Analysis
max time kernel: 144s
max time network: 165s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 09:31

Static task: static1

Behavioral task: behavioral1
  Sample: 09cfd65c74314154afde6063dc326912b5f61db19bb4f5fa169f0c2fb7ae582d.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 09cfd65c74314154afde6063dc326912b5f61db19bb4f5fa169f0c2fb7ae582d.exe
  Resource: win10v2004-en-20220113
General
Target: 09cfd65c74314154afde6063dc326912b5f61db19bb4f5fa169f0c2fb7ae582d.exe
Size: 60KB
MD5: 771b81fcff91082a4017d46839a295d6
SHA1: cb2e1943d63c7ed370128c893bbaf6af97ec4ea7
SHA256: 09cfd65c74314154afde6063dc326912b5f61db19bb4f5fa169f0c2fb7ae582d
SHA512: c9dbd9827221cb2639c15c9e4a3b36eeaf566bca0b060149fb10541bff4e9a8d9eef70cd7d0f288c3a56f4d4676c7d1e54da799ef1f3c999d25f748ba1c231bc
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  4604 MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (09cfd65c74314154afde6063dc326912b5f61db19bb4f5fa169f0c2fb7ae582d.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (09cfd65c74314154afde6063dc326912b5f61db19bb4f5fa169f0c2fb7ae582d.exe)
- Drops file in Windows directory (8 IoCs)
  Processes (description, ioc, process):
  File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
  File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  File opened for modification: C:\Windows\WindowsUpdate.log (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description, pid, process):
  Token: SeShutdownPrivilege 2428 svchost.exe
  Token: SeCreatePagefilePrivilege 2428 svchost.exe
  Token: SeShutdownPrivilege 2428 svchost.exe
  Token: SeCreatePagefilePrivilege 2428 svchost.exe
  Token: SeShutdownPrivilege 2428 svchost.exe
  Token: SeCreatePagefilePrivilege 2428 svchost.exe
  Token: SeSecurityPrivilege 392 TiWorker.exe
  Token: SeRestorePrivilege 392 TiWorker.exe
  Token: SeBackupPrivilege 392 TiWorker.exe
  Token: SeIncBasePriorityPrivilege 4528 09cfd65c74314154afde6063dc326912b5f61db19bb4f5fa169f0c2fb7ae582d.exe
  Token: SeBackupPrivilege 392 TiWorker.exe
  Token: SeRestorePrivilege 392 TiWorker.exe
  Token: SeSecurityPrivilege 392 TiWorker.exe
  Token: SeBackupPrivilege 392 TiWorker.exe
  Token: SeRestorePrivilege 392 TiWorker.exe
  Token: SeSecurityPrivilege 392 TiWorker.exe
  Token: SeBackupPrivilege 392 TiWorker.exe
  Token: SeRestorePrivilege 392 TiWorker.exe
  Token: SeSecurityPrivilege 392 TiWorker.exe
  Token: SeBackupPrivilege 392 TiWorker.exe
  Token: SeRestorePrivilege 392 TiWorker.exe
  Token: SeSecurityPrivilege 392 TiWorker.exe
  Token: SeBackupPrivilege 392 TiWorker.exe
  Token: SeRestorePrivilege 392 TiWorker.exe
  Token: SeSecurityPrivilege 392 TiWorker.exe
  Token: SeBackupPrivilege 392 TiWorker.exe
  Token: SeRestorePrivilege 392 TiWorker.exe
  Token: SeSecurityPrivilege 392 TiWorker.exe
  Token: SeBackupPrivilege 392 TiWorker.exe
  Token: SeRestorePrivilege 392 TiWorker.exe
  Token: SeSecurityPrivilege 392 TiWorker.exe
  Token: SeBackupPrivilege 392 TiWorker.exe
  Token: SeRestorePrivilege 392 TiWorker.exe
  Token: SeSecurityPrivilege 392 TiWorker.exe
  Token: SeBackupPrivilege 392 TiWorker.exe
  Token: SeRestorePrivilege 392 TiWorker.exe
  Token: SeSecurityPrivilege 392 TiWorker.exe
  Token: SeBackupPrivilege 392 TiWorker.exe
  Token: SeRestorePrivilege 392 TiWorker.exe
  Token: SeSecurityPrivilege 392 TiWorker.exe
  Token: SeBackupPrivilege 392 TiWorker.exe
  Token: SeRestorePrivilege 392 TiWorker.exe
  Token: SeSecurityPrivilege 392 TiWorker.exe
  Token: SeBackupPrivilege 392 TiWorker.exe
  Token: SeRestorePrivilege 392 TiWorker.exe
  Token: SeSecurityPrivilege 392 TiWorker.exe
  Token: SeBackupPrivilege 392 TiWorker.exe
  Token: SeRestorePrivilege 392 TiWorker.exe
  Token: SeSecurityPrivilege 392 TiWorker.exe
  Token: SeBackupPrivilege 392 TiWorker.exe
  Token: SeRestorePrivilege 392 TiWorker.exe
  Token: SeSecurityPrivilege 392 TiWorker.exe
  Token: SeBackupPrivilege 392 TiWorker.exe
  Token: SeRestorePrivilege 392 TiWorker.exe
  Token: SeSecurityPrivilege 392 TiWorker.exe
  Token: SeBackupPrivilege 392 TiWorker.exe
  Token: SeRestorePrivilege 392 TiWorker.exe
  Token: SeSecurityPrivilege 392 TiWorker.exe
  Token: SeBackupPrivilege 392 TiWorker.exe
  Token: SeRestorePrivilege 392 TiWorker.exe
  Token: SeSecurityPrivilege 392 TiWorker.exe
  Token: SeBackupPrivilege 392 TiWorker.exe
  Token: SeRestorePrivilege 392 TiWorker.exe
  Token: SeSecurityPrivilege 392 TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
  PID 4528 wrote to memory of 4604: 09cfd65c74314154afde6063dc326912b5f61db19bb4f5fa169f0c2fb7ae582d.exe -> MediaCenter.exe
  PID 4528 wrote to memory of 4604: 09cfd65c74314154afde6063dc326912b5f61db19bb4f5fa169f0c2fb7ae582d.exe -> MediaCenter.exe
  PID 4528 wrote to memory of 4604: 09cfd65c74314154afde6063dc326912b5f61db19bb4f5fa169f0c2fb7ae582d.exe -> MediaCenter.exe
  PID 4528 wrote to memory of 3168: 09cfd65c74314154afde6063dc326912b5f61db19bb4f5fa169f0c2fb7ae582d.exe -> cmd.exe
  PID 4528 wrote to memory of 3168: 09cfd65c74314154afde6063dc326912b5f61db19bb4f5fa169f0c2fb7ae582d.exe -> cmd.exe
  PID 4528 wrote to memory of 3168: 09cfd65c74314154afde6063dc326912b5f61db19bb4f5fa169f0c2fb7ae582d.exe -> cmd.exe
  PID 3168 wrote to memory of 2116: cmd.exe -> PING.EXE
  PID 3168 wrote to memory of 2116: cmd.exe -> PING.EXE
  PID 3168 wrote to memory of 2116: cmd.exe -> PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\09cfd65c74314154afde6063dc326912b5f61db19bb4f5fa169f0c2fb7ae582d.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\09cfd65c74314154afde6063dc326912b5f61db19bb4f5fa169f0c2fb7ae582d.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4528
    - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 4604
    - C:\Windows\SysWOW64\cmd.exe (level 2)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09cfd65c74314154afde6063dc326912b5f61db19bb4f5fa169f0c2fb7ae582d.exe"
      - Suspicious use of WriteProcessMemory
      PID: 3168
        - C:\Windows\SysWOW64\PING.EXE (level 3)
          Command line: ping 127.0.0.1
          - Runs ping.exe
          PID: 2116

- C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2428

- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (level 1)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 392
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 4bf6aaccac7d9728bc2bcb09df473890
  SHA1: 8f0236fb2f068f899a6d84b447b76881bab16390
  SHA256: bb2b0655e19bfee923b512c68790fb05eff19791257917caeb73299d3ab178ff
  SHA512: 133eeac91a56ac6ba8f65a4c08476d6a6210e8f3283175cbce4edacd531c86cc3f1bc51fff16457df51b514c43f5a37c68cc5e35f418cff94e876d10557b13c8
- memory/2428-132-0x0000019EBFD20000-0x0000019EBFD30000-memory.dmp
  Filesize: 64KB
- memory/2428-133-0x0000019EBFD80000-0x0000019EBFD90000-memory.dmp
  Filesize: 64KB
- memory/2428-134-0x0000019EC2450000-0x0000019EC2454000-memory.dmp
  Filesize: 16KB