Analysis
-
max time kernel
143s -
max time network
166s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 04:50
Static task
static1
Behavioral task
behavioral1
Sample
1445dd410bb1eb9cb78c3a48db7a35f63c7aea2a3362e2c0e863cc78eed4b13f.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
1445dd410bb1eb9cb78c3a48db7a35f63c7aea2a3362e2c0e863cc78eed4b13f.exe
Resource
win10v2004-en-20220113
General
-
Target
1445dd410bb1eb9cb78c3a48db7a35f63c7aea2a3362e2c0e863cc78eed4b13f.exe
-
Size
35KB
-
MD5
bf5cc2eededf22c913f500b744b51bcd
-
SHA1
5bc6be9aa45ab842edd274f67847814292eda450
-
SHA256
1445dd410bb1eb9cb78c3a48db7a35f63c7aea2a3362e2c0e863cc78eed4b13f
-
SHA512
01bdfda49e8181f9513ef083525dfcda239dba7d3960f3aeb8650f258f82169c1146ee1e14f0175a8771f7faef4445a2f2470b82533c8340ccc1df1176f71be3
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1544 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
1445dd410bb1eb9cb78c3a48db7a35f63c7aea2a3362e2c0e863cc78eed4b13f.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 1445dd410bb1eb9cb78c3a48db7a35f63c7aea2a3362e2c0e863cc78eed4b13f.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
1445dd410bb1eb9cb78c3a48db7a35f63c7aea2a3362e2c0e863cc78eed4b13f.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 1445dd410bb1eb9cb78c3a48db7a35f63c7aea2a3362e2c0e863cc78eed4b13f.exe -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exe1445dd410bb1eb9cb78c3a48db7a35f63c7aea2a3362e2c0e863cc78eed4b13f.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 3620 svchost.exe Token: SeCreatePagefilePrivilege 3620 svchost.exe Token: SeShutdownPrivilege 3620 svchost.exe Token: SeCreatePagefilePrivilege 3620 svchost.exe Token: SeShutdownPrivilege 3620 svchost.exe Token: SeCreatePagefilePrivilege 3620 svchost.exe Token: SeIncBasePriorityPrivilege 456 1445dd410bb1eb9cb78c3a48db7a35f63c7aea2a3362e2c0e863cc78eed4b13f.exe Token: SeSecurityPrivilege 1640 TiWorker.exe Token: SeRestorePrivilege 1640 TiWorker.exe Token: SeBackupPrivilege 1640 TiWorker.exe Token: SeBackupPrivilege 1640 TiWorker.exe Token: SeRestorePrivilege 1640 TiWorker.exe Token: SeSecurityPrivilege 1640 TiWorker.exe Token: SeBackupPrivilege 1640 TiWorker.exe Token: SeRestorePrivilege 1640 TiWorker.exe Token: SeSecurityPrivilege 1640 TiWorker.exe Token: SeBackupPrivilege 1640 TiWorker.exe Token: SeRestorePrivilege 1640 TiWorker.exe Token: SeSecurityPrivilege 1640 TiWorker.exe Token: SeBackupPrivilege 1640 TiWorker.exe Token: SeRestorePrivilege 1640 TiWorker.exe Token: SeSecurityPrivilege 1640 TiWorker.exe Token: SeBackupPrivilege 1640 TiWorker.exe Token: SeRestorePrivilege 1640 TiWorker.exe Token: SeSecurityPrivilege 1640 TiWorker.exe Token: SeBackupPrivilege 1640 TiWorker.exe Token: SeRestorePrivilege 1640 TiWorker.exe Token: SeSecurityPrivilege 1640 TiWorker.exe Token: SeBackupPrivilege 1640 TiWorker.exe Token: SeRestorePrivilege 1640 TiWorker.exe Token: SeSecurityPrivilege 1640 TiWorker.exe Token: SeBackupPrivilege 1640 TiWorker.exe Token: SeRestorePrivilege 1640 TiWorker.exe Token: SeSecurityPrivilege 1640 TiWorker.exe Token: SeBackupPrivilege 1640 TiWorker.exe Token: SeRestorePrivilege 1640 TiWorker.exe Token: SeSecurityPrivilege 1640 TiWorker.exe Token: SeBackupPrivilege 1640 TiWorker.exe Token: SeRestorePrivilege 1640 TiWorker.exe Token: SeSecurityPrivilege 1640 TiWorker.exe Token: SeBackupPrivilege 1640 TiWorker.exe Token: SeRestorePrivilege 1640 TiWorker.exe Token: SeSecurityPrivilege 1640 TiWorker.exe Token: SeBackupPrivilege 1640 TiWorker.exe Token: SeRestorePrivilege 1640 TiWorker.exe Token: SeSecurityPrivilege 1640 TiWorker.exe Token: SeBackupPrivilege 1640 TiWorker.exe Token: SeRestorePrivilege 1640 TiWorker.exe Token: SeSecurityPrivilege 1640 TiWorker.exe Token: SeBackupPrivilege 1640 TiWorker.exe Token: SeRestorePrivilege 1640 TiWorker.exe Token: SeSecurityPrivilege 1640 TiWorker.exe Token: SeBackupPrivilege 1640 TiWorker.exe Token: SeRestorePrivilege 1640 TiWorker.exe Token: SeSecurityPrivilege 1640 TiWorker.exe Token: SeBackupPrivilege 1640 TiWorker.exe Token: SeRestorePrivilege 1640 TiWorker.exe Token: SeSecurityPrivilege 1640 TiWorker.exe Token: SeBackupPrivilege 1640 TiWorker.exe Token: SeRestorePrivilege 1640 TiWorker.exe Token: SeSecurityPrivilege 1640 TiWorker.exe Token: SeBackupPrivilege 1640 TiWorker.exe Token: SeRestorePrivilege 1640 TiWorker.exe Token: SeSecurityPrivilege 1640 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
1445dd410bb1eb9cb78c3a48db7a35f63c7aea2a3362e2c0e863cc78eed4b13f.execmd.exedescription pid process target process PID 456 wrote to memory of 1544 456 1445dd410bb1eb9cb78c3a48db7a35f63c7aea2a3362e2c0e863cc78eed4b13f.exe MediaCenter.exe PID 456 wrote to memory of 1544 456 1445dd410bb1eb9cb78c3a48db7a35f63c7aea2a3362e2c0e863cc78eed4b13f.exe MediaCenter.exe PID 456 wrote to memory of 1544 456 1445dd410bb1eb9cb78c3a48db7a35f63c7aea2a3362e2c0e863cc78eed4b13f.exe MediaCenter.exe PID 456 wrote to memory of 2852 456 1445dd410bb1eb9cb78c3a48db7a35f63c7aea2a3362e2c0e863cc78eed4b13f.exe cmd.exe PID 456 wrote to memory of 2852 456 1445dd410bb1eb9cb78c3a48db7a35f63c7aea2a3362e2c0e863cc78eed4b13f.exe cmd.exe PID 456 wrote to memory of 2852 456 1445dd410bb1eb9cb78c3a48db7a35f63c7aea2a3362e2c0e863cc78eed4b13f.exe cmd.exe PID 2852 wrote to memory of 4064 2852 cmd.exe PING.EXE PID 2852 wrote to memory of 4064 2852 cmd.exe PING.EXE PID 2852 wrote to memory of 4064 2852 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\1445dd410bb1eb9cb78c3a48db7a35f63c7aea2a3362e2c0e863cc78eed4b13f.exe"C:\Users\Admin\AppData\Local\Temp\1445dd410bb1eb9cb78c3a48db7a35f63c7aea2a3362e2c0e863cc78eed4b13f.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1445dd410bb1eb9cb78c3a48db7a35f63c7aea2a3362e2c0e863cc78eed4b13f.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:4064
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3620
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1640
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
2036faa4d4a81a3644351c3e16a052d5
SHA125b3029df7a3f76a7c21606d7db28eddd7c8b244
SHA2567531f2307173819b0c079c0827c1cb5f13462c3f556e920e355b3effa966db9e
SHA512fb090f4e9b34e1caf0472b1e83460bcd0645d2acdf2097967f90471b9a5dffa098c52a0686edefbd27c52811ec39f2aa64b56477052d6d894fa081d78bdb2bdb
-
MD5
2036faa4d4a81a3644351c3e16a052d5
SHA125b3029df7a3f76a7c21606d7db28eddd7c8b244
SHA2567531f2307173819b0c079c0827c1cb5f13462c3f556e920e355b3effa966db9e
SHA512fb090f4e9b34e1caf0472b1e83460bcd0645d2acdf2097967f90471b9a5dffa098c52a0686edefbd27c52811ec39f2aa64b56477052d6d894fa081d78bdb2bdb