Analysis
- max time kernel: 135s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 02:51
Static task: static1
Behavioral task: behavioral1
- Sample: 194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e.exe
- Resource: win10v2004-en-20220113
General
- Target: 194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e.exe
- Size: 58KB
- MD5: f92cefd120143642dec344b1ef274b66
- SHA1: bd718fb5b00dd59ff62da41438ccdb1dc6ee108b
- SHA256: 194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e
- SHA512: bde6931b9fe7e2c0bf817c9d3387086e9b85992cc9fede4fb5841acc1bade3a6fd943e09ea07fad9b2c8c50068303dbddd40e048beed79586b3199fe140925c2
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
- PID 4888: MediaCenter.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e.exe)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e.exe)

Drops file in Windows directory (8 IoCs)
Processes:
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
- File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
- File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
- File opened for modification: C:\Windows\WindowsUpdate.log (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
- PID 3068 wrote to memory of 4888: 194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e.exe (3068) -> MediaCenter.exe
- PID 3068 wrote to memory of 4888: 194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e.exe (3068) -> MediaCenter.exe
- PID 3068 wrote to memory of 4888: 194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e.exe (3068) -> MediaCenter.exe
- PID 3068 wrote to memory of 4536: 194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e.exe (3068) -> cmd.exe
- PID 3068 wrote to memory of 4536: 194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e.exe (3068) -> cmd.exe
- PID 3068 wrote to memory of 4536: 194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e.exe (3068) -> cmd.exe
- PID 4536 wrote to memory of 1512: cmd.exe (4536) -> PING.EXE
- PID 4536 wrote to memory of 1512: cmd.exe (4536) -> PING.EXE
- PID 4536 wrote to memory of 1512: cmd.exe (4536) -> PING.EXE
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3068
  - Depth 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 4888
  - Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4536
    - Depth 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1512
- Depth 1: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4464
- Depth 1: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4836
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: eb4fb8ca3aec90e3bb5c089f531c78d4
- SHA1: bb2406bf951c12b33f58f590f3e9d07357aa74e6
- SHA256: 152744251d66f678c4798482725567680460ae4ad4addc775046a8ed9bd33e6b
- SHA512: 17207f81f8d63aa462790011047cdeba17d4d39968ab2a5e109836d6ba35c7a39f3404fbf5d10b400fc1555818781b85c09412cda786ecd45d6fe081bddd2bbf