Analysis
max time kernel: 134s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 09:30

Static task: static1
Behavioral task: behavioral1
  Sample: 09da00477a57bf58069957ef688cbcdc9863e3020f49acf957656b05f8c90f55.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 09da00477a57bf58069957ef688cbcdc9863e3020f49acf957656b05f8c90f55.exe
  Resource: win10v2004-en-20220113
General
Target: 09da00477a57bf58069957ef688cbcdc9863e3020f49acf957656b05f8c90f55.exe
Size: 58KB
MD5: 40b644eb95059971511e26a082c953c1
SHA1: dc00c3c86453f0450ce9abc0600210e20c78183b
SHA256: 09da00477a57bf58069957ef688cbcdc9863e3020f49acf957656b05f8c90f55
SHA512: 972372f7380282e2e63feec610cc8e0007856bb4daf52ee342b42d9d3f59f307d015448c3851fea3bdd6227cf8b67ec5def78f0647b3c41d11ba25ab0a6e3bc4
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
  pid   process
  4568  MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
  Key value queried
    \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
    by 09da00477a57bf58069957ef688cbcdc9863e3020f49acf957656b05f8c90f55.exe (PID 1936)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  Set value (str)
    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    by 09da00477a57bf58069957ef688cbcdc9863e3020f49acf957656b05f8c90f55.exe (PID 1936)
The key lands under WOW6432Node, the 32-bit view of HKLM\Software, so the sample is a 32-bit process on the x64 guest (consistent with its children resolving to SysWOW64). The value points into the user's %TEMP%, so the persistence lasts only as long as that dropped file does.
Drops file in Windows directory (8 IoCs)
Processes:
  description                  ioc                                                     process
  File opened for modification C:\Windows\Logs\CBS\CBS.log                             TiWorker.exe
  File opened for modification C:\Windows\WinSxS\pending.xml                           TiWorker.exe
  File opened for modification C:\Windows\WindowsUpdate.log                            svchost.exe
  File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  svchost.exe
  File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  svchost.exe
  File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe
  File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe
  File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log     svchost.exe
All eight writes come from svchost.exe (wuauserv) and TiWorker.exe, i.e. Windows Update and the servicing stack running in the sandbox; none are attributable to the sample or its children.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour (generic signature text; no IoC was recorded for it, and nothing else in this report shows encryption activity).
Runs ping.exe (1 TTP, 1 IoC)
Processes:
  PING.EXE (PID 3240): ping 127.0.0.1, spawned by cmd.exe (PID 1720) as the delay before the sample's "del /q" of its own executable.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  pid   process        privilege adjusted
  3020  svchost.exe    SeShutdownPrivilege (x3), SeCreatePagefilePrivilege (x3)
  1936  09da00477a57bf58069957ef688cbcdc9863e3020f49acf957656b05f8c90f55.exe  SeIncBasePriorityPrivilege (x1)
  3984  TiWorker.exe   SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege (all remaining entries, repeated in that rotation)
Only the single SeIncBasePriorityPrivilege adjustment belongs to the sample; the svchost.exe (wuauserv) and TiWorker.exe entries are Windows Update servicing activity that happened to run during the analysis window.
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  source pid / process                                                                 target pid / process
  1936  09da00477a57bf58069957ef688cbcdc9863e3020f49acf957656b05f8c90f55.exe          4568  MediaCenter.exe  (x3)
  1936  09da00477a57bf58069957ef688cbcdc9863e3020f49acf957656b05f8c90f55.exe          1720  cmd.exe          (x3)
  1720  cmd.exe                                                                        3240  PING.EXE         (x3)
Every write targets a child the source process had just spawned (see the process tree), not an unrelated process; the signature reflects parent-to-child writes at process creation rather than injection into a foreign process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\09da00477a57bf58069957ef688cbcdc9863e3020f49acf957656b05f8c90f55.exe  (PID 1936)
   cmdline: "C:\Users\Admin\AppData\Local\Temp\09da00477a57bf58069957ef688cbcdc9863e3020f49acf957656b05f8c90f55.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 4568)
      cmdline: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe  (PID 1720)
      cmdline: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09da00477a57bf58069957ef688cbcdc9863e3020f49acf957656b05f8c90f55.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE  (PID 3240)
         cmdline: ping 127.0.0.1
         - Runs ping.exe
1. C:\Windows\system32\svchost.exe  (PID 3020)
   cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  (PID 3984)
   cmdline: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
The sample's own tree is the first root only: it drops and launches MediaCenter.exe, then spawns cmd.exe to ping localhost (a one-second delay) and delete its original executable. The command line names System32\cmd.exe but the image resolves to SysWOW64 because of file-system redirection for a 32-bit parent. The svchost.exe (wuauserv) and TiWorker.exe roots are Windows Update activity in the guest, not descendants of the sample.
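The three behaviours that are actually the sample's (Run-key persistence into %TEMP%, the Geo\Nation lookup, and the ping-then-del self-delete) can be pulled out of a record set like this one and separated from the Windows Update noise by walking parent/child links from the sample's PID. The script below is an added example, not Triage output or the sample's code; the event records are constructed from this report's signature tables and process tree, with the registry value written with single backslashes (the report's "\\" is display-escaping). The record layout (pid/ppid/type keys) is an assumption for the example, not a sandbox export format.

```python
import re

# Constructed from the report's IoC tables and process tree above (layout is assumed, not a sandbox format).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\09da00477a57bf58069957ef688cbcdc9863e3020f49acf957656b05f8c90f55.exe"
EVENTS = [
    {"pid": 1936, "ppid": None, "image": SAMPLE, "type": "reg_query",
     "key": r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation"},
    {"pid": 1936, "ppid": None, "image": SAMPLE, "type": "reg_set",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"pid": 4568, "ppid": 1936, "image": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
     "type": "process_create", "cmdline": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"pid": 1720, "ppid": 1936, "image": r"C:\Windows\SysWOW64\cmd.exe", "type": "process_create",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'},
    {"pid": 3240, "ppid": 1720, "image": r"C:\Windows\SysWOW64\PING.EXE", "type": "process_create",
     "cmdline": "ping 127.0.0.1"},
    {"pid": 3020, "ppid": None, "image": r"C:\Windows\system32\svchost.exe", "type": "file_write",
     "path": r"C:\Windows\WindowsUpdate.log"},
]

# Locations an unprivileged user can write to; persistence pointing here is a red flag.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(Users\\[^\\]+\\AppData\\|ProgramData\\|Users\\Public\\)", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# "ping <host> & del [/flags] <path>": ping is the sleep, del removes the original binary.
SELF_DELETE = re.compile(r'ping\s+(?:-\w+\s+\S+\s+)*(\S+).*?&\s*del\s+(?:/[a-z]\s+)*"?([^"]+?)"?\s*$', re.I)


def lineage(events, root_pid):
    """Return every PID reachable from root_pid through ppid links (the sample's own tree)."""
    tree = {root_pid}
    changed = True
    while changed:
        changed = False
        for ev in events:
            if ev["type"] == "process_create" and ev["ppid"] in tree and ev["pid"] not in tree:
                tree.add(ev["pid"])
                changed = True
    return tree


def analyze(events, root_pid):
    """Findings keyed by technique, considering only events from the sample's lineage."""
    ours = lineage(events, root_pid)
    findings = {}
    unattributed = []
    for ev in events:
        if ev["pid"] not in ours:
            # svchost/TiWorker noise in this report: record it, do not blame the sample for it.
            unattributed.append(ev["image"].rsplit("\\", 1)[-1])
            continue
        if ev["type"] == "reg_set" and RUN_KEY.search(ev["key"]):
            findings["run_key_persistence"] = {
                "key": ev["key"], "target": ev["value"],
                "user_writable": bool(USER_WRITABLE.match(ev["value"])),
                "wow64_view": "\\WOW6432Node\\" in ev["key"]}   # 32-bit process on x64
        elif ev["type"] == "reg_query" and GEO_KEY.search(ev["key"]):
            findings["geofence_lookup"] = {"key": ev["key"]}
        elif ev["type"] == "process_create":
            m = SELF_DELETE.search(ev.get("cmdline", ""))
            if m:
                parent = next((e for e in events if e["pid"] == ev["ppid"]), None)
                findings["delayed_delete"] = {
                    "delay_via": m.group(1), "deleted": m.group(2),
                    # self-delete only if the deleted path is the parent's own image
                    "self_delete": bool(parent and parent["image"].lower() == m.group(2).lower())}
    findings["unattributed_processes"] = sorted(set(unattributed))
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(EVENTS, 1936), indent=2))
```

The lineage walk is what keeps the svchost.exe file writes and TiWorker.exe privilege adjustments out of the sample's findings; the same filter applied to a full sandbox event stream is the difference between "the sample touched DataStore.edb" and "Windows Update ran during the analysis".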
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: aea1a699506b78c70b1b6fa48e26bc45
  SHA1: 0bbaa0f050956015aacf493b65be873d52f199d4
  SHA256: ee2d2390ea4417e2fbfa419393821dc1b2fe18efe8105ed0139e25db98a3e819
  SHA512: a08ede162d11ae1c46c825c579f2c0be8f77c7fc255d315bb47f321bd5b354da0199f5d88db6c9f2fcc13d1b512c865442fdac80a82b18b9d0ff2ab589f7f8da
Memory dumps (all from svchost.exe, PID 3020, not from the sample):
  memory/3020-132-0x0000027A07B20000-0x0000027A07B30000-memory.dmp  64KB
  memory/3020-133-0x0000027A07B80000-0x0000027A07B90000-memory.dmp  64KB
  memory/3020-134-0x0000027A0A260000-0x0000027A0A264000-memory.dmp  16KB