Analysis
Max time kernel: 153s
Max time network: 165s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220113
Submitted: 12-02-2022 03:51

Static task: static1
Behavioral task: behavioral1
  Sample: 16a99046ad0b2e9eb36dca995b54effbb45c1d7d67b1e8d54a021d9393164bf4.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 16a99046ad0b2e9eb36dca995b54effbb45c1d7d67b1e8d54a021d9393164bf4.exe
  Resource: win10v2004-en-20220113

The signatures and process tree below come from the Windows 10 2004 x64 run (behavioral2, resource win10v2004-en-20220113); the Windows 7 run is a separate task.
General
Target: 16a99046ad0b2e9eb36dca995b54effbb45c1d7d67b1e8d54a021d9393164bf4.exe
Size: 36KB
MD5: 23119c66a8630a47b3056d58de65af9e
SHA1: 86ba539a5ebe214e4599075209960bd6414145c6
SHA256: 16a99046ad0b2e9eb36dca995b54effbb45c1d7d67b1e8d54a021d9393164bf4
SHA512: 72732e8a9344081e9e27f45145535d67a3a5abefe7ac3dfa156f1cf07cf33a00ebbcf5afed32398aeaddcbc34aba04e9deaac9b71a7facbed60a32e8f5a1eb57
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
Processes:
  MediaCenter.exe  PID 3716
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  by 16a99046ad0b2e9eb36dca995b54effbb45c1d7d67b1e8d54a021d9393164bf4.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"  by 16a99046ad0b2e9eb36dca995b54effbb45c1d7d67b1e8d54a021d9393164bf4.exe
The value name is MicroMedia and its data points at the dropped MediaCenter.exe in the user's Temp directory, so the dropped copy is relaunched at logon. The WOW6432Node path indicates the sample is a 32-bit process: its write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run was redirected by WOW64 registry redirection, which is consistent with the 32-bit cmd.exe (C:\Windows\SysWOW64) it spawns later.
Drops file in Windows directory (8 IoCs)
Processes: svchost.exe, TiWorker.exe
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  svchost.exe
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  svchost.exe
  File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log  svchost.exe
  File opened for modification: C:\Windows\Logs\CBS\CBS.log  TiWorker.exe
  File opened for modification: C:\Windows\WinSxS\pending.xml  TiWorker.exe
  File opened for modification: C:\Windows\WindowsUpdate.log  svchost.exe
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  svchost.exe
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  svchost.exe
None of these writes come from the sample or its children. The svchost.exe instance hosts the Windows Update service (wuauserv, see the process tree) and TiWorker.exe is the Windows Modules Installer worker; the SoftwareDistribution datastore, CBS.log, pending.xml and WindowsUpdate.log are their normal servicing artefacts. Treat this signature as sandbox background noise for this sample.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s); the sandbox tags this as likely ransomware behaviour.
No IoC is attached to this signature, so it is a heuristic hit with no attributed process or device path. Treat it as a lead to check, not as evidence of encryption activity; nothing else in this report (no mass file writes, no ransom note) supports a ransomware verdict.

Runs ping.exe (1 TTP, 1 IoC)
The IoC is the PING.EXE child (PID 4524, ping 127.0.0.1) shown in the process tree, used as a short delay before the sample deletes itself.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: 16a99046ad0b2e9eb36dca995b54effbb45c1d7d67b1e8d54a021d9393164bf4.exe, svchost.exe, TiWorker.exe
  Token: SeIncBasePriorityPrivilege   PID 4364  16a99046ad0b2e9eb36dca995b54effbb45c1d7d67b1e8d54a021d9393164bf4.exe
  Token: SeShutdownPrivilege          PID 3356  svchost.exe  (3 entries)
  Token: SeCreatePagefilePrivilege    PID 3356  svchost.exe  (3 entries)
  Token: SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege   PID 2100  TiWorker.exe  (the remaining 57 entries, cycling through these three)
Only the first entry is the sample's: it enabled SeIncBasePriorityPrivilege, which permits raising a process's scheduling priority. The svchost.exe and TiWorker.exe entries are the backup, restore and security privileges the servicing stack enables while applying updates and belong to the Windows Update activity in the process tree, not to the sample.
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 16a99046ad0b2e9eb36dca995b54effbb45c1d7d67b1e8d54a021d9393164bf4.exe, cmd.exe
  PID 4364 (16a99046ad0b2e9eb36dca995b54effbb45c1d7d67b1e8d54a021d9393164bf4.exe) wrote to memory of PID 3716 (MediaCenter.exe)  x3
  PID 4364 (16a99046ad0b2e9eb36dca995b54effbb45c1d7d67b1e8d54a021d9393164bf4.exe) wrote to memory of PID 1688 (cmd.exe)  x3
  PID 1688 (cmd.exe) wrote to memory of PID 4524 (PING.EXE)  x3
Each spawn in the process tree is matched by exactly three writes from the parent into its newly created child. That pattern accompanies ordinary process creation in this sandbox and is not by itself evidence of code injection; no write targets a process the sample did not itself start.
Processes
1  C:\Users\Admin\AppData\Local\Temp\16a99046ad0b2e9eb36dca995b54effbb45c1d7d67b1e8d54a021d9393164bf4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\16a99046ad0b2e9eb36dca995b54effbb45c1d7d67b1e8d54a021d9393164bf4.exe"
   PID 4364
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID 3716
      - Executes dropped EXE
   2  C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16a99046ad0b2e9eb36dca995b54effbb45c1d7d67b1e8d54a021d9393164bf4.exe"
      PID 1688
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID 4524
         - Runs ping.exe

1  C:\Windows\system32\svchost.exe
   Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
   PID 3356
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken

1  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
   Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
   PID 2100
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample starts a copy of itself as MediaCenter.exe from %LOCALAPPDATA%\Temp\MicroMedia, registers that path under the Run key, then hands off to cmd.exe to ping localhost (a delay of a few seconds while the four default echo requests complete) and delete the original file with del /q. After the run, the only copy on disk is the dropped MediaCenter.exe, and the original's hashes will not match anything in the Temp directory. Note that the requested image is "C:\Windows\System32\cmd.exe" but the process that ran is C:\Windows\SysWOW64\cmd.exe: WOW64 file system redirection, because the 32-bit sample launched it. The two remaining roots, svchost.exe (wuauserv) and TiWorker.exe, are Windows Update activity unrelated to the sample.
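The behaviours in the tree above (a dropped executable run from Temp, Run-key persistence under WOW6432Node, the Geo\Nation lookup, and the ping-then-del self-deletion) are straightforward to express as host detection logic. The following Python is an added example written for this page, not sandbox output or any code from the sample. It runs over constructed process and registry events whose PIDs, paths and command lines mirror the report; the parent PIDs 1000 and 800 for the root processes, and the second cmd.exe event (PID 5000) with a different target, are invented so the self-delete rule also exercises the `-n`, `&&` and unquoted-path variants this sample does not use.

```python
"""Detection rules for drop-and-run, Run-key persistence, geofence lookup and
ping-then-del self-deletion, applied to constructed events shaped like the
sandbox report.  Added example; not sandbox code, not the sample's code."""
import json
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\16a99046ad0b2e9eb36dca995b54effbb45c1d7d67b1e8d54a021d9393164bf4.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events (not captured telemetry).  PIDs 4364/3716/1688/4524/3356
# and their paths follow the report; ppid 1000, ppid 800 and PID 5000 are invented.
EVENTS = [
    {"type": "process", "pid": 4364, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "reg_query", "pid": 4364, "image": SAMPLE,
     "key": r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"type": "process", "pid": 3716, "ppid": 4364, "image": DROPPED, "cmdline": DROPPED},
    {"type": "reg_set", "pid": 4364, "image": SAMPLE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "data": DROPPED},
    {"type": "process", "pid": 1688, "ppid": 4364, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process", "pid": 4524, "ppid": 1688, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Invented variant: same trick, but the deleted file is not the parent's own image.
    {"type": "process", "pid": 5000, "ppid": 4364, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ping -n 3 localhost && del C:\Users\Admin\Downloads\other.exe"},
    # Windows Update service: benign background noise, as in the report.
    {"type": "process", "pid": 3356, "ppid": 800, "image": r"C:\Windows\system32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"},
]

RUN_KEY = re.compile(r"\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\(?:AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public)\\", re.I)
GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo\\", re.I)
# "ping <loopback> [...] & del [/flags] <path>": ping is the delay, del is the cleanup.
SELF_DELETE = re.compile(
    r"ping\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost|::1)\b.*?&&?\s*del\s+(?:/\w\s+)*"
    r"\"?(?P<target>[^\"&]+?)\"?\s*$", re.I)


def _processes(events):
    """pid -> process-creation event, in event order."""
    return {e["pid"]: e for e in events if e["type"] == "process"}


def find_self_deletion(events):
    """cmd.exe ping-then-del chains; marks whether the deleted file is the parent's image."""
    procs = _processes(events)
    hits = []
    for e in procs.values():
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE.search(e["cmdline"])
        if not m:
            continue
        parent = procs.get(e["ppid"])
        target = m.group("target").strip()
        hits.append({"pid": e["pid"], "target": target,
                     "deletes_parent": parent is not None
                     and parent["image"].lower() == target.lower()})
    return hits


def find_run_key_persistence(events):
    """Run/RunOnce values whose data points into a user-writable directory."""
    hits = []
    for e in events:
        if e["type"] != "reg_set" or not RUN_KEY.search(e["key"]):
            continue
        hits.append({"pid": e["pid"], "value": e["key"].rsplit("\\", 1)[1], "data": e["data"],
                     "user_writable": bool(USER_WRITABLE.search(e["data"])),
                     "wow64": "wow6432node" in e["key"].lower()})
    return hits


def find_dropped_exe_execution(events):
    """Processes started from a user-writable path by a parent that also runs from one."""
    procs = _processes(events)
    hits = []
    for e in procs.values():
        parent = procs.get(e["ppid"])
        if parent and USER_WRITABLE.search(e["image"]) and USER_WRITABLE.search(parent["image"]):
            hits.append(e["pid"])
    return hits


def find_geofence_lookup(events):
    """Geo\\Nation reads by processes running from a user-writable path."""
    return [e["pid"] for e in events
            if e["type"] == "reg_query" and GEO_KEY.search(e["key"])
            and USER_WRITABLE.search(e["image"])]


def analyze(events):
    return {"self_deletion": find_self_deletion(events),
            "run_key_persistence": find_run_key_persistence(events),
            "dropped_exe_execution": find_dropped_exe_execution(events),
            "geofence_lookup": find_geofence_lookup(events)}


if __name__ == "__main__":
    print(json.dumps(analyze(EVENTS), indent=2))
```

To run this against real telemetry, map Sysmon event ID 1 (process creation, with ParentProcessId and CommandLine) onto the `process` events and event IDs 12/13 (registry) onto `reg_query`/`reg_set`; the rules only need image path, parent, command line, key and data. The `deletes_parent` flag is what separates this sample's self-cleanup from an ordinary installer removing a temp file, and the user-writable-path test keeps the wuauserv svchost.exe out of every result.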
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 4649581e167dddd7b905cb01307accfa
SHA1: 9b85294a7697ddc1f7e2e727ea6fb678814b5334
SHA256: 24bd7bff2b6eb09b839a6a2c06a13d7815cf49b845e89851e99661fe901907ec
SHA512: 7277a401fa50938242dd77194b739088bf9a0acf82b5a76ee641e9c5456937b4ede429a525bd61d3ab5883258df7f55d5a7b7d6b7411aca041b407bbce40c6dd