Analysis
max time kernel: 151s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 03:25
Static task: static1
Behavioral task: behavioral1
  Sample: 17b0bdd2b988129d51c9f70796cd88ebf54d6530040490b0440a0f5c61b6a646.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 17b0bdd2b988129d51c9f70796cd88ebf54d6530040490b0440a0f5c61b6a646.exe
  Resource: win10v2004-en-20220113
General
Target: 17b0bdd2b988129d51c9f70796cd88ebf54d6530040490b0440a0f5c61b6a646.exe
Size: 36KB
MD5: 4d0b4d2202776de197ba86e39a84b518
SHA1: 9d40329effacfa12d5c87b2f3c1116adb08d42f9
SHA256: 17b0bdd2b988129d51c9f70796cd88ebf54d6530040490b0440a0f5c61b6a646
SHA512: 44217ee231a1a98a747256dde4ebadeb7a53a41f8002dc1d6b71612a8cc740188edb44bdff1d470d9a10501d42abe69845d0c1ab34d0de0ed56e29f5b9296598
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
Processes:
pid | process
4868 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 17b0bdd2b988129d51c9f70796cd88ebf54d6530040490b0440a0f5c61b6a646.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 17b0bdd2b988129d51c9f70796cd88ebf54d6530040490b0440a0f5c61b6a646.exe
Drops file in Windows directory (8 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
description | pid | process
Token: SeShutdownPrivilege | 1732 | svchost.exe
Token: SeCreatePagefilePrivilege | 1732 | svchost.exe
Token: SeShutdownPrivilege | 1732 | svchost.exe
Token: SeCreatePagefilePrivilege | 1732 | svchost.exe
Token: SeShutdownPrivilege | 1732 | svchost.exe
Token: SeCreatePagefilePrivilege | 1732 | svchost.exe
Token: SeSecurityPrivilege | 444 | TiWorker.exe
Token: SeRestorePrivilege | 444 | TiWorker.exe
Token: SeBackupPrivilege | 444 | TiWorker.exe
Token: SeBackupPrivilege | 444 | TiWorker.exe
Token: SeRestorePrivilege | 444 | TiWorker.exe
Token: SeSecurityPrivilege | 444 | TiWorker.exe
Token: SeBackupPrivilege | 444 | TiWorker.exe
Token: SeRestorePrivilege | 444 | TiWorker.exe
Token: SeSecurityPrivilege | 444 | TiWorker.exe
Token: SeBackupPrivilege | 444 | TiWorker.exe
Token: SeRestorePrivilege | 444 | TiWorker.exe
Token: SeSecurityPrivilege | 444 | TiWorker.exe
Token: SeBackupPrivilege | 444 | TiWorker.exe
Token: SeRestorePrivilege | 444 | TiWorker.exe
Token: SeSecurityPrivilege | 444 | TiWorker.exe
Token: SeBackupPrivilege | 444 | TiWorker.exe
Token: SeRestorePrivilege | 444 | TiWorker.exe
Token: SeSecurityPrivilege | 444 | TiWorker.exe
Token: SeBackupPrivilege | 444 | TiWorker.exe
Token: SeRestorePrivilege | 444 | TiWorker.exe
Token: SeSecurityPrivilege | 444 | TiWorker.exe
Token: SeBackupPrivilege | 444 | TiWorker.exe
Token: SeRestorePrivilege | 444 | TiWorker.exe
Token: SeSecurityPrivilege | 444 | TiWorker.exe
Token: SeBackupPrivilege | 444 | TiWorker.exe
Token: SeRestorePrivilege | 444 | TiWorker.exe
Token: SeSecurityPrivilege | 444 | TiWorker.exe
Token: SeBackupPrivilege | 444 | TiWorker.exe
Token: SeRestorePrivilege | 444 | TiWorker.exe
Token: SeSecurityPrivilege | 444 | TiWorker.exe
Token: SeBackupPrivilege | 444 | TiWorker.exe
Token: SeRestorePrivilege | 444 | TiWorker.exe
Token: SeSecurityPrivilege | 444 | TiWorker.exe
Token: SeBackupPrivilege | 444 | TiWorker.exe
Token: SeRestorePrivilege | 444 | TiWorker.exe
Token: SeSecurityPrivilege | 444 | TiWorker.exe
Token: SeBackupPrivilege | 444 | TiWorker.exe
Token: SeRestorePrivilege | 444 | TiWorker.exe
Token: SeSecurityPrivilege | 444 | TiWorker.exe
Token: SeBackupPrivilege | 444 | TiWorker.exe
Token: SeRestorePrivilege | 444 | TiWorker.exe
Token: SeSecurityPrivilege | 444 | TiWorker.exe
Token: SeBackupPrivilege | 444 | TiWorker.exe
Token: SeRestorePrivilege | 444 | TiWorker.exe
Token: SeSecurityPrivilege | 444 | TiWorker.exe
Token: SeBackupPrivilege | 444 | TiWorker.exe
Token: SeRestorePrivilege | 444 | TiWorker.exe
Token: SeSecurityPrivilege | 444 | TiWorker.exe
Token: SeBackupPrivilege | 444 | TiWorker.exe
Token: SeRestorePrivilege | 444 | TiWorker.exe
Token: SeSecurityPrivilege | 444 | TiWorker.exe
Token: SeBackupPrivilege | 444 | TiWorker.exe
Token: SeRestorePrivilege | 444 | TiWorker.exe
Token: SeSecurityPrivilege | 444 | TiWorker.exe
Token: SeBackupPrivilege | 444 | TiWorker.exe
Token: SeRestorePrivilege | 444 | TiWorker.exe
Token: SeSecurityPrivilege | 444 | TiWorker.exe
Token: SeBackupPrivilege | 444 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 5016 wrote to memory of 4868 | 5016 | 17b0bdd2b988129d51c9f70796cd88ebf54d6530040490b0440a0f5c61b6a646.exe | MediaCenter.exe
PID 5016 wrote to memory of 4868 | 5016 | 17b0bdd2b988129d51c9f70796cd88ebf54d6530040490b0440a0f5c61b6a646.exe | MediaCenter.exe
PID 5016 wrote to memory of 4868 | 5016 | 17b0bdd2b988129d51c9f70796cd88ebf54d6530040490b0440a0f5c61b6a646.exe | MediaCenter.exe
PID 5016 wrote to memory of 628 | 5016 | 17b0bdd2b988129d51c9f70796cd88ebf54d6530040490b0440a0f5c61b6a646.exe | cmd.exe
PID 5016 wrote to memory of 628 | 5016 | 17b0bdd2b988129d51c9f70796cd88ebf54d6530040490b0440a0f5c61b6a646.exe | cmd.exe
PID 5016 wrote to memory of 628 | 5016 | 17b0bdd2b988129d51c9f70796cd88ebf54d6530040490b0440a0f5c61b6a646.exe | cmd.exe
PID 628 wrote to memory of 2192 | 628 | cmd.exe | PING.EXE
PID 628 wrote to memory of 2192 | 628 | cmd.exe | PING.EXE
PID 628 wrote to memory of 2192 | 628 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\17b0bdd2b988129d51c9f70796cd88ebf54d6530040490b0440a0f5c61b6a646.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\17b0bdd2b988129d51c9f70796cd88ebf54d6530040490b0440a0f5c61b6a646.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 5016
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 4868
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\17b0bdd2b988129d51c9f70796cd88ebf54d6530040490b0440a0f5c61b6a646.exe"
    - Suspicious use of WriteProcessMemory
    PID: 628
    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 2192

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1732

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 444
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 9c34bb4212a3c180ae896c5b62d8b49a
SHA1: 4d8c67b6a6f762481041d4c948253009436fdb1e
SHA256: 11d85fa5b64e51c4c2611a1361f1fa28e11b6577fdec57f326bbac178ac431a5
SHA512: f48b0f2d1b1e35cc0c20ce2e8736904c3892173f9c1e5b011849dd457f93f913d0de5d8f7dc5760aa7101de259e0ff6fb918e4d524ead4f24e5bbf9404c14789