Analysis
- max time kernel: 155s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 04:27
Static task: static1
Behavioral task: behavioral1
- Sample: 153d29e2012232af3acdeccd86e66d72f5cdf08627861d13eda4a96e0860f88b.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 153d29e2012232af3acdeccd86e66d72f5cdf08627861d13eda4a96e0860f88b.exe
- Resource: win10v2004-en-20220113
General
- Target: 153d29e2012232af3acdeccd86e66d72f5cdf08627861d13eda4a96e0860f88b.exe
- Size: 60KB
- MD5: 464ec1f8071f52054c0ba2182ea6b53d
- SHA1: aa48f5ecf71d8aecbfe77301c1353433c6ec1bce
- SHA256: 153d29e2012232af3acdeccd86e66d72f5cdf08627861d13eda4a96e0860f88b
- SHA512: 0893ada6fee61f0aebbf5806b6f4b4fd7fb81e09fe3ec52bb75764548601ed1c7937dc41994d67be9847b131ee154ebc96c636057f3eeeda3f0907516bf5424b
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid  | process
    4032 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description       | ioc                                                                                                        | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 153d29e2012232af3acdeccd86e66d72f5cdf08627861d13eda4a96e0860f88b.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description     | ioc                                                                                                                                                                              | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 153d29e2012232af3acdeccd86e66d72f5cdf08627861d13eda4a96e0860f88b.exe
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
    description                  | ioc                                                       | process
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm   | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log       | svchost.exe
    File opened for modification | C:\Windows\Logs\CBS\CBS.log                               | TiWorker.exe
    File opened for modification | C:\Windows\WinSxS\pending.xml                             | TiWorker.exe
    File opened for modification | C:\Windows\WindowsUpdate.log                              | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk    | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log    | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb   | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, TiWorker.exe
    description                       | pid  | process
    Token: SeShutdownPrivilege        | 1180 | svchost.exe
    Token: SeCreatePagefilePrivilege  | 1180 | svchost.exe
    Token: SeShutdownPrivilege        | 1180 | svchost.exe
    Token: SeCreatePagefilePrivilege  | 1180 | svchost.exe
    Token: SeShutdownPrivilege        | 1180 | svchost.exe
    Token: SeCreatePagefilePrivilege  | 1180 | svchost.exe
    Token: SeSecurityPrivilege        | 4144 | TiWorker.exe
    Token: SeRestorePrivilege         | 4144 | TiWorker.exe
    Token: SeBackupPrivilege          | 4144 | TiWorker.exe
    Token: SeBackupPrivilege          | 4144 | TiWorker.exe
    Token: SeRestorePrivilege         | 4144 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4144 | TiWorker.exe
    Token: SeBackupPrivilege          | 4144 | TiWorker.exe
    Token: SeRestorePrivilege         | 4144 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4144 | TiWorker.exe
    Token: SeBackupPrivilege          | 4144 | TiWorker.exe
    Token: SeRestorePrivilege         | 4144 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4144 | TiWorker.exe
    Token: SeBackupPrivilege          | 4144 | TiWorker.exe
    Token: SeRestorePrivilege         | 4144 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4144 | TiWorker.exe
    Token: SeBackupPrivilege          | 4144 | TiWorker.exe
    Token: SeRestorePrivilege         | 4144 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4144 | TiWorker.exe
    Token: SeBackupPrivilege          | 4144 | TiWorker.exe
    Token: SeRestorePrivilege         | 4144 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4144 | TiWorker.exe
    Token: SeBackupPrivilege          | 4144 | TiWorker.exe
    Token: SeRestorePrivilege         | 4144 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4144 | TiWorker.exe
    Token: SeBackupPrivilege          | 4144 | TiWorker.exe
    Token: SeRestorePrivilege         | 4144 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4144 | TiWorker.exe
    Token: SeBackupPrivilege          | 4144 | TiWorker.exe
    Token: SeRestorePrivilege         | 4144 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4144 | TiWorker.exe
    Token: SeBackupPrivilege          | 4144 | TiWorker.exe
    Token: SeRestorePrivilege         | 4144 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4144 | TiWorker.exe
    Token: SeBackupPrivilege          | 4144 | TiWorker.exe
    Token: SeRestorePrivilege         | 4144 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4144 | TiWorker.exe
    Token: SeBackupPrivilege          | 4144 | TiWorker.exe
    Token: SeRestorePrivilege         | 4144 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4144 | TiWorker.exe
    Token: SeBackupPrivilege          | 4144 | TiWorker.exe
    Token: SeRestorePrivilege         | 4144 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4144 | TiWorker.exe
    Token: SeBackupPrivilege          | 4144 | TiWorker.exe
    Token: SeRestorePrivilege         | 4144 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4144 | TiWorker.exe
    Token: SeBackupPrivilege          | 4144 | TiWorker.exe
    Token: SeRestorePrivilege         | 4144 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4144 | TiWorker.exe
    Token: SeBackupPrivilege          | 4144 | TiWorker.exe
    Token: SeRestorePrivilege         | 4144 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4144 | TiWorker.exe
    Token: SeBackupPrivilege          | 4144 | TiWorker.exe
    Token: SeRestorePrivilege         | 4144 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4144 | TiWorker.exe
    Token: SeBackupPrivilege          | 4144 | TiWorker.exe
    Token: SeRestorePrivilege         | 4144 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4144 | TiWorker.exe
    Token: SeBackupPrivilege          | 4144 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 153d29e2012232af3acdeccd86e66d72f5cdf08627861d13eda4a96e0860f88b.exe, cmd.exe
    description                      | pid  | process                                                              | target process
    PID 1348 wrote to memory of 4032 | 1348 | 153d29e2012232af3acdeccd86e66d72f5cdf08627861d13eda4a96e0860f88b.exe | MediaCenter.exe
    PID 1348 wrote to memory of 4032 | 1348 | 153d29e2012232af3acdeccd86e66d72f5cdf08627861d13eda4a96e0860f88b.exe | MediaCenter.exe
    PID 1348 wrote to memory of 4032 | 1348 | 153d29e2012232af3acdeccd86e66d72f5cdf08627861d13eda4a96e0860f88b.exe | MediaCenter.exe
    PID 1348 wrote to memory of 4520 | 1348 | 153d29e2012232af3acdeccd86e66d72f5cdf08627861d13eda4a96e0860f88b.exe | cmd.exe
    PID 1348 wrote to memory of 4520 | 1348 | 153d29e2012232af3acdeccd86e66d72f5cdf08627861d13eda4a96e0860f88b.exe | cmd.exe
    PID 1348 wrote to memory of 4520 | 1348 | 153d29e2012232af3acdeccd86e66d72f5cdf08627861d13eda4a96e0860f88b.exe | cmd.exe
    PID 4520 wrote to memory of 4568 | 4520 | cmd.exe                                                              | PING.EXE
    PID 4520 wrote to memory of 4568 | 4520 | cmd.exe                                                              | PING.EXE
    PID 4520 wrote to memory of 4568 | 4520 | cmd.exe                                                              | PING.EXE
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\153d29e2012232af3acdeccd86e66d72f5cdf08627861d13eda4a96e0860f88b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\153d29e2012232af3acdeccd86e66d72f5cdf08627861d13eda4a96e0860f88b.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of WriteProcessMemory
  PID: 1348
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
    PID: 4032
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\153d29e2012232af3acdeccd86e66d72f5cdf08627861d13eda4a96e0860f88b.exe"
    Signatures: Suspicious use of WriteProcessMemory
    PID: 4520
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
      PID: 4568
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
  PID: 1180
- [1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
  PID: 4144
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: ba6f1957f1681c43941efec94bf964fe
  SHA1: 4d837d5d8ab3e81689944a28332c38cd3763f6b3
  SHA256: db7f04a86dcce56b0aa93c87f219e91a4f63ab7c279d78709b27a3db57488609
  SHA512: 80161fd9141ce890a5a59f622edbe1e568992f64f23356d629a2f6ce0e3e79331f75af7b0557aadb721f63222baaa0f148180c1fc4dffc1a8732daf8f7639736