Analysis
- max time kernel: 132s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 03:16
Static task: static1
Behavioral task: behavioral1
- Sample: 182c5d104737873675a686bc298b03d3728a30c4b94cca6c395b57619396be9c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 182c5d104737873675a686bc298b03d3728a30c4b94cca6c395b57619396be9c.exe
- Resource: win10v2004-en-20220113
General
- Target: 182c5d104737873675a686bc298b03d3728a30c4b94cca6c395b57619396be9c.exe
- Size: 60KB
- MD5: 17ed84fec9fa81d71f45307a70735d40
- SHA1: da31c582c77db9476edbd6923bd85d570d8398c6
- SHA256: 182c5d104737873675a686bc298b03d3728a30c4b94cca6c395b57619396be9c
- SHA512: 11d05045a76cb43829e0bc31b7f83debd9afb7ae23d874b89198ebd73aa121a063bb7a4450e0bfea04622cc494b9a2504ea6eb293521fed61904e205b0cac7d6
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 1888)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process: 182c5d104737873675a686bc298b03d3728a30c4b94cca6c395b57619396be9c.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 182c5d104737873675a686bc298b03d3728a30c4b94cca6c395b57619396be9c.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Drops file in Windows directory (8 IoCs)
  Processes: TiWorker.exe, svchost.exe
  File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  File opened for modification: C:\Windows\WindowsUpdate.log (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, TiWorker.exe
  svchost.exe (PID 4520), 6 entries: Token: SeShutdownPrivilege, Token: SeCreatePagefilePrivilege, Token: SeShutdownPrivilege, Token: SeCreatePagefilePrivilege, Token: SeShutdownPrivilege, Token: SeCreatePagefilePrivilege
  TiWorker.exe (PID 3776), 58 entries: Token: SeSecurityPrivilege, Token: SeRestorePrivilege and Token: SeBackupPrivilege, cycling repeatedly through the three privileges
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 182c5d104737873675a686bc298b03d3728a30c4b94cca6c395b57619396be9c.exe, cmd.exe
  PID 816 (182c5d104737873675a686bc298b03d3728a30c4b94cca6c395b57619396be9c.exe) wrote to memory of PID 1888 (MediaCenter.exe), 3 times
  PID 816 (182c5d104737873675a686bc298b03d3728a30c4b94cca6c395b57619396be9c.exe) wrote to memory of PID 2836 (cmd.exe), 3 times
  PID 2836 (cmd.exe) wrote to memory of PID 1208 (PING.EXE), 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\182c5d104737873675a686bc298b03d3728a30c4b94cca6c395b57619396be9c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\182c5d104737873675a686bc298b03d3728a30c4b94cca6c395b57619396be9c.exe"
  PID: 816
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1888
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\182c5d104737873675a686bc298b03d3728a30c4b94cca6c395b57619396be9c.exe"
    PID: 2836
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1208
      Signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4520
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3776
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: fb349b9377fe527239bf947bf293dc69
- SHA1: d59919f78f06093848e0ec6ce799e5d9242f8205
- SHA256: 135d22ecd24a5e55d4e0229307ee7495622e15d1e0c4b2d34498a42926a3e146
- SHA512: 358386075688a7e386db8a88081af04112ab1548f949531bef15d2c1d73259cdba59ddd68bbe1f6f61c71e4799fa80b0f78922ff123fb165e115c84a79aafbb4