Analysis

max time kernel: 158s
max time network: 168s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 04:57
Static task: static1
Behavioral task behavioral1: Sample 13f73870c7c3bbb9595514aa5c3cbe0252713661cdcf8c8959004c2564ea92b1.exe, Resource win7-en-20211208
Behavioral task behavioral2: Sample 13f73870c7c3bbb9595514aa5c3cbe0252713661cdcf8c8959004c2564ea92b1.exe, Resource win10v2004-en-20220113 (the run shown on this page)
General

Target: 13f73870c7c3bbb9595514aa5c3cbe0252713661cdcf8c8959004c2564ea92b1.exe
Size: 36KB
MD5: 19f3356171e920c68795117fba4c1909
SHA1: 8b9ad44bc30158d008bed92e28c1efd854b2d9c0
SHA256: 13f73870c7c3bbb9595514aa5c3cbe0252713661cdcf8c8959004c2564ea92b1
SHA512: 2fd3e0ce3f3beee073a655bb984868667414dbb3a0bd6b3310a4c306d7754c026f395791be68177d9ec537e2c871f4a7d12df17b8fb20aa190d232a4f49cae8f
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 3512)

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  Process: 13f73870c7c3bbb9595514aa5c3cbe0252713661cdcf8c8959004c2564ea92b1.exe (PID 3960)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Process: 13f73870c7c3bbb9595514aa5c3cbe0252713661cdcf8c8959004c2564ea92b1.exe (PID 3960)
  Note: the value points at the dropped binary in the user's Temp directory, and the WOW6432Node path shows a 32-bit process writing the machine-wide Run key through the registry redirector. Writing HKLM\SOFTWARE requires administrative rights; it succeeded here because the sandbox user (Admin) has them.
Drops file in Windows directory (8 IoCs)
  File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log  (svchost.exe)
  File opened for modification: C:\Windows\Logs\CBS\CBS.log  (TiWorker.exe)
  File opened for modification: C:\Windows\WinSxS\pending.xml  (TiWorker.exe)
  File opened for modification: C:\Windows\WindowsUpdate.log  (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  (svchost.exe)
  Note: every path here is a Windows Update or component-servicing artifact touched by the wuauserv svchost.exe instance (PID 2072) and TiWorker.exe (PID 804). Both are top-level processes in the tree below, not children of the sample, so none of this activity is attributable to it.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: no IoC is attached to this signature and no other signature in the report corroborates it, so treat the ransomware attribution as a generic heuristic rather than a finding.

Runs ping.exe (1 TTP, 1 IoC)
  Process: PING.EXE (PID 5048), spawned by cmd.exe (PID 5052) as "ping 127.0.0.1"; the ping serves as a short delay before the sample's original file is deleted (see the process tree).
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  svchost.exe (PID 2072): SeShutdownPrivilege x3, SeCreatePagefilePrivilege x3
  13f73870c7c3bbb9595514aa5c3cbe0252713661cdcf8c8959004c2564ea92b1.exe (PID 3960): SeIncBasePriorityPrivilege x1
  TiWorker.exe (PID 804): SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege enabled in a repeating cycle (the remaining 57 entries)
  Note: only the single SeIncBasePriorityPrivilege adjustment belongs to the sample; the rest is Windows Update and servicing-stack activity.
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 3960 (13f73870c7c3bbb9595514aa5c3cbe0252713661cdcf8c8959004c2564ea92b1.exe) wrote to memory of PID 3512 (MediaCenter.exe)  x3
  PID 3960 (13f73870c7c3bbb9595514aa5c3cbe0252713661cdcf8c8959004c2564ea92b1.exe) wrote to memory of PID 5052 (cmd.exe)  x3
  PID 5052 (cmd.exe) wrote to memory of PID 5048 (PING.EXE)  x3
  Note: each target is the writer's own newly created child, which matches ordinary process start-up rather than injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\13f73870c7c3bbb9595514aa5c3cbe0252713661cdcf8c8959004c2564ea92b1.exe  (PID 3960)
  Command line: "C:\Users\Admin\AppData\Local\Temp\13f73870c7c3bbb9595514aa5c3cbe0252713661cdcf8c8959004c2564ea92b1.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 3512, child of 3960)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe  (PID 5052, child of 3960)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\13f73870c7c3bbb9595514aa5c3cbe0252713661cdcf8c8959004c2564ea92b1.exe"
      (the command line names System32\cmd.exe but the image is SysWOW64\cmd.exe: WOW64 file-system redirection for a 32-bit parent; the chain deletes the sample's own file after the ping delay)
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE  (PID 5048, child of 5052)
          Command line: ping 127.0.0.1
          - Runs ping.exe

C:\Windows\system32\svchost.exe  (PID 2072)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  (PID 804)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
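Detection logic for the four behaviours in this run that belong to the sample (the Geo\Nation lookup, the Run key pointing into the user's Temp directory, the dropped EXE launched from that directory, and the ping-then-del self-removal), as an added example that is not part of the sandbox report. It runs over constructed Sysmon-style events that mirror the IoCs above; the event schema, field names and rule names are assumptions made for illustration, and the svchost.exe event is included only to show that the rules stay quiet on the Windows Update noise.

```python
import re

# Constructed events mirroring the report's IoCs (sample data built for this
# example, not telemetry from the sandbox run). The field names "type", "pid",
# "ppid", "image", "cmdline", "key", "value" are an assumed schema.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\13f73870c7c3bbb9595514aa5c3cbe0252713661cdcf8c8959004c2564ea92b1.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
EVENTS = [
    {"type": "process_create", "pid": 3960, "ppid": 1, "image": SAMPLE,
     "cmdline": '"' + SAMPLE + '"'},
    {"type": "registry_query", "pid": 3960, "image": SAMPLE,
     "key": r"HKU\S-1-5-21-1346565761-3498240568-4147300184-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"type": "registry_set", "pid": 3960, "image": SAMPLE,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
    {"type": "process_create", "pid": 3512, "ppid": 3960, "image": DROPPED,
     "cmdline": DROPPED},
    {"type": "process_create", "pid": 5052, "ppid": 3960,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'},
    {"type": "process_create", "pid": 5048, "ppid": 5052,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    # Windows Update activity from the same run; no rule should fire on it.
    {"type": "process_create", "pid": 2072, "ppid": 1,
     "image": r"C:\Windows\system32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"},
    {"type": "file_write", "pid": 2072, "image": r"C:\Windows\system32\svchost.exe",
     "path": r"C:\Windows\SoftwareDistribution\ReportingEvents.log"},
]

# Directories a standard user can write to; autostart entries pointing here need a look.
USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming)\\|\\Users\\Public\\|\\Temp\\", re.I)
# Run / RunOnce value under any hive, including the WOW6432Node view written by 32-bit code.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
# "ping <anything> & del [/switches] <file.exe>": ping as a sleep, then delete a binary.
SELF_DELETE = re.compile(
    r'\bping\b[^&|]*(?:&&|&|\|)\s*del\s+(?:/[a-z]\s+)*"?(?P<target>[^"]+?\.exe)"?', re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
WINDOWS_DIR = re.compile(r"^C:\\Windows\\", re.I)


def self_delete_target(cmdline):
    """Return the .exe path removed by a 'ping ... & del ...' chain, or None."""
    m = SELF_DELETE.search(cmdline)
    return m.group("target") if m else None


def analyze(events):
    """Run the four rules over an event list; returns (rule, pid, detail) tuples in event order."""
    image_of = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    findings = []
    for e in events:
        kind, pid, image = e["type"], e["pid"], e["image"]
        parent = image_of.get(e.get("ppid"))
        if kind == "registry_query" and GEO_NATION.search(e["key"]) and not WINDOWS_DIR.match(image):
            # Geo\Nation read by a binary outside C:\Windows: the geofence check in the report.
            findings.append(("geo_nation_lookup", pid, image))
        if kind == "registry_set" and RUN_KEY.search(e["key"]) and USER_WRITABLE.search(e["value"]):
            # Autostart value pointing into a user-writable directory (here %TEMP%\MicroMedia).
            findings.append(("run_key_to_user_writable_path", pid, e["value"]))
        if kind == "process_create":
            if image.lower().endswith("\\cmd.exe"):
                # cmd.exe whose ping/del chain deletes its own parent's image: self-removal.
                target = self_delete_target(e["cmdline"])
                if target and parent and target.lower() == parent.lower():
                    findings.append(("parent_self_delete_via_ping", pid, target))
            if parent and USER_WRITABLE.search(image) and USER_WRITABLE.search(parent):
                # A binary in a user-writable path starting another from such a path: dropped EXE.
                findings.append(("dropped_exe_from_user_writable_path", pid, image))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyze(EVENTS):
        print(f"{rule:40} pid={pid} {detail}")
```

The self-delete rule deliberately keys on the deleted path being equal to the parent's own image, which is what separates this pattern from a legitimate batch job that pings a host and cleans up an unrelated temp file; dropping that comparison turns the rule into a noisy string match on "ping" and "del".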
Network
MITRE ATT&CK Enterprise v6
Downloads

One file (the report does not name it; its hashes differ from the submitted sample):
MD5: d2206d7e7f23e05b52b0873d96dee897
SHA1: 70e7e00221ec936b44142307969f18b0e582c2bc
SHA256: ede49b778ae2b04242ac0cd5cb83b3c5b6105d857c84f7cced4daab48f30337c
SHA512: 21f8fe266497d5018aff14eaa0fb2ed68fd3156eed87a701a9ea41757ad24f9d81ec179158dea728d93fdfc7f4364c3776d787b2115db32cd1c55f3650c2e4d8