Analysis
- max time kernel: 135s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 06:01
Static task: static1
Behavioral task: behavioral1
- Sample: 1116b62b037f87d2d659b5e8fafe319ca42ea32d257d63a3fbe10e27e5fd4630.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1116b62b037f87d2d659b5e8fafe319ca42ea32d257d63a3fbe10e27e5fd4630.exe
- Resource: win10v2004-en-20220113
General
- Target: 1116b62b037f87d2d659b5e8fafe319ca42ea32d257d63a3fbe10e27e5fd4630.exe
- Size: 60KB
- MD5: dac04e5271a4739eeb30669a529b392c
- SHA1: 985386b255688065a8618c75b987a7d059ca3c99
- SHA256: 1116b62b037f87d2d659b5e8fafe319ca42ea32d257d63a3fbe10e27e5fd4630
- SHA512: a065e089301f9ca5ed5d643a701257182275d9930105b929244a06780a9844cd985f9d3b85a68e556e337edc6213b550f6b602107bba073141a522722aa96daf
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid 2228  MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 1116b62b037f87d2d659b5e8fafe319ca42ea32d257d63a3fbe10e27e5fd4630.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  process: 1116b62b037f87d2d659b5e8fafe319ca42ea32d257d63a3fbe10e27e5fd4630.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 1116b62b037f87d2d659b5e8fafe319ca42ea32d257d63a3fbe10e27e5fd4630.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 1116b62b037f87d2d659b5e8fafe319ca42ea32d257d63a3fbe10e27e5fd4630.exe
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log  svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log  TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml  TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: 1116b62b037f87d2d659b5e8fafe319ca42ea32d257d63a3fbe10e27e5fd4630.exe, svchost.exe, TiWorker.exe
  The 64 entries are the following token/pid/process rows; the svchost.exe and TiWorker.exe rows recur in rotation throughout the list.
  Token: SeIncBasePriorityPrivilege  pid 3212  1116b62b037f87d2d659b5e8fafe319ca42ea32d257d63a3fbe10e27e5fd4630.exe
  Token: SeShutdownPrivilege  pid 2432  svchost.exe  (repeated)
  Token: SeCreatePagefilePrivilege  pid 2432  svchost.exe  (repeated)
  Token: SeSecurityPrivilege  pid 828  TiWorker.exe  (repeated)
  Token: SeRestorePrivilege  pid 828  TiWorker.exe  (repeated)
  Token: SeBackupPrivilege  pid 828  TiWorker.exe  (repeated)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 1116b62b037f87d2d659b5e8fafe319ca42ea32d257d63a3fbe10e27e5fd4630.exe, cmd.exe
  description: wrote to memory of | pid | process | target process (each row reported three times)
  PID 3212 wrote to memory of 2228  3212  1116b62b037f87d2d659b5e8fafe319ca42ea32d257d63a3fbe10e27e5fd4630.exe  MediaCenter.exe
  PID 3212 wrote to memory of 3736  3212  1116b62b037f87d2d659b5e8fafe319ca42ea32d257d63a3fbe10e27e5fd4630.exe  cmd.exe
  PID 3736 wrote to memory of 2220  3736  cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1116b62b037f87d2d659b5e8fafe319ca42ea32d257d63a3fbe10e27e5fd4630.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1116b62b037f87d2d659b5e8fafe319ca42ea32d257d63a3fbe10e27e5fd4630.exe"
  PID: 3212
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 2228
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1116b62b037f87d2d659b5e8fafe319ca42ea32d257d63a3fbe10e27e5fd4630.exe"
    PID: 3736
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 2220
      Signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 2432
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 828
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 2ad1ebff9f6e345db693233469bc38a3
  SHA1: f530c750bd484161dda5c1c3169d6a85ebc69c35
  SHA256: 0d8ecc509f52ebfb5f7e5d4c6bf5a49a30c856355684b341a781db32b7fe6c94
  SHA512: e729f200272061c67996465c215d7d93537e84731345452b26d7837a5eeadca877244270146654c4774059a8b996e424298b934a09a4d74a5419db9911adf63c