Analysis
- max time kernel: 132s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 05:37
Static task: static1
Behavioral task: behavioral1
- Sample: 122e834c73a33cebf387b66a3de270b223db05a73974c7c1096f558f6ef0c534.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 122e834c73a33cebf387b66a3de270b223db05a73974c7c1096f558f6ef0c534.exe
- Resource: win10v2004-en-20220113
General
- Target: 122e834c73a33cebf387b66a3de270b223db05a73974c7c1096f558f6ef0c534.exe
- Size: 36KB
- MD5: 1e5d82d0f9ab8f66d3734c5025d6e9e3
- SHA1: 43a4c686b232f76cf884f9891c0bcf64783e65fe
- SHA256: 122e834c73a33cebf387b66a3de270b223db05a73974c7c1096f558f6ef0c534
- SHA512: 02e0205b4a6972bce5905516ae78697e6dc5cd366b514b012dbd0b4e75fc4458cc8b554fd2c574a49536fae5ef5676b5a07ab2ffc455fc84c12a856d656a889e
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
Processes (pid | process):
- 3628 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 122e834c73a33cebf387b66a3de270b223db05a73974c7c1096f558f6ef0c534.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 122e834c73a33cebf387b66a3de270b223db05a73974c7c1096f558f6ef0c534.exe
Drops file in Windows directory (8 IoCs)
Processes (description | ioc | process):
- File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
- File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
- File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
- File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
- File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
- File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
- File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
- File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description | pid | process):
- Token: SeShutdownPrivilege | 1272 | svchost.exe
- Token: SeCreatePagefilePrivilege | 1272 | svchost.exe
- Token: SeShutdownPrivilege | 1272 | svchost.exe
- Token: SeCreatePagefilePrivilege | 1272 | svchost.exe
- Token: SeShutdownPrivilege | 1272 | svchost.exe
- Token: SeCreatePagefilePrivilege | 1272 | svchost.exe
- Token: SeIncBasePriorityPrivilege | 2780 | 122e834c73a33cebf387b66a3de270b223db05a73974c7c1096f558f6ef0c534.exe
- Token: SeSecurityPrivilege | 1832 | TiWorker.exe
- Token: SeRestorePrivilege | 1832 | TiWorker.exe
- Token: SeBackupPrivilege | 1832 | TiWorker.exe
- Token: SeBackupPrivilege | 1832 | TiWorker.exe
- Token: SeRestorePrivilege | 1832 | TiWorker.exe
- Token: SeSecurityPrivilege | 1832 | TiWorker.exe
- Token: SeBackupPrivilege | 1832 | TiWorker.exe
- Token: SeRestorePrivilege | 1832 | TiWorker.exe
- Token: SeSecurityPrivilege | 1832 | TiWorker.exe
- Token: SeBackupPrivilege | 1832 | TiWorker.exe
- Token: SeRestorePrivilege | 1832 | TiWorker.exe
- Token: SeSecurityPrivilege | 1832 | TiWorker.exe
- Token: SeBackupPrivilege | 1832 | TiWorker.exe
- Token: SeRestorePrivilege | 1832 | TiWorker.exe
- Token: SeSecurityPrivilege | 1832 | TiWorker.exe
- Token: SeBackupPrivilege | 1832 | TiWorker.exe
- Token: SeRestorePrivilege | 1832 | TiWorker.exe
- Token: SeSecurityPrivilege | 1832 | TiWorker.exe
- Token: SeBackupPrivilege | 1832 | TiWorker.exe
- Token: SeRestorePrivilege | 1832 | TiWorker.exe
- Token: SeSecurityPrivilege | 1832 | TiWorker.exe
- Token: SeBackupPrivilege | 1832 | TiWorker.exe
- Token: SeRestorePrivilege | 1832 | TiWorker.exe
- Token: SeSecurityPrivilege | 1832 | TiWorker.exe
- Token: SeBackupPrivilege | 1832 | TiWorker.exe
- Token: SeRestorePrivilege | 1832 | TiWorker.exe
- Token: SeSecurityPrivilege | 1832 | TiWorker.exe
- Token: SeBackupPrivilege | 1832 | TiWorker.exe
- Token: SeRestorePrivilege | 1832 | TiWorker.exe
- Token: SeSecurityPrivilege | 1832 | TiWorker.exe
- Token: SeBackupPrivilege | 1832 | TiWorker.exe
- Token: SeRestorePrivilege | 1832 | TiWorker.exe
- Token: SeSecurityPrivilege | 1832 | TiWorker.exe
- Token: SeBackupPrivilege | 1832 | TiWorker.exe
- Token: SeRestorePrivilege | 1832 | TiWorker.exe
- Token: SeSecurityPrivilege | 1832 | TiWorker.exe
- Token: SeBackupPrivilege | 1832 | TiWorker.exe
- Token: SeRestorePrivilege | 1832 | TiWorker.exe
- Token: SeSecurityPrivilege | 1832 | TiWorker.exe
- Token: SeBackupPrivilege | 1832 | TiWorker.exe
- Token: SeRestorePrivilege | 1832 | TiWorker.exe
- Token: SeSecurityPrivilege | 1832 | TiWorker.exe
- Token: SeBackupPrivilege | 1832 | TiWorker.exe
- Token: SeRestorePrivilege | 1832 | TiWorker.exe
- Token: SeSecurityPrivilege | 1832 | TiWorker.exe
- Token: SeBackupPrivilege | 1832 | TiWorker.exe
- Token: SeRestorePrivilege | 1832 | TiWorker.exe
- Token: SeSecurityPrivilege | 1832 | TiWorker.exe
- Token: SeBackupPrivilege | 1832 | TiWorker.exe
- Token: SeRestorePrivilege | 1832 | TiWorker.exe
- Token: SeSecurityPrivilege | 1832 | TiWorker.exe
- Token: SeBackupPrivilege | 1832 | TiWorker.exe
- Token: SeRestorePrivilege | 1832 | TiWorker.exe
- Token: SeSecurityPrivilege | 1832 | TiWorker.exe
- Token: SeBackupPrivilege | 1832 | TiWorker.exe
- Token: SeRestorePrivilege | 1832 | TiWorker.exe
- Token: SeSecurityPrivilege | 1832 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description | pid | process | target process):
- PID 2780 wrote to memory of 3628 | 2780 | 122e834c73a33cebf387b66a3de270b223db05a73974c7c1096f558f6ef0c534.exe | MediaCenter.exe
- PID 2780 wrote to memory of 3628 | 2780 | 122e834c73a33cebf387b66a3de270b223db05a73974c7c1096f558f6ef0c534.exe | MediaCenter.exe
- PID 2780 wrote to memory of 3628 | 2780 | 122e834c73a33cebf387b66a3de270b223db05a73974c7c1096f558f6ef0c534.exe | MediaCenter.exe
- PID 2780 wrote to memory of 4452 | 2780 | 122e834c73a33cebf387b66a3de270b223db05a73974c7c1096f558f6ef0c534.exe | cmd.exe
- PID 2780 wrote to memory of 4452 | 2780 | 122e834c73a33cebf387b66a3de270b223db05a73974c7c1096f558f6ef0c534.exe | cmd.exe
- PID 2780 wrote to memory of 4452 | 2780 | 122e834c73a33cebf387b66a3de270b223db05a73974c7c1096f558f6ef0c534.exe | cmd.exe
- PID 4452 wrote to memory of 2068 | 4452 | cmd.exe | PING.EXE
- PID 4452 wrote to memory of 2068 | 4452 | cmd.exe | PING.EXE
- PID 4452 wrote to memory of 2068 | 4452 | cmd.exe | PING.EXE
Processes (process tree; nesting shows parent/child)
- C:\Users\Admin\AppData\Local\Temp\122e834c73a33cebf387b66a3de270b223db05a73974c7c1096f558f6ef0c534.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\122e834c73a33cebf387b66a3de270b223db05a73974c7c1096f558f6ef0c534.exe"
  PID: 2780
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 3628
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\122e834c73a33cebf387b66a3de270b223db05a73974c7c1096f558f6ef0c534.exe"
    PID: 4452
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 2068
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 1272
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 1832
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 72576cc67e8c7c75ae4d8309ab455fa1
- SHA1: ae394f90c3085ab036f1b9a9f440165ff6c16d25
- SHA256: a8e7c9fec421970b7659ab15371a1e74b125ac09af5d0618fdb5d60be5034f4d
- SHA512: aa3f2f6eb63d276c2286a618489ecba65f9624adb495dbd663aef13b5af10a7dc92ac307c02a2d0a50993485c2645162b209f2c0793e14330662ec8859749bd1