Analysis
- max time kernel: 132s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 04:15

Static task: static1

Behavioral task: behavioral1
  Sample: 15aa71c370943f7823a94da9389383c60273ad6c10cfb4bbcfec021638eb6e53.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 15aa71c370943f7823a94da9389383c60273ad6c10cfb4bbcfec021638eb6e53.exe
  Resource: win10v2004-en-20220113
General
- Target: 15aa71c370943f7823a94da9389383c60273ad6c10cfb4bbcfec021638eb6e53.exe
- Size: 35KB
- MD5: 3c1176118bbe7b3870e5dbb330ab9520
- SHA1: afac36437694a5a61c10a207396a6a134c727dc4
- SHA256: 15aa71c370943f7823a94da9389383c60273ad6c10cfb4bbcfec021638eb6e53
- SHA512: c1a4c4b2fd104e0d385db599c74bbf1541ac8606a660e1f1ce58cfc48388a71112bb6993f6e0b91abccb71c9b499305127ea105522d885c86e692f4a873989f5
Malware Config
Signatures
-
Executes dropped EXE (1 IoCs)
Processes: MediaCenter.exe
  pid   process
  448   MediaCenter.exe
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 15aa71c370943f7823a94da9389383c60273ad6c10cfb4bbcfec021638eb6e53.exe
  description        ioc                                                                                                      process
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation     15aa71c370943f7823a94da9389383c60273ad6c10cfb4bbcfec021638eb6e53.exe
-
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: 15aa71c370943f7823a94da9389383c60273ad6c10cfb4bbcfec021638eb6e53.exe
  description      ioc                                                                                                                                                                process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   15aa71c370943f7823a94da9389383c60273ad6c10cfb4bbcfec021638eb6e53.exe
-
Drops file in Windows directory (8 IoCs)
Processes: svchost.exe, TiWorker.exe
  description                    ioc                                                        process
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm    svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\ReportingEvents.log        svchost.exe
  File opened for modification   C:\Windows\Logs\CBS\CBS.log                                TiWorker.exe
  File opened for modification   C:\Windows\WinSxS\pending.xml                              TiWorker.exe
  File opened for modification   C:\Windows\WindowsUpdate.log                               svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk     svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log     svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.edb    svchost.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe (1 TTPs, 1 IoCs)
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: svchost.exe, TiWorker.exe, 15aa71c370943f7823a94da9389383c60273ad6c10cfb4bbcfec021638eb6e53.exe
  description                          pid    process
  Token: SeShutdownPrivilege           1144   svchost.exe
  Token: SeCreatePagefilePrivilege     1144   svchost.exe
  Token: SeShutdownPrivilege           1144   svchost.exe
  Token: SeCreatePagefilePrivilege     1144   svchost.exe
  Token: SeShutdownPrivilege           1144   svchost.exe
  Token: SeCreatePagefilePrivilege     1144   svchost.exe
  Token: SeSecurityPrivilege           1108   TiWorker.exe
  Token: SeRestorePrivilege            1108   TiWorker.exe
  Token: SeBackupPrivilege             1108   TiWorker.exe
  Token: SeIncBasePriorityPrivilege    4444   15aa71c370943f7823a94da9389383c60273ad6c10cfb4bbcfec021638eb6e53.exe
  Token: SeBackupPrivilege             1108   TiWorker.exe
  Token: SeRestorePrivilege            1108   TiWorker.exe
  Token: SeSecurityPrivilege           1108   TiWorker.exe
  Token: SeBackupPrivilege             1108   TiWorker.exe
  Token: SeRestorePrivilege            1108   TiWorker.exe
  Token: SeSecurityPrivilege           1108   TiWorker.exe
  Token: SeBackupPrivilege             1108   TiWorker.exe
  Token: SeRestorePrivilege            1108   TiWorker.exe
  Token: SeSecurityPrivilege           1108   TiWorker.exe
  Token: SeBackupPrivilege             1108   TiWorker.exe
  Token: SeRestorePrivilege            1108   TiWorker.exe
  Token: SeSecurityPrivilege           1108   TiWorker.exe
  Token: SeBackupPrivilege             1108   TiWorker.exe
  Token: SeRestorePrivilege            1108   TiWorker.exe
  Token: SeSecurityPrivilege           1108   TiWorker.exe
  Token: SeBackupPrivilege             1108   TiWorker.exe
  Token: SeRestorePrivilege            1108   TiWorker.exe
  Token: SeSecurityPrivilege           1108   TiWorker.exe
  Token: SeBackupPrivilege             1108   TiWorker.exe
  Token: SeRestorePrivilege            1108   TiWorker.exe
  Token: SeSecurityPrivilege           1108   TiWorker.exe
  Token: SeBackupPrivilege             1108   TiWorker.exe
  Token: SeRestorePrivilege            1108   TiWorker.exe
  Token: SeSecurityPrivilege           1108   TiWorker.exe
  Token: SeBackupPrivilege             1108   TiWorker.exe
  Token: SeRestorePrivilege            1108   TiWorker.exe
  Token: SeSecurityPrivilege           1108   TiWorker.exe
  Token: SeBackupPrivilege             1108   TiWorker.exe
  Token: SeRestorePrivilege            1108   TiWorker.exe
  Token: SeSecurityPrivilege           1108   TiWorker.exe
  Token: SeBackupPrivilege             1108   TiWorker.exe
  Token: SeRestorePrivilege            1108   TiWorker.exe
  Token: SeSecurityPrivilege           1108   TiWorker.exe
  Token: SeBackupPrivilege             1108   TiWorker.exe
  Token: SeRestorePrivilege            1108   TiWorker.exe
  Token: SeSecurityPrivilege           1108   TiWorker.exe
  Token: SeBackupPrivilege             1108   TiWorker.exe
  Token: SeRestorePrivilege            1108   TiWorker.exe
  Token: SeSecurityPrivilege           1108   TiWorker.exe
  Token: SeBackupPrivilege             1108   TiWorker.exe
  Token: SeRestorePrivilege            1108   TiWorker.exe
  Token: SeSecurityPrivilege           1108   TiWorker.exe
  Token: SeBackupPrivilege             1108   TiWorker.exe
  Token: SeRestorePrivilege            1108   TiWorker.exe
  Token: SeSecurityPrivilege           1108   TiWorker.exe
  Token: SeBackupPrivilege             1108   TiWorker.exe
  Token: SeRestorePrivilege            1108   TiWorker.exe
  Token: SeSecurityPrivilege           1108   TiWorker.exe
  Token: SeBackupPrivilege             1108   TiWorker.exe
  Token: SeRestorePrivilege            1108   TiWorker.exe
  Token: SeSecurityPrivilege           1108   TiWorker.exe
  Token: SeBackupPrivilege             1108   TiWorker.exe
  Token: SeRestorePrivilege            1108   TiWorker.exe
  Token: SeSecurityPrivilege           1108   TiWorker.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 15aa71c370943f7823a94da9389383c60273ad6c10cfb4bbcfec021638eb6e53.exe, cmd.exe
  description                       pid    process                                                                  target process
  PID 4444 wrote to memory of 448   4444   15aa71c370943f7823a94da9389383c60273ad6c10cfb4bbcfec021638eb6e53.exe    MediaCenter.exe
  PID 4444 wrote to memory of 448   4444   15aa71c370943f7823a94da9389383c60273ad6c10cfb4bbcfec021638eb6e53.exe    MediaCenter.exe
  PID 4444 wrote to memory of 448   4444   15aa71c370943f7823a94da9389383c60273ad6c10cfb4bbcfec021638eb6e53.exe    MediaCenter.exe
  PID 4444 wrote to memory of 4976  4444   15aa71c370943f7823a94da9389383c60273ad6c10cfb4bbcfec021638eb6e53.exe    cmd.exe
  PID 4444 wrote to memory of 4976  4444   15aa71c370943f7823a94da9389383c60273ad6c10cfb4bbcfec021638eb6e53.exe    cmd.exe
  PID 4444 wrote to memory of 4976  4444   15aa71c370943f7823a94da9389383c60273ad6c10cfb4bbcfec021638eb6e53.exe    cmd.exe
  PID 4976 wrote to memory of 3000  4976   cmd.exe                                                                  PING.EXE
  PID 4976 wrote to memory of 3000  4976   cmd.exe                                                                  PING.EXE
  PID 4976 wrote to memory of 3000  4976   cmd.exe                                                                  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\15aa71c370943f7823a94da9389383c60273ad6c10cfb4bbcfec021638eb6e53.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\15aa71c370943f7823a94da9389383c60273ad6c10cfb4bbcfec021638eb6e53.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4444
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 448
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15aa71c370943f7823a94da9389383c60273ad6c10cfb4bbcfec021638eb6e53.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4976
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3000
- C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1144
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (depth 1)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1108
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: ca8d13c46e7e85a8a4b4a43f398fc42e
  SHA1: 1c444ce5ef637f8c2aeca00fddc77210cbd5c154
  SHA256: e7dcbc83b72ff5e7abf827b3c001c3d6f575efcdd7adb416a096ac803038a0e0
  SHA512: abdc25dc779546a4ef29560b177e564e35af29dcc64d072d4a00b9c8bcd1652618ac6694d1858a33a17cf6f1abadbf365cb1a34b4f15fca698575a4e734e0060
- MD5: ca8d13c46e7e85a8a4b4a43f398fc42e
  SHA1: 1c444ce5ef637f8c2aeca00fddc77210cbd5c154
  SHA256: e7dcbc83b72ff5e7abf827b3c001c3d6f575efcdd7adb416a096ac803038a0e0
  SHA512: abdc25dc779546a4ef29560b177e564e35af29dcc64d072d4a00b9c8bcd1652618ac6694d1858a33a17cf6f1abadbf365cb1a34b4f15fca698575a4e734e0060