Analysis
- Max time kernel: 150s
- Max time network: 170s
- Platform: windows10-2004_x64
- Resource: win10v2004-en-20220113
- Submitted: 12-02-2022 06:04
Static task: static1
Behavioral task: behavioral1
  Sample: 10f2f7bccb5948dd335946816eb6ed3f20904b29fe8c21b257c1d896671ce711.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 10f2f7bccb5948dd335946816eb6ed3f20904b29fe8c21b257c1d896671ce711.exe
  Resource: win10v2004-en-20220113
General
- Target: 10f2f7bccb5948dd335946816eb6ed3f20904b29fe8c21b257c1d896671ce711.exe
- Size: 35KB
- MD5: 94720a47a9d4838011e89cdf6e8aab46
- SHA1: 79ad39961338bceef414bfb286056173c4529eb2
- SHA256: 10f2f7bccb5948dd335946816eb6ed3f20904b29fe8c21b257c1d896671ce711
- SHA512: d3a765e90861cdb2dd54d67c1f9075748681298d271ef4bf8a3bdf3acb8b7d97f3b0a7ee6d3a7b18ae73380c89fc7d6f619a1d41b1a458e782f20c8fdcc4680f
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid  | process
    3296 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description       | ioc                                                                                              | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 10f2f7bccb5948dd335946816eb6ed3f20904b29fe8c21b257c1d896671ce711.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description     | ioc                                                                                                                                                                     | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 10f2f7bccb5948dd335946816eb6ed3f20904b29fe8c21b257c1d896671ce711.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
    description                   | ioc                                                      | process
    File opened for modification  | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log   | svchost.exe
    File opened for modification  | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  | svchost.exe
    File opened for modification  | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  | svchost.exe
    File opened for modification  | C:\Windows\SoftwareDistribution\ReportingEvents.log      | svchost.exe
    File opened for modification  | C:\Windows\Logs\CBS\CBS.log                              | TiWorker.exe
    File opened for modification  | C:\Windows\WinSxS\pending.xml                            | TiWorker.exe
    File opened for modification  | C:\Windows\WindowsUpdate.log                             | svchost.exe
    File opened for modification  | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk   | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    description                       | pid  | process
    Token: SeShutdownPrivilege        | 456  | svchost.exe
    Token: SeCreatePagefilePrivilege  | 456  | svchost.exe
    Token: SeShutdownPrivilege        | 456  | svchost.exe
    Token: SeCreatePagefilePrivilege  | 456  | svchost.exe
    Token: SeShutdownPrivilege        | 456  | svchost.exe
    Token: SeCreatePagefilePrivilege  | 456  | svchost.exe
    Token: SeIncBasePriorityPrivilege | 3900 | 10f2f7bccb5948dd335946816eb6ed3f20904b29fe8c21b257c1d896671ce711.exe
    Token: SeSecurityPrivilege        | 3740 | TiWorker.exe
    Token: SeRestorePrivilege         | 3740 | TiWorker.exe
    Token: SeBackupPrivilege          | 3740 | TiWorker.exe
    Token: SeBackupPrivilege          | 3740 | TiWorker.exe
    Token: SeRestorePrivilege         | 3740 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3740 | TiWorker.exe
    Token: SeBackupPrivilege          | 3740 | TiWorker.exe
    Token: SeRestorePrivilege         | 3740 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3740 | TiWorker.exe
    Token: SeBackupPrivilege          | 3740 | TiWorker.exe
    Token: SeRestorePrivilege         | 3740 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3740 | TiWorker.exe
    Token: SeBackupPrivilege          | 3740 | TiWorker.exe
    Token: SeRestorePrivilege         | 3740 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3740 | TiWorker.exe
    Token: SeBackupPrivilege          | 3740 | TiWorker.exe
    Token: SeRestorePrivilege         | 3740 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3740 | TiWorker.exe
    Token: SeBackupPrivilege          | 3740 | TiWorker.exe
    Token: SeRestorePrivilege         | 3740 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3740 | TiWorker.exe
    Token: SeBackupPrivilege          | 3740 | TiWorker.exe
    Token: SeRestorePrivilege         | 3740 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3740 | TiWorker.exe
    Token: SeBackupPrivilege          | 3740 | TiWorker.exe
    Token: SeRestorePrivilege         | 3740 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3740 | TiWorker.exe
    Token: SeBackupPrivilege          | 3740 | TiWorker.exe
    Token: SeRestorePrivilege         | 3740 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3740 | TiWorker.exe
    Token: SeBackupPrivilege          | 3740 | TiWorker.exe
    Token: SeRestorePrivilege         | 3740 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3740 | TiWorker.exe
    Token: SeBackupPrivilege          | 3740 | TiWorker.exe
    Token: SeRestorePrivilege         | 3740 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3740 | TiWorker.exe
    Token: SeBackupPrivilege          | 3740 | TiWorker.exe
    Token: SeRestorePrivilege         | 3740 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3740 | TiWorker.exe
    Token: SeBackupPrivilege          | 3740 | TiWorker.exe
    Token: SeRestorePrivilege         | 3740 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3740 | TiWorker.exe
    Token: SeBackupPrivilege          | 3740 | TiWorker.exe
    Token: SeRestorePrivilege         | 3740 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3740 | TiWorker.exe
    Token: SeBackupPrivilege          | 3740 | TiWorker.exe
    Token: SeRestorePrivilege         | 3740 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3740 | TiWorker.exe
    Token: SeBackupPrivilege          | 3740 | TiWorker.exe
    Token: SeRestorePrivilege         | 3740 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3740 | TiWorker.exe
    Token: SeBackupPrivilege          | 3740 | TiWorker.exe
    Token: SeRestorePrivilege         | 3740 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3740 | TiWorker.exe
    Token: SeBackupPrivilege          | 3740 | TiWorker.exe
    Token: SeRestorePrivilege         | 3740 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3740 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                       | pid  | process                                                              | target process
    PID 3900 wrote to memory of 3296  | 3900 | 10f2f7bccb5948dd335946816eb6ed3f20904b29fe8c21b257c1d896671ce711.exe | MediaCenter.exe
    PID 3900 wrote to memory of 3296  | 3900 | 10f2f7bccb5948dd335946816eb6ed3f20904b29fe8c21b257c1d896671ce711.exe | MediaCenter.exe
    PID 3900 wrote to memory of 3296  | 3900 | 10f2f7bccb5948dd335946816eb6ed3f20904b29fe8c21b257c1d896671ce711.exe | MediaCenter.exe
    PID 3900 wrote to memory of 4404  | 3900 | 10f2f7bccb5948dd335946816eb6ed3f20904b29fe8c21b257c1d896671ce711.exe | cmd.exe
    PID 3900 wrote to memory of 4404  | 3900 | 10f2f7bccb5948dd335946816eb6ed3f20904b29fe8c21b257c1d896671ce711.exe | cmd.exe
    PID 3900 wrote to memory of 4404  | 3900 | 10f2f7bccb5948dd335946816eb6ed3f20904b29fe8c21b257c1d896671ce711.exe | cmd.exe
    PID 4404 wrote to memory of 1280  | 4404 | cmd.exe                                                              | PING.EXE
    PID 4404 wrote to memory of 1280  | 4404 | cmd.exe                                                              | PING.EXE
    PID 4404 wrote to memory of 1280  | 4404 | cmd.exe                                                              | PING.EXE
Processes
- Path: C:\Users\Admin\AppData\Local\Temp\10f2f7bccb5948dd335946816eb6ed3f20904b29fe8c21b257c1d896671ce711.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10f2f7bccb5948dd335946816eb6ed3f20904b29fe8c21b257c1d896671ce711.exe"
  PID: 3900
  Signatures:
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  Child processes:
    - Path: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 3296
      Signatures:
        - Executes dropped EXE
    - Path: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\10f2f7bccb5948dd335946816eb6ed3f20904b29fe8c21b257c1d896671ce711.exe"
      PID: 4404
      Signatures:
        - Suspicious use of WriteProcessMemory
      Child processes:
        - Path: C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          PID: 1280
          Signatures:
            - Runs ping.exe
- Path: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 456
  Signatures:
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
- Path: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3740
  Signatures:
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 8fefa170c010452586d49b622e45eefe
  SHA1: cd4bc348bb34ce7e14880814931f97f89bed4fd4
  SHA256: 2007ea14eb8695b7477e82f4745a1cb9620f6153bf6211f511f62950809b5bc5
  SHA512: 5c4c8c41519f0c56dd0b692a472cf934e969de4d5eb4b0e6c2308e4a528014b56062fbe4f3861069ceff760f88a3e16b59d71bd79fa9765800868b5f096db0d7