Analysis
- max time kernel: 142s
- max time network: 173s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 04:05
- Static task: static1
- Behavioral task: behavioral1
  Sample: 16148524700ed5177a4ae42c7030c037d9a2d2db0de7df463e2321a8b61925b0.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 16148524700ed5177a4ae42c7030c037d9a2d2db0de7df463e2321a8b61925b0.exe
  Resource: win10v2004-en-20220113
General
- Target: 16148524700ed5177a4ae42c7030c037d9a2d2db0de7df463e2321a8b61925b0.exe
- Size: 60KB
- MD5: dadb09cc32fed64845403a722d2fb4de
- SHA1: 3c4dd074d536f579f855130173fdd80f4166822a
- SHA256: 16148524700ed5177a4ae42c7030c037d9a2d2db0de7df463e2321a8b61925b0
- SHA512: 9e782903afbc1e9e088ef5678b014b1f9326a63b2541a8f3bfe7205cccbe8dbd17beec73dece49949f2b292c588be6cbbf171b7acc72fc9ea1a9286ff8738b27
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    PID 1360  MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  16148524700ed5177a4ae42c7030c037d9a2d2db0de7df463e2321a8b61925b0.exe
  The key is the logged-on user's HKCU\Control Panel\International\Geo\Nation; the read happens in the sample process itself (PID 2724), before it drops and starts MediaCenter.exe.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  16148524700ed5177a4ae42c7030c037d9a2d2db0de7df463e2321a8b61925b0.exe
  The value lands under WOW6432Node because the sample is a 32-bit process on x64 (registry redirection; its children also run from SysWOW64 in the process tree). An HKLM Run value applies to every account at logon, but the target is a per-user Temp directory, so the persistence only works for the account that ran the dropper.
- Drops file in Windows directory (8 IoCs)
  Processes:
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log  svchost.exe
    File opened for modification  C:\Windows\Logs\CBS\CBS.log  TiWorker.exe
    File opened for modification  C:\Windows\WinSxS\pending.xml  TiWorker.exe
    File opened for modification  C:\Windows\WindowsUpdate.log  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  svchost.exe
  Caveat: svchost.exe (PID 3636, hosting wuauserv) and TiWorker.exe (PID 2124, the servicing stack worker) are top-level entries in the process tree, not descendants of the sample, and every path listed is a Windows Update data store or CBS/servicing log. These IoCs are background sandbox activity, not sample behaviour.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s); the sandbox's generic description calls this likely ransomware behaviour. No process-level IoCs were recorded for this signature, and nothing else in the report (no file encryption, no ransom note) supports that reading for this sample.
- Runs ping.exe (1 TTP, 1 IoC)
  Processes:
    PID 776  PING.EXE  ping 127.0.0.1
  The ping is the delay half of the cmd.exe command line in the process tree (ping 127.0.0.1 & del /q "<sample path>"): it buys a moment for the dropper process to exit so the following del can remove the original file, which is still locked while the sample runs.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (grouped; the original list repeats one line per token adjustment):
    svchost.exe (PID 3636): SeShutdownPrivilege and SeCreatePagefilePrivilege, three entries each
    TiWorker.exe (PID 2124): SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, cycled repeatedly (all remaining entries)
    16148524700ed5177a4ae42c7030c037d9a2d2db0de7df463e2321a8b61925b0.exe (PID 2724): SeIncBasePriorityPrivilege, once
  Caveat: the only adjustment made by the sample itself is SeIncBasePriorityPrivilege. The backup/restore/security and shutdown/pagefile entries belong to the Windows Update and servicing processes noted above and are routine for them.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    PID 2724 (16148524700ed5177a4ae42c7030c037d9a2d2db0de7df463e2321a8b61925b0.exe) wrote to memory of PID 1360 (MediaCenter.exe)  x3
    PID 2724 (16148524700ed5177a4ae42c7030c037d9a2d2db0de7df463e2321a8b61925b0.exe) wrote to memory of PID 3260 (cmd.exe)  x3
    PID 3260 (cmd.exe) wrote to memory of PID 776 (PING.EXE)  x3
  Every target is the writer's own freshly created child and each pair appears three times, which is consistent with ordinary process creation (the parent populating the child's startup data) rather than injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\16148524700ed5177a4ae42c7030c037d9a2d2db0de7df463e2321a8b61925b0.exe  (PID 2724)
  Command line: "C:\Users\Admin\AppData\Local\Temp\16148524700ed5177a4ae42c7030c037d9a2d2db0de7df463e2321a8b61925b0.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1360)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe  (PID 3260)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16148524700ed5177a4ae42c7030c037d9a2d2db0de7df463e2321a8b61925b0.exe"
    Signatures: Suspicious use of WriteProcessMemory
    (The command line names System32 but the image runs from SysWOW64: file system redirection for a 32-bit parent. The line is the standard dropper self-delete idiom, a loopback ping as a delay followed by del of the original file.)
    - C:\Windows\SysWOW64\PING.EXE  (PID 776)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe  (PID 3636)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  (PID 2124)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
  (svchost.exe/wuauserv and TiWorker.exe are not children of the sample; they are Windows Update and servicing activity that ran in the sandbox during the analysis window.)
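The two behaviours in the tree that are attributable to the sample, a Run value pointing into a per-user Temp folder and a cmd.exe line that deletes the dropper behind a loopback ping, are what a detection rule should key on. The Python below is an added example and not part of the sandbox report: it runs both checks over constructed Sysmon-style events that mirror this run, and also accepts the "ping -n <count>" delay variant that this report does not show. The event field names (type, pid, image, parent_image, cmdline, target, details) are an assumed schema, not the sandbox's own format.

```python
"""Detection checks for the two sample-attributable behaviours in this report.

Added example, not part of the sandbox report. Events are constructed to
mirror the report's process tree and registry IoC; field names (type, pid,
image, parent_image, cmdline, target, details) are an assumed Sysmon-like
schema, not the sandbox's own format.
"""
import re

# Path of the analysed sample, as shown in the report's process tree.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\16148524700ed5177a4ae42c7030c037d9a2d2db0de7df463e2321a8b61925b0.exe")

# Run / RunOnce under either the native or the WOW6432Node view of the hive.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Per-user Temp directory: nothing legitimate should be autostarted from here.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# "ping <loopback> & del ..." with optional ping switches such as "-n 3".
PING_DEL_RE = re.compile(
    r"\bping(?:\.exe)?\s+(?:-[a-z]\s+\S+\s+)*(?:127\.0\.0\.1|localhost|::1)\b"
    r".*&\s*del\b", re.IGNORECASE)
# Last argument of the del command (quoted or not), skipping /q-style switches.
DEL_TARGET_RE = re.compile(
    r'\bdel\s+(?:/[a-z]\s+)*"?([^"&]+?)"?\s*$', re.IGNORECASE)


def check_run_key(event):
    """Flag a Run/RunOnce value whose autostart target lives in a Temp folder."""
    if event.get("type") != "registry_set":
        return None
    if not RUN_KEY_RE.search(event["target"]):
        return None
    if TEMP_DIR_RE.search(event["details"]):
        return ("run_key_temp_path", event["pid"], event["details"])
    return None


def check_self_delete(event):
    """Flag the ping-delayed del idiom; escalate when the deleted file is the
    parent's own image, i.e. a dropper removing itself."""
    if event.get("type") != "process_create":
        return None
    cmdline = event["cmdline"]
    if not PING_DEL_RE.search(cmdline):
        return None
    match = DEL_TARGET_RE.search(cmdline)
    target = match.group(1).strip() if match else ""
    parent = event.get("parent_image", "")
    if target and target.lower() == parent.lower():
        return ("self_delete_parent", event["pid"], target)
    return ("ping_delete", event["pid"], target)


def scan(events):
    """Run every check over every event and collect the findings in order."""
    findings = []
    for event in events:
        for check in (check_run_key, check_self_delete):
            result = check(event)
            if result is not None:
                findings.append(result)
    return findings


# Constructed events: the first three mirror the report, the last is benign.
EVENTS = [
    {"type": "registry_set", "pid": 2724, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "details": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"type": "process_create", "pid": 3260, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_pid": 2724, "parent_image": SAMPLE,
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'},
    {"type": "process_create", "pid": 776, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "parent_pid": 3260, "parent_image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": "ping 127.0.0.1"},
    {"type": "registry_set", "pid": 4100, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "details": r"C:\Program Files\Vendor\tray.exe"},
]

if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

Running the script on the constructed events yields exactly two findings: the Run value for MediaCenter.exe (run_key_temp_path) and the cmd.exe line (self_delete_parent, because the del target equals the parent image). The bare "ping 127.0.0.1" child and the vendor Run value produce nothing, which is the point of comparing the del target against the parent rather than alerting on every ping.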
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 4f0bca2f93805a25566e80bfec1998b0
  SHA1: b74a4bc370fa23f7e2fc582a42d069171ba684b3
  SHA256: 2cc64e49d0601ed249c5263d8231d778033ec03da0996edf24f0bccfdcb15ec0
  SHA512: a217d30f1afa58dc52803b11869e1aba4fe3972e818be15c5a37bcc59e29b681c5dbae829bbcc3f4b71904686d860a347203f23ef10dee60d9958c7c750fcfe8