Analysis
- max time kernel: 161s
- max time network: 169s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 06:14
Static task: static1
Behavioral task: behavioral1
  Sample: 1087585481d2b486b866a169f003568a0efc862ae3dd248dd760a25809f3d572.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2 (the run shown on this page)
  Sample: 1087585481d2b486b866a169f003568a0efc862ae3dd248dd760a25809f3d572.exe
  Resource: win10v2004-en-20220113
General
- Target: 1087585481d2b486b866a169f003568a0efc862ae3dd248dd760a25809f3d572.exe
- Size: 36KB
- MD5: 5ba8b640d31085d6b4f327b6cf01f412
- SHA1: f5a515abc4f3e804d8288b88df40a62d0549e9f1
- SHA256: 1087585481d2b486b866a169f003568a0efc862ae3dd248dd760a25809f3d572
- SHA512: ae12cb2eecf540ce40f839ec7fed1ee9bbb29ba232fe4900762fa8fb83ed6cc89306fe28a29074a028a8ddcc708a56b5bf188d4ca18ab4b21677da76303fb88b
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 4532)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process: 1087585481d2b486b866a169f003568a0efc862ae3dd248dd760a25809f3d572.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 1087585481d2b486b866a169f003568a0efc862ae3dd248dd760a25809f3d572.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  Note: WOW6432Node is the 32-bit registry view of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, so the dropped MediaCenter.exe is launched at every user logon, from a user-writable Temp directory. The redirected path confirms the sample is a 32-bit process, matching the SysWOW64 child processes in the tree below.
- Drops file in Windows directory (8 IoCs)
  Process: svchost.exe (PID 3756, wuauserv)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm
    File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log
    File opened for modification: C:\Windows\WindowsUpdate.log
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
  Process: TiWorker.exe (PID 1712)
    File opened for modification: C:\Windows\Logs\CBS\CBS.log
    File opened for modification: C:\Windows\WinSxS\pending.xml
  Note: all eight IoCs belong to the Windows Update service host and the servicing worker, which appear in the process tree as separate root processes rather than as descendants of the sample. Treat this signature as sandbox background activity, not sample behaviour.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  No IoC is listed for this signature.
- Runs ping.exe (1 TTP, 1 IoC)
  Process: PING.EXE (PID 2380), spawned by cmd.exe (PID 1700); see the process tree below.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Process: svchost.exe (PID 3756)
    Token: SeShutdownPrivilege (3 times)
    Token: SeCreatePagefilePrivilege (3 times)
  Process: 1087585481d2b486b866a169f003568a0efc862ae3dd248dd760a25809f3d572.exe (PID 4528)
    Token: SeIncBasePriorityPrivilege (1 time)
  Process: TiWorker.exe (PID 1712)
    Token: SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, enabled in rotation (the remaining 57 entries)
  Note: only one of the 64 adjustments comes from the sample itself (SeIncBasePriorityPrivilege); the svchost.exe and TiWorker.exe entries are Windows Update servicing activity unrelated to the sample.
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4528 (1087585481d2b486b866a169f003568a0efc862ae3dd248dd760a25809f3d572.exe) wrote to memory of PID 4532 (MediaCenter.exe), 3 times
  PID 4528 (1087585481d2b486b866a169f003568a0efc862ae3dd248dd760a25809f3d572.exe) wrote to memory of PID 1700 (cmd.exe), 3 times
  PID 1700 (cmd.exe) wrote to memory of PID 2380 (PING.EXE), 3 times
  Note: every target is a direct child that the writing process had just started (see the process tree below), which is consistent with ordinary process creation; there is no write into a pre-existing or unrelated process that would indicate injection.
Processes
C:\Users\Admin\AppData\Local\Temp\1087585481d2b486b866a169f003568a0efc862ae3dd248dd760a25809f3d572.exe (PID 4528, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1087585481d2b486b866a169f003568a0efc862ae3dd248dd760a25809f3d572.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 4532, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe (PID 1700, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1087585481d2b486b866a169f003568a0efc862ae3dd248dd760a25809f3d572.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (PID 2380, depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
  Note: the cmd.exe line is the common self-deletion idiom: ping 127.0.0.1 (four echo requests, roughly three seconds) gives the parent time to exit, then del removes the original executable, leaving only the dropped MediaCenter.exe and its Run key on disk. The image paths sit under SysWOW64 while the command line names System32 because the 32-bit sample is subject to WOW64 file system redirection.

C:\Windows\system32\svchost.exe (PID 3756, depth 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 1712, depth 1)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
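Three of the sample's behaviours above are worth turning into detection logic: the Geo\Nation registry lookup, the Run-key value that points into a user-writable Temp directory, and the cmd.exe "ping 127.0.0.1 & del" self-deletion line from the process tree. The block below is an added example, not part of the sandbox report or the sample; it runs the three rules over a small, constructed event list whose paths, PIDs and command lines are copied from the report (the "benign" entries are made up to show non-matches). The Sysmon-like event shape, the timeout-based delay variant and the user-writable path list are assumptions that go beyond what the page shows.

```python
import re
from typing import Dict, List, Optional

# Constructed events in a Sysmon-like shape. Paths, PIDs, registry keys and
# command lines are copied from the report; the two "benign" entries are
# made up here to show non-matches. This is not real telemetry.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1087585481d2b486b866a169f003568a0efc862ae3dd248dd760a25809f3d572.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

EVENTS: List[Dict] = [
    {"type": "process_create", "pid": 4528, "ppid": 1000, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"type": "registry_query", "pid": 4528,
     "key": r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation"},
    {"type": "registry_set", "pid": 4528,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "data": DROPPED},
    {"type": "process_create", "pid": 4532, "ppid": 4528, "image": DROPPED, "cmdline": DROPPED},
    {"type": "process_create", "pid": 1700, "ppid": 4528, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    # Benign (constructed): an installer registering itself from Program Files.
    {"type": "registry_set", "pid": 2200,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r'"C:\Program Files\Vendor\updater.exe" /background'},
    # Benign (constructed): a loopback ping with no delete behind it.
    {"type": "process_create", "pid": 2300, "ppid": 1000,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ping 127.0.0.1"},
]

# Run and RunOnce values, in either the native or the WOW6432Node view.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.I)
# First executable named in a value, with or without surrounding quotes.
EXE_IN_VALUE_RE = re.compile(r'^\s*"?([^"]+?\.(?:exe|dll|scr|bat|cmd|vbs|js|ps1))(?:"|\s|$)', re.I)
# Locations a non-admin user can write to (assumed list); autostarts from here deserve a look.
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\appdata\\|users\\public\\|programdata\\|windows\\temp\\)", re.I)
# The geofence lookup recorded in the report.
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# "<delay> & del <file>": the delay is a loopback ping (as in the report) or,
# going beyond the report, a timeout; the delete is del or erase with switches.
SELF_DELETE_RE = re.compile(
    r"(?:ping\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost|::1)|timeout\s+(?:/t\s+)?\d+)\b"
    r'.*?&+\s*(?:del|erase)\s+(?:/[a-z]\s+)*"?(?P<target>[^"&]+?\.exe)"?', re.I | re.S)


def run_key_target(key: str, data: str) -> Optional[str]:
    """Executable a Run/RunOnce value would start, or None if not an autostart value."""
    if not RUN_KEY_RE.search(key):
        return None
    m = EXE_IN_VALUE_RE.match(data)
    return m.group(1) if m else None


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE_RE.match(path))


def self_delete_target(cmdline: str) -> Optional[str]:
    """File deleted by a delay-then-delete command line, or None."""
    m = SELF_DELETE_RE.search(cmdline)
    return m.group("target").strip() if m else None


def triage(events: List[Dict]) -> List[Dict]:
    """Run the three rules over an event list; alerts come back in event order."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    alerts: List[Dict] = []
    for e in events:
        if e["type"] == "registry_query" and GEO_NATION_RE.search(e["key"]):
            alerts.append({"rule": "geo_nation_lookup", "pid": e["pid"], "key": e["key"]})
        elif e["type"] == "registry_set":
            target = run_key_target(e["key"], e["data"])
            if target and is_user_writable(target):
                alerts.append({"rule": "run_key_user_writable", "pid": e["pid"], "target": target})
        elif e["type"] == "process_create":
            target = self_delete_target(e["cmdline"])
            if target:
                # Deleting the parent's own image is the self-deletion case seen in the report.
                parent = images.get(e["ppid"], "")
                alerts.append({"rule": "self_delete", "pid": e["pid"], "target": target,
                               "deletes_parent_image": target.lower() == parent.lower()})
    return alerts


if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```

On real telemetry the Run-key rule maps to Sysmon Event ID 13 (registry value set) and the self-delete rule to Event ID 1 command lines with the parent image from the same event; registry value queries such as the Geo\Nation read are not logged by Sysmon, so that rule only applies to sandbox or API-monitoring output like the report above.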
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 01cd8e776cb30e55784cce7f0e044af1
  SHA1: e40e6b4fafcfbe23e0036d22302f2781d5c0c118
  SHA256: d8844f5e9f6b40f1171aff29e59eca88a57343aebc7cff8b9cb78a0e4b127727
  SHA512: 0df1ee92ef81e80a249b88b22955aa4c1e5a0820d56c66eccd4ee07bcd4db85930904d6f3a080ca9583f80807ec1c639f0ec91a4bf41a15b63238c8d39918c0b
  (a file distinct from the submitted sample; its hashes differ from those under General)