Analysis
-
max time kernel
152s -
max time network
183s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 04:55
Static task
static1
Behavioral task
behavioral1
Sample
14028b2309ca15af5f69192d6727d1072b295bfd9941e0e8d9fd00301403747f.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
14028b2309ca15af5f69192d6727d1072b295bfd9941e0e8d9fd00301403747f.exe
Resource
win10v2004-en-20220113
General
-
Target
14028b2309ca15af5f69192d6727d1072b295bfd9941e0e8d9fd00301403747f.exe
-
Size
36KB
-
MD5
f11797239498a6cebd92f964b2b42912
-
SHA1
2f9d0702f042d97c13792f0591f405896c5c955d
-
SHA256
14028b2309ca15af5f69192d6727d1072b295bfd9941e0e8d9fd00301403747f
-
SHA512
690595e3f7548464c7419c6d81ab24bf36c7ef031e5fe2890e4d64b215957de2e374d5ba13ab60ab0f740c2d9be6a21240e86a780e6d5937cefd4b82309d825f
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1628 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 960 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
14028b2309ca15af5f69192d6727d1072b295bfd9941e0e8d9fd00301403747f.exepid process 1668 14028b2309ca15af5f69192d6727d1072b295bfd9941e0e8d9fd00301403747f.exe 1668 14028b2309ca15af5f69192d6727d1072b295bfd9941e0e8d9fd00301403747f.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
14028b2309ca15af5f69192d6727d1072b295bfd9941e0e8d9fd00301403747f.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 14028b2309ca15af5f69192d6727d1072b295bfd9941e0e8d9fd00301403747f.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
14028b2309ca15af5f69192d6727d1072b295bfd9941e0e8d9fd00301403747f.exedescription pid process Token: SeIncBasePriorityPrivilege 1668 14028b2309ca15af5f69192d6727d1072b295bfd9941e0e8d9fd00301403747f.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
14028b2309ca15af5f69192d6727d1072b295bfd9941e0e8d9fd00301403747f.execmd.exedescription pid process target process PID 1668 wrote to memory of 1628 1668 14028b2309ca15af5f69192d6727d1072b295bfd9941e0e8d9fd00301403747f.exe MediaCenter.exe PID 1668 wrote to memory of 1628 1668 14028b2309ca15af5f69192d6727d1072b295bfd9941e0e8d9fd00301403747f.exe MediaCenter.exe PID 1668 wrote to memory of 1628 1668 14028b2309ca15af5f69192d6727d1072b295bfd9941e0e8d9fd00301403747f.exe MediaCenter.exe PID 1668 wrote to memory of 1628 1668 14028b2309ca15af5f69192d6727d1072b295bfd9941e0e8d9fd00301403747f.exe MediaCenter.exe PID 1668 wrote to memory of 960 1668 14028b2309ca15af5f69192d6727d1072b295bfd9941e0e8d9fd00301403747f.exe cmd.exe PID 1668 wrote to memory of 960 1668 14028b2309ca15af5f69192d6727d1072b295bfd9941e0e8d9fd00301403747f.exe cmd.exe PID 1668 wrote to memory of 960 1668 14028b2309ca15af5f69192d6727d1072b295bfd9941e0e8d9fd00301403747f.exe cmd.exe PID 1668 wrote to memory of 960 1668 14028b2309ca15af5f69192d6727d1072b295bfd9941e0e8d9fd00301403747f.exe cmd.exe PID 960 wrote to memory of 780 960 cmd.exe PING.EXE PID 960 wrote to memory of 780 960 cmd.exe PING.EXE PID 960 wrote to memory of 780 960 cmd.exe PING.EXE PID 960 wrote to memory of 780 960 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\14028b2309ca15af5f69192d6727d1072b295bfd9941e0e8d9fd00301403747f.exe"C:\Users\Admin\AppData\Local\Temp\14028b2309ca15af5f69192d6727d1072b295bfd9941e0e8d9fd00301403747f.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14028b2309ca15af5f69192d6727d1072b295bfd9941e0e8d9fd00301403747f.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:780
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
d835f3502125146d093665817a9a8161
SHA14f215327d647d085ceb2fa5f348796ee5bf8a543
SHA256b6cb167beaf9c3b5dae5d60eaf30c61a03a837e1ff6b0e66c2c039431579c2e0
SHA5128cfba566d4ae0dab97fa0a847f51aa0d57c2ba8b7f9fedc3cca34ee60bf98813c30935d52971d0bfb1948d7786cd3f29b2a59c08af1e1bd68f6f4d1fd2474787
-
MD5
d835f3502125146d093665817a9a8161
SHA14f215327d647d085ceb2fa5f348796ee5bf8a543
SHA256b6cb167beaf9c3b5dae5d60eaf30c61a03a837e1ff6b0e66c2c039431579c2e0
SHA5128cfba566d4ae0dab97fa0a847f51aa0d57c2ba8b7f9fedc3cca34ee60bf98813c30935d52971d0bfb1948d7786cd3f29b2a59c08af1e1bd68f6f4d1fd2474787
-
MD5
d835f3502125146d093665817a9a8161
SHA14f215327d647d085ceb2fa5f348796ee5bf8a543
SHA256b6cb167beaf9c3b5dae5d60eaf30c61a03a837e1ff6b0e66c2c039431579c2e0
SHA5128cfba566d4ae0dab97fa0a847f51aa0d57c2ba8b7f9fedc3cca34ee60bf98813c30935d52971d0bfb1948d7786cd3f29b2a59c08af1e1bd68f6f4d1fd2474787