Analysis
- max time kernel: 128s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 05:25
Static task: static1
Behavioral task: behavioral1
- Sample: 12ccff0a2ab026d52cb4befb2c56302c1c01eff592b5529ebe57b69dd232c3f9.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 12ccff0a2ab026d52cb4befb2c56302c1c01eff592b5529ebe57b69dd232c3f9.exe
- Resource: win10v2004-en-20220113
General
- Target: 12ccff0a2ab026d52cb4befb2c56302c1c01eff592b5529ebe57b69dd232c3f9.exe
- Size: 58KB
- MD5: a66d2231013445452a0b71f9c18f74d5
- SHA1: 7aff0a61e53414c3b5a42f91fec9554deaa3ea09
- SHA256: 12ccff0a2ab026d52cb4befb2c56302c1c01eff592b5529ebe57b69dd232c3f9
- SHA512: 21c99561a8a8d0e63c2928d7498a241f6051e60d977df62e33232ea009f562560fa23d238c7dfd166f85cc3458b40acd9e3ded2d2c8a5faf988d5296a8ea8562
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  pid  | process
  1052 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description       | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 12ccff0a2ab026d52cb4befb2c56302c1c01eff592b5529ebe57b69dd232c3f9.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description     | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 12ccff0a2ab026d52cb4befb2c56302c1c01eff592b5529ebe57b69dd232c3f9.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
  description                  | ioc | process
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description                      | pid  | process | target process
  PID 4004 wrote to memory of 1052 | 4004 | 12ccff0a2ab026d52cb4befb2c56302c1c01eff592b5529ebe57b69dd232c3f9.exe | MediaCenter.exe
  PID 4004 wrote to memory of 1052 | 4004 | 12ccff0a2ab026d52cb4befb2c56302c1c01eff592b5529ebe57b69dd232c3f9.exe | MediaCenter.exe
  PID 4004 wrote to memory of 1052 | 4004 | 12ccff0a2ab026d52cb4befb2c56302c1c01eff592b5529ebe57b69dd232c3f9.exe | MediaCenter.exe
  PID 4004 wrote to memory of 3500 | 4004 | 12ccff0a2ab026d52cb4befb2c56302c1c01eff592b5529ebe57b69dd232c3f9.exe | cmd.exe
  PID 4004 wrote to memory of 3500 | 4004 | 12ccff0a2ab026d52cb4befb2c56302c1c01eff592b5529ebe57b69dd232c3f9.exe | cmd.exe
  PID 4004 wrote to memory of 3500 | 4004 | 12ccff0a2ab026d52cb4befb2c56302c1c01eff592b5529ebe57b69dd232c3f9.exe | cmd.exe
  PID 3500 wrote to memory of 1148 | 3500 | cmd.exe | PING.EXE
  PID 3500 wrote to memory of 1148 | 3500 | cmd.exe | PING.EXE
  PID 3500 wrote to memory of 1148 | 3500 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\12ccff0a2ab026d52cb4befb2c56302c1c01eff592b5529ebe57b69dd232c3f9.exe (PID 4004)
  Command line: "C:\Users\Admin\AppData\Local\Temp\12ccff0a2ab026d52cb4befb2c56302c1c01eff592b5529ebe57b69dd232c3f9.exe"
  Signatures:
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1052)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures:
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 3500)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\12ccff0a2ab026d52cb4befb2c56302c1c01eff592b5529ebe57b69dd232c3f9.exe"
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\PING.EXE (PID 1148)
      Command line: ping 127.0.0.1
      Signatures:
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 1348)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 4492)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 1b887dd250bbacfc2e5575b9cb3e06dc
  SHA1: b5d07896c6a23fee11cf0c45bf075a61fa136e81
  SHA256: 4a04b7e50d85a7233f2c23bad9c140d06fab7b61ae7eb0b070dd2259118334fb
  SHA512: 3fdf034888135b4995f093bcb9e544737d2dd46578ceb685ba40bccc72fe13f0e4e1f00a7f33bbd08ec643451ef25ef1249f10f5063a1c391f2bbb2f16fc5860