Analysis

Max time kernel: 135s
Max time network: 140s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220113
Submitted: 12-02-2022 04:33
Static task: static1

Behavioral task: behavioral1
  Sample: 152e1f21214581c28ee93702f644bd7254dcf7b5d933592a720d07654e010e88.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 152e1f21214581c28ee93702f644bd7254dcf7b5d933592a720d07654e010e88.exe
  Resource: win10v2004-en-20220113
General

Target: 152e1f21214581c28ee93702f644bd7254dcf7b5d933592a720d07654e010e88.exe
Size: 58KB
MD5: 3ce68914da6db98a48c5dc00ed009a73
SHA1: e49b395175cf4b26b29e187a2e85009c4836d690
SHA256: 152e1f21214581c28ee93702f644bd7254dcf7b5d933592a720d07654e010e88
SHA512: a16c8c4b8a2573b14c6f4093928d4054bc884b75c0e3d3d3c5256bcf756dfe042a349d6cf548d6bd69fb56bd12ab891cd6500f0d6c32d393e03d06140abd96fb
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes:
PID  | Process
2192 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
Description | IoC | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 152e1f21214581c28ee93702f644bd7254dcf7b5d933592a720d07654e010e88.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
Description | IoC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 152e1f21214581c28ee93702f644bd7254dcf7b5d933592a720d07654e010e88.exe
Drops file in Windows directory (8 IoCs)
Processes:
Description | IoC | Process
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
Token | PID | Process
SeShutdownPrivilege | 1308 | svchost.exe
SeCreatePagefilePrivilege | 1308 | svchost.exe
SeShutdownPrivilege | 1308 | svchost.exe
SeCreatePagefilePrivilege | 1308 | svchost.exe
SeShutdownPrivilege | 1308 | svchost.exe
SeCreatePagefilePrivilege | 1308 | svchost.exe
SeSecurityPrivilege | 5052 | TiWorker.exe
SeRestorePrivilege | 5052 | TiWorker.exe
SeBackupPrivilege | 5052 | TiWorker.exe
SeBackupPrivilege | 5052 | TiWorker.exe
SeRestorePrivilege | 5052 | TiWorker.exe
SeSecurityPrivilege | 5052 | TiWorker.exe
SeBackupPrivilege | 5052 | TiWorker.exe
SeRestorePrivilege | 5052 | TiWorker.exe
SeSecurityPrivilege | 5052 | TiWorker.exe
SeBackupPrivilege | 5052 | TiWorker.exe
SeRestorePrivilege | 5052 | TiWorker.exe
SeSecurityPrivilege | 5052 | TiWorker.exe
SeBackupPrivilege | 5052 | TiWorker.exe
SeRestorePrivilege | 5052 | TiWorker.exe
SeSecurityPrivilege | 5052 | TiWorker.exe
SeBackupPrivilege | 5052 | TiWorker.exe
SeRestorePrivilege | 5052 | TiWorker.exe
SeSecurityPrivilege | 5052 | TiWorker.exe
SeBackupPrivilege | 5052 | TiWorker.exe
SeRestorePrivilege | 5052 | TiWorker.exe
SeSecurityPrivilege | 5052 | TiWorker.exe
SeBackupPrivilege | 5052 | TiWorker.exe
SeRestorePrivilege | 5052 | TiWorker.exe
SeSecurityPrivilege | 5052 | TiWorker.exe
SeBackupPrivilege | 5052 | TiWorker.exe
SeRestorePrivilege | 5052 | TiWorker.exe
SeSecurityPrivilege | 5052 | TiWorker.exe
SeBackupPrivilege | 5052 | TiWorker.exe
SeRestorePrivilege | 5052 | TiWorker.exe
SeSecurityPrivilege | 5052 | TiWorker.exe
SeBackupPrivilege | 5052 | TiWorker.exe
SeRestorePrivilege | 5052 | TiWorker.exe
SeSecurityPrivilege | 5052 | TiWorker.exe
SeBackupPrivilege | 5052 | TiWorker.exe
SeRestorePrivilege | 5052 | TiWorker.exe
SeSecurityPrivilege | 5052 | TiWorker.exe
SeBackupPrivilege | 5052 | TiWorker.exe
SeRestorePrivilege | 5052 | TiWorker.exe
SeSecurityPrivilege | 5052 | TiWorker.exe
SeBackupPrivilege | 5052 | TiWorker.exe
SeRestorePrivilege | 5052 | TiWorker.exe
SeSecurityPrivilege | 5052 | TiWorker.exe
SeBackupPrivilege | 5052 | TiWorker.exe
SeRestorePrivilege | 5052 | TiWorker.exe
SeSecurityPrivilege | 5052 | TiWorker.exe
SeBackupPrivilege | 5052 | TiWorker.exe
SeRestorePrivilege | 5052 | TiWorker.exe
SeSecurityPrivilege | 5052 | TiWorker.exe
SeBackupPrivilege | 5052 | TiWorker.exe
SeRestorePrivilege | 5052 | TiWorker.exe
SeSecurityPrivilege | 5052 | TiWorker.exe
SeBackupPrivilege | 5052 | TiWorker.exe
SeRestorePrivilege | 5052 | TiWorker.exe
SeSecurityPrivilege | 5052 | TiWorker.exe
SeBackupPrivilege | 5052 | TiWorker.exe
SeRestorePrivilege | 5052 | TiWorker.exe
SeSecurityPrivilege | 5052 | TiWorker.exe
SeBackupPrivilege | 5052 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
Description | PID | Process | Target process
PID 2028 wrote to memory of 2192 | 2028 | 152e1f21214581c28ee93702f644bd7254dcf7b5d933592a720d07654e010e88.exe | MediaCenter.exe
PID 2028 wrote to memory of 2192 | 2028 | 152e1f21214581c28ee93702f644bd7254dcf7b5d933592a720d07654e010e88.exe | MediaCenter.exe
PID 2028 wrote to memory of 2192 | 2028 | 152e1f21214581c28ee93702f644bd7254dcf7b5d933592a720d07654e010e88.exe | MediaCenter.exe
PID 2028 wrote to memory of 1192 | 2028 | 152e1f21214581c28ee93702f644bd7254dcf7b5d933592a720d07654e010e88.exe | cmd.exe
PID 2028 wrote to memory of 1192 | 2028 | 152e1f21214581c28ee93702f644bd7254dcf7b5d933592a720d07654e010e88.exe | cmd.exe
PID 2028 wrote to memory of 1192 | 2028 | 152e1f21214581c28ee93702f644bd7254dcf7b5d933592a720d07654e010e88.exe | cmd.exe
PID 1192 wrote to memory of 1796 | 1192 | cmd.exe | PING.EXE
PID 1192 wrote to memory of 1796 | 1192 | cmd.exe | PING.EXE
PID 1192 wrote to memory of 1796 | 1192 | cmd.exe | PING.EXE
Processes

- C:\Users\Admin\AppData\Local\Temp\152e1f21214581c28ee93702f644bd7254dcf7b5d933592a720d07654e010e88.exe (PID 2028)
  Command line: "C:\Users\Admin\AppData\Local\Temp\152e1f21214581c28ee93702f644bd7254dcf7b5d933592a720d07654e010e88.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 2192)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1192)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\152e1f21214581c28ee93702f644bd7254dcf7b5d933592a720d07654e010e88.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1796)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe

- C:\Windows\system32\svchost.exe (PID 1308)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 5052)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: d70c989a7b0364b4cb3bb20cf675a1eb
SHA1: b30c90a2c0f1f47ac99860e7596f5eb7e81f83ff
SHA256: f072095c9445a4465271eecda1b8e57eaed43ef9fe00b237ba929b368d9b807d
SHA512: 39d842e87db4b800514c18f95a081c9dc38fa8004b593ce1131682495607c6995b87693c6fc94fd8b3e62b187fc6cb35d220959e823e077619ac859b1803cd8a