Analysis
- max time kernel: 140s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 03:26
Static task: static1
Behavioral task: behavioral1
- Sample: 179ded5b9770bda8925eb98ed58c25f672cdfe2b435227fe1e646cd5827f5713.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 179ded5b9770bda8925eb98ed58c25f672cdfe2b435227fe1e646cd5827f5713.exe
- Resource: win10v2004-en-20220113
General
- Target: 179ded5b9770bda8925eb98ed58c25f672cdfe2b435227fe1e646cd5827f5713.exe
- Size: 35KB
- MD5: 4889443e1899077b93dc8af4a117580e
- SHA1: 63f2bdd9f5a7d0f51a12a11b171a41bfdae2599c
- SHA256: 179ded5b9770bda8925eb98ed58c25f672cdfe2b435227fe1e646cd5827f5713
- SHA512: 23e3ccacf6820f514021eeb2582ff2603d06adeee4a32a14780b985a5c229a7f0157b6a146499e579266d3180ae4d6d2b3caa4ba67230535722a29b203ee4d2a
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    4532 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 179ded5b9770bda8925eb98ed58c25f672cdfe2b435227fe1e646cd5827f5713.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 179ded5b9770bda8925eb98ed58c25f672cdfe2b435227fe1e646cd5827f5713.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
    File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
    File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
    File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 3392 | 179ded5b9770bda8925eb98ed58c25f672cdfe2b435227fe1e646cd5827f5713.exe
    Token: SeShutdownPrivilege | 628 | svchost.exe
    Token: SeCreatePagefilePrivilege | 628 | svchost.exe
    Token: SeShutdownPrivilege | 628 | svchost.exe
    Token: SeCreatePagefilePrivilege | 628 | svchost.exe
    Token: SeShutdownPrivilege | 628 | svchost.exe
    Token: SeCreatePagefilePrivilege | 628 | svchost.exe
    Token: SeSecurityPrivilege | 3260 | TiWorker.exe
    Token: SeRestorePrivilege | 3260 | TiWorker.exe
    Token: SeBackupPrivilege | 3260 | TiWorker.exe
    Token: SeBackupPrivilege | 3260 | TiWorker.exe
    Token: SeRestorePrivilege | 3260 | TiWorker.exe
    Token: SeSecurityPrivilege | 3260 | TiWorker.exe
    Token: SeBackupPrivilege | 3260 | TiWorker.exe
    Token: SeRestorePrivilege | 3260 | TiWorker.exe
    Token: SeSecurityPrivilege | 3260 | TiWorker.exe
    Token: SeBackupPrivilege | 3260 | TiWorker.exe
    Token: SeRestorePrivilege | 3260 | TiWorker.exe
    Token: SeSecurityPrivilege | 3260 | TiWorker.exe
    Token: SeBackupPrivilege | 3260 | TiWorker.exe
    Token: SeRestorePrivilege | 3260 | TiWorker.exe
    Token: SeSecurityPrivilege | 3260 | TiWorker.exe
    Token: SeBackupPrivilege | 3260 | TiWorker.exe
    Token: SeRestorePrivilege | 3260 | TiWorker.exe
    Token: SeSecurityPrivilege | 3260 | TiWorker.exe
    Token: SeBackupPrivilege | 3260 | TiWorker.exe
    Token: SeRestorePrivilege | 3260 | TiWorker.exe
    Token: SeSecurityPrivilege | 3260 | TiWorker.exe
    Token: SeBackupPrivilege | 3260 | TiWorker.exe
    Token: SeRestorePrivilege | 3260 | TiWorker.exe
    Token: SeSecurityPrivilege | 3260 | TiWorker.exe
    Token: SeBackupPrivilege | 3260 | TiWorker.exe
    Token: SeRestorePrivilege | 3260 | TiWorker.exe
    Token: SeSecurityPrivilege | 3260 | TiWorker.exe
    Token: SeBackupPrivilege | 3260 | TiWorker.exe
    Token: SeRestorePrivilege | 3260 | TiWorker.exe
    Token: SeSecurityPrivilege | 3260 | TiWorker.exe
    Token: SeBackupPrivilege | 3260 | TiWorker.exe
    Token: SeRestorePrivilege | 3260 | TiWorker.exe
    Token: SeSecurityPrivilege | 3260 | TiWorker.exe
    Token: SeBackupPrivilege | 3260 | TiWorker.exe
    Token: SeRestorePrivilege | 3260 | TiWorker.exe
    Token: SeSecurityPrivilege | 3260 | TiWorker.exe
    Token: SeBackupPrivilege | 3260 | TiWorker.exe
    Token: SeRestorePrivilege | 3260 | TiWorker.exe
    Token: SeSecurityPrivilege | 3260 | TiWorker.exe
    Token: SeBackupPrivilege | 3260 | TiWorker.exe
    Token: SeRestorePrivilege | 3260 | TiWorker.exe
    Token: SeSecurityPrivilege | 3260 | TiWorker.exe
    Token: SeBackupPrivilege | 3260 | TiWorker.exe
    Token: SeRestorePrivilege | 3260 | TiWorker.exe
    Token: SeSecurityPrivilege | 3260 | TiWorker.exe
    Token: SeBackupPrivilege | 3260 | TiWorker.exe
    Token: SeRestorePrivilege | 3260 | TiWorker.exe
    Token: SeSecurityPrivilege | 3260 | TiWorker.exe
    Token: SeBackupPrivilege | 3260 | TiWorker.exe
    Token: SeRestorePrivilege | 3260 | TiWorker.exe
    Token: SeSecurityPrivilege | 3260 | TiWorker.exe
    Token: SeBackupPrivilege | 3260 | TiWorker.exe
    Token: SeRestorePrivilege | 3260 | TiWorker.exe
    Token: SeSecurityPrivilege | 3260 | TiWorker.exe
    Token: SeBackupPrivilege | 3260 | TiWorker.exe
    Token: SeRestorePrivilege | 3260 | TiWorker.exe
    Token: SeSecurityPrivilege | 3260 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description | pid | process | target process
    PID 3392 wrote to memory of 4532 | 3392 | 179ded5b9770bda8925eb98ed58c25f672cdfe2b435227fe1e646cd5827f5713.exe | MediaCenter.exe
    PID 3392 wrote to memory of 4532 | 3392 | 179ded5b9770bda8925eb98ed58c25f672cdfe2b435227fe1e646cd5827f5713.exe | MediaCenter.exe
    PID 3392 wrote to memory of 4532 | 3392 | 179ded5b9770bda8925eb98ed58c25f672cdfe2b435227fe1e646cd5827f5713.exe | MediaCenter.exe
    PID 3392 wrote to memory of 3448 | 3392 | 179ded5b9770bda8925eb98ed58c25f672cdfe2b435227fe1e646cd5827f5713.exe | cmd.exe
    PID 3392 wrote to memory of 3448 | 3392 | 179ded5b9770bda8925eb98ed58c25f672cdfe2b435227fe1e646cd5827f5713.exe | cmd.exe
    PID 3392 wrote to memory of 3448 | 3392 | 179ded5b9770bda8925eb98ed58c25f672cdfe2b435227fe1e646cd5827f5713.exe | cmd.exe
    PID 3448 wrote to memory of 4460 | 3448 | cmd.exe | PING.EXE
    PID 3448 wrote to memory of 4460 | 3448 | cmd.exe | PING.EXE
    PID 3448 wrote to memory of 4460 | 3448 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\179ded5b9770bda8925eb98ed58c25f672cdfe2b435227fe1e646cd5827f5713.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\179ded5b9770bda8925eb98ed58c25f672cdfe2b435227fe1e646cd5827f5713.exe"
  PID: 3392
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4532
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\179ded5b9770bda8925eb98ed58c25f672cdfe2b435227fe1e646cd5827f5713.exe"
    PID: 3448
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 4460
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 628
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3260
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 19a5156eb7f888a1279d8d890ebb4241
  SHA1: ce8cc01453c46aaec6b98c5e033a7d5fbda500a7
  SHA256: df745bdb1f84cae095ee5529ed119a1d24d9e466e268ffaba420694212662f11
  SHA512: 0acfd88043e7a527111b68055f3db603855cea74dbc3c88a1c84f87d272adab0915f2455d9271e0d76b1f98428e49d8db75c12a87fd720e8d28f9ba7441646f4