Analysis
- max time kernel: 158s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 03:06

Static task: static1

Behavioral task: behavioral1
- Sample: 18930e73b60e643fca11e6cd1eda83518b007ab1fbcf499789f59d9a62fa57ae.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 18930e73b60e643fca11e6cd1eda83518b007ab1fbcf499789f59d9a62fa57ae.exe
- Resource: win10v2004-en-20220113
General
- Target: 18930e73b60e643fca11e6cd1eda83518b007ab1fbcf499789f59d9a62fa57ae.exe
- Size: 60KB
- MD5: c618ebe5d7700c3c9fdd0e253764d681
- SHA1: 1deaf1cca921a9bd111338f36e0dbb9dfd8c6d72
- SHA256: 18930e73b60e643fca11e6cd1eda83518b007ab1fbcf499789f59d9a62fa57ae
- SHA512: c363e9b3c789d233b2304d36ecccc04be2d07c58e36ecec75826767c07bf607edc635cc78e8c2476db9d8dc14c867e39b2950a7d3eb4d9567121689292cb79cf
Malware Config
Signatures
-
Executes dropped EXE (1 IoCs)
Processes: MediaCenter.exe
  pid   process
  3288  MediaCenter.exe
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 18930e73b60e643fca11e6cd1eda83518b007ab1fbcf499789f59d9a62fa57ae.exe
  description         ioc                                                                                                   process
  Key value queried   \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation   18930e73b60e643fca11e6cd1eda83518b007ab1fbcf499789f59d9a62fa57ae.exe
-
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: 18930e73b60e643fca11e6cd1eda83518b007ab1fbcf499789f59d9a62fa57ae.exe
  description       ioc                                                                                                                                                                         process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   18930e73b60e643fca11e6cd1eda83518b007ab1fbcf499789f59d9a62fa57ae.exe
-
Drops file in Windows directory (8 IoCs)
Processes: svchost.exe, TiWorker.exe
  description                    ioc                                                          process
  File opened for modification   C:\Windows\SoftwareDistribution\ReportingEvents.log          svchost.exe
  File opened for modification   C:\Windows\Logs\CBS\CBS.log                                  TiWorker.exe
  File opened for modification   C:\Windows\WinSxS\pending.xml                                TiWorker.exe
  File opened for modification   C:\Windows\WindowsUpdate.log                                 svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk       svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log       svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.edb      svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm      svchost.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe (1 TTPs, 1 IoCs)
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: svchost.exe, TiWorker.exe
  description                        pid   process
  Token: SeShutdownPrivilege         2920  svchost.exe
  Token: SeCreatePagefilePrivilege   2920  svchost.exe
  Token: SeShutdownPrivilege         2920  svchost.exe
  Token: SeCreatePagefilePrivilege   2920  svchost.exe
  Token: SeShutdownPrivilege         2920  svchost.exe
  Token: SeCreatePagefilePrivilege   2920  svchost.exe
  Token: SeSecurityPrivilege         2372  TiWorker.exe
  Token: SeRestorePrivilege          2372  TiWorker.exe
  Token: SeBackupPrivilege           2372  TiWorker.exe
  Token: SeBackupPrivilege           2372  TiWorker.exe
  Token: SeRestorePrivilege          2372  TiWorker.exe
  Token: SeSecurityPrivilege         2372  TiWorker.exe
  Token: SeBackupPrivilege           2372  TiWorker.exe
  Token: SeRestorePrivilege          2372  TiWorker.exe
  Token: SeSecurityPrivilege         2372  TiWorker.exe
  Token: SeBackupPrivilege           2372  TiWorker.exe
  Token: SeRestorePrivilege          2372  TiWorker.exe
  Token: SeSecurityPrivilege         2372  TiWorker.exe
  Token: SeBackupPrivilege           2372  TiWorker.exe
  Token: SeRestorePrivilege          2372  TiWorker.exe
  Token: SeSecurityPrivilege         2372  TiWorker.exe
  Token: SeBackupPrivilege           2372  TiWorker.exe
  Token: SeRestorePrivilege          2372  TiWorker.exe
  Token: SeSecurityPrivilege         2372  TiWorker.exe
  Token: SeBackupPrivilege           2372  TiWorker.exe
  Token: SeRestorePrivilege          2372  TiWorker.exe
  Token: SeSecurityPrivilege         2372  TiWorker.exe
  Token: SeBackupPrivilege           2372  TiWorker.exe
  Token: SeRestorePrivilege          2372  TiWorker.exe
  Token: SeSecurityPrivilege         2372  TiWorker.exe
  Token: SeBackupPrivilege           2372  TiWorker.exe
  Token: SeRestorePrivilege          2372  TiWorker.exe
  Token: SeSecurityPrivilege         2372  TiWorker.exe
  Token: SeBackupPrivilege           2372  TiWorker.exe
  Token: SeRestorePrivilege          2372  TiWorker.exe
  Token: SeSecurityPrivilege         2372  TiWorker.exe
  Token: SeBackupPrivilege           2372  TiWorker.exe
  Token: SeRestorePrivilege          2372  TiWorker.exe
  Token: SeSecurityPrivilege         2372  TiWorker.exe
  Token: SeBackupPrivilege           2372  TiWorker.exe
  Token: SeRestorePrivilege          2372  TiWorker.exe
  Token: SeSecurityPrivilege         2372  TiWorker.exe
  Token: SeBackupPrivilege           2372  TiWorker.exe
  Token: SeRestorePrivilege          2372  TiWorker.exe
  Token: SeSecurityPrivilege         2372  TiWorker.exe
  Token: SeBackupPrivilege           2372  TiWorker.exe
  Token: SeRestorePrivilege          2372  TiWorker.exe
  Token: SeSecurityPrivilege         2372  TiWorker.exe
  Token: SeBackupPrivilege           2372  TiWorker.exe
  Token: SeRestorePrivilege          2372  TiWorker.exe
  Token: SeSecurityPrivilege         2372  TiWorker.exe
  Token: SeBackupPrivilege           2372  TiWorker.exe
  Token: SeRestorePrivilege          2372  TiWorker.exe
  Token: SeSecurityPrivilege         2372  TiWorker.exe
  Token: SeBackupPrivilege           2372  TiWorker.exe
  Token: SeRestorePrivilege          2372  TiWorker.exe
  Token: SeSecurityPrivilege         2372  TiWorker.exe
  Token: SeBackupPrivilege           2372  TiWorker.exe
  Token: SeRestorePrivilege          2372  TiWorker.exe
  Token: SeSecurityPrivilege         2372  TiWorker.exe
  Token: SeBackupPrivilege           2372  TiWorker.exe
  Token: SeRestorePrivilege          2372  TiWorker.exe
  Token: SeSecurityPrivilege         2372  TiWorker.exe
  Token: SeBackupPrivilege           2372  TiWorker.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 18930e73b60e643fca11e6cd1eda83518b007ab1fbcf499789f59d9a62fa57ae.exe, cmd.exe
  description                         pid   process                                                                 target process
  PID 5028 wrote to memory of 3288    5028  18930e73b60e643fca11e6cd1eda83518b007ab1fbcf499789f59d9a62fa57ae.exe   MediaCenter.exe
  PID 5028 wrote to memory of 3288    5028  18930e73b60e643fca11e6cd1eda83518b007ab1fbcf499789f59d9a62fa57ae.exe   MediaCenter.exe
  PID 5028 wrote to memory of 3288    5028  18930e73b60e643fca11e6cd1eda83518b007ab1fbcf499789f59d9a62fa57ae.exe   MediaCenter.exe
  PID 5028 wrote to memory of 2868    5028  18930e73b60e643fca11e6cd1eda83518b007ab1fbcf499789f59d9a62fa57ae.exe   cmd.exe
  PID 5028 wrote to memory of 2868    5028  18930e73b60e643fca11e6cd1eda83518b007ab1fbcf499789f59d9a62fa57ae.exe   cmd.exe
  PID 5028 wrote to memory of 2868    5028  18930e73b60e643fca11e6cd1eda83518b007ab1fbcf499789f59d9a62fa57ae.exe   cmd.exe
  PID 2868 wrote to memory of 4484    2868  cmd.exe                                                                 PING.EXE
  PID 2868 wrote to memory of 4484    2868  cmd.exe                                                                 PING.EXE
  PID 2868 wrote to memory of 4484    2868  cmd.exe                                                                 PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\18930e73b60e643fca11e6cd1eda83518b007ab1fbcf499789f59d9a62fa57ae.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\18930e73b60e643fca11e6cd1eda83518b007ab1fbcf499789f59d9a62fa57ae.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 5028
  -
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 3288
  -
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18930e73b60e643fca11e6cd1eda83518b007ab1fbcf499789f59d9a62fa57ae.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2868
    -
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 4484
-
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2920
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2372
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: 7af77e447a130bfe3f9c34fc1ff44357
SHA1: 641a4779a406739b3c6d2c6eef7d45375a676e52
SHA256: 2d91c7fe445754c3416c833ae25ed650157317393ac954f39b27b42183e89338
SHA512: ec451b2abc30272653e6776705927ec017aa4988ad78caca43d771a8d23b4753cfe03df860ab6aaa5a0ee9283b20d8416cc5ca9e04dad27a778586f2bd76491b