Analysis
- max time kernel: 142s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 05:45
Static task: static1
Behavioral task: behavioral1
- Sample: 11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe
- Resource: win10v2004-en-20220113
General
- Target: 11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe
- Size: 36KB
- MD5: c73aa935834c45208544470f708fc841
- SHA1: 9d03d558350dd09dd58b70851c258a7e5a18e88a
- SHA256: 11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073
- SHA512: 89e66a893855ff7ec2b2f3a94d2b5aac78f91213333d63a3cc2125faecd8be423fc74476ff116eee777b82e636f99a26ebde7d7451f59818712b38bdd8054f9f
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe, PID 1828
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation, by 11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe (PID 3416)
  Caveat: the report records only the query, not what the sample does with the result, so whether execution is actually gated on the country code cannot be confirmed from this run.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe", by 11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe (PID 3416)
  The persistence target is the dropped copy in the user's Temp directory, which the sample then launches (MediaCenter.exe, PID 1828). The WOW6432Node path means the 32-bit sample wrote to HKLM\...\Run and WOW64 registry redirection placed the value under the 32-bit view; on a 64-bit host both the native and the WOW6432Node Run keys need to be checked when hunting for this value.
- Drops file in Windows directory (8 IoCs)
  File opened for modification by svchost.exe (PID 1976):
    C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
    C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
    C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
    C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm
    C:\Windows\SoftwareDistribution\ReportingEvents.log
    C:\Windows\WindowsUpdate.log
  File opened for modification by TiWorker.exe (PID 1028):
    C:\Windows\Logs\CBS\CBS.log
    C:\Windows\WinSxS\pending.xml
  Caveat: none of these writes come from the sample or its children. They are made by the Windows Update service host (svchost.exe -k netsvcs -p -s wuauserv) and the servicing stack worker (TiWorker.exe), which appear as separate top-level processes in the process tree below; treat them as sandbox VM background activity, not as sample behaviour.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  No IoC is listed for this signature, so it cannot be tied to a specific process or device from this report.
- Runs ping.exe (1 TTP, 1 IoC)
  PING.EXE (PID 1812) runs "ping 127.0.0.1", spawned by cmd.exe (PID 1084) as the delay in the sample's self-deletion command; see the process tree below.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token privileges enabled, by process:
    11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe (PID 3416): SeIncBasePriorityPrivilege (1 entry)
    svchost.exe (PID 1976): SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating (6 entries)
    TiWorker.exe (PID 1028): SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, cycling repeatedly (all remaining entries)
  Only the single SeIncBasePriorityPrivilege entry is attributable to the sample. The svchost.exe and TiWorker.exe entries are normal for the Windows Update service and the servicing stack and are the reason this signature reaches 64 IoCs.
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 3416 (11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe) wrote to memory of PID 1828 (MediaCenter.exe): 3 entries
  PID 3416 (11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe) wrote to memory of PID 1084 (cmd.exe): 3 entries
  PID 1084 (cmd.exe) wrote to memory of PID 1812 (PING.EXE): 3 entries
  Every entry is a parent writing into a child it has just created, matching the process tree below; no writes into an unrelated process (which would indicate injection) are recorded.
Processes
- C:\Users\Admin\AppData\Local\Temp\11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe"
  PID: 3416
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1828
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe"
    PID: 1084
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1812
      Signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 1976
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 1028
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample drops MediaCenter.exe into its own Temp subdirectory, registers it for autostart, launches it, and then removes its original file with the common "ping 127.0.0.1 & del" idiom, where the ping only serves as a short delay so that the parent has exited before del runs on its image. The command line names System32\cmd.exe but the process actually started from SysWOW64, which is WOW64 file system redirection at work and confirms the sample is a 32-bit executable, consistent with its Run value landing under WOW6432Node. svchost.exe (wuauserv) and TiWorker.exe have no parent in the tree and are Windows Update activity in the sandbox VM, unrelated to the sample.
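The three behaviours that are actually attributable to the sample (a Run value pointing into a user-writable directory, the Geo\Nation lookup from a process in Temp, and cmd.exe deleting its parent's image after a ping delay) expressed as detection logic over a handful of Sysmon-style events. This is an added example, not part of the sandbox report; the event field names (type, pid, ppid, image, cmdline, key, value), the parent PID given to svchost.exe and the vendor-installer control events are constructed for the example, while the paths, PIDs and registry keys are taken from the report above.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon-style events modelled on the process tree and registry IoCs in
# the report above. Field names are an assumption of this example, not sandbox output.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
EVENTS = [
    {"type": "registry_query", "pid": 3416, "image": SAMPLE,
     "key": r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation"},
    {"type": "registry_set", "pid": 3416, "image": SAMPLE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
    {"type": "process_create", "pid": 1828, "ppid": 3416, "image": DROPPED, "cmdline": DROPPED},
    {"type": "process_create", "pid": 1084, "ppid": 3416, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'},
    {"type": "process_create", "pid": 1812, "ppid": 1084, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Control events that must not fire: the Windows Update service host from the report
    # (parent PID assumed) and a constructed vendor installer writing a Run value that
    # points into Program Files.
    {"type": "process_create", "pid": 1976, "ppid": 700, "image": r"C:\Windows\system32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"},
    {"type": "registry_set", "pid": 5000, "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "value": r"C:\Program Files\Vendor\tray.exe"},
]

# Directories an unprivileged user can write to; a Run value pointing here is suspicious.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")
# Matches both the native and the WOW6432Node (32-bit redirected) Run/RunOnce keys.
RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
GEO_KEY_RE = re.compile(r"\\control panel\\international\\geo\\nation$", re.I)
# "ping <addr> & del [/switches] <path>": the ping (or timeout) is a delay so the parent
# can exit before its own image is deleted.
SELF_DELETE_RE = re.compile(r'\b(ping|timeout)\b.*&\s*del\b(?:\s+/\w+)*\s+"?([^"&]+?)"?\s*$', re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _norm(path: str) -> str:
    return path.strip('"').lower()


def _user_writable(path: str) -> bool:
    return any(d in _norm(path) for d in USER_WRITABLE)


def analyze(events):
    """Return a list of Findings; event order does not matter."""
    images = {e["pid"]: e["image"] for e in events}  # pid -> image, for parent lookups
    # First pass: remember every Run value written and which process wrote it.
    run_values = {_norm(e["value"]): e["pid"]
                  for e in events if e["type"] == "registry_set" and RUN_KEY_RE.search(e["key"])}
    findings = []
    for e in events:
        if e["type"] == "registry_set" and RUN_KEY_RE.search(e["key"]) and _user_writable(e["value"]):
            findings.append(Finding("run_key_user_writable", e["pid"], e["key"]))
        elif e["type"] == "registry_query" and GEO_KEY_RE.search(e["key"]) and _user_writable(e["image"]):
            findings.append(Finding("geo_lookup_from_user_writable", e["pid"], e["key"]))
        elif e["type"] == "process_create":
            img = _norm(e["image"])
            # Dropped payload: this image was registered for autostart by the process's own parent.
            if img in run_values and run_values[img] == e.get("ppid"):
                findings.append(Finding("executes_run_key_target", e["pid"], e["image"]))
            m = SELF_DELETE_RE.search(e.get("cmdline", ""))
            # Self-deletion: cmd.exe deleting exactly its parent's image after a delay.
            if m and img.endswith("\\cmd.exe") and _norm(m.group(2)) == _norm(images.get(e.get("ppid"), "")):
                findings.append(Finding("self_delete_via_delay", e["pid"], m.group(2)))
    return findings


def summarize(findings):
    """pid -> sorted rule names, so the correlated behaviour of one process is visible at a glance."""
    out = {}
    for f in findings:
        out.setdefault(f.pid, set()).add(f.rule)
    return {pid: sorted(rules) for pid, rules in out.items()}


if __name__ == "__main__":
    for pid, rules in sorted(summarize(analyze(EVENTS)).items()):
        print(pid, ", ".join(rules))
```

The self-deletion rule deliberately requires the del target to equal the parent's image rather than firing on any "ping & del", and the Run-key rule keys on where the value points rather than on the write itself, so the Windows Update service host and the installer in the control events produce no findings. Because a 32-bit process's HKLM Run write lands under WOW6432Node, the Run-key pattern accepts either view of the key.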
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: e8afc1dee7dfd23e444f7257f09f19e1
  SHA1: 32a1b338ef80787cb88409bea3d5dcfca7145e20
  SHA256: b7f0ba344f83c7080ef5d9322754d8c09e591cbb68fc109b286d3abfe1cb0bb6
  SHA512: 0c19740d31935de710452c182d65add326f95a75368d185531d485e856a1ba9b18d0a8523b8b11191eb55d65e46f20917b0a146039d126ec1db99efde4f1709d
  These hashes differ from those of the submitted sample, so this is a distinct file produced during the run.