Analysis
- max time kernel: 136s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 05:33
Static task: static1
Behavioral task: behavioral1
- Sample: 125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c.exe
- Resource: win10v2004-en-20220113
General
- Target: 125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c.exe
- Size: 35KB
- MD5: 0c1eb61d71487c65a019b983c432c7cc
- SHA1: 05377f2f0015817a69608a18bb1ba1b994bceb8a
- SHA256: 125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c
- SHA512: fad99f54c820a524b78b4f8e4da4abd03608b1bf9a4910423b30523710831d5646bbd0b1778d119867ec908c9f83384dcc2e44de32f4d4653c66caa9ed311546
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid  | process
    1836 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description       | ioc                                                                                                       | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description     | ioc                                                                                                                                                               | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
    description                  | ioc                                                          | process
    File opened for modification | C:\Windows\WinSxS\pending.xml                                | TiWorker.exe
    File opened for modification | C:\Windows\WindowsUpdate.log                                 | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk       | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log       | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb      | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm      | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log          | svchost.exe
    File opened for modification | C:\Windows\Logs\CBS\CBS.log                                  | TiWorker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    description                       | pid | process
    Token: SeIncBasePriorityPrivilege | 408 | 125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c.exe
    Token: SeShutdownPrivilege        | 624 | svchost.exe
    Token: SeCreatePagefilePrivilege  | 624 | svchost.exe
    Token: SeShutdownPrivilege        | 624 | svchost.exe
    Token: SeCreatePagefilePrivilege  | 624 | svchost.exe
    Token: SeShutdownPrivilege        | 624 | svchost.exe
    Token: SeCreatePagefilePrivilege  | 624 | svchost.exe
    Token: SeSecurityPrivilege        | 456 | TiWorker.exe
    Token: SeRestorePrivilege         | 456 | TiWorker.exe
    Token: SeBackupPrivilege          | 456 | TiWorker.exe
    Token: SeBackupPrivilege          | 456 | TiWorker.exe
    Token: SeRestorePrivilege         | 456 | TiWorker.exe
    Token: SeSecurityPrivilege        | 456 | TiWorker.exe
    Token: SeBackupPrivilege          | 456 | TiWorker.exe
    Token: SeRestorePrivilege         | 456 | TiWorker.exe
    Token: SeSecurityPrivilege        | 456 | TiWorker.exe
    Token: SeBackupPrivilege          | 456 | TiWorker.exe
    Token: SeRestorePrivilege         | 456 | TiWorker.exe
    Token: SeSecurityPrivilege        | 456 | TiWorker.exe
    Token: SeBackupPrivilege          | 456 | TiWorker.exe
    Token: SeRestorePrivilege         | 456 | TiWorker.exe
    Token: SeSecurityPrivilege        | 456 | TiWorker.exe
    Token: SeBackupPrivilege          | 456 | TiWorker.exe
    Token: SeRestorePrivilege         | 456 | TiWorker.exe
    Token: SeSecurityPrivilege        | 456 | TiWorker.exe
    Token: SeBackupPrivilege          | 456 | TiWorker.exe
    Token: SeRestorePrivilege         | 456 | TiWorker.exe
    Token: SeSecurityPrivilege        | 456 | TiWorker.exe
    Token: SeBackupPrivilege          | 456 | TiWorker.exe
    Token: SeRestorePrivilege         | 456 | TiWorker.exe
    Token: SeSecurityPrivilege        | 456 | TiWorker.exe
    Token: SeBackupPrivilege          | 456 | TiWorker.exe
    Token: SeRestorePrivilege         | 456 | TiWorker.exe
    Token: SeSecurityPrivilege        | 456 | TiWorker.exe
    Token: SeBackupPrivilege          | 456 | TiWorker.exe
    Token: SeRestorePrivilege         | 456 | TiWorker.exe
    Token: SeSecurityPrivilege        | 456 | TiWorker.exe
    Token: SeBackupPrivilege          | 456 | TiWorker.exe
    Token: SeRestorePrivilege         | 456 | TiWorker.exe
    Token: SeSecurityPrivilege        | 456 | TiWorker.exe
    Token: SeBackupPrivilege          | 456 | TiWorker.exe
    Token: SeRestorePrivilege         | 456 | TiWorker.exe
    Token: SeSecurityPrivilege        | 456 | TiWorker.exe
    Token: SeBackupPrivilege          | 456 | TiWorker.exe
    Token: SeRestorePrivilege         | 456 | TiWorker.exe
    Token: SeSecurityPrivilege        | 456 | TiWorker.exe
    Token: SeBackupPrivilege          | 456 | TiWorker.exe
    Token: SeRestorePrivilege         | 456 | TiWorker.exe
    Token: SeSecurityPrivilege        | 456 | TiWorker.exe
    Token: SeBackupPrivilege          | 456 | TiWorker.exe
    Token: SeRestorePrivilege         | 456 | TiWorker.exe
    Token: SeSecurityPrivilege        | 456 | TiWorker.exe
    Token: SeBackupPrivilege          | 456 | TiWorker.exe
    Token: SeRestorePrivilege         | 456 | TiWorker.exe
    Token: SeSecurityPrivilege        | 456 | TiWorker.exe
    Token: SeBackupPrivilege          | 456 | TiWorker.exe
    Token: SeRestorePrivilege         | 456 | TiWorker.exe
    Token: SeSecurityPrivilege        | 456 | TiWorker.exe
    Token: SeBackupPrivilege          | 456 | TiWorker.exe
    Token: SeRestorePrivilege         | 456 | TiWorker.exe
    Token: SeSecurityPrivilege        | 456 | TiWorker.exe
    Token: SeBackupPrivilege          | 456 | TiWorker.exe
    Token: SeRestorePrivilege         | 456 | TiWorker.exe
    Token: SeSecurityPrivilege        | 456 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                   | pid  | process                                                              | target process
    PID 408 wrote to memory of 1836  | 408  | 125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c.exe | MediaCenter.exe
    PID 408 wrote to memory of 1836  | 408  | 125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c.exe | MediaCenter.exe
    PID 408 wrote to memory of 1836  | 408  | 125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c.exe | MediaCenter.exe
    PID 408 wrote to memory of 1492  | 408  | 125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c.exe | cmd.exe
    PID 408 wrote to memory of 1492  | 408  | 125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c.exe | cmd.exe
    PID 408 wrote to memory of 1492  | 408  | 125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c.exe | cmd.exe
    PID 1492 wrote to memory of 812  | 1492 | cmd.exe                                                              | PING.EXE
    PID 1492 wrote to memory of 812  | 1492 | cmd.exe                                                              | PING.EXE
    PID 1492 wrote to memory of 812  | 1492 | cmd.exe                                                              | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c.exe"
  PID: 408
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1836
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c.exe"
    PID: 1492
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 812
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 624
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 456
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 2d987c41f907c9ff20469b7904594225
- SHA1: 4d47976b8dd9758031bc9b7c12b9c17634186caf
- SHA256: 4a52dd6779cf15288147b6aefa25b6ab52af2bee78d531f04c3d0fd3ed1fc55a
- SHA512: 383cf0298335fed564d43d75e4aa35aef68ebc4a76296740308359d874afc90d275d0d023fad780347535c150ae5eb03ade354bb4825754a6f827d1c14da3280