Analysis
- max time kernel: 131s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 04:22
Static task: static1
Behavioral task: behavioral1
  Sample: 156a70db2f13d31f0fe932d9cc2f414cf8f76f93f7056c50d6218c52b5d0e802.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 156a70db2f13d31f0fe932d9cc2f414cf8f76f93f7056c50d6218c52b5d0e802.exe
  Resource: win10v2004-en-20220113
General
- Target: 156a70db2f13d31f0fe932d9cc2f414cf8f76f93f7056c50d6218c52b5d0e802.exe
- Size: 58KB
- MD5: 828a65df60539157574421059c6d2376
- SHA1: 2fee5c55e1f81ac1a36b96f0b3e5b6b166231bb0
- SHA256: 156a70db2f13d31f0fe932d9cc2f414cf8f76f93f7056c50d6218c52b5d0e802
- SHA512: 2ef8449c9bc738790ad3447cd829901c2172dcb626b0a3bbc6bc31ef4fbf9187cacbb8429602b9a485bc8baefdf8dd85c2c7b91f3e31b419237bd5a1763f9ae2
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
  Processes:
    pid 4892  MediaCenter.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  156a70db2f13d31f0fe932d9cc2f414cf8f76f93f7056c50d6218c52b5d0e802.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  156a70db2f13d31f0fe932d9cc2f414cf8f76f93f7056c50d6218c52b5d0e802.exe
  WOW6432Node is the 32-bit view of HKLM\SOFTWARE, consistent with a 32-bit sample. The value points at the dropped copy in the user's Temp directory, so persistence survives the deletion of the original file that follows.
-
Drops file in Windows directory (8 IoCs)
  Processes:
    File opened for modification  C:\Windows\WinSxS\pending.xml  TiWorker.exe
    File opened for modification  C:\Windows\WindowsUpdate.log  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log  svchost.exe
    File opened for modification  C:\Windows\Logs\CBS\CBS.log  TiWorker.exe
  Note: every IoC here belongs to svchost.exe (wuauserv) and TiWorker.exe, which run at the root of the process tree rather than under the sample. This is Windows Update and servicing-stack background activity in the sandbox, not sample behaviour.
-
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but no IoC is attributed to a process and the report shows no file encryption or ransom note, so treat it as a weak heuristic.
-
Runs ping.exe (1 TTP, 1 IoC)
  See PING.EXE (PID 2256) in the process tree: the loopback ping only delays the del command that removes the original sample.
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    pid 1552  svchost.exe    Token: SeShutdownPrivilege, SeCreatePagefilePrivilege (alternating, 6 entries)
    pid 3956  156a70db2f13d31f0fe932d9cc2f414cf8f76f93f7056c50d6218c52b5d0e802.exe  Token: SeIncBasePriorityPrivilege (1 entry)
    pid 4076  TiWorker.exe   Token: SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege (repeating, 57 entries)
  Only the single SeIncBasePriorityPrivilege adjustment is the sample's; the rest belong to the Windows Update and servicing-stack processes noted above.
-
Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    PID 3956 (156a70db2f13d31f0fe932d9cc2f414cf8f76f93f7056c50d6218c52b5d0e802.exe) wrote to memory of PID 4892 (MediaCenter.exe)  x3
    PID 3956 (156a70db2f13d31f0fe932d9cc2f414cf8f76f93f7056c50d6218c52b5d0e802.exe) wrote to memory of PID 3568 (cmd.exe)  x3
    PID 3568 (cmd.exe) wrote to memory of PID 2256 (PING.EXE)  x3
  Each of these is a parent writing into a child it has just created; there is no write into a process outside the sample's own tree, so this is process creation rather than injection into a foreign process.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\156a70db2f13d31f0fe932d9cc2f414cf8f76f93f7056c50d6218c52b5d0e802.exe (PID 3956)
    Command line: "C:\Users\Admin\AppData\Local\Temp\156a70db2f13d31f0fe932d9cc2f414cf8f76f93f7056c50d6218c52b5d0e802.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 4892)
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        - Executes dropped EXE
    [2] C:\Windows\SysWOW64\cmd.exe (PID 3568)
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\156a70db2f13d31f0fe932d9cc2f414cf8f76f93f7056c50d6218c52b5d0e802.exe"
        (The sample asked for System32\cmd.exe but got SysWOW64\cmd.exe: WOW64 file-system redirection for a 32-bit process.)
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\PING.EXE (PID 2256)
            Command line: ping 127.0.0.1
            - Runs ping.exe
-
[1] C:\Windows\system32\svchost.exe (PID 1552)
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
-
[1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 4076)
    Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
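The three behaviours the report attributes to the sample itself (a Run key pointing into the user's Temp directory, execution of the dropped MediaCenter.exe, and the cmd.exe "ping 127.0.0.1 & del" chain that removes the original) expressed as detection logic over process-creation and registry events. This is an added example, not code from the sandbox or from the sample; the event records are constructed to mirror the PIDs, paths and command lines in the report (plus one constructed benign Run key as a control), and the rule names and regular expressions are my own.

```python
"""Detection logic for the sample-attributed behaviours in the report above.
Added example; EVENTS is constructed from the report's IoCs, not captured live."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    kind: str                       # "process" (creation) or "registry" (value set)
    pid: int
    image: str                      # image path of the acting process
    cmdline: str = ""
    parent_pid: Optional[int] = None
    key: str = ""                   # registry events only
    value: str = ""


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\156a70db2f13d31f0fe932d9cc2f414cf8f76f93f7056c50d6218c52b5d0e802.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events; PIDs, paths and command lines are taken from the report.
EVENTS = [
    Event("process", 3956, SAMPLE, f'"{SAMPLE}"'),
    Event("registry", 3956, SAMPLE,
          key=r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
              r"\CurrentVersion\Run\MicroMedia", value=DROPPED),
    Event("process", 4892, DROPPED, DROPPED, parent_pid=3956),
    Event("process", 3568, r"C:\Windows\SysWOW64\cmd.exe",
          f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"',
          parent_pid=3956),
    Event("process", 2256, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1",
          parent_pid=3568),
    # Constructed benign control: an installer registering a Program Files binary.
    Event("registry", 1000, r"C:\Program Files\Vendor\setup.exe",
          key=r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
          value=r"C:\Program Files\Vendor\agent.exe"),
]

# Matches both the native and the WOW6432Node view of Run/RunOnce.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\(Local|Roaming)\\|\\Users\\Public\\|\\ProgramData\\", re.I)
# "ping <anything> & del [/flags] <path>.exe": the ping exists only to delay the delete.
PING_THEN_DEL = re.compile(
    r'\bping\b[^&|]*[&|]+\s*del\b[^"]*"?(?P<target>[A-Za-z]:\\[^"]+?\.exe)"?', re.I)


def run_key_to_user_writable(events):
    """Run/RunOnce values (either registry view) whose target is user-writable."""
    return [(e.pid, e.key, e.value) for e in events
            if e.kind == "registry" and RUN_KEY.search(e.key)
            and USER_WRITABLE.search(e.value)]


def dropped_exe_executed(events):
    """A process in a user-writable directory started by a parent that also
    lives in one (the sample launching MediaCenter.exe from its own Temp dir)."""
    by_pid = {e.pid: e for e in events if e.kind == "process"}
    hits = []
    for e in by_pid.values():
        parent = by_pid.get(e.parent_pid)
        if parent and USER_WRITABLE.search(e.image) and USER_WRITABLE.search(parent.image):
            hits.append((e.pid, parent.pid, e.image))
    return hits


def self_delete_via_ping(events):
    """cmd.exe whose ping-then-del target is its own parent's image path."""
    by_pid = {e.pid: e for e in events if e.kind == "process"}
    hits = []
    for e in by_pid.values():
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = PING_THEN_DEL.search(e.cmdline)
        parent = by_pid.get(e.parent_pid)
        if m and parent and m.group("target").lower() == parent.image.lower():
            hits.append((e.pid, parent.pid, m.group("target")))
    return hits


def triage(events):
    """Run every rule and return its hits keyed by rule name."""
    return {
        "run_key_user_writable": run_key_to_user_writable(events),
        "dropped_exe_executed": dropped_exe_executed(events),
        "self_delete_via_ping": self_delete_via_ping(events),
    }


if __name__ == "__main__":
    for rule, hits in triage(EVENTS).items():
        print(rule, hits)
```

The self-deletion rule deliberately requires the del target to equal the parent's image path: "ping & del" on its own is a common cleanup idiom in installers, while a process asking a child to delete the parent's own binary is rarely legitimate. The Run-key rule matches the WOW6432Node path as well as the native one, since 32-bit samples like this one land in the redirected view.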
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: 0d7e4fc0b732b138cc68a385f821531f
SHA1: 7af7a2e9f609fa46d14e5ad9fc03b17e83688e49
SHA256: 7b0972c49ee4749027ef8201b4b288bb2f3051241452953d9db7b31f7514a45a
SHA512: fb7bf5ab2ca41bd42abb797bad6d676481136ad84f318fb36c2c50cf706c0f898e52e98fe01b30f6d2a2567250bc1f84dcffe111da522c6b82d7edb64a023364
These hashes differ from the submitted sample's, so this is a distinct file; the report does not name it.