Analysis
- max time kernel: 145s
- max time network: 169s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 03:47
Static task: static1
Behavioral task: behavioral1
- Sample: 16c76bedb552d517b05e4fcb068e1c475a72ff0c06989442e2f08ee87b92f578.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 16c76bedb552d517b05e4fcb068e1c475a72ff0c06989442e2f08ee87b92f578.exe
- Resource: win10v2004-en-20220113
General
- Target: 16c76bedb552d517b05e4fcb068e1c475a72ff0c06989442e2f08ee87b92f578.exe
- Size: 36KB
- MD5: 81a0c5ea1290721902d384cb762d6e89
- SHA1: 0afeb8bf3ed44cd45015fc712f196ea82a484d05
- SHA256: 16c76bedb552d517b05e4fcb068e1c475a72ff0c06989442e2f08ee87b92f578
- SHA512: 0b6fa8b1a1f265b9b7bbb8f7f1054d4f131beec3b33fdafad2a029988f89fd3f6b5e0c0c47fbe962bcabf14d1f88326cac9ce0e6cc825f9cf735d61ab49d38f3
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    PID 3472  MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  (16c76bedb552d517b05e4fcb068e1c475a72ff0c06989442e2f08ee87b92f578.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  (16c76bedb552d517b05e4fcb068e1c475a72ff0c06989442e2f08ee87b92f578.exe)
- Drops file in Windows directory (8 IoCs)
  Processes (svchost.exe, TiWorker.exe):
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  (svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  (svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log  (svchost.exe)
    File opened for modification: C:\Windows\Logs\CBS\CBS.log  (TiWorker.exe)
    File opened for modification: C:\Windows\WinSxS\pending.xml  (TiWorker.exe)
    File opened for modification: C:\Windows\WindowsUpdate.log  (svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  (svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  (svchost.exe)
  All eight modifications are attributed to svchost.exe (hosting wuauserv, the Windows Update service) and TiWorker.exe, which appear as separate top-level processes in the process tree below, not to the sample or its child processes.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, TiWorker.exe, 16c76bedb552d517b05e4fcb068e1c475a72ff0c06989442e2f08ee87b92f578.exe
  The 64 token events repeat the following privilege/process pairs:
    SeShutdownPrivilege         PID 3232  svchost.exe
    SeCreatePagefilePrivilege   PID 3232  svchost.exe
    SeSecurityPrivilege         PID 4516  TiWorker.exe
    SeRestorePrivilege          PID 4516  TiWorker.exe
    SeBackupPrivilege           PID 4516  TiWorker.exe
    SeIncBasePriorityPrivilege  PID 4120  16c76bedb552d517b05e4fcb068e1c475a72ff0c06989442e2f08ee87b92f578.exe  (single event)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 16c76bedb552d517b05e4fcb068e1c475a72ff0c06989442e2f08ee87b92f578.exe, cmd.exe
    PID 4120 (16c76bedb552d517b05e4fcb068e1c475a72ff0c06989442e2f08ee87b92f578.exe) wrote to memory of PID 3472 (MediaCenter.exe)  (3 events)
    PID 4120 (16c76bedb552d517b05e4fcb068e1c475a72ff0c06989442e2f08ee87b92f578.exe) wrote to memory of PID 3644 (cmd.exe)  (3 events)
    PID 3644 (cmd.exe) wrote to memory of PID 3092 (PING.EXE)  (3 events)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\16c76bedb552d517b05e4fcb068e1c475a72ff0c06989442e2f08ee87b92f578.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\16c76bedb552d517b05e4fcb068e1c475a72ff0c06989442e2f08ee87b92f578.exe"
      PID: 4120
      Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        PID: 3472
        Signatures: Executes dropped EXE
  - [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16c76bedb552d517b05e4fcb068e1c475a72ff0c06989442e2f08ee87b92f578.exe"
        PID: 3644
        Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          PID: 3092
          Signatures: Runs ping.exe
- [1] C:\Windows\system32\svchost.exe
      Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
      PID: 3232
      Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
      Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
      PID: 4516
      Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: a7c25e5f0b7f86b57dc054bce101c2f2
- SHA1: b314d4bd95169285dd6ca5d2407e1331ee3f83f8
- SHA256: a6da3f971f197c9f39c1c7a5c6c16bb1379a8622d0faba1ee48bceaee6ae5040
- SHA512: 9e45af90155fbb39fb5bce348aede6b60070ca217ad6138dfbe96aa5f21ae6f45027fe9b78226368d18388b26b5a505cb99a070f44d7a98c825f50c20505a6a2