Analysis

max time kernel: 153s
max time network: 189s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:46

Static task: static1

Behavioral task: behavioral1
Sample: 14783b438b9d28400e9f51a8e341e9256aa0c9e6fb048eda3928d00a7c05bf98.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 14783b438b9d28400e9f51a8e341e9256aa0c9e6fb048eda3928d00a7c05bf98.exe
Resource: win10v2004-en-20220113
General

Target: 14783b438b9d28400e9f51a8e341e9256aa0c9e6fb048eda3928d00a7c05bf98.exe
Size: 60KB
MD5: bc19c51db81793b2c069c2369b2e6490
SHA1: a5281304bed654ed0902640b21e0b347191e565c
SHA256: 14783b438b9d28400e9f51a8e341e9256aa0c9e6fb048eda3928d00a7c05bf98
SHA512: ec2313f3a986e38d1e601ab1f13d45af755809c33518cd6a1f122df43d183f5537858b3718889dd254698198b6cea51f6fbd2ddcbf3f8897d2e41fa8f5f7c297
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  1604  MediaCenter.exe

Deletes itself (1 IoC)
Processes:
  pid   process
  1456  cmd.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  964   14783b438b9d28400e9f51a8e341e9256aa0c9e6fb048eda3928d00a7c05bf98.exe
  964   14783b438b9d28400e9f51a8e341e9256aa0c9e6fb048eda3928d00a7c05bf98.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 14783b438b9d28400e9f51a8e341e9256aa0c9e6fb048eda3928d00a7c05bf98.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeIncBasePriorityPrivilege
  pid: 964
  process: 14783b438b9d28400e9f51a8e341e9256aa0c9e6fb048eda3928d00a7c05bf98.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description  |  pid  |  process  |  target process
  PID 964 wrote to memory of 1604  |  964  |  14783b438b9d28400e9f51a8e341e9256aa0c9e6fb048eda3928d00a7c05bf98.exe  |  MediaCenter.exe
  PID 964 wrote to memory of 1604  |  964  |  14783b438b9d28400e9f51a8e341e9256aa0c9e6fb048eda3928d00a7c05bf98.exe  |  MediaCenter.exe
  PID 964 wrote to memory of 1604  |  964  |  14783b438b9d28400e9f51a8e341e9256aa0c9e6fb048eda3928d00a7c05bf98.exe  |  MediaCenter.exe
  PID 964 wrote to memory of 1604  |  964  |  14783b438b9d28400e9f51a8e341e9256aa0c9e6fb048eda3928d00a7c05bf98.exe  |  MediaCenter.exe
  PID 964 wrote to memory of 1456  |  964  |  14783b438b9d28400e9f51a8e341e9256aa0c9e6fb048eda3928d00a7c05bf98.exe  |  cmd.exe
  PID 964 wrote to memory of 1456  |  964  |  14783b438b9d28400e9f51a8e341e9256aa0c9e6fb048eda3928d00a7c05bf98.exe  |  cmd.exe
  PID 964 wrote to memory of 1456  |  964  |  14783b438b9d28400e9f51a8e341e9256aa0c9e6fb048eda3928d00a7c05bf98.exe  |  cmd.exe
  PID 964 wrote to memory of 1456  |  964  |  14783b438b9d28400e9f51a8e341e9256aa0c9e6fb048eda3928d00a7c05bf98.exe  |  cmd.exe
  PID 1456 wrote to memory of 1572  |  1456  |  cmd.exe  |  PING.EXE
  PID 1456 wrote to memory of 1572  |  1456  |  cmd.exe  |  PING.EXE
  PID 1456 wrote to memory of 1572  |  1456  |  cmd.exe  |  PING.EXE
  PID 1456 wrote to memory of 1572  |  1456  |  cmd.exe  |  PING.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\14783b438b9d28400e9f51a8e341e9256aa0c9e6fb048eda3928d00a7c05bf98.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\14783b438b9d28400e9f51a8e341e9256aa0c9e6fb048eda3928d00a7c05bf98.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 964

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1604

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14783b438b9d28400e9f51a8e341e9256aa0c9e6fb048eda3928d00a7c05bf98.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1456

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 1572
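The process tree above records a short dropper chain: the sample (PID 964) writes MediaCenter.exe to a MicroMedia folder under the user's Temp directory, registers it under a Run key so it starts at logon, launches it, and then spawns cmd.exe to delete its own image file. Two details confirm the sample is a 32-bit binary running on 64-bit Windows: the Run value lands under Wow6432Node (registry redirection of HKLM\SOFTWARE), and cmd.exe requested as C:\Windows\System32\cmd.exe actually runs from C:\Windows\SysWOW64 (file-system redirection). The "ping 127.0.0.1 & del /q <self>" idiom is a generic stall-then-delete trick, not something specific to this family: ping only exists to give the parent time to exit so that del succeeds on a file that is no longer mapped. In current ATT&CK numbering these map to T1547.001 (Registry Run Keys) and T1070.004 (File Deletion); the report's tab references Enterprise v6, where the Run key technique was still T1060.

The following is an added hunting example written for this page; it is not code from the sandbox vendor or from the sample. It runs three heuristics over Sysmon-style events (EventID 1 process creation, EventID 13 registry value set): an autorun entry whose target lives in a temp directory, an executable launched from a temp directory by a parent that also lives there, and the cmd.exe ping-then-del self-delete pattern with the deleted path compared to the parent's image. The event records are constructed by hand to mirror the report's process tree and IoCs (field names follow Sysmon's, but nothing here is a captured log), and the regular expressions are the author's own heuristics, not a vendor signature; expect to tune the temp-path list and the Run key list for your estate.

```python
"""Hunt Sysmon-style events for the dropper behaviours recorded in the report.

Added example, not code from the report, the sandbox vendor or the sample.
Events below are constructed to mirror the report's process tree; field names
follow Sysmon conventions but the records are hand-written, not captured.
"""
import re
from typing import Dict, List

# Autorun value locations (HKLM/HKCU, native and Wow6432Node all match).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# User-writable staging locations an installed product has no reason to autorun from.
TEMP_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
# "ping <anything> & del [/switches] <path.exe>": ping is only there to stall until the
# parent's image is no longer mapped so that del succeeds.
SELF_DELETE_RE = re.compile(
    r'\bping\b[^&]*&\s*del\s+(?:/\w\s+)*"?(?P<target>[^"&]+?\.exe)"?', re.IGNORECASE)

SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "14783b438b9d28400e9f51a8e341e9256aa0c9e6fb048eda3928d00a7c05bf98.exe")
DROPPED = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"

# Constructed events modelled on the report (PIDs, paths and Run value taken from it),
# plus one benign control: a vendor installer registering its updater from Program Files.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 13, "ProcessId": 964, "Image": SAMPLE,
     "TargetObject": "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\MicroMedia",
     "Details": DROPPED},
    {"EventID": 1, "ProcessId": 1604, "Image": DROPPED, "ParentImage": SAMPLE,
     "CommandLine": DROPPED},
    {"EventID": 1, "ProcessId": 1456, "Image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "ParentImage": SAMPLE,
     "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 1572, "Image": "C:\\Windows\\SysWOW64\\PING.EXE",
     "ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe", "CommandLine": "ping 127.0.0.1"},
    {"EventID": 13, "ProcessId": 2000, "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater",
     "Details": "C:\\Program Files\\Vendor\\updater.exe"},
]


def _norm(path: str) -> str:
    """Case-fold and strip quotes so registry data and command-line paths compare equal."""
    return path.strip().strip('"').lower()


def check_autorun(event: Dict) -> List[str]:
    """EventID 13: a Run/RunOnce value whose data points into a temp directory."""
    if event.get("EventID") != 13:
        return []
    target, details = event.get("TargetObject", ""), event.get("Details", "")
    if RUN_KEY_RE.search(target) and TEMP_PATH_RE.search(details):
        return [f"autorun from temp dir: {target} -> {details} (pid {event.get('ProcessId')})"]
    return []


def check_dropped_exe(event: Dict) -> List[str]:
    """EventID 1: a temp-directory executable started by a parent that also lives in temp."""
    if event.get("EventID") != 1:
        return []
    image, parent = event.get("Image", ""), event.get("ParentImage", "")
    if TEMP_PATH_RE.search(image) and TEMP_PATH_RE.search(parent):
        return [f"dropped EXE executed from temp dir: {parent} -> {image} (pid {event.get('ProcessId')})"]
    return []


def check_self_delete(event: Dict) -> List[str]:
    """EventID 1: cmd.exe told to ping (stall) then del; flag harder when the target is the parent."""
    if event.get("EventID") != 1:
        return []
    match = SELF_DELETE_RE.search(event.get("CommandLine", ""))
    if not match:
        return []
    target, parent = _norm(match.group("target")), _norm(event.get("ParentImage", ""))
    pid = event.get("ProcessId")
    if target == parent:
        return [f"self-delete via ping/del: pid {pid} deletes its parent {parent}"]
    return [f"delayed delete via ping/del: pid {pid} -> {target}"]


def hunt(events: List[Dict]) -> List[str]:
    """Run every heuristic over every event; returns one line per finding."""
    findings: List[str] = []
    for event in events:
        findings += check_autorun(event) + check_dropped_exe(event) + check_self_delete(event)
    return findings


if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

Against the constructed events this yields three findings (the Run value, the MediaCenter.exe launch, and the cmd.exe self-delete) and stays silent on the Program Files installer. The self-delete check deliberately still reports a "delayed delete" when the del target is not the parent, because the same stall idiom is used to remove other dropped artifacts.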
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: fd6a9f916e99d9af13de1c4172de4724
SHA1: 3aef48a9d79af1bb22eb72c7078ef6d123439596
SHA256: b8e62566d1ab5861e56d5b0bbf19efc0501ea0023446d362b9f178c39317dc73
SHA512: 603d067c30d7d74dd7bb0c41199cba35b041266555c43c6202fb0b1f7a79adb2b5bd8e7c751b3ade013ce9a8a70c807a29104ca5b74bf9ca550f836300d988b5