Analysis
- max time kernel: 163s
- max time network: 169s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 03:20
Static task: static1
Behavioral task: behavioral1
- Sample: 17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe
- Resource: win10v2004-en-20220113
General
- Target: 17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe
- Size: 60KB
- MD5: 9d8c0111a81c0f9ec945597467d7167f
- SHA1: aad4d5baab10ebb2ac71e7857849456d22aa452a
- SHA256: 17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34
- SHA512: 662402ff021d1d36504a3c392d9aca76f4a0fc199c8df3b6d5e7d46637689211d241b70a67ade624961a9c8067df786e206c67aa40323d501f17baf3d172f2bd
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
    pid  | process
    5052 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe
    description       | ioc                                                                                                     | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe
    description     | ioc                                                                                                                                                              | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
    description                  | ioc                                                          | process
    File opened for modification | C:\Windows\WindowsUpdate.log                                 | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk       | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log       | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb      | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm      | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log          | svchost.exe
    File opened for modification | C:\Windows\Logs\CBS\CBS.log                                  | TiWorker.exe
    File opened for modification | C:\Windows\WinSxS\pending.xml                                | TiWorker.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, TiWorker.exe
    pid  | process      | tokens (in the order listed)
    1144 | svchost.exe  | SeShutdownPrivilege, SeCreatePagefilePrivilege, repeated three times (6 entries)
    4700 | TiWorker.exe | SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, then repeating cycles of SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, ending on SeBackupPrivilege (remaining entries, 64 listed in total)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe, cmd.exe
    description                       | pid  | process                                                               | target process
    PID 3484 wrote to memory of 5052  | 3484 | 17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe | MediaCenter.exe
    PID 3484 wrote to memory of 5052  | 3484 | 17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe | MediaCenter.exe
    PID 3484 wrote to memory of 5052  | 3484 | 17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe | MediaCenter.exe
    PID 3484 wrote to memory of 3284  | 3484 | 17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe | cmd.exe
    PID 3484 wrote to memory of 3284  | 3484 | 17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe | cmd.exe
    PID 3484 wrote to memory of 3284  | 3484 | 17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe | cmd.exe
    PID 3284 wrote to memory of 5080  | 3284 | cmd.exe                                                               | PING.EXE
    PID 3284 wrote to memory of 5080  | 3284 | cmd.exe                                                               | PING.EXE
    PID 3284 wrote to memory of 5080  | 3284 | cmd.exe                                                               | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 3484
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 5052
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\17dbb1b565504eaba879d10ab35b5478e35c4293158115ae0dca2339608d5a34.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3284
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 5080
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1144
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4700
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 00efa91973294eef9a90d6ef0b62dcdc
  SHA1: 5b76d7fea893c555ef0d1d23b3305bf26bb965bd
  SHA256: 7646514129a44277e97a3a1528d39f021360c6c202046b116e82dbfef02623d5
  SHA512: cebb7e1baaeaf852da6b4bfa5f1477f3eb91fec2e3693ed4a2aec2af67d54ec34d4ea429926245dbf1b01847efe0061d3767aa359cf13ba6056ed3a5aa4c374e