Analysis
max time kernel: 154s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 03:00
Static task: static1
Behavioral task: behavioral1
  Sample: 18d740eb030528093a815277b6c306bb64aea7b14a5f950e7f1731f3ad7c46c5.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 18d740eb030528093a815277b6c306bb64aea7b14a5f950e7f1731f3ad7c46c5.exe
  Resource: win10v2004-en-20220113
General
Target: 18d740eb030528093a815277b6c306bb64aea7b14a5f950e7f1731f3ad7c46c5.exe
Size: 58KB
MD5: d5f847c413c5e12be6f37fabb2cd4f24
SHA1: 39ac3babb1e4e7575644f4b89b2bb8f83b42995d
SHA256: 18d740eb030528093a815277b6c306bb64aea7b14a5f950e7f1731f3ad7c46c5
SHA512: a2d8463f49bd3d94c9b9de1b6ec2f5d4a2e58f7db50c4e3051222e5b08b2786be4c8a0a8b2644bcbd5730a4d161a45cd6890b45b16ccec7e736cc1442229420e
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Process: MediaCenter.exe, PID 1964
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Process: 18d740eb030528093a815277b6c306bb64aea7b14a5f950e7f1731f3ad7c46c5.exe
Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
The Nation value holds the numeric GeoID of the user's configured home location, so a read here is usually a check against a do-not-run list. The report records only the read, not the value returned or whether execution branched on it.
Adds Run key to start application (2 TTPs, 1 IoC)
Process: 18d740eb030528093a815277b6c306bb64aea7b14a5f950e7f1731f3ad7c46c5.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
The WOW6432Node path shows the sample is a 32-bit binary whose write to HKLM\Software\Microsoft\Windows\CurrentVersion\Run was redirected by the registry redirector on x64 (cmd.exe and PING.EXE in the process tree also launch from SysWOW64). When hunting on 64-bit hosts, check both the native Run key and its WOW6432Node counterpart. Writing under HKLM also requires administrative rights, which the sandbox's Admin account has.
Drops file in Windows directory (8 IoCs)
Processes: svchost.exe, TiWorker.exe
File opened for modification:
  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
  C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  C:\Windows\WindowsUpdate.log (svchost.exe)
  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
All eight writes come from the Windows Update service (svchost.exe -k netsvcs -p -s wuauserv) and the servicing-stack worker (TiWorker.exe), which the process tree shows as separate root processes, not descendants of the sample. Treat this signature as environment noise unless a link to the sample is found.
Enumerates physical storage devices (1 TTP, no IoCs listed)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The second sentence is the sandbox's generic description for this signature. The report attaches no IoC to it and records no file-encryption activity, so it is not a ransomware verdict on its own.
Runs ping.exe (1 TTP, 1 IoC)
Process: PING.EXE, PID 1184, command line "ping 127.0.0.1", spawned by cmd.exe (PID 1004). This is the delay half of the sample's self-delete command, listed under Processes.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: svchost.exe (PID 1444), TiWorker.exe (PID 4664)
Privileges enabled, de-duplicated from the 64 logged entries:
  svchost.exe (PID 1444): SeShutdownPrivilege, SeCreatePagefilePrivilege (enabled alternately, three times each)
  TiWorker.exe (PID 4664): SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege (cycled repeatedly for the remaining entries)
Both processes belong to Windows Update servicing, not to the sample's process tree, and backup/restore/security privileges are what the servicing stack normally enables to replace system files. This signature is environment noise here.
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 18d740eb030528093a815277b6c306bb64aea7b14a5f950e7f1731f3ad7c46c5.exe, cmd.exe
  PID 4468 (18d740eb030528093a815277b6c306bb64aea7b14a5f950e7f1731f3ad7c46c5.exe) wrote to memory of PID 1964 (MediaCenter.exe), three times
  PID 4468 (18d740eb030528093a815277b6c306bb64aea7b14a5f950e7f1731f3ad7c46c5.exe) wrote to memory of PID 1004 (cmd.exe), three times
  PID 1004 (cmd.exe) wrote to memory of PID 1184 (PING.EXE), three times
Every target is the writer's own freshly created child, which is consistent with ordinary process creation as the sandbox hooks it. Nothing here shows a write into an unrelated or pre-existing process, so this is not by itself evidence of code injection.
Processes
C:\Users\Admin\AppData\Local\Temp\18d740eb030528093a815277b6c306bb64aea7b14a5f950e7f1731f3ad7c46c5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\18d740eb030528093a815277b6c306bb64aea7b14a5f950e7f1731f3ad7c46c5.exe"
  PID: 4468
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of WriteProcessMemory
  Children:
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1964
      Signatures: Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18d740eb030528093a815277b6c306bb64aea7b14a5f950e7f1731f3ad7c46c5.exe"
      PID: 1004
      Signatures: Suspicious use of WriteProcessMemory
      Children:
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          PID: 1184
          Signatures: Runs ping.exe
  Note: the command line names System32\cmd.exe but the image that runs is SysWOW64\cmd.exe, because the 32-bit sample is subject to file-system redirection. "ping 127.0.0.1 & del /q <self>" is the common self-deletion idiom: ping's default four echo requests stall for roughly three seconds so the parent can exit, then del removes the original binary, leaving only the dropped MediaCenter.exe and its Run-key entry.

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 1444
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 4664
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
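The two behaviours the report attributes to the sample itself, the Run-key value pointing into %LOCALAPPDATA%\Temp and the "cmd /c ping 127.0.0.1 & del /q <self>" clean-up, are worth turning into detection logic. The following is an added example, not part of the sandbox report: it runs two rules over events constructed from this report's process tree in a Sysmon-like shape (event ID 1 = process create, 13 = registry value set). The field names, the two benign look-alike events and the rule names are assumptions made for the example.

```python
"""Detection rules for the persistence and self-delete pattern in this report.

Added example: the events below are constructed from the report's process
tree in a Sysmon-like shape, not real sandbox or Sysmon output.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int             # 1 = ProcessCreate, 13 = RegistryEvent (SetValue)
    pid: int
    image: str
    command_line: str = ""
    parent_pid: int = 0
    parent_image: str = ""
    target_object: str = ""   # registry path (event 13)
    details: str = ""         # value data (event 13)


# Matches the native Run/RunOnce keys and the WOW6432Node copy a 32-bit
# process lands in through the registry redirector, as the sample did.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
# Directories any interactive user can write to (assumed list for the example).
USER_WRITABLE_RE = re.compile(r"\\(AppData|Users\\Public|ProgramData)\\", re.I)
# ping 127.0.0.1 [options] & del [/switches] "<path>.exe"
SELF_DELETE_RE = re.compile(
    r'ping\s+127\.0\.0\.1[^&]*&\s*del\s+(?:/\w\s+)*"?(?P<target>[^"&]+?\.exe)"?', re.I)


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def run_key_to_user_writable(ev: Event) -> bool:
    """Autorun value whose data points into a user-writable directory."""
    return (ev.event_id == 13
            and RUN_KEY_RE.search(ev.target_object) is not None
            and USER_WRITABLE_RE.search(ev.details) is not None)


def self_delete_via_ping(ev: Event) -> bool:
    """cmd.exe whose 'del' target is its own parent's image: the parent exits
    while ping stalls, then the original binary is removed."""
    if ev.event_id != 1 or not ev.image.lower().endswith("\\cmd.exe"):
        return False
    m = SELF_DELETE_RE.search(ev.command_line)
    return m is not None and _norm(m.group("target")) == _norm(ev.parent_image)


def detect(events):
    """Return (rule, pid of the process to blame) for every hit, in event order."""
    findings = []
    for ev in events:
        if run_key_to_user_writable(ev):
            findings.append(("run_key_user_writable", ev.pid))
        if self_delete_via_ping(ev):
            # blame the parent: it is the binary being deleted
            findings.append(("self_delete_ping_del", ev.parent_pid))
    return findings


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\18d740eb030528093a815277b6c306bb64aea7b14a5f950e7f1731f3ad7c46c5.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed from the report's process tree, plus two benign look-alikes.
EVENTS = [
    Event(1, 4468, SAMPLE, f'"{SAMPLE}"'),
    Event(13, 4468, SAMPLE,
          target_object=r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
          details=DROPPED),
    Event(1, 1964, DROPPED, DROPPED, parent_pid=4468, parent_image=SAMPLE),
    Event(1, 1004, r"C:\Windows\SysWOW64\cmd.exe",
          f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"',
          parent_pid=4468, parent_image=SAMPLE),
    Event(1, 1184, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1",
          parent_pid=1004, parent_image=r"C:\Windows\SysWOW64\cmd.exe"),
    # benign: an installer registering its tray app under Program Files
    Event(13, 6000, r"C:\Program Files\Vendor\setup.exe",
          target_object=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
          details=r"C:\Program Files\Vendor\tray.exe"),
    # benign: a script that pings localhost but deletes nothing
    Event(1, 6001, r"C:\Windows\System32\cmd.exe", '"cmd.exe" /c ping 127.0.0.1 -n 2',
          parent_pid=6000, parent_image=r"C:\Program Files\Vendor\setup.exe"),
]

if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: PID {pid}")
```

Both hits resolve to PID 4468, the original sample, and neither benign event fires. The self-delete rule deliberately requires the del target to equal the parent's image path; a cmd.exe that pings and deletes some other file is a different (and noisier) signal. Sysmon does not log registry reads, so the Geo\Nation query in this report has no equivalent rule here.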
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 61f2de9275733f068b573725f7abb545
SHA1: aa9b6959d20921399997bf2fd69e742017a2286b
SHA256: 8531e8397ec8f4e107db27283d496c48d29bade8114bf23bb7c9a1ab1c22ee3f
SHA512: e4520f4c5ce27d04b604b06590ed16fea6ef7b1adb28505d0f1c1a4ba6a344b7f2163fd80bb673f1339f8a8067770127fcf6d1da27fa17224768ef84a177e533