Analysis
max time kernel: 133s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 05:35

Static task: static1

Behavioral task: behavioral1
  Sample: 124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe
  Resource: win10v2004-en-20220113
General
Target: 124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe
Size: 58KB
MD5: d376819fef49c1655282ae0bb9149038
SHA1: db953b827f759d146baf25c15a812b4f9e914c5e
SHA256: 124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5
SHA512: 4410f94d322be8ce0e142a46077a247c0beff37da9954f9396c90f5bd2c24e733915a317256fa6d516316a5a947023e8cd67e93ac1ccd8b9d18ce0dc0d65a4c8
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  5024  MediaCenter.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                            process
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description      ioc                                                                                                                                                        process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe

Drops file in Windows directory (8 IoCs)
Processes:
  description                   ioc                                                          process
  File opened for modification  C:\Windows\WinSxS\pending.xml                                TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log                                 svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk       svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log       svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb      svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm      svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log          svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log                                  TiWorker.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description                        pid   process
  Token: SeShutdownPrivilege         4300  svchost.exe
  Token: SeCreatePagefilePrivilege   4300  svchost.exe
  Token: SeShutdownPrivilege         4300  svchost.exe
  Token: SeCreatePagefilePrivilege   4300  svchost.exe
  Token: SeShutdownPrivilege         4300  svchost.exe
  Token: SeCreatePagefilePrivilege   4300  svchost.exe
  Token: SeSecurityPrivilege         1892  TiWorker.exe
  Token: SeRestorePrivilege          1892  TiWorker.exe
  Token: SeBackupPrivilege           1892  TiWorker.exe
  Token: SeBackupPrivilege           1892  TiWorker.exe
  Token: SeRestorePrivilege          1892  TiWorker.exe
  Token: SeSecurityPrivilege         1892  TiWorker.exe
  Token: SeBackupPrivilege           1892  TiWorker.exe
  Token: SeRestorePrivilege          1892  TiWorker.exe
  Token: SeSecurityPrivilege         1892  TiWorker.exe
  Token: SeBackupPrivilege           1892  TiWorker.exe
  Token: SeRestorePrivilege          1892  TiWorker.exe
  Token: SeSecurityPrivilege         1892  TiWorker.exe
  Token: SeBackupPrivilege           1892  TiWorker.exe
  Token: SeRestorePrivilege          1892  TiWorker.exe
  Token: SeSecurityPrivilege         1892  TiWorker.exe
  Token: SeBackupPrivilege           1892  TiWorker.exe
  Token: SeRestorePrivilege          1892  TiWorker.exe
  Token: SeSecurityPrivilege         1892  TiWorker.exe
  Token: SeIncBasePriorityPrivilege  536   124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe
  Token: SeBackupPrivilege           1892  TiWorker.exe
  Token: SeRestorePrivilege          1892  TiWorker.exe
  Token: SeSecurityPrivilege         1892  TiWorker.exe
  Token: SeBackupPrivilege           1892  TiWorker.exe
  Token: SeRestorePrivilege          1892  TiWorker.exe
  Token: SeSecurityPrivilege         1892  TiWorker.exe
  Token: SeBackupPrivilege           1892  TiWorker.exe
  Token: SeRestorePrivilege          1892  TiWorker.exe
  Token: SeSecurityPrivilege         1892  TiWorker.exe
  Token: SeBackupPrivilege           1892  TiWorker.exe
  Token: SeRestorePrivilege          1892  TiWorker.exe
  Token: SeSecurityPrivilege         1892  TiWorker.exe
  Token: SeBackupPrivilege           1892  TiWorker.exe
  Token: SeRestorePrivilege          1892  TiWorker.exe
  Token: SeSecurityPrivilege         1892  TiWorker.exe
  Token: SeBackupPrivilege           1892  TiWorker.exe
  Token: SeRestorePrivilege          1892  TiWorker.exe
  Token: SeSecurityPrivilege         1892  TiWorker.exe
  Token: SeBackupPrivilege           1892  TiWorker.exe
  Token: SeRestorePrivilege          1892  TiWorker.exe
  Token: SeSecurityPrivilege         1892  TiWorker.exe
  Token: SeBackupPrivilege           1892  TiWorker.exe
  Token: SeRestorePrivilege          1892  TiWorker.exe
  Token: SeSecurityPrivilege         1892  TiWorker.exe
  Token: SeBackupPrivilege           1892  TiWorker.exe
  Token: SeRestorePrivilege          1892  TiWorker.exe
  Token: SeSecurityPrivilege         1892  TiWorker.exe
  Token: SeBackupPrivilege           1892  TiWorker.exe
  Token: SeRestorePrivilege          1892  TiWorker.exe
  Token: SeSecurityPrivilege         1892  TiWorker.exe
  Token: SeBackupPrivilege           1892  TiWorker.exe
  Token: SeRestorePrivilege          1892  TiWorker.exe
  Token: SeSecurityPrivilege         1892  TiWorker.exe
  Token: SeBackupPrivilege           1892  TiWorker.exe
  Token: SeRestorePrivilege          1892  TiWorker.exe
  Token: SeSecurityPrivilege         1892  TiWorker.exe
  Token: SeBackupPrivilege           1892  TiWorker.exe
  Token: SeRestorePrivilege          1892  TiWorker.exe
  Token: SeSecurityPrivilege         1892  TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                        pid  process                                                                target process
  PID 536 wrote to memory of 5024    536  124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe  MediaCenter.exe
  PID 536 wrote to memory of 5024    536  124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe  MediaCenter.exe
  PID 536 wrote to memory of 5024    536  124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe  MediaCenter.exe
  PID 536 wrote to memory of 992     536  124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe  cmd.exe
  PID 536 wrote to memory of 992     536  124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe  cmd.exe
  PID 536 wrote to memory of 992     536  124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe  cmd.exe
  PID 992 wrote to memory of 2596    992  cmd.exe                                                                PING.EXE
  PID 992 wrote to memory of 2596    992  cmd.exe                                                                PING.EXE
  PID 992 wrote to memory of 2596    992  cmd.exe                                                                PING.EXE
Processes

- C:\Users\Admin\AppData\Local\Temp\124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe (PID 536)
  Command line: "C:\Users\Admin\AppData\Local\Temp\124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 5024)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  - C:\Windows\SysWOW64\cmd.exe (PID 992)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe"
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\PING.EXE (PID 2596)
      Command line: ping 127.0.0.1
      - Runs ping.exe

- C:\Windows\system32\svchost.exe (PID 4300)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 1892)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: cb6a846428c679bbeba182008d932881
SHA1: 0674a87a9479719e56d8cc9422838e5f7c626fa4
SHA256: ecb6c91c78c0c98805571d884fb646515ef74328e677e27fb7ca59861053ca53
SHA512: 43eeb6d48ad8aab832a91733393e305c715d02ad56ca6b37971f4008a3eab64a20d94136800d697abdb8040af11d6a83e1281b3d374aecd42c3fe6ee2c9b9e8b