Analysis
-
max time kernel
143s -
max time network
172s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 03:19
Static task
static1
Behavioral task
behavioral1
Sample
17f685852cc584d950834ce09b56cac5293856f19ddf55ae958a383b9588df43.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
17f685852cc584d950834ce09b56cac5293856f19ddf55ae958a383b9588df43.exe
Resource
win10v2004-en-20220113
General
-
Target
17f685852cc584d950834ce09b56cac5293856f19ddf55ae958a383b9588df43.exe
-
Size
35KB
-
MD5
2079e6d43e8c8196de30931891230d2e
-
SHA1
b27f6fed23701d4d06e49839602a1e962561ac2c
-
SHA256
17f685852cc584d950834ce09b56cac5293856f19ddf55ae958a383b9588df43
-
SHA512
b0e0b72456eea4f2c2e58c82bd1e8a490a91edd506b8643a889644e668d0599695e81c10babf4efaadf4a1a28d54ad34d2b1c5fbcb32dd9b9f4fcc17c2577075
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 408 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
17f685852cc584d950834ce09b56cac5293856f19ddf55ae958a383b9588df43.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 17f685852cc584d950834ce09b56cac5293856f19ddf55ae958a383b9588df43.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
17f685852cc584d950834ce09b56cac5293856f19ddf55ae958a383b9588df43.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 17f685852cc584d950834ce09b56cac5293856f19ddf55ae958a383b9588df43.exe -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exe17f685852cc584d950834ce09b56cac5293856f19ddf55ae958a383b9588df43.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 4936 svchost.exe Token: SeCreatePagefilePrivilege 4936 svchost.exe Token: SeShutdownPrivilege 4936 svchost.exe Token: SeCreatePagefilePrivilege 4936 svchost.exe Token: SeShutdownPrivilege 4936 svchost.exe Token: SeCreatePagefilePrivilege 4936 svchost.exe Token: SeIncBasePriorityPrivilege 1292 17f685852cc584d950834ce09b56cac5293856f19ddf55ae958a383b9588df43.exe Token: SeSecurityPrivilege 628 TiWorker.exe Token: SeRestorePrivilege 628 TiWorker.exe Token: SeBackupPrivilege 628 TiWorker.exe Token: SeBackupPrivilege 628 TiWorker.exe Token: SeRestorePrivilege 628 TiWorker.exe Token: SeSecurityPrivilege 628 TiWorker.exe Token: SeBackupPrivilege 628 TiWorker.exe Token: SeRestorePrivilege 628 TiWorker.exe Token: SeSecurityPrivilege 628 TiWorker.exe Token: SeBackupPrivilege 628 TiWorker.exe Token: SeRestorePrivilege 628 TiWorker.exe Token: SeSecurityPrivilege 628 TiWorker.exe Token: SeBackupPrivilege 628 TiWorker.exe Token: SeRestorePrivilege 628 TiWorker.exe Token: SeSecurityPrivilege 628 TiWorker.exe Token: SeBackupPrivilege 628 TiWorker.exe Token: SeRestorePrivilege 628 TiWorker.exe Token: SeSecurityPrivilege 628 TiWorker.exe Token: SeBackupPrivilege 628 TiWorker.exe Token: SeRestorePrivilege 628 TiWorker.exe Token: SeSecurityPrivilege 628 TiWorker.exe Token: SeBackupPrivilege 628 TiWorker.exe Token: SeRestorePrivilege 628 TiWorker.exe Token: SeSecurityPrivilege 628 TiWorker.exe Token: SeBackupPrivilege 628 TiWorker.exe Token: SeRestorePrivilege 628 TiWorker.exe Token: SeSecurityPrivilege 628 TiWorker.exe Token: SeBackupPrivilege 628 TiWorker.exe Token: SeRestorePrivilege 628 TiWorker.exe Token: SeSecurityPrivilege 628 TiWorker.exe Token: SeBackupPrivilege 628 TiWorker.exe Token: SeRestorePrivilege 628 TiWorker.exe Token: SeSecurityPrivilege 628 TiWorker.exe Token: SeBackupPrivilege 628 TiWorker.exe Token: SeRestorePrivilege 628 TiWorker.exe Token: SeSecurityPrivilege 628 TiWorker.exe Token: SeBackupPrivilege 628 TiWorker.exe Token: SeRestorePrivilege 628 TiWorker.exe Token: SeSecurityPrivilege 628 TiWorker.exe Token: SeBackupPrivilege 628 TiWorker.exe Token: SeRestorePrivilege 628 TiWorker.exe Token: SeSecurityPrivilege 628 TiWorker.exe Token: SeBackupPrivilege 628 TiWorker.exe Token: SeRestorePrivilege 628 TiWorker.exe Token: SeSecurityPrivilege 628 TiWorker.exe Token: SeBackupPrivilege 628 TiWorker.exe Token: SeRestorePrivilege 628 TiWorker.exe Token: SeSecurityPrivilege 628 TiWorker.exe Token: SeBackupPrivilege 628 TiWorker.exe Token: SeRestorePrivilege 628 TiWorker.exe Token: SeSecurityPrivilege 628 TiWorker.exe Token: SeBackupPrivilege 628 TiWorker.exe Token: SeRestorePrivilege 628 TiWorker.exe Token: SeSecurityPrivilege 628 TiWorker.exe Token: SeBackupPrivilege 628 TiWorker.exe Token: SeRestorePrivilege 628 TiWorker.exe Token: SeSecurityPrivilege 628 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
17f685852cc584d950834ce09b56cac5293856f19ddf55ae958a383b9588df43.execmd.exedescription pid process target process PID 1292 wrote to memory of 408 1292 17f685852cc584d950834ce09b56cac5293856f19ddf55ae958a383b9588df43.exe MediaCenter.exe PID 1292 wrote to memory of 408 1292 17f685852cc584d950834ce09b56cac5293856f19ddf55ae958a383b9588df43.exe MediaCenter.exe PID 1292 wrote to memory of 408 1292 17f685852cc584d950834ce09b56cac5293856f19ddf55ae958a383b9588df43.exe MediaCenter.exe PID 1292 wrote to memory of 1588 1292 17f685852cc584d950834ce09b56cac5293856f19ddf55ae958a383b9588df43.exe cmd.exe PID 1292 wrote to memory of 1588 1292 17f685852cc584d950834ce09b56cac5293856f19ddf55ae958a383b9588df43.exe cmd.exe PID 1292 wrote to memory of 1588 1292 17f685852cc584d950834ce09b56cac5293856f19ddf55ae958a383b9588df43.exe cmd.exe PID 1588 wrote to memory of 3484 1588 cmd.exe PING.EXE PID 1588 wrote to memory of 3484 1588 cmd.exe PING.EXE PID 1588 wrote to memory of 3484 1588 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\17f685852cc584d950834ce09b56cac5293856f19ddf55ae958a383b9588df43.exe"C:\Users\Admin\AppData\Local\Temp\17f685852cc584d950834ce09b56cac5293856f19ddf55ae958a383b9588df43.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\17f685852cc584d950834ce09b56cac5293856f19ddf55ae958a383b9588df43.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:3484
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4936
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:628
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
e525a12a03d7febf2a635c8ba0dea1d8
SHA1fefc9b3fbc304fcea2eace8a12a06a8d9cb162a5
SHA256f167f3386917505081097613ce6d241335cafac185cf9a1c7f9b0763a3c309ec
SHA512078560ac3728fab21c33e336c970715b4ade4f499eca33609d9b1d508b529d44e156f90b67b06406d2ac610da8180117723168e3959445d6c46c47de1f8ae015
-
MD5
e525a12a03d7febf2a635c8ba0dea1d8
SHA1fefc9b3fbc304fcea2eace8a12a06a8d9cb162a5
SHA256f167f3386917505081097613ce6d241335cafac185cf9a1c7f9b0763a3c309ec
SHA512078560ac3728fab21c33e336c970715b4ade4f499eca33609d9b1d508b529d44e156f90b67b06406d2ac610da8180117723168e3959445d6c46c47de1f8ae015