Analysis
- max time kernel: 138s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 04:17

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 159b9eef8b529f676b27b13578bbfdf5b24ea9659aef861f4ff88f16ebf742c4.exe
  - Resource: win7-en-20211208
- Behavioral task: behavioral2
  - Sample: 159b9eef8b529f676b27b13578bbfdf5b24ea9659aef861f4ff88f16ebf742c4.exe
  - Resource: win10v2004-en-20220113
General
- Target: 159b9eef8b529f676b27b13578bbfdf5b24ea9659aef861f4ff88f16ebf742c4.exe
- Size: 58KB
- MD5: fcfdc8f1721f7bc4eec116875c5641fb
- SHA1: bffa64cc0699cfa1c0670e938ca46a4de0bf53f3
- SHA256: 159b9eef8b529f676b27b13578bbfdf5b24ea9659aef861f4ff88f16ebf742c4
- SHA512: 27fef9e7b247475189613fc2de4f4b51b99ffbfe2bb3774127264d1f5c386cc5e10823998c118471541bfa19a84109730efc4c0ce8056773d325b949edacc7a2
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  - PID 4720, process MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - 159b9eef8b529f676b27b13578bbfdf5b24ea9659aef861f4ff88f16ebf742c4.exe: key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - 159b9eef8b529f676b27b13578bbfdf5b24ea9659aef861f4ff88f16ebf742c4.exe: set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Drops file in Windows directory (8 IoCs)
  Processes (all entries are "File opened for modification"):
  - svchost.exe:
    - C:\Windows\WindowsUpdate.log
    - C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
    - C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
    - C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
    - C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm
    - C:\Windows\SoftwareDistribution\ReportingEvents.log
  - TiWorker.exe:
    - C:\Windows\Logs\CBS\CBS.log
    - C:\Windows\WinSxS\pending.xml
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (identical token/PID/process entries collapsed, with the number of occurrences in the last column):
  | Token | PID | Process | Count |
  |---|---|---|---|
  | SeShutdownPrivilege | 1132 | svchost.exe | 3 |
  | SeCreatePagefilePrivilege | 1132 | svchost.exe | 3 |
  | SeIncBasePriorityPrivilege | 2436 | 159b9eef8b529f676b27b13578bbfdf5b24ea9659aef861f4ff88f16ebf742c4.exe | 1 |
  | SeSecurityPrivilege | 3332 | TiWorker.exe | 19 |
  | SeRestorePrivilege | 3332 | TiWorker.exe | 19 |
  | SeBackupPrivilege | 3332 | TiWorker.exe | 19 |
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (each "wrote to memory of" event, with occurrence count):
  | PID | Process | Target PID | Target process | Count |
  |---|---|---|---|---|
  | 2436 | 159b9eef8b529f676b27b13578bbfdf5b24ea9659aef861f4ff88f16ebf742c4.exe | 4720 | MediaCenter.exe | 3 |
  | 2436 | 159b9eef8b529f676b27b13578bbfdf5b24ea9659aef861f4ff88f16ebf742c4.exe | 3932 | cmd.exe | 3 |
  | 3932 | cmd.exe | 3204 | PING.EXE | 3 |
Processes
- C:\Users\Admin\AppData\Local\Temp\159b9eef8b529f676b27b13578bbfdf5b24ea9659aef861f4ff88f16ebf742c4.exe (PID 2436)
  Command line: "C:\Users\Admin\AppData\Local\Temp\159b9eef8b529f676b27b13578bbfdf5b24ea9659aef861f4ff88f16ebf742c4.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 4720)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 3932)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\159b9eef8b529f676b27b13578bbfdf5b24ea9659aef861f4ff88f16ebf742c4.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 3204)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 1132)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 3332)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: d8617dcfca66340769a5e11f218f8a6b
- SHA1: 2742542328c657869017d60eec80b34dd9750d7a
- SHA256: 7a4a93fb7566b9c3b26c4cb034f6dbdec44594946eaef16a48fc759e5e287293
- SHA512: 989ee59a3c05cefe0c2c39d8f27b7a2d94fd4a3481a662a9dfde70fd36484fc23e00675baba65fbdbd6f008977b75886172b6633a34f5640deccb207550eb0e5