Analysis
- max time kernel: 148s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 06:23
Static task: static1
Behavioral task: behavioral1
- Sample: 102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe.exe
- Resource: win10v2004-en-20220113
General
- Target: 102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe.exe
- Size: 35KB
- MD5: d4ede4ee7b47d0134bcba66182f04c2a
- SHA1: 14e7b70de341667d276c3a5253e21b9e3a6b8987
- SHA256: 102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe
- SHA512: e41f6dc6978fd076c72b4331b7f1e5b5e85b5996bdc3bfa733c78ecf35860b593eb480a19481785612d423d233eb7b1cc4b60e599bd27c675731e1af864ae3a1
Malware Config
Signatures
- Executes dropped EXE 1 IoCs
  Processes: MediaCenter.exe
  pid | process
  4452 | MediaCenter.exe
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  Processes: 102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes: 102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe.exe
- Drops file in Windows directory 8 IoCs
  Processes: svchost.exe, TiWorker.exe
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 64 IoCs
  Processes: svchost.exe, 102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe.exe, TiWorker.exe
  description | pid | process
  Token: SeShutdownPrivilege | 2996 | svchost.exe
  Token: SeCreatePagefilePrivilege | 2996 | svchost.exe
  Token: SeShutdownPrivilege | 2996 | svchost.exe
  Token: SeCreatePagefilePrivilege | 2996 | svchost.exe
  Token: SeShutdownPrivilege | 2996 | svchost.exe
  Token: SeCreatePagefilePrivilege | 2996 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 4752 | 102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe.exe
  Token: SeSecurityPrivilege | 2616 | TiWorker.exe
  Token: SeRestorePrivilege | 2616 | TiWorker.exe
  Token: SeBackupPrivilege | 2616 | TiWorker.exe
  Token: SeBackupPrivilege | 2616 | TiWorker.exe
  Token: SeRestorePrivilege | 2616 | TiWorker.exe
  Token: SeSecurityPrivilege | 2616 | TiWorker.exe
  Token: SeBackupPrivilege | 2616 | TiWorker.exe
  Token: SeRestorePrivilege | 2616 | TiWorker.exe
  Token: SeSecurityPrivilege | 2616 | TiWorker.exe
  Token: SeBackupPrivilege | 2616 | TiWorker.exe
  Token: SeRestorePrivilege | 2616 | TiWorker.exe
  Token: SeSecurityPrivilege | 2616 | TiWorker.exe
  Token: SeBackupPrivilege | 2616 | TiWorker.exe
  Token: SeRestorePrivilege | 2616 | TiWorker.exe
  Token: SeSecurityPrivilege | 2616 | TiWorker.exe
  Token: SeBackupPrivilege | 2616 | TiWorker.exe
  Token: SeRestorePrivilege | 2616 | TiWorker.exe
  Token: SeSecurityPrivilege | 2616 | TiWorker.exe
  Token: SeBackupPrivilege | 2616 | TiWorker.exe
  Token: SeRestorePrivilege | 2616 | TiWorker.exe
  Token: SeSecurityPrivilege | 2616 | TiWorker.exe
  Token: SeBackupPrivilege | 2616 | TiWorker.exe
  Token: SeRestorePrivilege | 2616 | TiWorker.exe
  Token: SeSecurityPrivilege | 2616 | TiWorker.exe
  Token: SeBackupPrivilege | 2616 | TiWorker.exe
  Token: SeRestorePrivilege | 2616 | TiWorker.exe
  Token: SeSecurityPrivilege | 2616 | TiWorker.exe
  Token: SeBackupPrivilege | 2616 | TiWorker.exe
  Token: SeRestorePrivilege | 2616 | TiWorker.exe
  Token: SeSecurityPrivilege | 2616 | TiWorker.exe
  Token: SeBackupPrivilege | 2616 | TiWorker.exe
  Token: SeRestorePrivilege | 2616 | TiWorker.exe
  Token: SeSecurityPrivilege | 2616 | TiWorker.exe
  Token: SeBackupPrivilege | 2616 | TiWorker.exe
  Token: SeRestorePrivilege | 2616 | TiWorker.exe
  Token: SeSecurityPrivilege | 2616 | TiWorker.exe
  Token: SeBackupPrivilege | 2616 | TiWorker.exe
  Token: SeRestorePrivilege | 2616 | TiWorker.exe
  Token: SeSecurityPrivilege | 2616 | TiWorker.exe
  Token: SeBackupPrivilege | 2616 | TiWorker.exe
  Token: SeRestorePrivilege | 2616 | TiWorker.exe
  Token: SeSecurityPrivilege | 2616 | TiWorker.exe
  Token: SeBackupPrivilege | 2616 | TiWorker.exe
  Token: SeRestorePrivilege | 2616 | TiWorker.exe
  Token: SeSecurityPrivilege | 2616 | TiWorker.exe
  Token: SeBackupPrivilege | 2616 | TiWorker.exe
  Token: SeRestorePrivilege | 2616 | TiWorker.exe
  Token: SeSecurityPrivilege | 2616 | TiWorker.exe
  Token: SeBackupPrivilege | 2616 | TiWorker.exe
  Token: SeRestorePrivilege | 2616 | TiWorker.exe
  Token: SeSecurityPrivilege | 2616 | TiWorker.exe
  Token: SeBackupPrivilege | 2616 | TiWorker.exe
  Token: SeRestorePrivilege | 2616 | TiWorker.exe
  Token: SeSecurityPrivilege | 2616 | TiWorker.exe
  Token: SeBackupPrivilege | 2616 | TiWorker.exe
  Token: SeRestorePrivilege | 2616 | TiWorker.exe
  Token: SeSecurityPrivilege | 2616 | TiWorker.exe
- Suspicious use of WriteProcessMemory 9 IoCs
  Processes: 102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe.exe, cmd.exe
  description | pid | process | target process
  PID 4752 wrote to memory of 4452 | 4752 | 102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe.exe | MediaCenter.exe
  PID 4752 wrote to memory of 4452 | 4752 | 102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe.exe | MediaCenter.exe
  PID 4752 wrote to memory of 4452 | 4752 | 102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe.exe | MediaCenter.exe
  PID 4752 wrote to memory of 4740 | 4752 | 102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe.exe | cmd.exe
  PID 4752 wrote to memory of 4740 | 4752 | 102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe.exe | cmd.exe
  PID 4752 wrote to memory of 4740 | 4752 | 102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe.exe | cmd.exe
  PID 4740 wrote to memory of 1124 | 4740 | cmd.exe | PING.EXE
  PID 4740 wrote to memory of 1124 | 4740 | cmd.exe | PING.EXE
  PID 4740 wrote to memory of 1124 | 4740 | cmd.exe | PING.EXE
Processes
Path: C:\Users\Admin\AppData\Local\Temp\102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe.exe"
Depth: 1
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4752

  Path: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Depth: 2
  - Executes dropped EXE
  PID: 4452

  Path: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\102dcd59db57f80c64e544a4d48bb548fd4c840191d9287a1d148901a54b01fe.exe"
  Depth: 2
  - Suspicious use of WriteProcessMemory
  PID: 4740

    Path: C:\Windows\SysWOW64\PING.EXE
    Command line: ping 127.0.0.1
    Depth: 3
    - Runs ping.exe
    PID: 1124

Path: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
Depth: 1
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 2996

Path: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
Depth: 1
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 2616
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 4f5d59f1fe0acadc83318d582b068838
  SHA1: eb026ce2ef00d518df57e9664d8390bc290c788b
  SHA256: 05806e42d9380e6bb0d2cf79136b896334c9c58ffb1492499861717e8c0e8564
  SHA512: cec544ff267e1f1aa56d041438d77a6011fdbf9263e9e3ed47f87b8e937851e6aad8c3265e62daad8993b2a313edf41f8d84e3db1bc6efcf8a50ac2747751ff5