Analysis
- max time kernel: 158s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 04:52
Static task: static1
Behavioral task: behavioral1
  Sample: 1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe
  Resource: win10v2004-en-20220113
General
- Target: 1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe
- Size: 60KB
- MD5: a87dd3b6f1ab2be3d8a6d9efdffb384d
- SHA1: 43d5e8fb96620b0c5a0c3cb02309f882938ef1f3
- SHA256: 1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b
- SHA512: 263869bd707da3c4da81f8387027b0edf3627109f59dca14b97f912afb478a6226112c9afffcde39c13d1c59beb8cc0bcd381de602898474e9abad213caabb5d
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
    pid 3644  MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  (process: 1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  (process: 1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe)
- Drops file in Windows directory (8 IoCs)
  Processes: TiWorker.exe, svchost.exe
    File opened for modification: C:\Windows\WinSxS\pending.xml  (process: TiWorker.exe)
    File opened for modification: C:\Windows\WindowsUpdate.log  (process: svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  (process: svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  (process: svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  (process: svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  (process: svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log  (process: svchost.exe)
    File opened for modification: C:\Windows\Logs\CBS\CBS.log  (process: TiWorker.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, 1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe, TiWorker.exe
    Token: SeShutdownPrivilege         pid 3108  svchost.exe  (listed three times, alternating with SeCreatePagefilePrivilege)
    Token: SeCreatePagefilePrivilege   pid 3108  svchost.exe  (listed three times)
    Token: SeIncBasePriorityPrivilege  pid 2116  1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe
    Token: SeSecurityPrivilege         pid 2968  TiWorker.exe  (the remaining entries cycle through SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege for this process)
    Token: SeRestorePrivilege          pid 2968  TiWorker.exe
    Token: SeBackupPrivilege           pid 2968  TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe, cmd.exe
    PID 2116 wrote to memory of 3644  (1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe -> MediaCenter.exe), three entries
    PID 2116 wrote to memory of 3036  (1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe -> cmd.exe), three entries
    PID 3036 wrote to memory of 3500  (cmd.exe -> PING.EXE), three entries
Processes
- C:\Users\Admin\AppData\Local\Temp\1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2116
    - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 3644
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe"
      - Suspicious use of WriteProcessMemory
      PID: 3036
        - C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          - Runs ping.exe
          PID: 3500
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3108
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2968
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: a19dc3bd4fe3e4ddb9603f47d10e371d
  SHA1: d4e86e1b2ea191cc8ed14cc667cec92232c1786a
  SHA256: 87046e27644c41c4e3cee67f69b1fae4d40e155cfb3d94b3e95eff828cc53d68
  SHA512: bd93e6d6fc111d40f7f2f10345583aa7732f9d66e3592fcf42f9f3bfc71e3a6fd5b9333ae58be975439d55f1ff83d22ebdcb089633ce00e0628de812e43671ad