Analysis
- max time kernel: 150s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 04:35
Static task: static1
Behavioral task: behavioral1
- Sample: 151fcbf2990824333e4c42b9e81d614641078044b38cd290735f81e153644354.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 151fcbf2990824333e4c42b9e81d614641078044b38cd290735f81e153644354.exe
- Resource: win10v2004-en-20220113
General
- Target: 151fcbf2990824333e4c42b9e81d614641078044b38cd290735f81e153644354.exe
- Size: 60KB
- MD5: df36f278f026a5e5b13c870a4f110fd4
- SHA1: 78f352f7459625a867981dd87948b50b1b562cd4
- SHA256: 151fcbf2990824333e4c42b9e81d614641078044b38cd290735f81e153644354
- SHA512: 64f11ac6774268d2abf2c611117919ace680b6db34a4591952ec91b755525cddf4782e7dbebcbc0ef34eb69e14f3095ea62553bdf4d21b15f54ba7f64b2db8d0
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
  4624  MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  151fcbf2990824333e4c42b9e81d614641078044b38cd290735f81e153644354.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  151fcbf2990824333e4c42b9e81d614641078044b38cd290735f81e153644354.exe
- Drops file in Windows directory (8 IoCs)
  Processes (description / ioc / process):
  File opened for modification  C:\Windows\Logs\CBS\CBS.log  TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml  TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log  svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description / pid / process), in the order reported:
  Token: SeShutdownPrivilege         3620  svchost.exe
  Token: SeCreatePagefilePrivilege   3620  svchost.exe
  Token: SeShutdownPrivilege         3620  svchost.exe
  Token: SeCreatePagefilePrivilege   3620  svchost.exe
  Token: SeShutdownPrivilege         3620  svchost.exe
  Token: SeCreatePagefilePrivilege   3620  svchost.exe
  Token: SeSecurityPrivilege         908   TiWorker.exe
  Token: SeRestorePrivilege          908   TiWorker.exe
  Token: SeBackupPrivilege           908   TiWorker.exe
  Token: SeIncBasePriorityPrivilege  2328  151fcbf2990824333e4c42b9e81d614641078044b38cd290735f81e153644354.exe
  Token: SeBackupPrivilege           908   TiWorker.exe
  Token: SeRestorePrivilege          908   TiWorker.exe
  Token: SeSecurityPrivilege         908   TiWorker.exe
  (the preceding three TiWorker.exe rows, Backup / Restore / Security, repeat 18 times in total, accounting for the remaining 54 of the 64 entries)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / process / target process):
  PID 2328 wrote to memory of 4624  2328  151fcbf2990824333e4c42b9e81d614641078044b38cd290735f81e153644354.exe  MediaCenter.exe
  PID 2328 wrote to memory of 4624  2328  151fcbf2990824333e4c42b9e81d614641078044b38cd290735f81e153644354.exe  MediaCenter.exe
  PID 2328 wrote to memory of 4624  2328  151fcbf2990824333e4c42b9e81d614641078044b38cd290735f81e153644354.exe  MediaCenter.exe
  PID 2328 wrote to memory of 3492  2328  151fcbf2990824333e4c42b9e81d614641078044b38cd290735f81e153644354.exe  cmd.exe
  PID 2328 wrote to memory of 3492  2328  151fcbf2990824333e4c42b9e81d614641078044b38cd290735f81e153644354.exe  cmd.exe
  PID 2328 wrote to memory of 3492  2328  151fcbf2990824333e4c42b9e81d614641078044b38cd290735f81e153644354.exe  cmd.exe
  PID 3492 wrote to memory of 4800  3492  cmd.exe  PING.EXE
  PID 3492 wrote to memory of 4800  3492  cmd.exe  PING.EXE
  PID 3492 wrote to memory of 4800  3492  cmd.exe  PING.EXE
Processes (indentation shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\151fcbf2990824333e4c42b9e81d614641078044b38cd290735f81e153644354.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\151fcbf2990824333e4c42b9e81d614641078044b38cd290735f81e153644354.exe"
  PID: 2328
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4624
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\151fcbf2990824333e4c42b9e81d614641078044b38cd290735f81e153644354.exe"
    PID: 3492
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 4800
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 3620
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 908
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 2bda3fad33eaf79f721a1531c3ef3e6d
  SHA1: de552c9875aea77de116991cf9e937362eba6e72
  SHA256: 7e9a43e251e1764cceb825cc3d9a3b920be330b3261b82fb1297317452fbfac4
  SHA512: 21c9684e811e1893d0f827e184c95a595130439321127b1c6d0c7e784cf7a22197d774c9073022b7253d1c2a2a3bb753c783b8efaaac8d4e0bdef5563aa6889f