Analysis
- Max time kernel: 152s
- Max time network: 148s
- Platform: windows10-2004_x64
- Resource: win10v2004-en-20220113
- Submitted: 12-02-2022 05:03
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 13c9f7143089222820b34cb309b8e19530519e5f3f80db589bff6984fc1d8796.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 13c9f7143089222820b34cb309b8e19530519e5f3f80db589bff6984fc1d8796.exe
  Resource: win10v2004-en-20220113
General
- Target: 13c9f7143089222820b34cb309b8e19530519e5f3f80db589bff6984fc1d8796.exe
- Size: 35KB
- MD5: 3e63be59618cd25d5a65ac0f179e269e
- SHA1: 07b498e71d29be5bcfb55c5d4f2fe8dba720ad72
- SHA256: 13c9f7143089222820b34cb309b8e19530519e5f3f80db589bff6984fc1d8796
- SHA512: de4d68298626892bf1e759746258f11c13e89a0fcb97cdfc1c6a2f825eb61de9a36e1b5243d5fec60a427361e6e87ef8ab22255f8e2692823c471d4c411b896f
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 4844  MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
    Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  13c9f7143089222820b34cb309b8e19530519e5f3f80db589bff6984fc1d8796.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  13c9f7143089222820b34cb309b8e19530519e5f3f80db589bff6984fc1d8796.exe
- Drops file in Windows directory (8 IoCs)
  Processes (description / ioc / process):
    File opened for modification  C:\Windows\Logs\CBS\CBS.log  TiWorker.exe
    File opened for modification  C:\Windows\WinSxS\pending.xml  TiWorker.exe
    File opened for modification  C:\Windows\WindowsUpdate.log  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log  svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (token / pid / process / number of entries):
    Token: SeShutdownPrivilege        4024  svchost.exe   3 entries
    Token: SeCreatePagefilePrivilege  4024  svchost.exe   3 entries
    Token: SeSecurityPrivilege        3432  TiWorker.exe  19 entries
    Token: SeRestorePrivilege         3432  TiWorker.exe  19 entries
    Token: SeBackupPrivilege          3432  TiWorker.exe  20 entries
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / process / target process):
    PID 388 wrote to memory of 4844   388  13c9f7143089222820b34cb309b8e19530519e5f3f80db589bff6984fc1d8796.exe  MediaCenter.exe
    PID 388 wrote to memory of 4844   388  13c9f7143089222820b34cb309b8e19530519e5f3f80db589bff6984fc1d8796.exe  MediaCenter.exe
    PID 388 wrote to memory of 4844   388  13c9f7143089222820b34cb309b8e19530519e5f3f80db589bff6984fc1d8796.exe  MediaCenter.exe
    PID 388 wrote to memory of 1584   388  13c9f7143089222820b34cb309b8e19530519e5f3f80db589bff6984fc1d8796.exe  cmd.exe
    PID 388 wrote to memory of 1584   388  13c9f7143089222820b34cb309b8e19530519e5f3f80db589bff6984fc1d8796.exe  cmd.exe
    PID 388 wrote to memory of 1584   388  13c9f7143089222820b34cb309b8e19530519e5f3f80db589bff6984fc1d8796.exe  cmd.exe
    PID 1584 wrote to memory of 3364  1584  cmd.exe  PING.EXE
    PID 1584 wrote to memory of 3364  1584  cmd.exe  PING.EXE
    PID 1584 wrote to memory of 3364  1584  cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\13c9f7143089222820b34cb309b8e19530519e5f3f80db589bff6984fc1d8796.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\13c9f7143089222820b34cb309b8e19530519e5f3f80db589bff6984fc1d8796.exe"
  PID: 388
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4844
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\13c9f7143089222820b34cb309b8e19530519e5f3f80db589bff6984fc1d8796.exe"
    PID: 1584
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 3364
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4024
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3432
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 65d82e4ae386d5b2524f40ae82e18abd
  SHA1: 2ea766806baaa7ddfce5fdb5fe151f738f5ac5cf
  SHA256: acd8e5efcbbd5c936e962a402f5e6ceb0d8114a52cb87bdc0795235243c52e3a
  SHA512: 947bf3311a7a6dc6358577335faac4b5c8250bd9df9d18d6f618237b0fc8e8f1fa719b9d603a49b286c01fd88d48a0b795d68a86ab22f1e0e6f7cf91a4c3a86c