Analysis
- max time kernel: 145s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 06:18
Static task: static1
Behavioral task: behavioral1
  Sample: 1058e150d350bf00e1f4b923c7d55460350a17b386cb9e50f25e5d73aa23c650.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1058e150d350bf00e1f4b923c7d55460350a17b386cb9e50f25e5d73aa23c650.exe
  Resource: win10v2004-en-20220113
General
- Target: 1058e150d350bf00e1f4b923c7d55460350a17b386cb9e50f25e5d73aa23c650.exe
- Size: 60KB
- MD5: 0658906bf06ae7d4875a36f7fcd313ab
- SHA1: 1e4ccdd90eb4f80cad88ef1a699b62bd11158a83
- SHA256: 1058e150d350bf00e1f4b923c7d55460350a17b386cb9e50f25e5d73aa23c650
- SHA512: 60d99632218d73ffb202537962e800be6afe1cb8a5e61983466430f6b96f49541ddfaae1306be80e2a5a0865b4a56a6f212501bc49fec505b137cc848f713491
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  PID | Process
  484 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  Description | IoC | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 1058e150d350bf00e1f4b923c7d55460350a17b386cb9e50f25e5d73aa23c650.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  Description | IoC | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1058e150d350bf00e1f4b923c7d55460350a17b386cb9e50f25e5d73aa23c650.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
  Description | IoC | Process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  Description | PID | Process
  Token: SeIncBasePriorityPrivilege | 3512 | 1058e150d350bf00e1f4b923c7d55460350a17b386cb9e50f25e5d73aa23c650.exe
  Token: SeShutdownPrivilege | 2520 | svchost.exe
  Token: SeCreatePagefilePrivilege | 2520 | svchost.exe
  Token: SeShutdownPrivilege | 2520 | svchost.exe
  Token: SeCreatePagefilePrivilege | 2520 | svchost.exe
  Token: SeShutdownPrivilege | 2520 | svchost.exe
  Token: SeCreatePagefilePrivilege | 2520 | svchost.exe
  Token: SeSecurityPrivilege | 3836 | TiWorker.exe
  Token: SeRestorePrivilege | 3836 | TiWorker.exe
  Token: SeBackupPrivilege | 3836 | TiWorker.exe
  Token: SeBackupPrivilege | 3836 | TiWorker.exe
  Token: SeRestorePrivilege | 3836 | TiWorker.exe
  Token: SeSecurityPrivilege | 3836 | TiWorker.exe
  Token: SeBackupPrivilege | 3836 | TiWorker.exe
  Token: SeRestorePrivilege | 3836 | TiWorker.exe
  Token: SeSecurityPrivilege | 3836 | TiWorker.exe
  Token: SeBackupPrivilege | 3836 | TiWorker.exe
  Token: SeRestorePrivilege | 3836 | TiWorker.exe
  Token: SeSecurityPrivilege | 3836 | TiWorker.exe
  Token: SeBackupPrivilege | 3836 | TiWorker.exe
  Token: SeRestorePrivilege | 3836 | TiWorker.exe
  Token: SeSecurityPrivilege | 3836 | TiWorker.exe
  Token: SeBackupPrivilege | 3836 | TiWorker.exe
  Token: SeRestorePrivilege | 3836 | TiWorker.exe
  Token: SeSecurityPrivilege | 3836 | TiWorker.exe
  Token: SeBackupPrivilege | 3836 | TiWorker.exe
  Token: SeRestorePrivilege | 3836 | TiWorker.exe
  Token: SeSecurityPrivilege | 3836 | TiWorker.exe
  Token: SeBackupPrivilege | 3836 | TiWorker.exe
  Token: SeRestorePrivilege | 3836 | TiWorker.exe
  Token: SeSecurityPrivilege | 3836 | TiWorker.exe
  Token: SeBackupPrivilege | 3836 | TiWorker.exe
  Token: SeRestorePrivilege | 3836 | TiWorker.exe
  Token: SeSecurityPrivilege | 3836 | TiWorker.exe
  Token: SeBackupPrivilege | 3836 | TiWorker.exe
  Token: SeRestorePrivilege | 3836 | TiWorker.exe
  Token: SeSecurityPrivilege | 3836 | TiWorker.exe
  Token: SeBackupPrivilege | 3836 | TiWorker.exe
  Token: SeRestorePrivilege | 3836 | TiWorker.exe
  Token: SeSecurityPrivilege | 3836 | TiWorker.exe
  Token: SeBackupPrivilege | 3836 | TiWorker.exe
  Token: SeRestorePrivilege | 3836 | TiWorker.exe
  Token: SeSecurityPrivilege | 3836 | TiWorker.exe
  Token: SeBackupPrivilege | 3836 | TiWorker.exe
  Token: SeRestorePrivilege | 3836 | TiWorker.exe
  Token: SeSecurityPrivilege | 3836 | TiWorker.exe
  Token: SeBackupPrivilege | 3836 | TiWorker.exe
  Token: SeRestorePrivilege | 3836 | TiWorker.exe
  Token: SeSecurityPrivilege | 3836 | TiWorker.exe
  Token: SeBackupPrivilege | 3836 | TiWorker.exe
  Token: SeRestorePrivilege | 3836 | TiWorker.exe
  Token: SeSecurityPrivilege | 3836 | TiWorker.exe
  Token: SeBackupPrivilege | 3836 | TiWorker.exe
  Token: SeRestorePrivilege | 3836 | TiWorker.exe
  Token: SeSecurityPrivilege | 3836 | TiWorker.exe
  Token: SeBackupPrivilege | 3836 | TiWorker.exe
  Token: SeRestorePrivilege | 3836 | TiWorker.exe
  Token: SeSecurityPrivilege | 3836 | TiWorker.exe
  Token: SeBackupPrivilege | 3836 | TiWorker.exe
  Token: SeRestorePrivilege | 3836 | TiWorker.exe
  Token: SeSecurityPrivilege | 3836 | TiWorker.exe
  Token: SeBackupPrivilege | 3836 | TiWorker.exe
  Token: SeRestorePrivilege | 3836 | TiWorker.exe
  Token: SeSecurityPrivilege | 3836 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  Description | PID | Process | Target process
  PID 3512 wrote to memory of 484 | 3512 | 1058e150d350bf00e1f4b923c7d55460350a17b386cb9e50f25e5d73aa23c650.exe | MediaCenter.exe
  PID 3512 wrote to memory of 484 | 3512 | 1058e150d350bf00e1f4b923c7d55460350a17b386cb9e50f25e5d73aa23c650.exe | MediaCenter.exe
  PID 3512 wrote to memory of 484 | 3512 | 1058e150d350bf00e1f4b923c7d55460350a17b386cb9e50f25e5d73aa23c650.exe | MediaCenter.exe
  PID 3512 wrote to memory of 796 | 3512 | 1058e150d350bf00e1f4b923c7d55460350a17b386cb9e50f25e5d73aa23c650.exe | cmd.exe
  PID 3512 wrote to memory of 796 | 3512 | 1058e150d350bf00e1f4b923c7d55460350a17b386cb9e50f25e5d73aa23c650.exe | cmd.exe
  PID 3512 wrote to memory of 796 | 3512 | 1058e150d350bf00e1f4b923c7d55460350a17b386cb9e50f25e5d73aa23c650.exe | cmd.exe
  PID 796 wrote to memory of 3708 | 796 | cmd.exe | PING.EXE
  PID 796 wrote to memory of 3708 | 796 | cmd.exe | PING.EXE
  PID 796 wrote to memory of 3708 | 796 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1058e150d350bf00e1f4b923c7d55460350a17b386cb9e50f25e5d73aa23c650.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1058e150d350bf00e1f4b923c7d55460350a17b386cb9e50f25e5d73aa23c650.exe"
  PID: 3512
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 484
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1058e150d350bf00e1f4b923c7d55460350a17b386cb9e50f25e5d73aa23c650.exe"
    PID: 796
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      PID: 3708
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 2520
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (depth 1)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3836
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 8fa24358a74b38ba0e703b1812c99b5d
  SHA1: 7c76dce44bfb0bd9794c8ca0b6cb086cb294ba58
  SHA256: b16f5be00254d385cefc0bb435e4eb486423040f614958a4ad136f24074e7e15
  SHA512: b81f975b0cc707d8f5bbbd5ae04a8d99c74088aaf9fcf9ed616fb55f38be9a91ef00959d7859682a0921e449a7bdf8cee5c0d0fa06e2e5cd9c368624db2034dc