Analysis
- max time kernel: 153s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 04:39
Static task: static1
Behavioral task: behavioral1
- Sample: 14e1581f3143866e93dc1a54aa1aaf32113a6c0da4511b8f5a39db631a13212b.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 14e1581f3143866e93dc1a54aa1aaf32113a6c0da4511b8f5a39db631a13212b.exe
- Resource: win10v2004-en-20220113
General
- Target: 14e1581f3143866e93dc1a54aa1aaf32113a6c0da4511b8f5a39db631a13212b.exe
- Size: 35KB
- MD5: 96b95ac7fc5ad2ca41fbaa5b87734002
- SHA1: fb20cbe463c21d599a4a9f3daead87cb33548499
- SHA256: 14e1581f3143866e93dc1a54aa1aaf32113a6c0da4511b8f5a39db631a13212b
- SHA512: 41f4d08564b7aea8cb369d945bf264143c23b2c7fbca516e5b6048d571bd880eaec32a461267d1fdfbe307db0a6914a6fa027b83fe0adca51ba32b54865d2f04
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  pid   process
  1276  MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 14e1581f3143866e93dc1a54aa1aaf32113a6c0da4511b8f5a39db631a13212b.exe
  description        ioc                                                                                                   process
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  14e1581f3143866e93dc1a54aa1aaf32113a6c0da4511b8f5a39db631a13212b.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 14e1581f3143866e93dc1a54aa1aaf32113a6c0da4511b8f5a39db631a13212b.exe
  description      ioc                                                                                                                                                                          process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  14e1581f3143866e93dc1a54aa1aaf32113a6c0da4511b8f5a39db631a13212b.exe
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
  description                    ioc                                                            process
  File opened for modification   C:\Windows\SoftwareDistribution\ReportingEvents.log            svchost.exe
  File opened for modification   C:\Windows\Logs\CBS\CBS.log                                    TiWorker.exe
  File opened for modification   C:\Windows\WinSxS\pending.xml                                  TiWorker.exe
  File opened for modification   C:\Windows\WindowsUpdate.log                                   svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk         svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log         svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.edb        svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm        svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, 14e1581f3143866e93dc1a54aa1aaf32113a6c0da4511b8f5a39db631a13212b.exe, TiWorker.exe
  description                        pid   process
  Token: SeShutdownPrivilege         2228  svchost.exe
  Token: SeCreatePagefilePrivilege   2228  svchost.exe
  Token: SeShutdownPrivilege         2228  svchost.exe
  Token: SeCreatePagefilePrivilege   2228  svchost.exe
  Token: SeShutdownPrivilege         2228  svchost.exe
  Token: SeCreatePagefilePrivilege   2228  svchost.exe
  Token: SeIncBasePriorityPrivilege  1788  14e1581f3143866e93dc1a54aa1aaf32113a6c0da4511b8f5a39db631a13212b.exe
  Token: SeSecurityPrivilege         3064  TiWorker.exe
  Token: SeRestorePrivilege          3064  TiWorker.exe
  Token: SeBackupPrivilege           3064  TiWorker.exe
  Token: SeBackupPrivilege           3064  TiWorker.exe
  Token: SeRestorePrivilege          3064  TiWorker.exe
  Token: SeSecurityPrivilege         3064  TiWorker.exe
  Token: SeBackupPrivilege           3064  TiWorker.exe
  Token: SeRestorePrivilege          3064  TiWorker.exe
  Token: SeSecurityPrivilege         3064  TiWorker.exe
  Token: SeBackupPrivilege           3064  TiWorker.exe
  Token: SeRestorePrivilege          3064  TiWorker.exe
  Token: SeSecurityPrivilege         3064  TiWorker.exe
  Token: SeBackupPrivilege           3064  TiWorker.exe
  Token: SeRestorePrivilege          3064  TiWorker.exe
  Token: SeSecurityPrivilege         3064  TiWorker.exe
  Token: SeBackupPrivilege           3064  TiWorker.exe
  Token: SeRestorePrivilege          3064  TiWorker.exe
  Token: SeSecurityPrivilege         3064  TiWorker.exe
  Token: SeBackupPrivilege           3064  TiWorker.exe
  Token: SeRestorePrivilege          3064  TiWorker.exe
  Token: SeSecurityPrivilege         3064  TiWorker.exe
  Token: SeBackupPrivilege           3064  TiWorker.exe
  Token: SeRestorePrivilege          3064  TiWorker.exe
  Token: SeSecurityPrivilege         3064  TiWorker.exe
  Token: SeBackupPrivilege           3064  TiWorker.exe
  Token: SeRestorePrivilege          3064  TiWorker.exe
  Token: SeSecurityPrivilege         3064  TiWorker.exe
  Token: SeBackupPrivilege           3064  TiWorker.exe
  Token: SeRestorePrivilege          3064  TiWorker.exe
  Token: SeSecurityPrivilege         3064  TiWorker.exe
  Token: SeBackupPrivilege           3064  TiWorker.exe
  Token: SeRestorePrivilege          3064  TiWorker.exe
  Token: SeSecurityPrivilege         3064  TiWorker.exe
  Token: SeBackupPrivilege           3064  TiWorker.exe
  Token: SeRestorePrivilege          3064  TiWorker.exe
  Token: SeSecurityPrivilege         3064  TiWorker.exe
  Token: SeBackupPrivilege           3064  TiWorker.exe
  Token: SeRestorePrivilege          3064  TiWorker.exe
  Token: SeSecurityPrivilege         3064  TiWorker.exe
  Token: SeBackupPrivilege           3064  TiWorker.exe
  Token: SeRestorePrivilege          3064  TiWorker.exe
  Token: SeSecurityPrivilege         3064  TiWorker.exe
  Token: SeBackupPrivilege           3064  TiWorker.exe
  Token: SeRestorePrivilege          3064  TiWorker.exe
  Token: SeSecurityPrivilege         3064  TiWorker.exe
  Token: SeBackupPrivilege           3064  TiWorker.exe
  Token: SeRestorePrivilege          3064  TiWorker.exe
  Token: SeSecurityPrivilege         3064  TiWorker.exe
  Token: SeBackupPrivilege           3064  TiWorker.exe
  Token: SeRestorePrivilege          3064  TiWorker.exe
  Token: SeSecurityPrivilege         3064  TiWorker.exe
  Token: SeBackupPrivilege           3064  TiWorker.exe
  Token: SeRestorePrivilege          3064  TiWorker.exe
  Token: SeSecurityPrivilege         3064  TiWorker.exe
  Token: SeBackupPrivilege           3064  TiWorker.exe
  Token: SeRestorePrivilege          3064  TiWorker.exe
  Token: SeSecurityPrivilege         3064  TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 14e1581f3143866e93dc1a54aa1aaf32113a6c0da4511b8f5a39db631a13212b.exe, cmd.exe
  description                      pid   process                                                                target process
  PID 1788 wrote to memory of 1276  1788  14e1581f3143866e93dc1a54aa1aaf32113a6c0da4511b8f5a39db631a13212b.exe  MediaCenter.exe
  PID 1788 wrote to memory of 1276  1788  14e1581f3143866e93dc1a54aa1aaf32113a6c0da4511b8f5a39db631a13212b.exe  MediaCenter.exe
  PID 1788 wrote to memory of 1276  1788  14e1581f3143866e93dc1a54aa1aaf32113a6c0da4511b8f5a39db631a13212b.exe  MediaCenter.exe
  PID 1788 wrote to memory of 2348  1788  14e1581f3143866e93dc1a54aa1aaf32113a6c0da4511b8f5a39db631a13212b.exe  cmd.exe
  PID 1788 wrote to memory of 2348  1788  14e1581f3143866e93dc1a54aa1aaf32113a6c0da4511b8f5a39db631a13212b.exe  cmd.exe
  PID 1788 wrote to memory of 2348  1788  14e1581f3143866e93dc1a54aa1aaf32113a6c0da4511b8f5a39db631a13212b.exe  cmd.exe
  PID 2348 wrote to memory of 824   2348  cmd.exe                                                                PING.EXE
  PID 2348 wrote to memory of 824   2348  cmd.exe                                                                PING.EXE
  PID 2348 wrote to memory of 824   2348  cmd.exe                                                                PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\14e1581f3143866e93dc1a54aa1aaf32113a6c0da4511b8f5a39db631a13212b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\14e1581f3143866e93dc1a54aa1aaf32113a6c0da4511b8f5a39db631a13212b.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1788
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1276
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14e1581f3143866e93dc1a54aa1aaf32113a6c0da4511b8f5a39db631a13212b.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2348
    Child processes:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 824
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2228
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3064
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 25fb5335ce0556a18e4cd61628a6d8af
  SHA1: b88f2b168b7302fac39e72b437185b50a547929a
  SHA256: 19e928a7689ceeae52e9eecf55ec213c5c2dd6d84a3975c9c4d7142390c9107e
  SHA512: 84fa56b36f18b68f15aefc24cdc8faa1958c3587568be255c9df445a09f8ee170f64d392004d6e30bd6c05c876a0965afd4130bf6ccb166f48c74c262c540fa6