Analysis
Max time kernel: 147s
Max time network: 153s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220113
Submitted: 12-02-2022 03:32
Static task: static1
Behavioral task: behavioral1
  Sample: 1769e9a90e18ad43e5444dc70b03c196f6d5e374f34dd6c6e1a9e0f23a39d591.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1769e9a90e18ad43e5444dc70b03c196f6d5e374f34dd6c6e1a9e0f23a39d591.exe
  Resource: win10v2004-en-20220113
General
Target: 1769e9a90e18ad43e5444dc70b03c196f6d5e374f34dd6c6e1a9e0f23a39d591.exe
Size: 58KB
MD5: ee05a7b800720f11ca578650a9ffe380
SHA1: 30708704c48cafe9f58196ce35bede267942a36f
SHA256: 1769e9a90e18ad43e5444dc70b03c196f6d5e374f34dd6c6e1a9e0f23a39d591
SHA512: 1f73705833d933a10dc84e79703b704b42200412f68ff183911e349ec3f4da4e65680565523f017258992a329c896912c17b02af0c613843ca90cc9394859ee9
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes: MediaCenter.exe
  pid 1296: MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 1769e9a90e18ad43e5444dc70b03c196f6d5e374f34dd6c6e1a9e0f23a39d591.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (1769e9a90e18ad43e5444dc70b03c196f6d5e374f34dd6c6e1a9e0f23a39d591.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 1769e9a90e18ad43e5444dc70b03c196f6d5e374f34dd6c6e1a9e0f23a39d591.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (1769e9a90e18ad43e5444dc70b03c196f6d5e374f34dd6c6e1a9e0f23a39d591.exe)
Drops file in Windows directory (8 IoCs)
Processes: svchost.exe, TiWorker.exe
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
  File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  File opened for modification: C:\Windows\WindowsUpdate.log (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: svchost.exe (pid 2440), TiWorker.exe (pid 1988)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 1769e9a90e18ad43e5444dc70b03c196f6d5e374f34dd6c6e1a9e0f23a39d591.exe, cmd.exe
  PID 1792 wrote to memory of 1296: 1769e9a90e18ad43e5444dc70b03c196f6d5e374f34dd6c6e1a9e0f23a39d591.exe -> MediaCenter.exe
  PID 1792 wrote to memory of 1296: 1769e9a90e18ad43e5444dc70b03c196f6d5e374f34dd6c6e1a9e0f23a39d591.exe -> MediaCenter.exe
  PID 1792 wrote to memory of 1296: 1769e9a90e18ad43e5444dc70b03c196f6d5e374f34dd6c6e1a9e0f23a39d591.exe -> MediaCenter.exe
  PID 1792 wrote to memory of 1332: 1769e9a90e18ad43e5444dc70b03c196f6d5e374f34dd6c6e1a9e0f23a39d591.exe -> cmd.exe
  PID 1792 wrote to memory of 1332: 1769e9a90e18ad43e5444dc70b03c196f6d5e374f34dd6c6e1a9e0f23a39d591.exe -> cmd.exe
  PID 1792 wrote to memory of 1332: 1769e9a90e18ad43e5444dc70b03c196f6d5e374f34dd6c6e1a9e0f23a39d591.exe -> cmd.exe
  PID 1332 wrote to memory of 2280: cmd.exe -> PING.EXE
  PID 1332 wrote to memory of 2280: cmd.exe -> PING.EXE
  PID 1332 wrote to memory of 2280: cmd.exe -> PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\1769e9a90e18ad43e5444dc70b03c196f6d5e374f34dd6c6e1a9e0f23a39d591.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1769e9a90e18ad43e5444dc70b03c196f6d5e374f34dd6c6e1a9e0f23a39d591.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 1792
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1296
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1769e9a90e18ad43e5444dc70b03c196f6d5e374f34dd6c6e1a9e0f23a39d591.exe"
      - Suspicious use of WriteProcessMemory
      PID: 1332
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          - Runs ping.exe
          PID: 2280
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2440
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1988
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 83106d3aacd2e2e85327d6bdd1e32adb
SHA1: 385c7f355f24ab06645ea89afbce81d799856f36
SHA256: 8089975d93edacdf9deebc006c98f7e7b80b9f41a48b8789489094bf541db530
SHA512: f17f5d0f8cd0dd7340a6ba4a9be2f1159c553f4aea34c4f9516b6dd1b69dd6d9693b89dde1dc2606e1545fbc2d6d70c0615a6594dafd9e8ffcaac4098266b3ea