Analysis
- max time kernel: 139s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 04:37

Static task: static1
Behavioral task: behavioral1
  Sample: 1500756d49f5b1dc043e13f413dd5ea0e16d0ca337ceb08339b5050bed1e2c00.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1500756d49f5b1dc043e13f413dd5ea0e16d0ca337ceb08339b5050bed1e2c00.exe
  Resource: win10v2004-en-20220113
General
- Target: 1500756d49f5b1dc043e13f413dd5ea0e16d0ca337ceb08339b5050bed1e2c00.exe
- Size: 35KB
- MD5: b6b5633335af3a55cfdd58949c383924
- SHA1: 278a83f14351c9d163de8514a357b6a279ce2f29
- SHA256: 1500756d49f5b1dc043e13f413dd5ea0e16d0ca337ceb08339b5050bed1e2c00
- SHA512: 903483e382662b89b7f1c610f545d3dcf7b4e8865562db20ad4a34cb2231cac42e312ec5a6ce57d8d010bae76cd3b2f99882eb183a2a5f11bd86db56625537c2
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 3180  MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes:
    1500756d49f5b1dc043e13f413dd5ea0e16d0ca337ceb08339b5050bed1e2c00.exe: key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    1500756d49f5b1dc043e13f413dd5ea0e16d0ca337ceb08339b5050bed1e2c00.exe: set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The WOW6432Node path (together with the SysWOW64 cmd.exe and PING.EXE in the process tree) indicates a 32-bit sample running under WOW64 on x64 Windows. A 32-bit registry view reaches the same value as HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroMedia, so check both views when hunting for it.
- Drops file in Windows directory (8 IoCs)
  Processes:
    svchost.exe: file opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log
    TiWorker.exe: file opened for modification C:\Windows\Logs\CBS\CBS.log
    TiWorker.exe: file opened for modification C:\Windows\WinSxS\pending.xml
    svchost.exe: file opened for modification C:\Windows\WindowsUpdate.log
    svchost.exe: file opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
    svchost.exe: file opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
    svchost.exe: file opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
    svchost.exe: file opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm
  All eight files belong to Windows Update and component servicing, and both processes appear as separate top-level processes in the process tree rather than as children of the sample: this is sandbox background activity, not sample behaviour.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  No process or IoC is attributed to this signature on the page; the "ransomware" wording is the engine's generic description of the TTP, and nothing else in the report (no file encryption, no ransom note) supports it for this sample, whose observed behaviour is drop, persist and self-delete.
- Runs ping.exe (1 TTP, 1 IoC)
  Processes:
    pid 2128  PING.EXE (ping 127.0.0.1, launched by cmd.exe pid 4928; see the process tree)
  Here ping is the delay in the self-deletion chain cmd.exe /c ping 127.0.0.1 & del /q "<sample path>": the loopback ping gives the sample process time to exit before del removes its executable, so the original file is gone once the dropped MediaCenter.exe is running and the Run key points at it.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (repeated identical entries collapsed):
    svchost.exe (pid 2812): SeShutdownPrivilege, SeCreatePagefilePrivilege
    TiWorker.exe (pid 4304): SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege
    1500756d49f5b1dc043e13f413dd5ea0e16d0ca337ceb08339b5050bed1e2c00.exe (pid 3760): SeIncBasePriorityPrivilege
  Only the single SeIncBasePriorityPrivilege adjustment belongs to the sample; the other 63 entries come from the Windows Update (wuauserv) and servicing (TiWorker.exe) processes.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    pid 3760 1500756d49f5b1dc043e13f413dd5ea0e16d0ca337ceb08339b5050bed1e2c00.exe wrote to memory of pid 3180 MediaCenter.exe (3 entries)
    pid 3760 1500756d49f5b1dc043e13f413dd5ea0e16d0ca337ceb08339b5050bed1e2c00.exe wrote to memory of pid 4928 cmd.exe (3 entries)
    pid 4928 cmd.exe wrote to memory of pid 2128 PING.EXE (3 entries)
  Every target is the writer's own newly created child in the process tree; there is no write into an unrelated, already running process.
Processes
- C:\Users\Admin\AppData\Local\Temp\1500756d49f5b1dc043e13f413dd5ea0e16d0ca337ceb08339b5050bed1e2c00.exe  (PID 3760)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1500756d49f5b1dc043e13f413dd5ea0e16d0ca337ceb08339b5050bed1e2c00.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 3180, child of 3760)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe  (PID 4928, child of 3760)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1500756d49f5b1dc043e13f413dd5ea0e16d0ca337ceb08339b5050bed1e2c00.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE  (PID 2128, child of 4928)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe  (PID 2812)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  (PID 4304)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

The image path of cmd.exe and PING.EXE is C:\Windows\SysWOW64 although the command line names System32: the 32-bit sample's process creation is redirected by WOW64 file-system redirection. The svchost.exe (wuauserv) and TiWorker.exe entries are top-level processes with no parent relationship to the sample.
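The chain documented in the signatures and process tree above (drop MediaCenter.exe into %LOCALAPPDATA%\Temp, register it under a Run key, launch it, then self-delete through a cmd.exe "ping & del" chain) is turned into detection logic below as an added example; it is not part of the sandbox report. It runs over constructed Sysmon-style events (simplified dicts, not real Sysmon XML: EventID 1 process create, 11 file create, 13 registry value set) whose PIDs, paths and command lines are taken from the report. The sample's parent PID 1000, the file-create record for MediaCenter.exe, the benign PID 5000 and its updater.exe Run value are assumed for illustration. The self-deletion detector is written for the general "ping <anything> & del <file>" shape rather than only the 127.0.0.1 form seen here.

```python
import re
from typing import Dict, List

# Constructed events mirroring the report's IoCs (chronological order matters).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1500756d49f5b1dc043e13f413dd5ea0e16d0ca337ceb08339b5050bed1e2c00.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 3760, "ParentProcessId": 1000,   # parent PID assumed
     "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 11, "ProcessId": 3760, "TargetFilename": DROPPED},  # assumed FileCreate
    {"EventID": 13, "ProcessId": 3760,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": DROPPED},
    {"EventID": 1, "ProcessId": 3180, "ParentProcessId": 3760,
     "Image": DROPPED, "CommandLine": DROPPED},
    {"EventID": 1, "ProcessId": 4928, "ParentProcessId": 3760,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 2128, "ParentProcessId": 4928,
     "Image": r"C:\Windows\SysWOW64\PING.EXE", "CommandLine": "ping 127.0.0.1"},
    # Benign noise: Windows Update (from the report) and an assumed installer
    # writing a Run value that points into Program Files.
    {"EventID": 1, "ProcessId": 2812, "ParentProcessId": 700,
     "Image": r"C:\Windows\system32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"},
    {"EventID": 13, "ProcessId": 5000,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]

# Run and RunOnce under either the native or the WOW6432Node view.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Directories an unprivileged user can write to; autostart targets here are suspicious.
USER_WRITABLE = re.compile(
    r"^[A-Z]:\\(Users\\[^\\]+\\AppData\\|ProgramData\\|Users\\Public\\|Windows\\Temp\\)",
    re.IGNORECASE)
# "ping <host or options> & del [/flags] <file.exe>": ping is the delay, del the removal.
SELF_DELETE = re.compile(
    r"ping\s+[^&]*&\s*del\s+(?:/[a-z]\s+)*\"?([^\"&]+?\.exe)\"?\s*$", re.IGNORECASE)


def _images(events: List[Dict]) -> Dict[int, str]:
    """Map PID -> image path from process-create events."""
    return {e["ProcessId"]: e["Image"] for e in events if e["EventID"] == 1}


def run_key_to_user_writable(events: List[Dict]):
    """Run/RunOnce values whose target executable lives in a user-writable directory."""
    return [(e["TargetObject"], e["Details"]) for e in events
            if e["EventID"] == 13 and RUN_KEY.search(e["TargetObject"])
            and USER_WRITABLE.match(e["Details"].strip('"'))]


def self_delete_via_ping(events: List[Dict]):
    """cmd.exe running 'ping ... & del <file>' where <file> is its parent's own image."""
    images = _images(events)
    hits = []
    for e in events:
        if e["EventID"] != 1 or not e["Image"].lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE.search(e["CommandLine"])
        if not m:
            continue
        parent_image = images.get(e["ParentProcessId"], "")
        if m.group(1).lower() == parent_image.lower():
            hits.append((e["ParentProcessId"], parent_image))
    return hits


def dropped_exe_executed(events: List[Dict]):
    """A process started from a file that another process in the trace wrote earlier."""
    dropped: Dict[str, int] = {}
    hits = []
    for e in events:
        if e["EventID"] == 11:
            dropped[e["TargetFilename"].lower()] = e["ProcessId"]
        elif e["EventID"] == 1 and e["Image"].lower() in dropped:
            hits.append((dropped[e["Image"].lower()], e["ProcessId"], e["Image"]))
    return hits


if __name__ == "__main__":
    for name, fn in [("Run key -> user-writable path", run_key_to_user_writable),
                     ("self-delete via ping delay", self_delete_via_ping),
                     ("dropped EXE executed", dropped_exe_executed)]:
        print(name)
        for hit in fn(EVENTS):
            print("   ", hit)
```

The three detectors deliberately ignore the Windows Update and servicing events, which is the signal-to-noise point of the report: on this trace only the sample's own three actions fire. The self-delete check requires the deleted path to equal the parent's image, which separates this pattern from an installer cleaning up a temporary file it did not run from.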
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 2a64d3519bac465eb3517fc652784ef6
  SHA1: 7f9c5b8c6b6b22841f5d7957cb5ea68e25f4335b
  SHA256: eee43a5dff9356d376029ff4fb9814dc778ff5b3ad937f066b8bf1f8d5b4b802
  SHA512: fc03fdab6481a69d79ea6e2985a1d7dff22aaee5a4408c38c3eabfbb0fa646bfec049a5c70d39f960cc8c98fcb2058be067686a4e9bc690cc9c280b4ba8fa34f