Analysis
max time kernel: 148s
max time network: 170s
platform: windows10-2004_x64
resource: win10v2004-en-20220113 (this report is the behavioral2 run; behavioral1 ran on win7-en-20211208)
submitted: 12-02-2022 05:46
Static task: static1
Behavioral task: behavioral1
  Sample: 11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe
  Resource: win10v2004-en-20220113
General
Target: 11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe
Size: 58KB
MD5: 249216117351b63e73bde41c89c05101
SHA1: 54e8ab5175b2bdd0529822eff2ac6a462beda7f1
SHA256: 11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1
SHA512: 692803862600601122027e7992da3627422e57acb174f50e51d8e260654d7e3ea222689cc134aa74842f0a0d411b3f93857bf479e79aa86055fece5536cb3b5c
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes: MediaCenter.exe
pid  process
1412  MediaCenter.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check.
Processes: 11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe
description  ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe
description  ioc  process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe
The value lands under WOW6432Node because the sample is a 32-bit process running under WOW64 on the x64 image, so its HKLM\SOFTWARE writes are redirected; the same redirection shows in the process tree, where the cmd.exe it launches as C:\Windows\System32\cmd.exe resolves to C:\Windows\SysWOW64\cmd.exe. The persistence target is the dropped MediaCenter.exe in the user's Temp directory, not the original sample, which is deleted afterwards.
-
Drops file in Windows directory 8 IoCs
Processes: svchost.exe, TiWorker.exe
description  ioc  process
File opened for modification  C:\Windows\WindowsUpdate.log  svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log  svchost.exe
File opened for modification  C:\Windows\Logs\CBS\CBS.log  TiWorker.exe
File opened for modification  C:\Windows\WinSxS\pending.xml  TiWorker.exe
All eight IoCs belong to the Windows Update service (svchost.exe -k netsvcs -s wuauserv, PID 1980) and the Windows Modules Installer worker (TiWorker.exe, PID 2632), which the process tree shows as separate top-level processes rather than children of the sample. They are sandbox background activity and should not be attributed to the sample.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: 11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe, svchost.exe, TiWorker.exe
description  pid  process
Token: SeIncBasePriorityPrivilege  4752  11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe  (1 entry)
Token: SeShutdownPrivilege  1980  svchost.exe  (3 entries)
Token: SeCreatePagefilePrivilege  1980  svchost.exe  (3 entries)
Token: SeSecurityPrivilege / SeRestorePrivilege / SeBackupPrivilege  2632  TiWorker.exe  (the remaining 57 entries, cycling through these three privileges)
Only the single SeIncBasePriorityPrivilege entry comes from the sample; the svchost.exe and TiWorker.exe entries are from the separate Windows Update and servicing process trees.
Suspicious use of WriteProcessMemory 9 IoCs
Processes: 11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe, cmd.exe
description  pid  process  target process
PID 4752 wrote to memory of 1412  4752  11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe  MediaCenter.exe  (3 entries)
PID 4752 wrote to memory of 536  4752  11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe  cmd.exe  (3 entries)
PID 536 wrote to memory of 5080  536  cmd.exe  PING.EXE  (3 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe"
  PID: 4752
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1412
      - Executes dropped EXE
  |
  +-- C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe"
      PID: 536
      - Suspicious use of WriteProcessMemory
      |
      +-- C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          PID: 5080
          - Runs ping.exe
-
Separate process tree (not spawned by the sample):
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 1980
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
-
Separate process tree (not spawned by the sample):
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 2632
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
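The three behaviours the report attributes to the sample itself (the Geo\Nation country-code lookup, the Run key pointing at a dropped binary under the user's Temp directory, and the cmd.exe /c ping 127.0.0.1 & del /q self-deletion of the original file) as detection logic run over constructed Sysmon-style events. This is an added example, not part of the sandbox report or its tooling: the event dictionaries and their field names, the parent PID 1234 given to the sample, and the benign "VendorUpdater" control entry are constructed for illustration. The self-delete rule goes slightly beyond the observed command line: it also accepts the ping -n <count> delay and localhost variants of the same trick.

```python
"""Detection logic for the sample-attributable behaviours in this report,
run over constructed Sysmon-style events (added example, not report tooling)."""
import re
from typing import Dict, List, Tuple

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\11bb52abc50c1d1efcff914b44955b15cefdd17319df187aa0e5125b3b2fe7f1.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events modelled on the report's IoCs. The dict layout, the field
# names and the sample's parent PID 1234 are assumptions, not real telemetry.
EVENTS: List[Dict] = [
    {"type": "process_create", "pid": 4752, "ppid": 1234, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "registry_query", "pid": 4752, "image": SAMPLE,
     "key": r"HKU\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation"},
    {"type": "registry_set", "pid": 4752, "image": SAMPLE,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
    {"type": "process_create", "pid": 1412, "ppid": 4752, "image": DROPPED, "cmdline": DROPPED},
    {"type": "process_create", "pid": 536, "ppid": 4752, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process_create", "pid": 5080, "ppid": 536, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Benign control (constructed): an installer registering an updater under Program Files.
    {"type": "registry_set", "pid": 900, "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "value": r"C:\Program Files\Vendor\updater.exe"},
]

# Run/RunOnce under either the native or the WOW6432Node view of HKLM\SOFTWARE (or HKCU).
RUN_KEY = re.compile(r"\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.I)
# Locations a standard user can write to; a Run value pointing here is the suspicious part.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Local|Roaming)\\|\\ProgramData\\|\\Users\\Public\\", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# "ping <loopback> & del <path>": the ping is a sleep so the parent can exit and unlock its
# image file before del runs; "ping -n N" and "localhost" variants are accepted too.
SELF_DELETE = re.compile(
    r"ping(?:\s+-n\s+\d+)?\s+(?:127\.0\.0\.1|localhost)\b.*?&+\s*del\s+(?:/[a-z]\s+)*\"?(?P<target>[^\"&]+?)\"?\s*$",
    re.I | re.S,
)


def find_run_key_persistence(events: List[Dict]) -> List[Tuple[int, str, str]]:
    """Run-key values whose target lives in a user-writable directory: (pid, value name, target)."""
    hits = []
    for ev in events:
        if ev["type"] != "registry_set" or not RUN_KEY.search(ev["key"]):
            continue
        target = ev.get("value", "")
        if USER_WRITABLE.search(target):
            hits.append((ev["pid"], ev["key"].rsplit("\\", 1)[1], target))
    return hits


def find_geofence_lookups(events: List[Dict]) -> List[Tuple[int, str]]:
    """Processes reading the configured country code (GeoID): (pid, image)."""
    return [(ev["pid"], ev["image"]) for ev in events
            if ev["type"] == "registry_query" and GEO_NATION.search(ev["key"])]


def find_self_delete(events: List[Dict]) -> List[Tuple[int, str, bool]]:
    """Delayed deletes via cmd/ping: (pid, deleted path, True if it is the parent's own image)."""
    images = {ev["pid"]: ev["image"] for ev in events if ev["type"] == "process_create"}
    hits = []
    for ev in events:
        if ev["type"] != "process_create":
            continue
        m = SELF_DELETE.search(ev["cmdline"])
        if not m:
            continue
        target = m.group("target").strip()
        parent_image = images.get(ev.get("ppid"))
        deletes_parent = parent_image is not None and target.lower() == parent_image.lower()
        hits.append((ev["pid"], target, deletes_parent))
    return hits


def triage(events: List[Dict]) -> List[Tuple[str, int, str]]:
    """All findings as (rule, pid, detail), in rule order."""
    findings: List[Tuple[str, int, str]] = []
    for pid, name, target in find_run_key_persistence(events):
        findings.append(("run_key_persistence_user_writable", pid, f"{name} -> {target}"))
    for pid, image in find_geofence_lookups(events):
        findings.append(("geo_nation_lookup", pid, image))
    for pid, target, deletes_parent in find_self_delete(events):
        rule = "self_delete_of_parent_binary" if deletes_parent else "delayed_delete_via_ping"
        findings.append((rule, pid, target))
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(*finding, sep="  ")
```

The benign VendorUpdater entry is there to show why the Run-key rule keys on the target path rather than on the key alone: Run values are written by legitimate installers all the time, but a value pointing into AppData\Local\Temp is rarely legitimate. The self-delete rule becomes high-confidence only when the deleted path matches the parent process's own image, which the PID-to-image map from process-creation events makes checkable.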
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: 8e69a71105dad5d36191cfdaeedc88d8
SHA1: 6447187fea416821c43643e536f45464641be00d
SHA256: 751658b4fdbace6d610261e77f232940de47f1f138318eae7b25845cdadc9817
SHA512: e2ae92c2f721a002f5ef3ac526c7d7d59a8b6c72039d15b28f683eb90b76d2d3e06eafdbc8889f70b6eaf54991dae2804b97a9cdc867536fd28e619d0201bd52