Analysis
- max time kernel: 138s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 10:05

Static task: static1
Behavioral task: behavioral1
- Sample: 08286e36c8e385050876530e24e114e674d9816891e201febdbb3f3d83f86d83.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 08286e36c8e385050876530e24e114e674d9816891e201febdbb3f3d83f86d83.exe
- Resource: win10v2004-en-20220113
General
- Target: 08286e36c8e385050876530e24e114e674d9816891e201febdbb3f3d83f86d83.exe
- Size: 58KB
- MD5: 790f0e00c58bcf37ded5f23272afaf45
- SHA1: 1caf61c33b16dc25e674936d299b3b3268374e1b
- SHA256: 08286e36c8e385050876530e24e114e674d9816891e201febdbb3f3d83f86d83
- SHA512: 632a168f26a3786ea16525129fb195922a0b3ace1b0d5e621cc551b50bb3275e85d5aaf2e90ffd1ad4c1b258041fdba79e8d2914497bc3bd392b2bb9c457c312
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
    pid   process
    1700  MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 08286e36c8e385050876530e24e114e674d9816891e201febdbb3f3d83f86d83.exe
    description        ioc                                                                                                       process
    Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  08286e36c8e385050876530e24e114e674d9816891e201febdbb3f3d83f86d83.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 08286e36c8e385050876530e24e114e674d9816891e201febdbb3f3d83f86d83.exe
    description      ioc                                                                                                                                                   process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  08286e36c8e385050876530e24e114e674d9816891e201febdbb3f3d83f86d83.exe
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
    description                   ioc                                                       process
    File opened for modification  C:\Windows\WindowsUpdate.log                              svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk    svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log    svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb   svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm   svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log       svchost.exe
    File opened for modification  C:\Windows\Logs\CBS\CBS.log                               TiWorker.exe
    File opened for modification  C:\Windows\WinSxS\pending.xml                             TiWorker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, 08286e36c8e385050876530e24e114e674d9816891e201febdbb3f3d83f86d83.exe, TiWorker.exe
    description                        pid   process
    Token: SeShutdownPrivilege         1956  svchost.exe
    Token: SeCreatePagefilePrivilege   1956  svchost.exe
    Token: SeShutdownPrivilege         1956  svchost.exe
    Token: SeCreatePagefilePrivilege   1956  svchost.exe
    Token: SeShutdownPrivilege         1956  svchost.exe
    Token: SeCreatePagefilePrivilege   1956  svchost.exe
    Token: SeIncBasePriorityPrivilege  3972  08286e36c8e385050876530e24e114e674d9816891e201febdbb3f3d83f86d83.exe
    Token: SeSecurityPrivilege         2152  TiWorker.exe
    Token: SeRestorePrivilege          2152  TiWorker.exe
    Token: SeBackupPrivilege           2152  TiWorker.exe
    Token: SeBackupPrivilege           2152  TiWorker.exe
    Token: SeRestorePrivilege          2152  TiWorker.exe
    Token: SeSecurityPrivilege         2152  TiWorker.exe
    Token: SeBackupPrivilege           2152  TiWorker.exe
    Token: SeRestorePrivilege          2152  TiWorker.exe
    Token: SeSecurityPrivilege         2152  TiWorker.exe
    Token: SeBackupPrivilege           2152  TiWorker.exe
    Token: SeRestorePrivilege          2152  TiWorker.exe
    Token: SeSecurityPrivilege         2152  TiWorker.exe
    Token: SeBackupPrivilege           2152  TiWorker.exe
    Token: SeRestorePrivilege          2152  TiWorker.exe
    Token: SeSecurityPrivilege         2152  TiWorker.exe
    Token: SeBackupPrivilege           2152  TiWorker.exe
    Token: SeRestorePrivilege          2152  TiWorker.exe
    Token: SeSecurityPrivilege         2152  TiWorker.exe
    Token: SeBackupPrivilege           2152  TiWorker.exe
    Token: SeRestorePrivilege          2152  TiWorker.exe
    Token: SeSecurityPrivilege         2152  TiWorker.exe
    Token: SeBackupPrivilege           2152  TiWorker.exe
    Token: SeRestorePrivilege          2152  TiWorker.exe
    Token: SeSecurityPrivilege         2152  TiWorker.exe
    Token: SeBackupPrivilege           2152  TiWorker.exe
    Token: SeRestorePrivilege          2152  TiWorker.exe
    Token: SeSecurityPrivilege         2152  TiWorker.exe
    Token: SeBackupPrivilege           2152  TiWorker.exe
    Token: SeRestorePrivilege          2152  TiWorker.exe
    Token: SeSecurityPrivilege         2152  TiWorker.exe
    Token: SeBackupPrivilege           2152  TiWorker.exe
    Token: SeRestorePrivilege          2152  TiWorker.exe
    Token: SeSecurityPrivilege         2152  TiWorker.exe
    Token: SeBackupPrivilege           2152  TiWorker.exe
    Token: SeRestorePrivilege          2152  TiWorker.exe
    Token: SeSecurityPrivilege         2152  TiWorker.exe
    Token: SeBackupPrivilege           2152  TiWorker.exe
    Token: SeRestorePrivilege          2152  TiWorker.exe
    Token: SeSecurityPrivilege         2152  TiWorker.exe
    Token: SeBackupPrivilege           2152  TiWorker.exe
    Token: SeRestorePrivilege          2152  TiWorker.exe
    Token: SeSecurityPrivilege         2152  TiWorker.exe
    Token: SeBackupPrivilege           2152  TiWorker.exe
    Token: SeRestorePrivilege          2152  TiWorker.exe
    Token: SeSecurityPrivilege         2152  TiWorker.exe
    Token: SeBackupPrivilege           2152  TiWorker.exe
    Token: SeRestorePrivilege          2152  TiWorker.exe
    Token: SeSecurityPrivilege         2152  TiWorker.exe
    Token: SeBackupPrivilege           2152  TiWorker.exe
    Token: SeRestorePrivilege          2152  TiWorker.exe
    Token: SeSecurityPrivilege         2152  TiWorker.exe
    Token: SeBackupPrivilege           2152  TiWorker.exe
    Token: SeRestorePrivilege          2152  TiWorker.exe
    Token: SeSecurityPrivilege         2152  TiWorker.exe
    Token: SeBackupPrivilege           2152  TiWorker.exe
    Token: SeRestorePrivilege          2152  TiWorker.exe
    Token: SeSecurityPrivilege         2152  TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 08286e36c8e385050876530e24e114e674d9816891e201febdbb3f3d83f86d83.exe, cmd.exe
    description                       pid   process                                                                process target
    PID 3972 wrote to memory of 1700  3972  08286e36c8e385050876530e24e114e674d9816891e201febdbb3f3d83f86d83.exe  MediaCenter.exe
    PID 3972 wrote to memory of 1700  3972  08286e36c8e385050876530e24e114e674d9816891e201febdbb3f3d83f86d83.exe  MediaCenter.exe
    PID 3972 wrote to memory of 1700  3972  08286e36c8e385050876530e24e114e674d9816891e201febdbb3f3d83f86d83.exe  MediaCenter.exe
    PID 3972 wrote to memory of 3556  3972  08286e36c8e385050876530e24e114e674d9816891e201febdbb3f3d83f86d83.exe  cmd.exe
    PID 3972 wrote to memory of 3556  3972  08286e36c8e385050876530e24e114e674d9816891e201febdbb3f3d83f86d83.exe  cmd.exe
    PID 3972 wrote to memory of 3556  3972  08286e36c8e385050876530e24e114e674d9816891e201febdbb3f3d83f86d83.exe  cmd.exe
    PID 3556 wrote to memory of 3280  3556  cmd.exe                                                                PING.EXE
    PID 3556 wrote to memory of 3280  3556  cmd.exe                                                                PING.EXE
    PID 3556 wrote to memory of 3280  3556  cmd.exe                                                                PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\08286e36c8e385050876530e24e114e674d9816891e201febdbb3f3d83f86d83.exe (PID 3972)
  Command line: "C:\Users\Admin\AppData\Local\Temp\08286e36c8e385050876530e24e114e674d9816891e201febdbb3f3d83f86d83.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1700)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 3556)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\08286e36c8e385050876530e24e114e674d9816891e201febdbb3f3d83f86d83.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 3280)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 1956)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 2152)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: ecb60200e1b23aa5bde8bb76a31e3d9b
  SHA1: 45b25e8a0d5602801611c00c6900346ff426541a
  SHA256: 36ba75d3b614cfe0b2bc7069bd1c9db5949fb24d688ef511f96c21ee763cdd5d
  SHA512: 667bbf0ba25f2df4ddeb86da99566d38a686b98330962919801f8ec8262306eab1fb880b3076997a124e04c00a04740c0df17276f42aeb14b66436172652bc7d
- memory/1956-133-0x0000019CE6180000-0x0000019CE6190000-memory.dmp
  Filesize: 64KB
- memory/1956-132-0x0000019CE6120000-0x0000019CE6130000-memory.dmp
  Filesize: 64KB
- memory/1956-134-0x0000019CE8830000-0x0000019CE8834000-memory.dmp
  Filesize: 16KB