Analysis
- max time kernel: 125s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 03:37
Static task: static1
Behavioral task: behavioral1
- Sample: 172d98f98740f9cf2dfdd6392f941402cffa240a6ab0d7594594e818deea8a8c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 172d98f98740f9cf2dfdd6392f941402cffa240a6ab0d7594594e818deea8a8c.exe
- Resource: win10v2004-en-20220113
General
- Target: 172d98f98740f9cf2dfdd6392f941402cffa240a6ab0d7594594e818deea8a8c.exe
- Size: 36KB
- MD5: 98b7e6a2cd93decea71d84f4ba29194e
- SHA1: f1b03589d35cf0d6aaae07474761246d3929647c
- SHA256: 172d98f98740f9cf2dfdd6392f941402cffa240a6ab0d7594594e818deea8a8c
- SHA512: ff23d0728812ec517a0c2be22204b6d668719bf04a29329bc2429826e1a20e7fe9e55067ab84b8e8322a8feb0def25f896835dbbf981c41975db0dc03ae2b5e6
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    MediaCenter.exe
      pid: 1236
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes:
    172d98f98740f9cf2dfdd6392f941402cffa240a6ab0d7594594e818deea8a8c.exe
      description: Key value queried
      ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    172d98f98740f9cf2dfdd6392f941402cffa240a6ab0d7594594e818deea8a8c.exe
      description: Set value (str)
      ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Drops file in Windows directory (8 IoCs)
  Processes:
    svchost.exe
      File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
      File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm
      File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log
      File opened for modification: C:\Windows\WindowsUpdate.log
      File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
      File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
    TiWorker.exe
      File opened for modification: C:\Windows\Logs\CBS\CBS.log
      File opened for modification: C:\Windows\WinSxS\pending.xml
  Note: both processes are Windows Update / servicing-stack components (svchost.exe hosting wuauserv, and TiWorker.exe) and appear in the process tree as top-level processes rather than children of the sample. Treat these writes as sandbox background activity unless other evidence ties them to the sample.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature labels it likely ransomware behaviour; no IoC is listed for it in this report, so treat that label as unconfirmed.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (64 Token entries in total, heavily repeated; the distinct privileges per process are):
    svchost.exe (pid 5012)
      Token: SeShutdownPrivilege
      Token: SeCreatePagefilePrivilege
    TiWorker.exe (pid 5060)
      Token: SeSecurityPrivilege
      Token: SeRestorePrivilege
      Token: SeBackupPrivilege
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    PID 956 (172d98f98740f9cf2dfdd6392f941402cffa240a6ab0d7594594e818deea8a8c.exe) wrote to memory of PID 1236 (MediaCenter.exe), 3 entries
    PID 956 (172d98f98740f9cf2dfdd6392f941402cffa240a6ab0d7594594e818deea8a8c.exe) wrote to memory of PID 2388 (cmd.exe), 3 entries
    PID 2388 (cmd.exe) wrote to memory of PID 704 (PING.EXE), 3 entries
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\172d98f98740f9cf2dfdd6392f941402cffa240a6ab0d7594594e818deea8a8c.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\172d98f98740f9cf2dfdd6392f941402cffa240a6ab0d7594594e818deea8a8c.exe"
      PID: 956
      - Checks computer location settings
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        PID: 1236
        - Executes dropped EXE
  - [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\172d98f98740f9cf2dfdd6392f941402cffa240a6ab0d7594594e818deea8a8c.exe"
        PID: 2388
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          PID: 704
          - Runs ping.exe
- [1] C:\Windows\system32\svchost.exe
      Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
      PID: 5012
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
      Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
      PID: 5060
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample (PID 956) drops and launches MediaCenter.exe from %LOCALAPPDATA%\Temp\MicroMedia, registers that path as the Run value "MicroMedia", then spawns cmd.exe to run `ping 127.0.0.1 & del /q <its own path>`. The ping is a short stall so that the original executable has exited by the time `del` runs, which means the file named under Target will no longer be on disk after execution; the persistence copy is MediaCenter.exe. The WOW6432Node Run key and the SysWOW64 paths (cmd.exe was requested as System32\cmd.exe and redirected) show a 32-bit binary running under WoW64. The svchost.exe (wuauserv) and TiWorker.exe entries are separate top-level processes, not children of the sample.
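Detection logic for the three sample-attributed behaviours in this report (Run-key persistence into a user-writable directory, self-deletion through a child `cmd.exe /c ping 127.0.0.1 & del /q <own path>`, and the Geo\Nation geofence lookup), written as an added example; it is not part of the sandbox report and not the sample's code. The ProcEvent/RegEvent records are constructed from the process tree and registry IoCs above; the field names, the `set`/`query` vocabulary and the key/value-name split are assumptions, not a real log schema.

```python
"""Flag the behaviours recorded in the report from constructed process and
registry events. Added example; schema and field names are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: Optional[int]
    image: str      # full path of the executable as launched
    cmdline: str


@dataclass
class RegEvent:
    pid: int
    op: str         # "set" or "query" (assumed vocabulary)
    key: str        # key path as the report prints it
    value_name: str
    data: str = ""  # value data for "set" events


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\172d98f98740f9cf2dfdd6392f941402cffa240a6ab0d7594594e818deea8a8c.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed from the report's process tree (PIDs and command lines as listed).
PROCS = [
    ProcEvent(956, None, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(1236, 956, DROPPED, DROPPED),
    ProcEvent(2388, 956, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'),
    ProcEvent(704, 2388, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]

# Constructed from the report's registry IoCs.
REGS = [
    RegEvent(956, "query",
             r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo",
             "Nation"),
    RegEvent(956, "set",
             r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
             "MicroMedia", DROPPED),
]

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
# Locations an unprivileged user can write to; a Run target here is a red flag.
USER_WRITABLE_RE = re.compile(r"\\(AppData|ProgramData|Users\\Public|Windows\\Temp)\\", re.I)
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo$", re.I)
# `del`/`erase` followed by a quoted or bare drive path ending in .exe
DEL_RE = re.compile(r'\b(?:del|erase)\b[^&|]*?"?([A-Za-z]:\\[^"&|]+?\.exe)"?', re.I)
PING_DELAY_RE = re.compile(r"\bping(?:\.exe)?\b", re.I)


def find_run_key_persistence(regs):
    """Run/RunOnce values whose target sits in a user-writable location."""
    return [{"pid": ev.pid, "value": ev.value_name, "target": ev.data}
            for ev in regs
            if ev.op == "set" and RUN_KEY_RE.search(ev.key) and USER_WRITABLE_RE.search(ev.data)]


def find_geofence_lookup(regs):
    """Reads of the configured country code (the report's 'likely geofence' signature)."""
    return [{"pid": ev.pid, "key": ev.key + "\\" + ev.value_name}
            for ev in regs
            if ev.op == "query" and GEO_KEY_RE.search(ev.key) and ev.value_name.lower() == "nation"]


def find_self_delete(procs):
    """cmd.exe children whose `del` target is their parent's own image path."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if not p.image.lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(p.cmdline)
        parent = by_pid.get(p.ppid)
        if m is None or parent is None or m.group(1).lower() != parent.image.lower():
            continue
        hits.append({
            "parent_pid": parent.pid,
            "parent_image": parent.image,
            "cmd_pid": p.pid,
            # ping to loopback is the usual stall so the parent has exited before `del` runs
            "ping_delay": bool(PING_DELAY_RE.search(p.cmdline)),
        })
    return hits


def triage(procs=PROCS, regs=REGS):
    return {
        "run_key_persistence": find_run_key_persistence(regs),
        "geofence_lookup": find_geofence_lookup(regs),
        "self_delete": find_self_delete(procs),
    }


if __name__ == "__main__":
    for name, hits in triage().items():
        print(f"{name}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

The self-delete rule deliberately requires the `del` target to equal the parent's image: a bare `cmd /c ping & del` match alone is noisy, while "a child deletes exactly the binary that spawned it" is rarely benign. Run against the constructed events, all three rules fire once, each attributed to PID 956.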
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 8202aaf2456c337314f9b657c3f4b519
  SHA1: 86ead074c36e6bbfc91b9cb9cec257a2ff5e1ba2
  SHA256: 2c1304fe7d7ec1c8afc4320aacd589d87d1659f1ae1caf2ad1e0f01edc551363
  SHA512: 685dcabf8e77800fc0acd267391971428f1a90fe8cb0b216acbb9f460932349d3d5dd2ac4ed10c52f40f4dc4aaf5653ebce53d59b6033d85b977d6ccbeb61179