Analysis
- max time kernel: 126s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 06:18
Static task: static1
Behavioral task: behavioral1
- Sample: 1058050289d02e8cfc203b5505bd50e7caf7943ff64f315b49da07ccb8539edd.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1058050289d02e8cfc203b5505bd50e7caf7943ff64f315b49da07ccb8539edd.exe
- Resource: win10v2004-en-20220113
General
- Target: 1058050289d02e8cfc203b5505bd50e7caf7943ff64f315b49da07ccb8539edd.exe
- Size: 60KB
- MD5: d3d80e0ba192a4e9c4f3499653ee2caf
- SHA1: d2d2bc433ea938fbc278e3bc0d3c73b97e471c2b
- SHA256: 1058050289d02e8cfc203b5505bd50e7caf7943ff64f315b49da07ccb8539edd
- SHA512: 4ed887beb7e07b9c5c1a7918f80ab90c5cdb266e599c49f145cda6d1701bd7d3c7df7e4cf477a56bbf7357f584b2ad29446d146968a97fc56c5bf11d1f9a0b14
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 60  MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  1058050289d02e8cfc203b5505bd50e7caf7943ff64f315b49da07ccb8539edd.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  1058050289d02e8cfc203b5505bd50e7caf7943ff64f315b49da07ccb8539edd.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log  svchost.exe
    File opened for modification  C:\Windows\Logs\CBS\CBS.log  TiWorker.exe
    File opened for modification  C:\Windows\WinSxS\pending.xml  TiWorker.exe
    File opened for modification  C:\Windows\WindowsUpdate.log  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (the 64 token adjustments, grouped by process and privilege):
    svchost.exe (pid 1708): SeShutdownPrivilege x3, SeCreatePagefilePrivilege x3
    1058050289d02e8cfc203b5505bd50e7caf7943ff64f315b49da07ccb8539edd.exe (pid 1136): SeIncBasePriorityPrivilege x1
    TiWorker.exe (pid 1548): SeSecurityPrivilege x19, SeRestorePrivilege x19, SeBackupPrivilege x19
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    PID 1136 (1058050289d02e8cfc203b5505bd50e7caf7943ff64f315b49da07ccb8539edd.exe) wrote to memory of PID 60 (MediaCenter.exe)  x3
    PID 1136 (1058050289d02e8cfc203b5505bd50e7caf7943ff64f315b49da07ccb8539edd.exe) wrote to memory of PID 4120 (cmd.exe)  x3
    PID 4120 (cmd.exe) wrote to memory of PID 5068 (PING.EXE)  x3
Processes
- C:\Users\Admin\AppData\Local\Temp\1058050289d02e8cfc203b5505bd50e7caf7943ff64f315b49da07ccb8539edd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1058050289d02e8cfc203b5505bd50e7caf7943ff64f315b49da07ccb8539edd.exe"
  PID: 1136
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (child)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 60
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (child)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1058050289d02e8cfc203b5505bd50e7caf7943ff64f315b49da07ccb8539edd.exe"
    PID: 4120
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (child)
      Command line: ping 127.0.0.1
      PID: 5068
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 1708
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 1548
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 95e742d71b2491597b1f5d44bc1131d9
- SHA1: f6afec5ec07edf2806caf6d1e115ce4d21cb4d04
- SHA256: 53f380d926ec22e8cfaadd9145a5879749fd792b4019a96bb6683e9ff960b7ab
- SHA512: ae84ef1b1e7b6897531ecf082da4d7c0fd2a81e9a6a174d7c698ab3960e4a7a4f0eb221b74db8ad8f558b56a32b3251990bc0e6bfdf05f70f81801db7dad7cde