Analysis
- max time kernel: 152s
- max time network: 174s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 06:05
Static task: static1
Behavioral task: behavioral1
  Sample: 10e67fe9f9b73f1b6ea9ea7e5f8578fb7bfa4cb700a54aef089422ea9f2b35fb.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 10e67fe9f9b73f1b6ea9ea7e5f8578fb7bfa4cb700a54aef089422ea9f2b35fb.exe
  Resource: win10v2004-en-20220113
General
- Target: 10e67fe9f9b73f1b6ea9ea7e5f8578fb7bfa4cb700a54aef089422ea9f2b35fb.exe
- Size: 58KB
- MD5: 5db5cb999f6a76f94e059a29e59fa461
- SHA1: 85dfb58a52777f885f5ea930407590e05034e56a
- SHA256: 10e67fe9f9b73f1b6ea9ea7e5f8578fb7bfa4cb700a54aef089422ea9f2b35fb
- SHA512: 1b99c887071767f3395b8651ca88b9eea7c3fde1fb0999c58144d1793476ac50dacfda8cf0e6ea62be523698532886e7298055d624ebc143c50ff9a5b90d846a
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    1272 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 10e67fe9f9b73f1b6ea9ea7e5f8578fb7bfa4cb700a54aef089422ea9f2b35fb.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 10e67fe9f9b73f1b6ea9ea7e5f8578fb7bfa4cb700a54aef089422ea9f2b35fb.exe
- Drops file in Windows directory (8 IoCs)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
    File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
    File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description | pid | process | count), grouped by identical rows in order of first appearance; the listing repeats each row the number of times given in the count column (svchost.exe alternates SeShutdownPrivilege and SeCreatePagefilePrivilege; TiWorker.exe cycles SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege):
    Token: SeIncBasePriorityPrivilege | 1532 | 10e67fe9f9b73f1b6ea9ea7e5f8578fb7bfa4cb700a54aef089422ea9f2b35fb.exe | 1
    Token: SeShutdownPrivilege | 3124 | svchost.exe | 3
    Token: SeCreatePagefilePrivilege | 3124 | svchost.exe | 3
    Token: SeSecurityPrivilege | 3820 | TiWorker.exe | 19
    Token: SeRestorePrivilege | 3820 | TiWorker.exe | 19
    Token: SeBackupPrivilege | 3820 | TiWorker.exe | 19
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
    PID 1532 wrote to memory of 1272 | 1532 | 10e67fe9f9b73f1b6ea9ea7e5f8578fb7bfa4cb700a54aef089422ea9f2b35fb.exe | MediaCenter.exe
    PID 1532 wrote to memory of 1272 | 1532 | 10e67fe9f9b73f1b6ea9ea7e5f8578fb7bfa4cb700a54aef089422ea9f2b35fb.exe | MediaCenter.exe
    PID 1532 wrote to memory of 1272 | 1532 | 10e67fe9f9b73f1b6ea9ea7e5f8578fb7bfa4cb700a54aef089422ea9f2b35fb.exe | MediaCenter.exe
    PID 1532 wrote to memory of 2300 | 1532 | 10e67fe9f9b73f1b6ea9ea7e5f8578fb7bfa4cb700a54aef089422ea9f2b35fb.exe | cmd.exe
    PID 1532 wrote to memory of 2300 | 1532 | 10e67fe9f9b73f1b6ea9ea7e5f8578fb7bfa4cb700a54aef089422ea9f2b35fb.exe | cmd.exe
    PID 1532 wrote to memory of 2300 | 1532 | 10e67fe9f9b73f1b6ea9ea7e5f8578fb7bfa4cb700a54aef089422ea9f2b35fb.exe | cmd.exe
    PID 2300 wrote to memory of 3512 | 2300 | cmd.exe | PING.EXE
    PID 2300 wrote to memory of 3512 | 2300 | cmd.exe | PING.EXE
    PID 2300 wrote to memory of 3512 | 2300 | cmd.exe | PING.EXE
Processes (tree; nesting shows parent/child)
- C:\Users\Admin\AppData\Local\Temp\10e67fe9f9b73f1b6ea9ea7e5f8578fb7bfa4cb700a54aef089422ea9f2b35fb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10e67fe9f9b73f1b6ea9ea7e5f8578fb7bfa4cb700a54aef089422ea9f2b35fb.exe"
  PID: 1532
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1272
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\10e67fe9f9b73f1b6ea9ea7e5f8578fb7bfa4cb700a54aef089422ea9f2b35fb.exe"
    PID: 2300
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 3512
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 3124
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3820
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 67b9668028572213edbe95f0af09e70b
  SHA1: e0b3a7bc16a08e6dd904f53d91173e1894d48f95
  SHA256: d41ad41f8d46f86ac16446ede874cae8a4ddc771c715d7ccf121e23a3111e493
  SHA512: 5b7561f26421e30ed85f3397b1e724adbc16c27d66f2ec862288bda93960737dfc5662e0118c7c3f5746c2294a25091347b6117fc4f1c7ade366a4c59c30461b
- MD5: 67b9668028572213edbe95f0af09e70b
  SHA1: e0b3a7bc16a08e6dd904f53d91173e1894d48f95
  SHA256: d41ad41f8d46f86ac16446ede874cae8a4ddc771c715d7ccf121e23a3111e493
  SHA512: 5b7561f26421e30ed85f3397b1e724adbc16c27d66f2ec862288bda93960737dfc5662e0118c7c3f5746c2294a25091347b6117fc4f1c7ade366a4c59c30461b