Analysis
- max time kernel: 133s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 04:05
Static task: static1

Behavioral task: behavioral1
- Sample: 1611559456df41c2e5b21638ed30591921f2d22df798293fd56f84d3d26ef9f1.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 1611559456df41c2e5b21638ed30591921f2d22df798293fd56f84d3d26ef9f1.exe
- Resource: win10v2004-en-20220113
General
- Target: 1611559456df41c2e5b21638ed30591921f2d22df798293fd56f84d3d26ef9f1.exe
- Size: 60KB
- MD5: ea999fa64a279c22c59340c4efca7c0e
- SHA1: f920d34b3c28ad801d142495c25804b15b553c2a
- SHA256: 1611559456df41c2e5b21638ed30591921f2d22df798293fd56f84d3d26ef9f1
- SHA512: 903bb0d26406173f9b3264a593c00f914b050a3c3e8ee4e62f4417ab1dc98ea5f1e810021229d36ba8894f822d31f8a9dc186d0704fbe73ae44f453dd81c0efe
Malware Config
Signatures

- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
  pid   process
  444   MediaCenter.exe

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 1611559456df41c2e5b21638ed30591921f2d22df798293fd56f84d3d26ef9f1.exe
  description         ioc                                                                                                  process
  Key value queried   \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation   1611559456df41c2e5b21638ed30591921f2d22df798293fd56f84d3d26ef9f1.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 1611559456df41c2e5b21638ed30591921f2d22df798293fd56f84d3d26ef9f1.exe
  description       ioc                                                                                                                                                                  process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   1611559456df41c2e5b21638ed30591921f2d22df798293fd56f84d3d26ef9f1.exe

- Drops file in Windows directory (8 IoCs)
  Processes: TiWorker.exe, svchost.exe
  description                    ioc                                                        process
  File opened for modification   C:\Windows\Logs\CBS\CBS.log                                TiWorker.exe
  File opened for modification   C:\Windows\WinSxS\pending.xml                              TiWorker.exe
  File opened for modification   C:\Windows\WindowsUpdate.log                               svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk     svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log     svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.edb    svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm    svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\ReportingEvents.log        svchost.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Runs ping.exe (1 TTPs, 1 IoCs)

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, 1611559456df41c2e5b21638ed30591921f2d22df798293fd56f84d3d26ef9f1.exe, TiWorker.exe
  description                         pid    process
  Token: SeShutdownPrivilege          3100   svchost.exe
  Token: SeCreatePagefilePrivilege    3100   svchost.exe
  Token: SeShutdownPrivilege          3100   svchost.exe
  Token: SeCreatePagefilePrivilege    3100   svchost.exe
  Token: SeShutdownPrivilege          3100   svchost.exe
  Token: SeCreatePagefilePrivilege    3100   svchost.exe
  Token: SeIncBasePriorityPrivilege   4636   1611559456df41c2e5b21638ed30591921f2d22df798293fd56f84d3d26ef9f1.exe
  Token: SeSecurityPrivilege          844    TiWorker.exe
  Token: SeRestorePrivilege           844    TiWorker.exe
  Token: SeBackupPrivilege            844    TiWorker.exe
  Token: SeBackupPrivilege            844    TiWorker.exe
  Token: SeRestorePrivilege           844    TiWorker.exe
  Token: SeSecurityPrivilege          844    TiWorker.exe
  Token: SeBackupPrivilege            844    TiWorker.exe
  Token: SeRestorePrivilege           844    TiWorker.exe
  Token: SeSecurityPrivilege          844    TiWorker.exe
  Token: SeBackupPrivilege            844    TiWorker.exe
  Token: SeRestorePrivilege           844    TiWorker.exe
  Token: SeSecurityPrivilege          844    TiWorker.exe
  Token: SeBackupPrivilege            844    TiWorker.exe
  Token: SeRestorePrivilege           844    TiWorker.exe
  Token: SeSecurityPrivilege          844    TiWorker.exe
  Token: SeBackupPrivilege            844    TiWorker.exe
  Token: SeRestorePrivilege           844    TiWorker.exe
  Token: SeSecurityPrivilege          844    TiWorker.exe
  Token: SeBackupPrivilege            844    TiWorker.exe
  Token: SeRestorePrivilege           844    TiWorker.exe
  Token: SeSecurityPrivilege          844    TiWorker.exe
  Token: SeBackupPrivilege            844    TiWorker.exe
  Token: SeRestorePrivilege           844    TiWorker.exe
  Token: SeSecurityPrivilege          844    TiWorker.exe
  Token: SeBackupPrivilege            844    TiWorker.exe
  Token: SeRestorePrivilege           844    TiWorker.exe
  Token: SeSecurityPrivilege          844    TiWorker.exe
  Token: SeBackupPrivilege            844    TiWorker.exe
  Token: SeRestorePrivilege           844    TiWorker.exe
  Token: SeSecurityPrivilege          844    TiWorker.exe
  Token: SeBackupPrivilege            844    TiWorker.exe
  Token: SeRestorePrivilege           844    TiWorker.exe
  Token: SeSecurityPrivilege          844    TiWorker.exe
  Token: SeBackupPrivilege            844    TiWorker.exe
  Token: SeRestorePrivilege           844    TiWorker.exe
  Token: SeSecurityPrivilege          844    TiWorker.exe
  Token: SeBackupPrivilege            844    TiWorker.exe
  Token: SeRestorePrivilege           844    TiWorker.exe
  Token: SeSecurityPrivilege          844    TiWorker.exe
  Token: SeBackupPrivilege            844    TiWorker.exe
  Token: SeRestorePrivilege           844    TiWorker.exe
  Token: SeSecurityPrivilege          844    TiWorker.exe
  Token: SeBackupPrivilege            844    TiWorker.exe
  Token: SeRestorePrivilege           844    TiWorker.exe
  Token: SeSecurityPrivilege          844    TiWorker.exe
  Token: SeBackupPrivilege            844    TiWorker.exe
  Token: SeRestorePrivilege           844    TiWorker.exe
  Token: SeSecurityPrivilege          844    TiWorker.exe
  Token: SeBackupPrivilege            844    TiWorker.exe
  Token: SeRestorePrivilege           844    TiWorker.exe
  Token: SeSecurityPrivilege          844    TiWorker.exe
  Token: SeBackupPrivilege            844    TiWorker.exe
  Token: SeRestorePrivilege           844    TiWorker.exe
  Token: SeSecurityPrivilege          844    TiWorker.exe
  Token: SeBackupPrivilege            844    TiWorker.exe
  Token: SeRestorePrivilege           844    TiWorker.exe
  Token: SeSecurityPrivilege          844    TiWorker.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 1611559456df41c2e5b21638ed30591921f2d22df798293fd56f84d3d26ef9f1.exe, cmd.exe
  description                         pid    process                                                                 target process
  PID 4636 wrote to memory of 444     4636   1611559456df41c2e5b21638ed30591921f2d22df798293fd56f84d3d26ef9f1.exe   MediaCenter.exe
  PID 4636 wrote to memory of 444     4636   1611559456df41c2e5b21638ed30591921f2d22df798293fd56f84d3d26ef9f1.exe   MediaCenter.exe
  PID 4636 wrote to memory of 444     4636   1611559456df41c2e5b21638ed30591921f2d22df798293fd56f84d3d26ef9f1.exe   MediaCenter.exe
  PID 4636 wrote to memory of 1124    4636   1611559456df41c2e5b21638ed30591921f2d22df798293fd56f84d3d26ef9f1.exe   cmd.exe
  PID 4636 wrote to memory of 1124    4636   1611559456df41c2e5b21638ed30591921f2d22df798293fd56f84d3d26ef9f1.exe   cmd.exe
  PID 4636 wrote to memory of 1124    4636   1611559456df41c2e5b21638ed30591921f2d22df798293fd56f84d3d26ef9f1.exe   cmd.exe
  PID 1124 wrote to memory of 1108    1124   cmd.exe                                                                 PING.EXE
  PID 1124 wrote to memory of 1108    1124   cmd.exe                                                                 PING.EXE
  PID 1124 wrote to memory of 1108    1124   cmd.exe                                                                 PING.EXE
Processes

- C:\Users\Admin\AppData\Local\Temp\1611559456df41c2e5b21638ed30591921f2d22df798293fd56f84d3d26ef9f1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1611559456df41c2e5b21638ed30591921f2d22df798293fd56f84d3d26ef9f1.exe"
  PID: 4636
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 444
    - Executes dropped EXE

  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1611559456df41c2e5b21638ed30591921f2d22df798293fd56f84d3d26ef9f1.exe"
    PID: 1124
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1108
      - Runs ping.exe

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 3100
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 844
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 90818e221c1074bb1d4409436b59faae
- SHA1: f43759f767a0ff322b35be75149a8e65d257bf98
- SHA256: d22a21e456b7c446990791e95467ea04ee4f5f7c5e824c45c7036b0b1af9f690
- SHA512: 5df3a9ed96c11812f3981025c76805e93587617a71566d619b63c3215a56b0372c6509d96ddff7fb6581ecaf9d3ed3688f6664987da18072c221ab78a82566ef