Analysis
- max time kernel: 154s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 04:54
Static task: static1
Behavioral task: behavioral1
- Sample: 14180789f0338ecf53e144d68855ed903ce1edd6449b05200ca1b997b33ea4fc.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 14180789f0338ecf53e144d68855ed903ce1edd6449b05200ca1b997b33ea4fc.exe
- Resource: win10v2004-en-20220113
General
- Target: 14180789f0338ecf53e144d68855ed903ce1edd6449b05200ca1b997b33ea4fc.exe
- Size: 60KB
- MD5: efed97621a858a69fd74fadb229f48a9
- SHA1: a8ce01e42010292968ee69addd4fa7f697e6697a
- SHA256: 14180789f0338ecf53e144d68855ed903ce1edd6449b05200ca1b997b33ea4fc
- SHA512: 5fe164f70537c0e92bafd7f11806cde00513a75004682e2376822df67d653082649d4fc205feb229487b254a0c722ec0b9c1796cad0e1664ca8165256c675742
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  1428 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 14180789f0338ecf53e144d68855ed903ce1edd6449b05200ca1b997b33ea4fc.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 14180789f0338ecf53e144d68855ed903ce1edd6449b05200ca1b997b33ea4fc.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 1500 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1500 | svchost.exe
  Token: SeShutdownPrivilege | 1500 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1500 | svchost.exe
  Token: SeShutdownPrivilege | 1500 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1500 | svchost.exe
  Token: SeSecurityPrivilege | 1912 | TiWorker.exe
  Token: SeRestorePrivilege | 1912 | TiWorker.exe
  Token: SeBackupPrivilege | 1912 | TiWorker.exe
  Token: SeBackupPrivilege | 1912 | TiWorker.exe
  Token: SeRestorePrivilege | 1912 | TiWorker.exe
  Token: SeSecurityPrivilege | 1912 | TiWorker.exe
  Token: SeBackupPrivilege | 1912 | TiWorker.exe
  Token: SeRestorePrivilege | 1912 | TiWorker.exe
  Token: SeSecurityPrivilege | 1912 | TiWorker.exe
  Token: SeBackupPrivilege | 1912 | TiWorker.exe
  Token: SeRestorePrivilege | 1912 | TiWorker.exe
  Token: SeSecurityPrivilege | 1912 | TiWorker.exe
  Token: SeBackupPrivilege | 1912 | TiWorker.exe
  Token: SeRestorePrivilege | 1912 | TiWorker.exe
  Token: SeSecurityPrivilege | 1912 | TiWorker.exe
  Token: SeBackupPrivilege | 1912 | TiWorker.exe
  Token: SeRestorePrivilege | 1912 | TiWorker.exe
  Token: SeSecurityPrivilege | 1912 | TiWorker.exe
  Token: SeBackupPrivilege | 1912 | TiWorker.exe
  Token: SeRestorePrivilege | 1912 | TiWorker.exe
  Token: SeSecurityPrivilege | 1912 | TiWorker.exe
  Token: SeBackupPrivilege | 1912 | TiWorker.exe
  Token: SeRestorePrivilege | 1912 | TiWorker.exe
  Token: SeSecurityPrivilege | 1912 | TiWorker.exe
  Token: SeBackupPrivilege | 1912 | TiWorker.exe
  Token: SeRestorePrivilege | 1912 | TiWorker.exe
  Token: SeSecurityPrivilege | 1912 | TiWorker.exe
  Token: SeBackupPrivilege | 1912 | TiWorker.exe
  Token: SeRestorePrivilege | 1912 | TiWorker.exe
  Token: SeSecurityPrivilege | 1912 | TiWorker.exe
  Token: SeBackupPrivilege | 1912 | TiWorker.exe
  Token: SeRestorePrivilege | 1912 | TiWorker.exe
  Token: SeSecurityPrivilege | 1912 | TiWorker.exe
  Token: SeBackupPrivilege | 1912 | TiWorker.exe
  Token: SeRestorePrivilege | 1912 | TiWorker.exe
  Token: SeSecurityPrivilege | 1912 | TiWorker.exe
  Token: SeBackupPrivilege | 1912 | TiWorker.exe
  Token: SeRestorePrivilege | 1912 | TiWorker.exe
  Token: SeSecurityPrivilege | 1912 | TiWorker.exe
  Token: SeBackupPrivilege | 1912 | TiWorker.exe
  Token: SeRestorePrivilege | 1912 | TiWorker.exe
  Token: SeSecurityPrivilege | 1912 | TiWorker.exe
  Token: SeBackupPrivilege | 1912 | TiWorker.exe
  Token: SeRestorePrivilege | 1912 | TiWorker.exe
  Token: SeSecurityPrivilege | 1912 | TiWorker.exe
  Token: SeBackupPrivilege | 1912 | TiWorker.exe
  Token: SeRestorePrivilege | 1912 | TiWorker.exe
  Token: SeSecurityPrivilege | 1912 | TiWorker.exe
  Token: SeBackupPrivilege | 1912 | TiWorker.exe
  Token: SeRestorePrivilege | 1912 | TiWorker.exe
  Token: SeSecurityPrivilege | 1912 | TiWorker.exe
  Token: SeBackupPrivilege | 1912 | TiWorker.exe
  Token: SeRestorePrivilege | 1912 | TiWorker.exe
  Token: SeSecurityPrivilege | 1912 | TiWorker.exe
  Token: SeBackupPrivilege | 1912 | TiWorker.exe
  Token: SeRestorePrivilege | 1912 | TiWorker.exe
  Token: SeSecurityPrivilege | 1912 | TiWorker.exe
  Token: SeBackupPrivilege | 1912 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 952 wrote to memory of 1428 | 952 | 14180789f0338ecf53e144d68855ed903ce1edd6449b05200ca1b997b33ea4fc.exe | MediaCenter.exe
  PID 952 wrote to memory of 1428 | 952 | 14180789f0338ecf53e144d68855ed903ce1edd6449b05200ca1b997b33ea4fc.exe | MediaCenter.exe
  PID 952 wrote to memory of 1428 | 952 | 14180789f0338ecf53e144d68855ed903ce1edd6449b05200ca1b997b33ea4fc.exe | MediaCenter.exe
  PID 952 wrote to memory of 1508 | 952 | 14180789f0338ecf53e144d68855ed903ce1edd6449b05200ca1b997b33ea4fc.exe | cmd.exe
  PID 952 wrote to memory of 1508 | 952 | 14180789f0338ecf53e144d68855ed903ce1edd6449b05200ca1b997b33ea4fc.exe | cmd.exe
  PID 952 wrote to memory of 1508 | 952 | 14180789f0338ecf53e144d68855ed903ce1edd6449b05200ca1b997b33ea4fc.exe | cmd.exe
  PID 1508 wrote to memory of 1656 | 1508 | cmd.exe | PING.EXE
  PID 1508 wrote to memory of 1656 | 1508 | cmd.exe | PING.EXE
  PID 1508 wrote to memory of 1656 | 1508 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\14180789f0338ecf53e144d68855ed903ce1edd6449b05200ca1b997b33ea4fc.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\14180789f0338ecf53e144d68855ed903ce1edd6449b05200ca1b997b33ea4fc.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 952
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1428
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14180789f0338ecf53e144d68855ed903ce1edd6449b05200ca1b997b33ea4fc.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1508
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1656
- C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1500
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (level 1)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1912
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: a522efb3766f5b7adcb6fc282c592eec
  SHA1: a11eda74b7838542401ba8127e8ca98b832b79b9
  SHA256: 3ecf27706cbaa1998bc86c05122b081c198f1ebfd97b61e0e7633d7124b5d54f
  SHA512: 5d7ea3352d0b7a48b398da864962d30f35a17265bfb645230eb68a7dd4a5ec9e5729feff04ebbe1d22f299ddff4a64c3059ed3f8796fd44b79bbcc138dd2a678