Analysis
max time kernel: 128s
max time network: 156s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 06:07
Tasks
Static task: static1
Behavioral task: behavioral1 (Sample: 10d15f3cdcc378493ee1fa1721186344edd1515ed9d96870364dfaac165db30c.exe; Resource: win7-en-20211208)
Behavioral task: behavioral2 (Sample: 10d15f3cdcc378493ee1fa1721186344edd1515ed9d96870364dfaac165db30c.exe; Resource: win10v2004-en-20220112)
The signatures and process tree below are from the Windows 7 x64 run (win7-en-20211208, the platform listed under Analysis), i.e. behavioral1.
General
Target: 10d15f3cdcc378493ee1fa1721186344edd1515ed9d96870364dfaac165db30c.exe
Size: 60KB
MD5: 539e2c76ce632ef959e17b4c6e52ac72
SHA1: b4e8844de8208c1f9b18c03f0c9fe9f93c5abce6
SHA256: 10d15f3cdcc378493ee1fa1721186344edd1515ed9d96870364dfaac165db30c
SHA512: c4c8e09e6dc1da1db22c1b23f2281e037ebe09004d2be5b83d2362d2a8e2303c76c8f59c0e74ec03add00b6261af646c61145d8a575e79c0a9b9478fe60c40fb
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   process
  944   MediaCenter.exe

Deletes itself (1 IoC)
  pid   process
  1952  cmd.exe

Loads dropped DLL (2 IoCs)
  pid   process
  1704  10d15f3cdcc378493ee1fa1721186344edd1515ed9d96870364dfaac165db30c.exe
  1704  10d15f3cdcc378493ee1fa1721186344edd1515ed9d96870364dfaac165db30c.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 10d15f3cdcc378493ee1fa1721186344edd1515ed9d96870364dfaac165db30c.exe (PID 1704)
  Note: the value is written under the per-machine Run key (HKLM, reached through Wow6432Node because the sample is a 32-bit process on x64 Windows), so it needed the administrative rights the sandbox user "Admin" has. The autostart target is the dropped copy in the user's %LOCALAPPDATA%\Temp directory, not the original sample, which is deleted below.

Enumerates physical storage devices (1 TTP)
  Sandbox description: attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: this is a heuristic that also fires on ordinary drive enumeration; nothing else in this report (no mass file writes, no ransom note, no encryption-related signature) supports the ransomware label, so treat it as a weak indicator on its own.

Runs ping.exe (1 TTP, 1 IoC)
  pid   process
  1096  PING.EXE (ping 127.0.0.1, spawned by cmd.exe PID 1952 as the delay in the self-delete command)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  token                      pid   process
  SeIncBasePriorityPrivilege 1704  10d15f3cdcc378493ee1fa1721186344edd1515ed9d96870364dfaac165db30c.exe
  Note: this privilege is what a process needs to raise its own base priority class; enabling it is common and is not an escalation by itself.

Suspicious use of WriteProcessMemory (12 IoCs)
  source pid  source process                                                          target pid  target process   writes
  1704        10d15f3cdcc378493ee1fa1721186344edd1515ed9d96870364dfaac165db30c.exe    944         MediaCenter.exe  4
  1704        10d15f3cdcc378493ee1fa1721186344edd1515ed9d96870364dfaac165db30c.exe    1952        cmd.exe          4
  1952        cmd.exe                                                                 1096         PING.EXE         4
  Note: every write targets a process that the writer itself had just created, which is what the sandbox records for ordinary child-process creation; no write into a pre-existing process (i.e. no injection) is recorded.
Processes

1. C:\Users\Admin\AppData\Local\Temp\10d15f3cdcc378493ee1fa1721186344edd1515ed9d96870364dfaac165db30c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\10d15f3cdcc378493ee1fa1721186344edd1515ed9d96870364dfaac165db30c.exe"
   PID: 1704
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 944
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\10d15f3cdcc378493ee1fa1721186344edd1515ed9d96870364dfaac165db30c.exe"
      PID: 1952
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1096
         - Runs ping.exe

Reading the tree: the sample (PID 1704) drops and starts MediaCenter.exe, then launches cmd.exe with the classic self-delete one-liner. The command line names System32\cmd.exe but the image that runs is SysWOW64\cmd.exe: the 32-bit parent is subject to file-system redirection. "ping 127.0.0.1" sends four echo requests and takes roughly three seconds, long enough for the parent to exit and release its image so that "del /q" succeeds; the persistence entry already points at the dropped copy, so removing the original costs the malware nothing. For detection, the useful combination is a cmd.exe whose command line pairs a delay (ping or timeout) with "del" of its own parent's image path.
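Added example (not part of the sandbox report): detection logic, in Python, run over constructed Sysmon-style process-creation and registry events modelled on the tree and the Run-key IoC above, plus two benign decoys. It flags a Run/RunOnce value whose target lives in a user-writable scratch directory, and a cmd.exe whose command line delays with ping or timeout and then deletes the image of the process that spawned it. It generalises slightly beyond this sample (timeout as the delay, RunOnce, && as the separator). The event field names, the parent PID 1000 and the decoy events are assumptions.

```python
import re

# Constructed events modelled on the process tree and registry IoC above, plus
# two benign decoys (an updater registered from Program Files and an operator
# pinging from a shell). Field names are assumed, not sandbox output.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\10d15f3cdcc378493ee1fa1721186344edd1515ed9d96870364dfaac165db30c.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
RUN_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows"
           r"\CurrentVersion\Run\MicroMedia")

EVENTS = [
    {"type": "process_create", "pid": 1704, "ppid": 1000, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"type": "registry_set", "pid": 1704, "key": RUN_KEY, "value": DROPPED},
    {"type": "process_create", "pid": 944, "ppid": 1704, "image": DROPPED,
     "cmdline": DROPPED},
    {"type": "process_create", "pid": 1952, "ppid": 1704,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": rf'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process_create", "pid": 1096, "ppid": 1952,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    # benign decoys (assumed): neither should be flagged
    {"type": "registry_set", "pid": 2000,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Program Files\Vendor\updater.exe"},
    {"type": "process_create", "pid": 2100, "ppid": 1000,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & echo done'},
]

# Autostart keys, and scratch directories an unprivileged user can write to.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
SCRATCH_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp|Users\\Public)\\", re.I)
# "<delay> & del [/switches] <path>" at the end of a cmd.exe command line;
# group 1 captures the deleted path with or without surrounding quotes.
SELF_DELETE_RE = re.compile(
    r'\b(?:ping|timeout)\b[^&]*&+\s*del\b(?:\s+/\w+)*\s+"?([^"&]+?)"?\s*$', re.I)


def suspicious_run_keys(events):
    """Run/RunOnce values whose launch target sits in a user-writable scratch directory."""
    return [(e["pid"], e["key"], e["value"]) for e in events
            if e["type"] == "registry_set"
            and RUN_KEY_RE.search(e["key"])
            and SCRATCH_DIR_RE.search(e["value"])]


def self_delete_chains(events):
    """cmd.exe processes that delay with ping/timeout, then delete their parent's own image.

    Returns (parent pid, cmd.exe pid, deleted path) per hit. Requiring the deleted
    path to equal the parent's image is what separates this from ordinary cleanup.
    """
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    hits = []
    for e in procs.values():
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e["cmdline"])
        parent = procs.get(e["ppid"])
        if m and parent and m.group(1).strip().lower() == parent["image"].lower():
            hits.append((e["ppid"], e["pid"], m.group(1)))
    return hits


if __name__ == "__main__":
    for hit in suspicious_run_keys(EVENTS):
        print("Run key pointing into scratch dir:", hit)
    for hit in self_delete_chains(EVENTS):
        print("self-delete chain (parent, cmd.exe, deleted path):", hit)
```

Against the constructed events this reports exactly one Run-key hit (PID 1704 writing MicroMedia) and one self-delete chain (1704 -> 1952 deleting the sample's own path); the decoy updater entry and the decoy "ping & echo" shell are not flagged. The parent-image comparison is the part worth keeping in any production rule: "cmd /c ping ... & del ..." alone is noisy in installers and scripts.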
Network
MITRE ATT&CK Enterprise v6
Downloads
One file, listed once (its hashes differ from the submitted sample's, so it is not the sample itself):
MD5: 4984ac4e56fcbcae54109014f5386593
SHA1: 47981733d21a946f90b77d0807279d78e5999bac
SHA256: d5e30fd39788c8b91df7b223610d76635ecba1fa4dd418ef45240c222064658f
SHA512: 7669aa2fb8d3b7437dfa7ef5cc133443b2f4a7fd0e71e2e8dc1b0300c38cb93631553867f2cbdef0c64bd7ace037e4886a712e545119032fe543a42343266868