Analysis
max time kernel: 156s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 09:30
Static task: static1
Behavioral task: behavioral1
  Sample: 09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe
  Resource: win10v2004-en-20220113
General
Target: 09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe
Size: 58KB
MD5: 3ba33244da4de771baca5d80dba84477
SHA1: 9bedc1c8f3c2571a12973f9cbb26a8ef67abf305
SHA256: 09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2
SHA512: 9ba00480e4d087a5934857a7dd4c1832e54a496159da8071a8f8011bbc3e8378853d689a51c2afba24193d01f4e0e376d6249391983c97fc9b0f55b158cf65b4
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  4624  MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                           process
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description      ioc                                                                                                                                                  process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe
Drops file in Windows directory (8 IoCs)
Processes:
  description                   ioc                                                         process
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log         svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log                                 TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml                               TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log                                svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk      svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log      svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb     svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm     svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description                        pid   process
  Token: SeShutdownPrivilege         2396  svchost.exe
  Token: SeCreatePagefilePrivilege   2396  svchost.exe
  Token: SeShutdownPrivilege         2396  svchost.exe
  Token: SeCreatePagefilePrivilege   2396  svchost.exe
  Token: SeShutdownPrivilege         2396  svchost.exe
  Token: SeCreatePagefilePrivilege   2396  svchost.exe
  Token: SeIncBasePriorityPrivilege  4872  09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe
  Token: SeSecurityPrivilege         2304  TiWorker.exe
  Token: SeRestorePrivilege          2304  TiWorker.exe
  Token: SeBackupPrivilege           2304  TiWorker.exe
  Token: SeBackupPrivilege           2304  TiWorker.exe
  Token: SeRestorePrivilege          2304  TiWorker.exe
  Token: SeSecurityPrivilege         2304  TiWorker.exe
  Token: SeBackupPrivilege           2304  TiWorker.exe
  Token: SeRestorePrivilege          2304  TiWorker.exe
  Token: SeSecurityPrivilege         2304  TiWorker.exe
  Token: SeBackupPrivilege           2304  TiWorker.exe
  Token: SeRestorePrivilege          2304  TiWorker.exe
  Token: SeSecurityPrivilege         2304  TiWorker.exe
  Token: SeBackupPrivilege           2304  TiWorker.exe
  Token: SeRestorePrivilege          2304  TiWorker.exe
  Token: SeSecurityPrivilege         2304  TiWorker.exe
  Token: SeBackupPrivilege           2304  TiWorker.exe
  Token: SeRestorePrivilege          2304  TiWorker.exe
  Token: SeSecurityPrivilege         2304  TiWorker.exe
  Token: SeBackupPrivilege           2304  TiWorker.exe
  Token: SeRestorePrivilege          2304  TiWorker.exe
  Token: SeSecurityPrivilege         2304  TiWorker.exe
  Token: SeBackupPrivilege           2304  TiWorker.exe
  Token: SeRestorePrivilege          2304  TiWorker.exe
  Token: SeSecurityPrivilege         2304  TiWorker.exe
  Token: SeBackupPrivilege           2304  TiWorker.exe
  Token: SeRestorePrivilege          2304  TiWorker.exe
  Token: SeSecurityPrivilege         2304  TiWorker.exe
  Token: SeBackupPrivilege           2304  TiWorker.exe
  Token: SeRestorePrivilege          2304  TiWorker.exe
  Token: SeSecurityPrivilege         2304  TiWorker.exe
  Token: SeBackupPrivilege           2304  TiWorker.exe
  Token: SeRestorePrivilege          2304  TiWorker.exe
  Token: SeSecurityPrivilege         2304  TiWorker.exe
  Token: SeBackupPrivilege           2304  TiWorker.exe
  Token: SeRestorePrivilege          2304  TiWorker.exe
  Token: SeSecurityPrivilege         2304  TiWorker.exe
  Token: SeBackupPrivilege           2304  TiWorker.exe
  Token: SeRestorePrivilege          2304  TiWorker.exe
  Token: SeSecurityPrivilege         2304  TiWorker.exe
  Token: SeBackupPrivilege           2304  TiWorker.exe
  Token: SeRestorePrivilege          2304  TiWorker.exe
  Token: SeSecurityPrivilege         2304  TiWorker.exe
  Token: SeBackupPrivilege           2304  TiWorker.exe
  Token: SeRestorePrivilege          2304  TiWorker.exe
  Token: SeSecurityPrivilege         2304  TiWorker.exe
  Token: SeBackupPrivilege           2304  TiWorker.exe
  Token: SeRestorePrivilege          2304  TiWorker.exe
  Token: SeSecurityPrivilege         2304  TiWorker.exe
  Token: SeBackupPrivilege           2304  TiWorker.exe
  Token: SeRestorePrivilege          2304  TiWorker.exe
  Token: SeSecurityPrivilege         2304  TiWorker.exe
  Token: SeBackupPrivilege           2304  TiWorker.exe
  Token: SeRestorePrivilege          2304  TiWorker.exe
  Token: SeSecurityPrivilege         2304  TiWorker.exe
  Token: SeBackupPrivilege           2304  TiWorker.exe
  Token: SeRestorePrivilege          2304  TiWorker.exe
  Token: SeSecurityPrivilege         2304  TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                       pid   process                                                                target process
  PID 4872 wrote to memory of 4624  4872  09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe  MediaCenter.exe
  PID 4872 wrote to memory of 4624  4872  09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe  MediaCenter.exe
  PID 4872 wrote to memory of 4624  4872  09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe  MediaCenter.exe
  PID 4872 wrote to memory of 3572  4872  09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe  cmd.exe
  PID 4872 wrote to memory of 3572  4872  09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe  cmd.exe
  PID 4872 wrote to memory of 3572  4872  09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe  cmd.exe
  PID 3572 wrote to memory of 1080  3572  cmd.exe                                                                PING.EXE
  PID 3572 wrote to memory of 1080  3572  cmd.exe                                                                PING.EXE
  PID 3572 wrote to memory of 1080  3572  cmd.exe                                                                PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe"
  PID: 4872
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4624
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe"
    PID: 3572
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1080
      - Runs ping.exe

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 2396
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 2304
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 8c0d0cc11be765cf2f10ad74a008794a
  SHA1: 0965b9a49f6e18bc9bf22f0c8846b69aa698e1fa
  SHA256: a2db0ec8d394238a5af4deff3e916f790bc2b703b0fb29dbb6608b2a58b28483
  SHA512: 0ba6f48198c1bd9684b9930b880ad7c8fb468450394ba856eb2aa6817d588a5c95325440fb16dfc39b6ab58aedd404d9c0882c80ba2e4abb44d6472a8e69f819
memory/2396-135-0x0000019E2CB60000-0x0000019E2CB70000-memory.dmp
  Filesize: 64KB

memory/2396-136-0x0000019E2D220000-0x0000019E2D230000-memory.dmp
  Filesize: 64KB

memory/2396-137-0x0000019E2F8E0000-0x0000019E2F8E4000-memory.dmp
  Filesize: 16KB