Analysis
- max time kernel: 135s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 03:12
Static task: static1
Behavioral task: behavioral1
- Sample: 185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe
- Resource: win10v2004-en-20220113
General
- Target: 185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe
- Size: 60KB
- MD5: 48e8723f537bcc52cd6a3e6a122551b2
- SHA1: 19da584170b3b811785cf75455e7fddfc10bb0ef
- SHA256: 185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e
- SHA512: 62821e1698cd77741ab379686d6eb50b5663adeed5583869d078242e577d3e58217cb5d9fa28972e8550efda56332bd2b0b98901d0a5696a5cb3ae2fb1e42653
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
    pid | process
    1704 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
    description | ioc | process
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
    File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
    File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
    File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, TiWorker.exe
    description | pid | process
    Token: SeShutdownPrivilege | 4200 | svchost.exe
    Token: SeCreatePagefilePrivilege | 4200 | svchost.exe
    Token: SeShutdownPrivilege | 4200 | svchost.exe
    Token: SeCreatePagefilePrivilege | 4200 | svchost.exe
    Token: SeShutdownPrivilege | 4200 | svchost.exe
    Token: SeCreatePagefilePrivilege | 4200 | svchost.exe
    Token: SeSecurityPrivilege | 3384 | TiWorker.exe
    Token: SeRestorePrivilege | 3384 | TiWorker.exe
    Token: SeBackupPrivilege | 3384 | TiWorker.exe
    Token: SeBackupPrivilege | 3384 | TiWorker.exe
    Token: SeRestorePrivilege | 3384 | TiWorker.exe
    Token: SeSecurityPrivilege | 3384 | TiWorker.exe
    Token: SeBackupPrivilege | 3384 | TiWorker.exe
    Token: SeRestorePrivilege | 3384 | TiWorker.exe
    Token: SeSecurityPrivilege | 3384 | TiWorker.exe
    Token: SeBackupPrivilege | 3384 | TiWorker.exe
    Token: SeRestorePrivilege | 3384 | TiWorker.exe
    Token: SeSecurityPrivilege | 3384 | TiWorker.exe
    Token: SeBackupPrivilege | 3384 | TiWorker.exe
    Token: SeRestorePrivilege | 3384 | TiWorker.exe
    Token: SeSecurityPrivilege | 3384 | TiWorker.exe
    Token: SeBackupPrivilege | 3384 | TiWorker.exe
    Token: SeRestorePrivilege | 3384 | TiWorker.exe
    Token: SeSecurityPrivilege | 3384 | TiWorker.exe
    Token: SeBackupPrivilege | 3384 | TiWorker.exe
    Token: SeRestorePrivilege | 3384 | TiWorker.exe
    Token: SeSecurityPrivilege | 3384 | TiWorker.exe
    Token: SeBackupPrivilege | 3384 | TiWorker.exe
    Token: SeRestorePrivilege | 3384 | TiWorker.exe
    Token: SeSecurityPrivilege | 3384 | TiWorker.exe
    Token: SeBackupPrivilege | 3384 | TiWorker.exe
    Token: SeRestorePrivilege | 3384 | TiWorker.exe
    Token: SeSecurityPrivilege | 3384 | TiWorker.exe
    Token: SeBackupPrivilege | 3384 | TiWorker.exe
    Token: SeRestorePrivilege | 3384 | TiWorker.exe
    Token: SeSecurityPrivilege | 3384 | TiWorker.exe
    Token: SeBackupPrivilege | 3384 | TiWorker.exe
    Token: SeRestorePrivilege | 3384 | TiWorker.exe
    Token: SeSecurityPrivilege | 3384 | TiWorker.exe
    Token: SeBackupPrivilege | 3384 | TiWorker.exe
    Token: SeRestorePrivilege | 3384 | TiWorker.exe
    Token: SeSecurityPrivilege | 3384 | TiWorker.exe
    Token: SeBackupPrivilege | 3384 | TiWorker.exe
    Token: SeRestorePrivilege | 3384 | TiWorker.exe
    Token: SeSecurityPrivilege | 3384 | TiWorker.exe
    Token: SeBackupPrivilege | 3384 | TiWorker.exe
    Token: SeRestorePrivilege | 3384 | TiWorker.exe
    Token: SeSecurityPrivilege | 3384 | TiWorker.exe
    Token: SeBackupPrivilege | 3384 | TiWorker.exe
    Token: SeRestorePrivilege | 3384 | TiWorker.exe
    Token: SeSecurityPrivilege | 3384 | TiWorker.exe
    Token: SeBackupPrivilege | 3384 | TiWorker.exe
    Token: SeRestorePrivilege | 3384 | TiWorker.exe
    Token: SeSecurityPrivilege | 3384 | TiWorker.exe
    Token: SeBackupPrivilege | 3384 | TiWorker.exe
    Token: SeRestorePrivilege | 3384 | TiWorker.exe
    Token: SeSecurityPrivilege | 3384 | TiWorker.exe
    Token: SeBackupPrivilege | 3384 | TiWorker.exe
    Token: SeRestorePrivilege | 3384 | TiWorker.exe
    Token: SeSecurityPrivilege | 3384 | TiWorker.exe
    Token: SeBackupPrivilege | 3384 | TiWorker.exe
    Token: SeRestorePrivilege | 3384 | TiWorker.exe
    Token: SeSecurityPrivilege | 3384 | TiWorker.exe
    Token: SeBackupPrivilege | 3384 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe, cmd.exe
    description | pid | process | target process
    PID 4892 wrote to memory of 1704 | 4892 | 185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe | MediaCenter.exe
    PID 4892 wrote to memory of 1704 | 4892 | 185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe | MediaCenter.exe
    PID 4892 wrote to memory of 1704 | 4892 | 185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe | MediaCenter.exe
    PID 4892 wrote to memory of 4216 | 4892 | 185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe | cmd.exe
    PID 4892 wrote to memory of 4216 | 4892 | 185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe | cmd.exe
    PID 4892 wrote to memory of 4216 | 4892 | 185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe | cmd.exe
    PID 4216 wrote to memory of 392 | 4216 | cmd.exe | PING.EXE
    PID 4216 wrote to memory of 392 | 4216 | cmd.exe | PING.EXE
    PID 4216 wrote to memory of 392 | 4216 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe"
  PID: 4892
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1704
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\185c4ca5b5d7a2f8c46c5edc0be69ea7162215011f9f45575c011098afcbfd9e.exe"
    PID: 4216
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 392
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4200
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3384
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 9b6d47aac2a57759bf446ccebdf898a8
  SHA1: 21b1a3eabbc95babbee7cc895fc9954c47b4b92f
  SHA256: a2a9a1cb2e7edea1ace026808740c2a12c0ac6eb52631db5cd0277546f77d708
  SHA512: 8239e9a86f9622e78d9e31cceaf646af93010e8bddaf2e239eae1d10d687bc7e6a54762b4d58fda297f8d6b5502cec40feea05601fcd4df3f7ba35b576eec7ce