Analysis
max time kernel: 125s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 03:34

Static task: static1
Behavioral task: behavioral1
  Sample: 174334d2e7c1b019c07c2f497bf996ff72fcab4fbad0e02265866fb5f603f827.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 174334d2e7c1b019c07c2f497bf996ff72fcab4fbad0e02265866fb5f603f827.exe
  Resource: win10v2004-en-20220113
General
Target: 174334d2e7c1b019c07c2f497bf996ff72fcab4fbad0e02265866fb5f603f827.exe
Size: 60KB
MD5: 45e06e9c8d003437f143609c4abb8010
SHA1: 7dc81e173698acffcc56078bbc6ab3cba357744e
SHA256: 174334d2e7c1b019c07c2f497bf996ff72fcab4fbad0e02265866fb5f603f827
SHA512: d8f892eda8222a44e1f85e1f7114d7f569fb24a4006c64024adf223edddb29f13246089eee74fa6dcf4358c6b49677ff568503c5bb78a4cdd8f226839f13d508
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Processes:
    pid 1460  process MediaCenter.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
    process: 174334d2e7c1b019c07c2f497bf996ff72fcab4fbad0e02265866fb5f603f827.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 174334d2e7c1b019c07c2f497bf996ff72fcab4fbad0e02265866fb5f603f827.exe

Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log  svchost.exe
    File opened for modification  C:\Windows\Logs\CBS\CBS.log  TiWorker.exe
    File opened for modification  C:\Windows\WinSxS\pending.xml  TiWorker.exe
    File opened for modification  C:\Windows\WindowsUpdate.log  svchost.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, TiWorker.exe, 174334d2e7c1b019c07c2f497bf996ff72fcab4fbad0e02265866fb5f603f827.exe
    Token: SeShutdownPrivilege  pid 4380  svchost.exe
    Token: SeCreatePagefilePrivilege  pid 4380  svchost.exe
    Token: SeShutdownPrivilege  pid 4380  svchost.exe
    Token: SeCreatePagefilePrivilege  pid 4380  svchost.exe
    Token: SeShutdownPrivilege  pid 4380  svchost.exe
    Token: SeCreatePagefilePrivilege  pid 4380  svchost.exe
    Token: SeSecurityPrivilege  pid 1496  TiWorker.exe
    Token: SeRestorePrivilege  pid 1496  TiWorker.exe
    Token: SeBackupPrivilege  pid 1496  TiWorker.exe
    Token: SeIncBasePriorityPrivilege  pid 3636  174334d2e7c1b019c07c2f497bf996ff72fcab4fbad0e02265866fb5f603f827.exe
    The remaining 54 entries are 18 repetitions of the same TiWorker.exe (pid 1496) triplet, in the order SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege.

Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 174334d2e7c1b019c07c2f497bf996ff72fcab4fbad0e02265866fb5f603f827.exe, cmd.exe
    PID 3636 wrote to memory of 1460  pid 3636  174334d2e7c1b019c07c2f497bf996ff72fcab4fbad0e02265866fb5f603f827.exe  target MediaCenter.exe  (3 entries)
    PID 3636 wrote to memory of 3208  pid 3636  174334d2e7c1b019c07c2f497bf996ff72fcab4fbad0e02265866fb5f603f827.exe  target cmd.exe  (3 entries)
    PID 3208 wrote to memory of 3768  pid 3208  cmd.exe  target PING.EXE  (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\174334d2e7c1b019c07c2f497bf996ff72fcab4fbad0e02265866fb5f603f827.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\174334d2e7c1b019c07c2f497bf996ff72fcab4fbad0e02265866fb5f603f827.exe"
  PID: 3636
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1460
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\174334d2e7c1b019c07c2f497bf996ff72fcab4fbad0e02265866fb5f603f827.exe"
    PID: 3208
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 3768
      - Runs ping.exe

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4380
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 1496
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 5f928ff894dfe9b0d76ad22a46047666
SHA1: 6c89ae9d8abd4a89211e62ff39974654d8c793e9
SHA256: 9038485bd2f8350c4828e95fd7b9af815014a66a6b1ba83ab0164aad94284697
SHA512: 1dfa3fd4a0961e82ae989d782eadfd4b7d87f1bdacc5ea12b0b2155a21417591324ad53c94d2ce00b9c21c489b54f58a50e5072acf4981c319eeba01f33ba68b