a11bb924f3b4342a.exe  MediaCenter.exe
    PID 1592 wrote to memory of 1032  1592  14c5f2812f12c2ddf45554649de1b2aca89db0c4ffe43415a11bb924f3b4342a.exe  MediaCenter.exe
    PID 1592 wrote to memory of 808  1592  14c5f2812f12c2ddf45554649de1b2aca89db0c4ffe43415a11bb924f3b4342a.exe  cmd.exe
    PID 1592 wrote to memory of 808  1592  14c5f2812f12c2ddf45554649de1b2aca89db0c4ffe43415a11bb924f3b4342a.exe  cmd.exe
    PID 1592 wrote to memory of 808  1592  14c5f2812f12c2ddf45554649de1b2aca89db0c4ffe43415a11bb924f3b4342a.exe  cmd.exe
    PID 1592 wrote to memory of 808  1592  14c5f2812f12c2ddf45554649de1b2aca89db0c4ffe43415a11bb924f3b4342a.exe  cmd.exe
    PID 808 wrote to memory of 1812  808  cmd.exe  PING.EXE
    PID 808 wrote to memory of 1812  808  cmd.exe  PING.EXE
    PID 808 wrote to memory of 1812  808  cmd.exe  PING.EXE
    PID 808 wrote to memory of 1812  808  cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\14c5f2812f12c2ddf45554649de1b2aca89db0c4ffe43415a11bb924f3b4342a.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\14c5f2812f12c2ddf45554649de1b2aca89db0c4ffe43415a11bb924f3b4342a.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1592
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1032
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14c5f2812f12c2ddf45554649de1b2aca89db0c4ffe43415a11bb924f3b4342a.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 808
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1812
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 9d9ee7aeb18e068637f6e392776e3d8c
  SHA1: 5791ab6db1044656788eee1b1a71137a31531451
  SHA256: 7c3306b85ed458004d83df0fe01125669e6710d4d42693a79131512a3cd0ae0d
  SHA512: 4da443ad043c6ac5842aaff93d62723a44f9a58df6f679667915afebf55896aced14e23ab5df12c952d9ac9bac332c8ba89e193f6d48a42402076f7ad9b092f2