Analysis
- max time kernel: 136s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 02:55
- Static task: static1
- Behavioral task: behavioral1
  Sample: 191163d1953773e2ad950b48d85500f7a3b06c01fd13237cac33ea82a5b47316.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 191163d1953773e2ad950b48d85500f7a3b06c01fd13237cac33ea82a5b47316.exe
  Resource: win10v2004-en-20220113
General
- Target: 191163d1953773e2ad950b48d85500f7a3b06c01fd13237cac33ea82a5b47316.exe
- Size: 58KB
- MD5: a5a43634382a66b893f78d913adf3ffe
- SHA1: 7ace171a82f063c42dac67ce170fc366a1bfd9e8
- SHA256: 191163d1953773e2ad950b48d85500f7a3b06c01fd13237cac33ea82a5b47316
- SHA512: 0a555ed95f236fcf5d404731d6a817cc5df73aed54f6985e79ee577a218d5808f767667c76ff024b7b42863aa847a13bca1ffbd801df452829049610341a8747
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 2116)
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  Process: 191163d1953773e2ad950b48d85500f7a3b06c01fd13237cac33ea82a5b47316.exe (PID 1596)
  Note: Geo\Nation holds the user's configured country; reading it before doing anything else is a common way for malware to refuse to run in certain regions. The report does not show which countries, if any, the sample excludes.
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Process: 191163d1953773e2ad950b48d85500f7a3b06c01fd13237cac33ea82a5b47316.exe (PID 1596)
  Note: this is the persistence mechanism. The value name is MicroMedia and it points at the copy the sample dropped into the user's Temp directory. The key lands under WOW6432Node because the sample is a 32-bit process on 64-bit Windows and its write to HKLM\SOFTWARE\...\Run is redirected by the registry redirector; a hunt that only checks the native Run key will miss it.
Drops file in Windows directory (8 IoCs)
  svchost.exe (PID 4884), file opened for modification:
    C:\Windows\WindowsUpdate.log
    C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
    C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
    C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
    C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm
    C:\Windows\SoftwareDistribution\ReportingEvents.log
  TiWorker.exe (PID 4272), file opened for modification:
    C:\Windows\Logs\CBS\CBS.log
    C:\Windows\WinSxS\pending.xml
  Note: none of these entries belong to the sample. PID 4884 is the Windows Update service host (svchost.exe -k netsvcs -p -s wuauserv) and PID 4272 is the Windows Modules Installer worker; both appear as separate root processes in the tree below, not as children of the sample. This is background servicing activity in the sandbox image.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: the report attaches no IoCs to this signature, and the "likely ransomware" wording is the sandbox's generic description of the heuristic. Nothing else in this report (no mass file modification, no ransom note, no dropped encryption artefacts) supports a ransomware classification on its own.
Runs ping.exe (1 TTP, 1 IoC)
  Process: PING.EXE (PID 2624), command line: ping 127.0.0.1
  Note: the ping targets localhost and is spawned from cmd.exe /c ping 127.0.0.1 & del /q "<sample>". It is not network reconnaissance; it is used as a short delay so that the original executable has exited before del removes it (see the process tree below).
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  191163d1953773e2ad950b48d85500f7a3b06c01fd13237cac33ea82a5b47316.exe (PID 1596):
    SeIncBasePriorityPrivilege (1 entry)
  svchost.exe (PID 4884):
    SeShutdownPrivilege (3 entries), SeCreatePagefilePrivilege (3 entries), alternating
  TiWorker.exe (PID 4272):
    SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, requested repeatedly in that cycle (57 entries in total)
  Note: the only token adjustment made by the sample is SeIncBasePriorityPrivilege. The svchost.exe and TiWorker.exe entries are the Windows Update service and the servicing worker enabling the backup/restore/security privileges they normally use; they are unrelated to the sample.
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 1596 (191163d1953773e2ad950b48d85500f7a3b06c01fd13237cac33ea82a5b47316.exe) wrote to memory of PID 2116 (MediaCenter.exe), 3 entries
  PID 1596 (191163d1953773e2ad950b48d85500f7a3b06c01fd13237cac33ea82a5b47316.exe) wrote to memory of PID 4520 (cmd.exe), 3 entries
  PID 4520 (cmd.exe) wrote to memory of PID 2624 (PING.EXE), 3 entries
  Note: in every case the target is a process that the writer itself launched (see the process tree). That pattern is what ordinary process creation looks like to this monitor, and the report contains no write into a pre-existing process that would indicate injection.
Processes

C:\Users\Admin\AppData\Local\Temp\191163d1953773e2ad950b48d85500f7a3b06c01fd13237cac33ea82a5b47316.exe  (PID 1596, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\191163d1953773e2ad950b48d85500f7a3b06c01fd13237cac33ea82a5b47316.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 2116, depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe  (PID 4520, depth 2)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\191163d1953773e2ad950b48d85500f7a3b06c01fd13237cac33ea82a5b47316.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE  (PID 2624, depth 3)
      command line: ping 127.0.0.1
      - Runs ping.exe

C:\Windows\system32\svchost.exe  (PID 4884, depth 1)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  (PID 4272, depth 1)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample copies itself to %LOCALAPPDATA%\Temp\MicroMedia\MediaCenter.exe, registers that copy under the Run key, launches it, and then removes the original through cmd.exe /c ping 127.0.0.1 & del /q "<original path>". The ping is a sleep: cmd.exe is a separate process, so by the time del runs the original executable has exited and is no longer locked. The command line names System32\cmd.exe but the image that actually ran is SysWOW64\cmd.exe, which confirms the sample is a 32-bit process subject to file system redirection on this x64 image (the same reason its Run key write landed under WOW6432Node). The svchost.exe and TiWorker.exe trees are unrelated Windows Update and servicing activity that happened to run during the analysis window.
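The three behaviours above (a Run value pointing into a user-writable directory, a dropped executable launched from Temp, and the cmd.exe "ping & del" self-delete) are all visible in ordinary process and registry telemetry. The following is an added example and not code from this report or the sandbox that produced it: Python hunting rules run over constructed events that mimic Sysmon Event ID 1 (process create) and Event ID 13 (registry value set) fields and carry the PIDs and paths from this report. The parent PIDs 900 and 700, the field names and the event shapes are assumptions; the rules are written to work on any event stream with equivalent fields.

```python
"""Hunt over process/registry telemetry for the behaviour in the report:
a Run key pointing into a user-writable directory, a dropped EXE launched
from Temp, and the cmd.exe "ping & del" self-delete idiom."""
import re
from typing import Dict, List, Optional

# Constructed events shaped like Sysmon Event ID 1 (process create) and
# Event ID 13 (registry value set). This is NOT real telemetry; the PIDs and
# paths are copied from the report, parent PIDs 900/700 are made up.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\191163d1953773e2ad950b48d85500f7a3b06c01fd13237cac33ea82a5b47316.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 1596, "ParentProcessId": 900, "Image": SAMPLE,
     "CommandLine": '"' + SAMPLE + '"'},
    {"EventID": 13, "ProcessId": 1596, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": DROPPED},
    {"EventID": 1, "ProcessId": 2116, "ParentProcessId": 1596, "Image": DROPPED,
     "CommandLine": DROPPED},
    {"EventID": 1, "ProcessId": 4520, "ParentProcessId": 1596,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'},
    {"EventID": 1, "ProcessId": 2624, "ParentProcessId": 4520,
     "Image": r"C:\Windows\SysWOW64\PING.EXE", "CommandLine": "ping 127.0.0.1"},
    # Windows Update host seen in the report; it must not trigger any rule.
    {"EventID": 1, "ProcessId": 4884, "ParentProcessId": 700,
     "Image": r"C:\Windows\system32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"},
]

# "/c ping <anything> & del [/flags] <path>": ping is only a sleep so the
# parent has exited before del runs on its image. Also accepts "&&" and "-n".
SELF_DELETE = re.compile(
    r'/c\s+ping\b[^&]*&+\s*del\s+(?:/\w+\s+)*"?(?P<path>[^"]+?)"?\s*$',
    re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\]+)$", re.IGNORECASE)
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")


def self_delete_target(ev: Dict) -> Optional[str]:
    """Return the path cmd.exe was told to delete after a ping delay, or None."""
    if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith("\\cmd.exe"):
        return None
    m = SELF_DELETE.search(ev.get("CommandLine", ""))
    return m.group("path") if m else None


def run_key_into_user_writable(ev: Dict) -> Optional[str]:
    """Return 'ValueName -> target' when a Run/RunOnce value points into a
    user-writable directory (WOW6432Node keys match too), or None."""
    if ev.get("EventID") != 13:
        return None
    m = RUN_KEY.search(ev.get("TargetObject", ""))
    if not m:
        return None
    target = ev.get("Details", "").strip('"')
    if any(frag in target.lower() for frag in USER_WRITABLE):
        return f"{m.group('name')} -> {target}"
    return None


def hunt(events: List[Dict]) -> List[Dict]:
    """Correlate the events by PID and return a list of findings."""
    by_pid = {e["ProcessId"]: e for e in events if e.get("EventID") == 1}
    findings = []
    for ev in events:
        parent = by_pid.get(ev.get("ParentProcessId"))
        path = self_delete_target(ev)
        if path:
            # Strongest form: the file being deleted is the parent's own image.
            own_image = parent is not None and parent["Image"].lower() == path.lower()
            findings.append({"rule": "cmd_ping_del_self_delete", "pid": ev["ProcessId"],
                             "detail": path, "parent_is_target": own_image})
        rk = run_key_into_user_writable(ev)
        if rk:
            findings.append({"rule": "run_key_user_writable", "pid": ev["ProcessId"],
                             "detail": rk, "parent_is_target": False})
        img = ev.get("Image", "").lower()
        if (ev.get("EventID") == 1 and parent is not None
                and USER_WRITABLE[0] in img and USER_WRITABLE[0] in parent["Image"].lower()):
            # An EXE in Temp started by another EXE in Temp: the dropped-copy launch.
            findings.append({"rule": "temp_exe_launched_from_temp", "pid": ev["ProcessId"],
                             "detail": ev["Image"], "parent_is_target": False})
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"{f['rule']:28} pid={f['pid']:<5} {f['detail']}")
```

Run against the constructed events, the three rules fire once each (PIDs 4520, 1596 and 2116) and stay silent on the wuauserv svchost.exe. The self-delete rule keys on the image path rather than the command line's System32 text, so the SysWOW64 redirection seen in the report does not matter to it; the Run key rule deliberately matches both the native and the WOW6432Node key paths.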
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 82df13489bfd4da5356bfcd306dd5e8c
  SHA1: 0bb44941c8d41a9b147155bad83b1f6d6ad66cb3
  SHA256: aef9ae361ade71c8851fed088575171c043777b0223195f0ec4b607b22c510c4
  SHA512: 85512dd9f8a58236a6287ccbf4c9341d368b42511308659b8907d163d107ee7e70850e76c655224d903a27a45bb1ddb88722d3cc7a940455fc311cdc2803d0c6
  (the report lists this identical entry twice; the file it corresponds to is not named)