Analysis
- max time kernel: 139s
- max time network: 153s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:42
Static task: static1
Behavioral task: behavioral1
- Sample: 14c15011d5c84515b0d6b49428ec5b1cd9cb36d644b40f1d19c55d4878034d80.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 14c15011d5c84515b0d6b49428ec5b1cd9cb36d644b40f1d19c55d4878034d80.exe
- Resource: win10v2004-en-20220112
General
- Target: 14c15011d5c84515b0d6b49428ec5b1cd9cb36d644b40f1d19c55d4878034d80.exe
- Size: 36KB
- MD5: 3471bb17467370d6744dac020e63193d
- SHA1: 3da121f057cc9bbe6dd82ff4a854249148c9483d
- SHA256: 14c15011d5c84515b0d6b49428ec5b1cd9cb36d644b40f1d19c55d4878034d80
- SHA512: aec3e8780cb8a59558188773e98207daa01c453dc270c8aa6d3afc6d67195783eba5d2b165b8b257ec617674c73682e3f794f813a1399ae353cfa640cb357ab4
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe (PID 964)
- Deletes itself (1 IoCs)
  Processes: cmd.exe (PID 1324)
- Loads dropped DLL (2 IoCs)
  Processes: 14c15011d5c84515b0d6b49428ec5b1cd9cb36d644b40f1d19c55d4878034d80.exe (PID 1844), listed twice
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Process: 14c15011d5c84515b0d6b49428ec5b1cd9cb36d644b40f1d19c55d4878034d80.exe
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Process: 14c15011d5c84515b0d6b49428ec5b1cd9cb36d644b40f1d19c55d4878034d80.exe (PID 1844)
  Description: Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 14c15011d5c84515b0d6b49428ec5b1cd9cb36d644b40f1d19c55d4878034d80.exe, cmd.exe
  PID 1844 (14c15011d5c84515b0d6b49428ec5b1cd9cb36d644b40f1d19c55d4878034d80.exe) wrote to memory of PID 964 (MediaCenter.exe), 4 events
  PID 1844 (14c15011d5c84515b0d6b49428ec5b1cd9cb36d644b40f1d19c55d4878034d80.exe) wrote to memory of PID 1324 (cmd.exe), 4 events
  PID 1324 (cmd.exe) wrote to memory of PID 1992 (PING.EXE), 4 events
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\14c15011d5c84515b0d6b49428ec5b1cd9cb36d644b40f1d19c55d4878034d80.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\14c15011d5c84515b0d6b49428ec5b1cd9cb36d644b40f1d19c55d4878034d80.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1844
  - Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 964
  - Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14c15011d5c84515b0d6b49428ec5b1cd9cb36d644b40f1d19c55d4878034d80.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1324
    - Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1992
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 0439f9b3196d397bc76386ae230a2b5b
  SHA1: eb3b6f0ccd76b29cf3107499740e9fe8371e671a
  SHA256: b25d82ae5ee3ce3523be5e39eb09e8ee09d668ef42941563ea5212c7f4a315ec
  SHA512: 7450a8c92cbe07f379f99d10cab13e692cbf4e673ac763514606fb8e3f7da3789f3eb6e873770adcea32e3cafaad50addbaa2537df8b084257cefaf4b48893bc