Analysis
- max time kernel: 136s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 02:57
Static task: static1
Behavioral task: behavioral1
  Sample: 18f69cafa80da7f5f9dc6da53abc2afc42135397944cd520f0488fb7d68d4c47.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 18f69cafa80da7f5f9dc6da53abc2afc42135397944cd520f0488fb7d68d4c47.exe
  Resource: win10v2004-en-20220113
General
- Target: 18f69cafa80da7f5f9dc6da53abc2afc42135397944cd520f0488fb7d68d4c47.exe
- Size: 35KB
- MD5: 76dc0c82b7195f4dcd20df2f69ec616c
- SHA1: d6d5e8d7c26f79d491c7dad5e28a5c8db5d68f2d
- SHA256: 18f69cafa80da7f5f9dc6da53abc2afc42135397944cd520f0488fb7d68d4c47
- SHA512: 613560202942b24dd6099e7dcbd9cad351606168a8d419a9f9e68e881661b5779ac06287c9e9e9e6c1f8729d9d3110ee6b0f9d69d134e180ebd3b3d02563541c
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
    4664 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 18f69cafa80da7f5f9dc6da53abc2afc42135397944cd520f0488fb7d68d4c47.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 18f69cafa80da7f5f9dc6da53abc2afc42135397944cd520f0488fb7d68d4c47.exe
- Drops file in Windows directory (8 IoCs)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
    File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
    File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
    File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description | pid | process):
    Token: SeShutdownPrivilege | 868 | svchost.exe
    Token: SeCreatePagefilePrivilege | 868 | svchost.exe
    Token: SeShutdownPrivilege | 868 | svchost.exe
    Token: SeCreatePagefilePrivilege | 868 | svchost.exe
    Token: SeShutdownPrivilege | 868 | svchost.exe
    Token: SeCreatePagefilePrivilege | 868 | svchost.exe
    Token: SeSecurityPrivilege | 4168 | TiWorker.exe
    Token: SeRestorePrivilege | 4168 | TiWorker.exe
    Token: SeBackupPrivilege | 4168 | TiWorker.exe
    Token: SeIncBasePriorityPrivilege | 4908 | 18f69cafa80da7f5f9dc6da53abc2afc42135397944cd520f0488fb7d68d4c47.exe
    Token: SeBackupPrivilege | 4168 | TiWorker.exe
    Token: SeRestorePrivilege | 4168 | TiWorker.exe
    Token: SeSecurityPrivilege | 4168 | TiWorker.exe
    Token: SeBackupPrivilege | 4168 | TiWorker.exe
    Token: SeRestorePrivilege | 4168 | TiWorker.exe
    Token: SeSecurityPrivilege | 4168 | TiWorker.exe
    Token: SeBackupPrivilege | 4168 | TiWorker.exe
    Token: SeRestorePrivilege | 4168 | TiWorker.exe
    Token: SeSecurityPrivilege | 4168 | TiWorker.exe
    Token: SeBackupPrivilege | 4168 | TiWorker.exe
    Token: SeRestorePrivilege | 4168 | TiWorker.exe
    Token: SeSecurityPrivilege | 4168 | TiWorker.exe
    Token: SeBackupPrivilege | 4168 | TiWorker.exe
    Token: SeRestorePrivilege | 4168 | TiWorker.exe
    Token: SeSecurityPrivilege | 4168 | TiWorker.exe
    Token: SeBackupPrivilege | 4168 | TiWorker.exe
    Token: SeRestorePrivilege | 4168 | TiWorker.exe
    Token: SeSecurityPrivilege | 4168 | TiWorker.exe
    Token: SeBackupPrivilege | 4168 | TiWorker.exe
    Token: SeRestorePrivilege | 4168 | TiWorker.exe
    Token: SeSecurityPrivilege | 4168 | TiWorker.exe
    Token: SeBackupPrivilege | 4168 | TiWorker.exe
    Token: SeRestorePrivilege | 4168 | TiWorker.exe
    Token: SeSecurityPrivilege | 4168 | TiWorker.exe
    Token: SeBackupPrivilege | 4168 | TiWorker.exe
    Token: SeRestorePrivilege | 4168 | TiWorker.exe
    Token: SeSecurityPrivilege | 4168 | TiWorker.exe
    Token: SeBackupPrivilege | 4168 | TiWorker.exe
    Token: SeRestorePrivilege | 4168 | TiWorker.exe
    Token: SeSecurityPrivilege | 4168 | TiWorker.exe
    Token: SeBackupPrivilege | 4168 | TiWorker.exe
    Token: SeRestorePrivilege | 4168 | TiWorker.exe
    Token: SeSecurityPrivilege | 4168 | TiWorker.exe
    Token: SeBackupPrivilege | 4168 | TiWorker.exe
    Token: SeRestorePrivilege | 4168 | TiWorker.exe
    Token: SeSecurityPrivilege | 4168 | TiWorker.exe
    Token: SeBackupPrivilege | 4168 | TiWorker.exe
    Token: SeRestorePrivilege | 4168 | TiWorker.exe
    Token: SeSecurityPrivilege | 4168 | TiWorker.exe
    Token: SeBackupPrivilege | 4168 | TiWorker.exe
    Token: SeRestorePrivilege | 4168 | TiWorker.exe
    Token: SeSecurityPrivilege | 4168 | TiWorker.exe
    Token: SeBackupPrivilege | 4168 | TiWorker.exe
    Token: SeRestorePrivilege | 4168 | TiWorker.exe
    Token: SeSecurityPrivilege | 4168 | TiWorker.exe
    Token: SeBackupPrivilege | 4168 | TiWorker.exe
    Token: SeRestorePrivilege | 4168 | TiWorker.exe
    Token: SeSecurityPrivilege | 4168 | TiWorker.exe
    Token: SeBackupPrivilege | 4168 | TiWorker.exe
    Token: SeRestorePrivilege | 4168 | TiWorker.exe
    Token: SeSecurityPrivilege | 4168 | TiWorker.exe
    Token: SeBackupPrivilege | 4168 | TiWorker.exe
    Token: SeRestorePrivilege | 4168 | TiWorker.exe
    Token: SeSecurityPrivilege | 4168 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
    PID 4908 wrote to memory of 4664 | 4908 | 18f69cafa80da7f5f9dc6da53abc2afc42135397944cd520f0488fb7d68d4c47.exe | MediaCenter.exe
    PID 4908 wrote to memory of 4664 | 4908 | 18f69cafa80da7f5f9dc6da53abc2afc42135397944cd520f0488fb7d68d4c47.exe | MediaCenter.exe
    PID 4908 wrote to memory of 4664 | 4908 | 18f69cafa80da7f5f9dc6da53abc2afc42135397944cd520f0488fb7d68d4c47.exe | MediaCenter.exe
    PID 4908 wrote to memory of 536 | 4908 | 18f69cafa80da7f5f9dc6da53abc2afc42135397944cd520f0488fb7d68d4c47.exe | cmd.exe
    PID 4908 wrote to memory of 536 | 4908 | 18f69cafa80da7f5f9dc6da53abc2afc42135397944cd520f0488fb7d68d4c47.exe | cmd.exe
    PID 4908 wrote to memory of 536 | 4908 | 18f69cafa80da7f5f9dc6da53abc2afc42135397944cd520f0488fb7d68d4c47.exe | cmd.exe
    PID 536 wrote to memory of 4940 | 536 | cmd.exe | PING.EXE
    PID 536 wrote to memory of 4940 | 536 | cmd.exe | PING.EXE
    PID 536 wrote to memory of 4940 | 536 | cmd.exe | PING.EXE
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\18f69cafa80da7f5f9dc6da53abc2afc42135397944cd520f0488fb7d68d4c47.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\18f69cafa80da7f5f9dc6da53abc2afc42135397944cd520f0488fb7d68d4c47.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4908
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 4664
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18f69cafa80da7f5f9dc6da53abc2afc42135397944cd520f0488fb7d68d4c47.exe"
    - Suspicious use of WriteProcessMemory
    PID: 536
    - [depth 3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 4940
- [depth 1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 868
- [depth 1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4168
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: c2b8d431c09e8e9d83d44caa5e27785a
  SHA1: 3ee6286d5c586e3e0a8ba0f57af3030ec152ac36
  SHA256: 65d63bf35dc38cbcc3ded78bdc049648bea13fa8439a37c3574bb92840df4a53
  SHA512: 697430a7055bd6cc42132339ea994c96cfd587bf0104bf5c942f03789972b7ece8a5b84a9ea2f20c27e20333a5d5313939e146bdc1d9345285602234d6dfec1b