Analysis
max time kernel: 134s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 04:55
Static task: static1
Behavioral task: behavioral1
  Sample: 1408075d9c6c7a098c4fbfecbfb80d00fb738305060f7d43910b978a6011af7e.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1408075d9c6c7a098c4fbfecbfb80d00fb738305060f7d43910b978a6011af7e.exe
  Resource: win10v2004-en-20220113
General
Target: 1408075d9c6c7a098c4fbfecbfb80d00fb738305060f7d43910b978a6011af7e.exe
Size: 36KB
MD5: 544dcb305471cb788556bbcc4c5fc623
SHA1: 999a75a2bc20e72f0c4be47a8c056fb0f4a0954d
SHA256: 1408075d9c6c7a098c4fbfecbfb80d00fb738305060f7d43910b978a6011af7e
SHA512: 40ba24b5fd35fb7a36b1bb89e8c529919bec818b02ac1ee852a67b02273bfc7c4a9087361e5f2e59ec6f9ad5840ea8d23b74f93087a0099f94af0533a0a83c13
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
Processes:
pid | process
4828 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 1408075d9c6c7a098c4fbfecbfb80d00fb738305060f7d43910b978a6011af7e.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1408075d9c6c7a098c4fbfecbfb80d00fb738305060f7d43910b978a6011af7e.exe
Drops file in Windows directory (8 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
description | pid | process
Token: SeShutdownPrivilege | 4476 | svchost.exe
Token: SeCreatePagefilePrivilege | 4476 | svchost.exe
Token: SeShutdownPrivilege | 4476 | svchost.exe
Token: SeCreatePagefilePrivilege | 4476 | svchost.exe
Token: SeShutdownPrivilege | 4476 | svchost.exe
Token: SeCreatePagefilePrivilege | 4476 | svchost.exe
Token: SeSecurityPrivilege | 3584 | TiWorker.exe
Token: SeRestorePrivilege | 3584 | TiWorker.exe
Token: SeBackupPrivilege | 3584 | TiWorker.exe
Token: SeBackupPrivilege | 3584 | TiWorker.exe
Token: SeRestorePrivilege | 3584 | TiWorker.exe
Token: SeSecurityPrivilege | 3584 | TiWorker.exe
Token: SeBackupPrivilege | 3584 | TiWorker.exe
Token: SeRestorePrivilege | 3584 | TiWorker.exe
Token: SeSecurityPrivilege | 3584 | TiWorker.exe
Token: SeBackupPrivilege | 3584 | TiWorker.exe
Token: SeRestorePrivilege | 3584 | TiWorker.exe
Token: SeSecurityPrivilege | 3584 | TiWorker.exe
Token: SeBackupPrivilege | 3584 | TiWorker.exe
Token: SeRestorePrivilege | 3584 | TiWorker.exe
Token: SeSecurityPrivilege | 3584 | TiWorker.exe
Token: SeBackupPrivilege | 3584 | TiWorker.exe
Token: SeRestorePrivilege | 3584 | TiWorker.exe
Token: SeSecurityPrivilege | 3584 | TiWorker.exe
Token: SeBackupPrivilege | 3584 | TiWorker.exe
Token: SeRestorePrivilege | 3584 | TiWorker.exe
Token: SeSecurityPrivilege | 3584 | TiWorker.exe
Token: SeBackupPrivilege | 3584 | TiWorker.exe
Token: SeRestorePrivilege | 3584 | TiWorker.exe
Token: SeSecurityPrivilege | 3584 | TiWorker.exe
Token: SeBackupPrivilege | 3584 | TiWorker.exe
Token: SeRestorePrivilege | 3584 | TiWorker.exe
Token: SeSecurityPrivilege | 3584 | TiWorker.exe
Token: SeBackupPrivilege | 3584 | TiWorker.exe
Token: SeRestorePrivilege | 3584 | TiWorker.exe
Token: SeSecurityPrivilege | 3584 | TiWorker.exe
Token: SeBackupPrivilege | 3584 | TiWorker.exe
Token: SeRestorePrivilege | 3584 | TiWorker.exe
Token: SeSecurityPrivilege | 3584 | TiWorker.exe
Token: SeBackupPrivilege | 3584 | TiWorker.exe
Token: SeRestorePrivilege | 3584 | TiWorker.exe
Token: SeSecurityPrivilege | 3584 | TiWorker.exe
Token: SeBackupPrivilege | 3584 | TiWorker.exe
Token: SeRestorePrivilege | 3584 | TiWorker.exe
Token: SeSecurityPrivilege | 3584 | TiWorker.exe
Token: SeBackupPrivilege | 3584 | TiWorker.exe
Token: SeRestorePrivilege | 3584 | TiWorker.exe
Token: SeSecurityPrivilege | 3584 | TiWorker.exe
Token: SeBackupPrivilege | 3584 | TiWorker.exe
Token: SeRestorePrivilege | 3584 | TiWorker.exe
Token: SeSecurityPrivilege | 3584 | TiWorker.exe
Token: SeBackupPrivilege | 3584 | TiWorker.exe
Token: SeRestorePrivilege | 3584 | TiWorker.exe
Token: SeSecurityPrivilege | 3584 | TiWorker.exe
Token: SeBackupPrivilege | 3584 | TiWorker.exe
Token: SeRestorePrivilege | 3584 | TiWorker.exe
Token: SeSecurityPrivilege | 3584 | TiWorker.exe
Token: SeBackupPrivilege | 3584 | TiWorker.exe
Token: SeRestorePrivilege | 3584 | TiWorker.exe
Token: SeSecurityPrivilege | 3584 | TiWorker.exe
Token: SeBackupPrivilege | 3584 | TiWorker.exe
Token: SeRestorePrivilege | 3584 | TiWorker.exe
Token: SeSecurityPrivilege | 3584 | TiWorker.exe
Token: SeBackupPrivilege | 3584 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 4576 wrote to memory of 4828 | 4576 | 1408075d9c6c7a098c4fbfecbfb80d00fb738305060f7d43910b978a6011af7e.exe | MediaCenter.exe
PID 4576 wrote to memory of 4828 | 4576 | 1408075d9c6c7a098c4fbfecbfb80d00fb738305060f7d43910b978a6011af7e.exe | MediaCenter.exe
PID 4576 wrote to memory of 4828 | 4576 | 1408075d9c6c7a098c4fbfecbfb80d00fb738305060f7d43910b978a6011af7e.exe | MediaCenter.exe
PID 4576 wrote to memory of 424 | 4576 | 1408075d9c6c7a098c4fbfecbfb80d00fb738305060f7d43910b978a6011af7e.exe | cmd.exe
PID 4576 wrote to memory of 424 | 4576 | 1408075d9c6c7a098c4fbfecbfb80d00fb738305060f7d43910b978a6011af7e.exe | cmd.exe
PID 4576 wrote to memory of 424 | 4576 | 1408075d9c6c7a098c4fbfecbfb80d00fb738305060f7d43910b978a6011af7e.exe | cmd.exe
PID 424 wrote to memory of 5084 | 424 | cmd.exe | PING.EXE
PID 424 wrote to memory of 5084 | 424 | cmd.exe | PING.EXE
PID 424 wrote to memory of 5084 | 424 | cmd.exe | PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\1408075d9c6c7a098c4fbfecbfb80d00fb738305060f7d43910b978a6011af7e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1408075d9c6c7a098c4fbfecbfb80d00fb738305060f7d43910b978a6011af7e.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 4576

    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 4828

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1408075d9c6c7a098c4fbfecbfb80d00fb738305060f7d43910b978a6011af7e.exe"
      - Suspicious use of WriteProcessMemory
      PID: 424

        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          - Runs ping.exe
          PID: 5084

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4476

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3584
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 4551c94d4aaa948d7e8661edc04b655a
SHA1: d116d7d6fcf7f7bf737c9af53278ba2f1b8c4840
SHA256: ed7a0d785b587bc43c8f0ccd0886813121b24bcc109cd75b1ef8ba17c73dbc38
SHA512: 68ef0855b52e612f5cc36c6fa2f3a5d7e6f2ab0b03ae8ff660f9e5710c921e2fc8d412258ec2c2aad0e523381b73cc5d74aaea484a594d24076fc32b2c2a62af