Analysis
max time kernel: 127s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 03:39
Static task: static1
Behavioral task: behavioral1
  Sample: 170a23278dd282a9e34bdbc3c3e02c7f0acb8572fbbc9074c1ec7184fe51119b.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 170a23278dd282a9e34bdbc3c3e02c7f0acb8572fbbc9074c1ec7184fe51119b.exe
  Resource: win10v2004-en-20220113
General
Target: 170a23278dd282a9e34bdbc3c3e02c7f0acb8572fbbc9074c1ec7184fe51119b.exe
Size: 36KB
MD5: 262d43923c588f4f86d48ca04b09bfc9
SHA1: fec215e62dd565a3f9265d397928fd0550c59b3a
SHA256: 170a23278dd282a9e34bdbc3c3e02c7f0acb8572fbbc9074c1ec7184fe51119b
SHA512: ac73aaf2e8b2fc48f882d804eea4a8fa5d1f25442550c8c24deb170ad8e4097b9ccf2e02b4180f1260919ab1035b9a40569735588233829bb09e3b28238e82ed
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  Processes (pid | process):
    4824 | MediaCenter.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 170a23278dd282a9e34bdbc3c3e02c7f0acb8572fbbc9074c1ec7184fe51119b.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 170a23278dd282a9e34bdbc3c3e02c7f0acb8572fbbc9074c1ec7184fe51119b.exe

Drops file in Windows directory (8 IoCs)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
    File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
    File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
    File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description | pid | process):
    Token: SeShutdownPrivilege | 1424 | svchost.exe
    Token: SeCreatePagefilePrivilege | 1424 | svchost.exe
    (the two svchost.exe entries above occur three times each, 6 entries in total)
    Token: SeIncBasePriorityPrivilege | 3492 | 170a23278dd282a9e34bdbc3c3e02c7f0acb8572fbbc9074c1ec7184fe51119b.exe
    Token: SeSecurityPrivilege | 2472 | TiWorker.exe
    Token: SeRestorePrivilege | 2472 | TiWorker.exe
    Token: SeBackupPrivilege | 2472 | TiWorker.exe
    (followed by the cycle SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege for pid 2472 TiWorker.exe, repeated; 57 of the 64 entries belong to TiWorker.exe)

Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
    PID 3492 wrote to memory of 4824 | 3492 | 170a23278dd282a9e34bdbc3c3e02c7f0acb8572fbbc9074c1ec7184fe51119b.exe | MediaCenter.exe (3 entries)
    PID 3492 wrote to memory of 2052 | 3492 | 170a23278dd282a9e34bdbc3c3e02c7f0acb8572fbbc9074c1ec7184fe51119b.exe | cmd.exe (3 entries)
    PID 2052 wrote to memory of 4944 | 2052 | cmd.exe | PING.EXE (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\170a23278dd282a9e34bdbc3c3e02c7f0acb8572fbbc9074c1ec7184fe51119b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\170a23278dd282a9e34bdbc3c3e02c7f0acb8572fbbc9074c1ec7184fe51119b.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3492

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 4824

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\170a23278dd282a9e34bdbc3c3e02c7f0acb8572fbbc9074c1ec7184fe51119b.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2052

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 4944

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1424

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2472
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: d5c2494a8094ae8bc4ca2477fc316659
SHA1: 9120400606ff698872c11b3fc1408aa03ff8e5a0
SHA256: 60ccc47f79bc80860a13e14fe9a63cdbeb2432f9bad8606614a026c6815d8081
SHA512: ff08ef00597367f0fb189f12552013114bb26f8aeaeda9a4b0f8b92405e2fde3c4e1b6690bf43ace5f174d4d09f8907bf54d92e92a31b8c34391e36af4b4c8cb