Analysis
- max time kernel: 131s
- max time network: 166s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 02:56
Static task: static1
Behavioral task: behavioral1
  Sample: 18f889138a6159af9f83e8754bf8d4da67b0b00c68b3933450bd2361bc0f6152.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 18f889138a6159af9f83e8754bf8d4da67b0b00c68b3933450bd2361bc0f6152.exe
  Resource: win10v2004-en-20220113
General
- Target: 18f889138a6159af9f83e8754bf8d4da67b0b00c68b3933450bd2361bc0f6152.exe
- Size: 58KB
- MD5: 7f4ae3be759d7059e79cf6252d1ba703
- SHA1: 0b5274cb03dc0bc6342c7ee47345652f04625565
- SHA256: 18f889138a6159af9f83e8754bf8d4da67b0b00c68b3933450bd2361bc0f6152
- SHA512: 0cf56f2651ecb93af1119efeb6219308f746870b8a0be203fadfefc3f73a55ea5d11442888eb298c86e65d1ffb0987535118754a5c2433e6aac23c0ff260932d
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    5008  MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (process: 18f889138a6159af9f83e8754bf8d4da67b0b00c68b3933450bd2361bc0f6152.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (process: 18f889138a6159af9f83e8754bf8d4da67b0b00c68b3933450bd2361bc0f6152.exe)
- Drops file in Windows directory (8 IoCs)
  Processes:
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (process: svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (process: svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (process: svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (process: svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (process: svchost.exe)
    File opened for modification: C:\Windows\Logs\CBS\CBS.log (process: TiWorker.exe)
    File opened for modification: C:\Windows\WinSxS\pending.xml (process: TiWorker.exe)
    File opened for modification: C:\Windows\WindowsUpdate.log (process: svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    token                       pid   process
    SeShutdownPrivilege         4248  svchost.exe
    SeCreatePagefilePrivilege   4248  svchost.exe
    SeShutdownPrivilege         4248  svchost.exe
    SeCreatePagefilePrivilege   4248  svchost.exe
    SeShutdownPrivilege         4248  svchost.exe
    SeCreatePagefilePrivilege   4248  svchost.exe
    SeSecurityPrivilege         3104  TiWorker.exe
    SeRestorePrivilege          3104  TiWorker.exe
    SeBackupPrivilege           3104  TiWorker.exe
    SeIncBasePriorityPrivilege  2504  18f889138a6159af9f83e8754bf8d4da67b0b00c68b3933450bd2361bc0f6152.exe
    SeBackupPrivilege           3104  TiWorker.exe
    SeRestorePrivilege          3104  TiWorker.exe
    SeSecurityPrivilege         3104  TiWorker.exe
    SeBackupPrivilege           3104  TiWorker.exe
    SeRestorePrivilege          3104  TiWorker.exe
    SeSecurityPrivilege         3104  TiWorker.exe
    SeBackupPrivilege           3104  TiWorker.exe
    SeRestorePrivilege          3104  TiWorker.exe
    SeSecurityPrivilege         3104  TiWorker.exe
    SeBackupPrivilege           3104  TiWorker.exe
    SeRestorePrivilege          3104  TiWorker.exe
    SeSecurityPrivilege         3104  TiWorker.exe
    SeBackupPrivilege           3104  TiWorker.exe
    SeRestorePrivilege          3104  TiWorker.exe
    SeSecurityPrivilege         3104  TiWorker.exe
    SeBackupPrivilege           3104  TiWorker.exe
    SeRestorePrivilege          3104  TiWorker.exe
    SeSecurityPrivilege         3104  TiWorker.exe
    SeBackupPrivilege           3104  TiWorker.exe
    SeRestorePrivilege          3104  TiWorker.exe
    SeSecurityPrivilege         3104  TiWorker.exe
    SeBackupPrivilege           3104  TiWorker.exe
    SeRestorePrivilege          3104  TiWorker.exe
    SeSecurityPrivilege         3104  TiWorker.exe
    SeBackupPrivilege           3104  TiWorker.exe
    SeRestorePrivilege          3104  TiWorker.exe
    SeSecurityPrivilege         3104  TiWorker.exe
    SeBackupPrivilege           3104  TiWorker.exe
    SeRestorePrivilege          3104  TiWorker.exe
    SeSecurityPrivilege         3104  TiWorker.exe
    SeBackupPrivilege           3104  TiWorker.exe
    SeRestorePrivilege          3104  TiWorker.exe
    SeSecurityPrivilege         3104  TiWorker.exe
    SeBackupPrivilege           3104  TiWorker.exe
    SeRestorePrivilege          3104  TiWorker.exe
    SeSecurityPrivilege         3104  TiWorker.exe
    SeBackupPrivilege           3104  TiWorker.exe
    SeRestorePrivilege          3104  TiWorker.exe
    SeSecurityPrivilege         3104  TiWorker.exe
    SeBackupPrivilege           3104  TiWorker.exe
    SeRestorePrivilege          3104  TiWorker.exe
    SeSecurityPrivilege         3104  TiWorker.exe
    SeBackupPrivilege           3104  TiWorker.exe
    SeRestorePrivilege          3104  TiWorker.exe
    SeSecurityPrivilege         3104  TiWorker.exe
    SeBackupPrivilege           3104  TiWorker.exe
    SeRestorePrivilege          3104  TiWorker.exe
    SeSecurityPrivilege         3104  TiWorker.exe
    SeBackupPrivilege           3104  TiWorker.exe
    SeRestorePrivilege          3104  TiWorker.exe
    SeSecurityPrivilege         3104  TiWorker.exe
    SeBackupPrivilege           3104  TiWorker.exe
    SeRestorePrivilege          3104  TiWorker.exe
    SeSecurityPrivilege         3104  TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                       pid   process                                                                   target process
    PID 2504 wrote to memory of 5008  2504  18f889138a6159af9f83e8754bf8d4da67b0b00c68b3933450bd2361bc0f6152.exe  MediaCenter.exe
    PID 2504 wrote to memory of 5008  2504  18f889138a6159af9f83e8754bf8d4da67b0b00c68b3933450bd2361bc0f6152.exe  MediaCenter.exe
    PID 2504 wrote to memory of 5008  2504  18f889138a6159af9f83e8754bf8d4da67b0b00c68b3933450bd2361bc0f6152.exe  MediaCenter.exe
    PID 2504 wrote to memory of 4956  2504  18f889138a6159af9f83e8754bf8d4da67b0b00c68b3933450bd2361bc0f6152.exe  cmd.exe
    PID 2504 wrote to memory of 4956  2504  18f889138a6159af9f83e8754bf8d4da67b0b00c68b3933450bd2361bc0f6152.exe  cmd.exe
    PID 2504 wrote to memory of 4956  2504  18f889138a6159af9f83e8754bf8d4da67b0b00c68b3933450bd2361bc0f6152.exe  cmd.exe
    PID 4956 wrote to memory of 4832  4956  cmd.exe                                                                   PING.EXE
    PID 4956 wrote to memory of 4832  4956  cmd.exe                                                                   PING.EXE
    PID 4956 wrote to memory of 4832  4956  cmd.exe                                                                   PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\18f889138a6159af9f83e8754bf8d4da67b0b00c68b3933450bd2361bc0f6152.exe (PID: 2504)
  Command line: "C:\Users\Admin\AppData\Local\Temp\18f889138a6159af9f83e8754bf8d4da67b0b00c68b3933450bd2361bc0f6152.exe"
  Signatures:
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  Child processes:
    - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID: 5008)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Signatures:
        - Executes dropped EXE
    - C:\Windows\SysWOW64\cmd.exe (PID: 4956)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18f889138a6159af9f83e8754bf8d4da67b0b00c68b3933450bd2361bc0f6152.exe"
      Signatures:
        - Suspicious use of WriteProcessMemory
      Child processes:
        - C:\Windows\SysWOW64\PING.EXE (PID: 4832)
          Command line: ping 127.0.0.1
          Signatures:
            - Runs ping.exe
- C:\Windows\system32\svchost.exe (PID: 4248)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures:
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID: 3104)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures:
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 695f2889407c9bfb753dc47705813aa8
  SHA1: d06fcaef8a7c8d6c151b9bf7614b8f0f3fb2fb22
  SHA256: ef9f0e1814f1ddd189900c0a8cf81861c1db72d95b801dd3ecb36644c24171e9
  SHA512: 34a21ce226c43bdfe9b09220d47dfe2a80ef6d48830715930114fb214d0fc609c9a1f82500a2bd21106fb5ccdd09961dc67e840a13253b1dd2527ad1f632b296