Analysis
- max time kernel: 150s
- max time network: 170s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 10:03

Static task: static1

Behavioral task: behavioral1
- Sample: 0842bded9edf9c5df77d5e39859450fcfb668b10ad75ac7c07ef26ef5700707d.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0842bded9edf9c5df77d5e39859450fcfb668b10ad75ac7c07ef26ef5700707d.exe
- Resource: win10v2004-en-20220113
General
- Target: 0842bded9edf9c5df77d5e39859450fcfb668b10ad75ac7c07ef26ef5700707d.exe
- Size: 36KB
- MD5: b6da63c40cdd4f638c1e851fd969adbf
- SHA1: 6feb6270da9f9f47ed15d67035086b6db0eac7d7
- SHA256: 0842bded9edf9c5df77d5e39859450fcfb668b10ad75ac7c07ef26ef5700707d
- SHA512: 9a55faedffb698e24bd4ba08ae81ae5573371dbd17c7b46f65709671b675939d5657aae19ca558a1092872426223875067ad9069ffffa6ebca77ee42d84f3409
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 5000 MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  Process: 0842bded9edf9c5df77d5e39859450fcfb668b10ad75ac7c07ef26ef5700707d.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Process: 0842bded9edf9c5df77d5e39859450fcfb668b10ad75ac7c07ef26ef5700707d.exe
- Drops file in Windows directory (8 IoCs)
  Files opened for modification, with the modifying process:
  - C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  - C:\Windows\WindowsUpdate.log (svchost.exe)
  - C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
  - C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
  - C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
  - C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  - C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
  - C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token privileges adjusted, by PID and process:
  - PID 3532 svchost.exe: SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating, three times each
  - PID 4952 0842bded9edf9c5df77d5e39859450fcfb668b10ad75ac7c07ef26ef5700707d.exe: SeIncBasePriorityPrivilege
  - PID 2724 TiWorker.exe: SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, cycled repeatedly for the remainder of the list
- Suspicious use of WriteProcessMemory (9 IoCs)
  Writes into another process's memory (source PID/process -> target PID/process), each recorded three times:
  - 4952 0842bded9edf9c5df77d5e39859450fcfb668b10ad75ac7c07ef26ef5700707d.exe -> 5000 MediaCenter.exe
  - 4952 0842bded9edf9c5df77d5e39859450fcfb668b10ad75ac7c07ef26ef5700707d.exe -> 1628 cmd.exe
  - 1628 cmd.exe -> 2820 PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0842bded9edf9c5df77d5e39859450fcfb668b10ad75ac7c07ef26ef5700707d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0842bded9edf9c5df77d5e39859450fcfb668b10ad75ac7c07ef26ef5700707d.exe"
  PID: 4952
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 5000
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0842bded9edf9c5df77d5e39859450fcfb668b10ad75ac7c07ef26ef5700707d.exe"
    (ping to localhost as a short delay, then deletion of the original sample file)
    PID: 1628
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 2820
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 3532
  (separate top-level process hosting the Windows Update service; not a child of the sample)
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 2724
  (separate top-level process from the Windows servicing stack; not a child of the sample)
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 47602d2ae23317972c25019d56ca8c6e
  SHA1: dbc55a43e847f646d46194619e33cca8b98e0445
  SHA256: 4eae04dacabf0158f5a3fdfdfab203f64a48d39f03d97271622dc0db4069f9ca
  SHA512: ae523691528bc7b41a36a4ef79373f3fc03ac716256843a9eb2101aaea27d4867ae8e31e87a50a4691e76a17ccf7f1f4e7228a09d1dc300ff5a7b4b360e6b040
- memory/3532-132-0x00000267A4560000-0x00000267A4570000-memory.dmp (Filesize: 64KB)
- memory/3532-133-0x00000267A4B20000-0x00000267A4B30000-memory.dmp (Filesize: 64KB)
- memory/3532-134-0x00000267A71C0000-0x00000267A71C4000-memory.dmp (Filesize: 16KB)