Analysis
- max time kernel: 150s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 03:55
Static task: static1
Behavioral task: behavioral1
- Sample: 1678d418c66e87bdd81ae93fe39f3c3b513d85b0cc69655b2e7c0904b8589930.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1678d418c66e87bdd81ae93fe39f3c3b513d85b0cc69655b2e7c0904b8589930.exe
- Resource: win10v2004-en-20220113
General
- Target: 1678d418c66e87bdd81ae93fe39f3c3b513d85b0cc69655b2e7c0904b8589930.exe
- Size: 36KB
- MD5: c7677230844affd49a3e0353743879fd
- SHA1: 349e7ea4ac43681da51bed8812c08453ae71ac39
- SHA256: 1678d418c66e87bdd81ae93fe39f3c3b513d85b0cc69655b2e7c0904b8589930
- SHA512: 0f9076f2baead64c2545b335d11a952a9ab92bb9427f7e5335bc3c2aa62bc345e30cc334b8d044e9cf3d2bc3a0933e72f36ab73a2208aba8471ae58ee9abc51d
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
Processes:
- MediaCenter.exe, PID 2340
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- 1678d418c66e87bdd81ae93fe39f3c3b513d85b0cc69655b2e7c0904b8589930.exe: Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
- 1678d418c66e87bdd81ae93fe39f3c3b513d85b0cc69655b2e7c0904b8589930.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
Drops file in Windows directory (8 IoCs)
Processes:
- svchost.exe: File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm
- svchost.exe: File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log
- TiWorker.exe: File opened for modification C:\Windows\Logs\CBS\CBS.log
- TiWorker.exe: File opened for modification C:\Windows\WinSxS\pending.xml
- svchost.exe: File opened for modification C:\Windows\WindowsUpdate.log
- svchost.exe: File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
- svchost.exe: File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
- svchost.exe: File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
- PID 4064 wrote to memory of 2340: 1678d418c66e87bdd81ae93fe39f3c3b513d85b0cc69655b2e7c0904b8589930.exe -> MediaCenter.exe
- PID 4064 wrote to memory of 2340: 1678d418c66e87bdd81ae93fe39f3c3b513d85b0cc69655b2e7c0904b8589930.exe -> MediaCenter.exe
- PID 4064 wrote to memory of 2340: 1678d418c66e87bdd81ae93fe39f3c3b513d85b0cc69655b2e7c0904b8589930.exe -> MediaCenter.exe
- PID 4064 wrote to memory of 4440: 1678d418c66e87bdd81ae93fe39f3c3b513d85b0cc69655b2e7c0904b8589930.exe -> cmd.exe
- PID 4064 wrote to memory of 4440: 1678d418c66e87bdd81ae93fe39f3c3b513d85b0cc69655b2e7c0904b8589930.exe -> cmd.exe
- PID 4064 wrote to memory of 4440: 1678d418c66e87bdd81ae93fe39f3c3b513d85b0cc69655b2e7c0904b8589930.exe -> cmd.exe
- PID 4440 wrote to memory of 4540: cmd.exe -> PING.EXE
- PID 4440 wrote to memory of 4540: cmd.exe -> PING.EXE
- PID 4440 wrote to memory of 4540: cmd.exe -> PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1678d418c66e87bdd81ae93fe39f3c3b513d85b0cc69655b2e7c0904b8589930.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1678d418c66e87bdd81ae93fe39f3c3b513d85b0cc69655b2e7c0904b8589930.exe"
  PID: 4064
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 2340
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1678d418c66e87bdd81ae93fe39f3c3b513d85b0cc69655b2e7c0904b8589930.exe"
    PID: 4440
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 4540
      Signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 2136
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 4220
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: bc5e4cea0b7ca8c8fb059e3772f65a70
- SHA1: 0d0ca9d3bd12a5b05fbb9db44cfb9052f235874e
- SHA256: 0a639ed8e9440f3ad53205dbf9e42697c730ace5fa6966866c784d3042dee603
- SHA512: 2a29a605df93709fbb1a92f821e8dbe702ea68d050db962e868f18d45dcca2e381603770cf483c9d8bd1df74748797ab03c9f0e31b60b8c910583ef65aa6ef5f