Analysis
  max time kernel: 132s
  max time network: 166s
  platform: windows10-2004_x64
  resource: win10v2004-en-20220113
  submitted: 12-02-2022 05:32
Static task: static1
Behavioral task: behavioral1
  Sample: 1266c5db7594b9610c0ba0d218c766f97a1e0c6c82ab90ebc6f0bc6239b82529.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1266c5db7594b9610c0ba0d218c766f97a1e0c6c82ab90ebc6f0bc6239b82529.exe
  Resource: win10v2004-en-20220113
General
  Target: 1266c5db7594b9610c0ba0d218c766f97a1e0c6c82ab90ebc6f0bc6239b82529.exe
  Size: 58KB
  MD5: bfac929946e46258723f7f61e7ceef63
  SHA1: a782fb4cea03db43c1db60dc0502ee975a7d9090
  SHA256: 1266c5db7594b9610c0ba0d218c766f97a1e0c6c82ab90ebc6f0bc6239b82529
  SHA512: 263a4cf6fffc890c9e23de957ff621ba08e8b4be746ca1c4c2a944c6623ee4d3ca5e7b7ff76b8ba0e659a1d747bca6d3b43cb510cfe2f1f1af7c6281d592cf8e
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  Processes:
    PID 4716  MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
    Process: 1266c5db7594b9610c0ba0d218c766f97a1e0c6c82ab90ebc6f0bc6239b82529.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    Process: 1266c5db7594b9610c0ba0d218c766f97a1e0c6c82ab90ebc6f0bc6239b82529.exe
Drops file in Windows directory (8 IoCs)
  Processes (description | IoC | process):
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
    File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
    File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
    File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes, distinct token adjustments (description | PID | process):
    Token: SeShutdownPrivilege | 2280 | svchost.exe
    Token: SeCreatePagefilePrivilege | 2280 | svchost.exe
    Token: SeSecurityPrivilege | 4696 | TiWorker.exe
    Token: SeRestorePrivilege | 4696 | TiWorker.exe
    Token: SeBackupPrivilege | 4696 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | PID | process | target process):
    PID 4736 wrote to memory of 4716 | 4736 | 1266c5db7594b9610c0ba0d218c766f97a1e0c6c82ab90ebc6f0bc6239b82529.exe | MediaCenter.exe
    PID 4736 wrote to memory of 4716 | 4736 | 1266c5db7594b9610c0ba0d218c766f97a1e0c6c82ab90ebc6f0bc6239b82529.exe | MediaCenter.exe
    PID 4736 wrote to memory of 4716 | 4736 | 1266c5db7594b9610c0ba0d218c766f97a1e0c6c82ab90ebc6f0bc6239b82529.exe | MediaCenter.exe
    PID 4736 wrote to memory of 2176 | 4736 | 1266c5db7594b9610c0ba0d218c766f97a1e0c6c82ab90ebc6f0bc6239b82529.exe | cmd.exe
    PID 4736 wrote to memory of 2176 | 4736 | 1266c5db7594b9610c0ba0d218c766f97a1e0c6c82ab90ebc6f0bc6239b82529.exe | cmd.exe
    PID 4736 wrote to memory of 2176 | 4736 | 1266c5db7594b9610c0ba0d218c766f97a1e0c6c82ab90ebc6f0bc6239b82529.exe | cmd.exe
    PID 2176 wrote to memory of 2328 | 2176 | cmd.exe | PING.EXE
    PID 2176 wrote to memory of 2328 | 2176 | cmd.exe | PING.EXE
    PID 2176 wrote to memory of 2328 | 2176 | cmd.exe | PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\1266c5db7594b9610c0ba0d218c766f97a1e0c6c82ab90ebc6f0bc6239b82529.exe (level 1, PID 4736)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1266c5db7594b9610c0ba0d218c766f97a1e0c6c82ab90ebc6f0bc6239b82529.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2, PID 4716)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe (level 2, PID 2176)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1266c5db7594b9610c0ba0d218c766f97a1e0c6c82ab90ebc6f0bc6239b82529.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE (level 3, PID 2328)
      Command line: ping 127.0.0.1
      - Runs ping.exe

C:\Windows\system32\svchost.exe (level 1, PID 2280)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (level 1, PID 4696)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
  MD5: 3dbf6f8ac94c16fee5cfd11bea05fd75
  SHA1: f64dbf6022ba66fa09897d65d52dab45bc07d5bd
  SHA256: f75b9a142ab9d87e6496055aec78dba4e6d76e53b7c52ff8b6b5f765f65da603
  SHA512: 78ef7dc910fba40e89735714c3a293036882bc183b868e2bcf5c5ed4150ddf4018feed595c6d4eb4a8cc386ede004680536bc6b78b93e03dab8c684377b26c0f