Analysis
max time kernel: 133s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 09:32
Static task: static1
Behavioral task: behavioral1
  Sample: 09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe
  Resource: win10v2004-en-20220113
General
Target: 09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe
Size: 60KB
MD5: b1c10b0fef721b061f93fb1a4c376c23
SHA1: e2c6d869e34b5ac03156f721a2ac41758d7bbe0f
SHA256: 09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2
SHA512: 73911ee241d2897e9064693f941844dd90ea365800245fc3ff608366450f0d0b249cf3e734ace0a9091277840c75b165b5327e02a4c687fa852f0a201ddc243b
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes: MediaCenter.exe
pid | process
2252 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe
Drops file in Windows directory (8 IoCs)
Processes: svchost.exe, TiWorker.exe
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: 09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe, svchost.exe, TiWorker.exe
description | pid | process
Token: SeIncBasePriorityPrivilege | 1324 | 09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe
Token: SeShutdownPrivilege | 2204 | svchost.exe
Token: SeCreatePagefilePrivilege | 2204 | svchost.exe
Token: SeShutdownPrivilege | 2204 | svchost.exe
Token: SeCreatePagefilePrivilege | 2204 | svchost.exe
Token: SeShutdownPrivilege | 2204 | svchost.exe
Token: SeCreatePagefilePrivilege | 2204 | svchost.exe
Token: SeSecurityPrivilege | 212 | TiWorker.exe
Token: SeRestorePrivilege | 212 | TiWorker.exe
Token: SeBackupPrivilege | 212 | TiWorker.exe
Token: SeBackupPrivilege | 212 | TiWorker.exe
Token: SeRestorePrivilege | 212 | TiWorker.exe
Token: SeSecurityPrivilege | 212 | TiWorker.exe
Token: SeBackupPrivilege | 212 | TiWorker.exe
Token: SeRestorePrivilege | 212 | TiWorker.exe
Token: SeSecurityPrivilege | 212 | TiWorker.exe
Token: SeBackupPrivilege | 212 | TiWorker.exe
Token: SeRestorePrivilege | 212 | TiWorker.exe
Token: SeSecurityPrivilege | 212 | TiWorker.exe
Token: SeBackupPrivilege | 212 | TiWorker.exe
Token: SeRestorePrivilege | 212 | TiWorker.exe
Token: SeSecurityPrivilege | 212 | TiWorker.exe
Token: SeBackupPrivilege | 212 | TiWorker.exe
Token: SeRestorePrivilege | 212 | TiWorker.exe
Token: SeSecurityPrivilege | 212 | TiWorker.exe
Token: SeBackupPrivilege | 212 | TiWorker.exe
Token: SeRestorePrivilege | 212 | TiWorker.exe
Token: SeSecurityPrivilege | 212 | TiWorker.exe
Token: SeBackupPrivilege | 212 | TiWorker.exe
Token: SeRestorePrivilege | 212 | TiWorker.exe
Token: SeSecurityPrivilege | 212 | TiWorker.exe
Token: SeBackupPrivilege | 212 | TiWorker.exe
Token: SeRestorePrivilege | 212 | TiWorker.exe
Token: SeSecurityPrivilege | 212 | TiWorker.exe
Token: SeBackupPrivilege | 212 | TiWorker.exe
Token: SeRestorePrivilege | 212 | TiWorker.exe
Token: SeSecurityPrivilege | 212 | TiWorker.exe
Token: SeBackupPrivilege | 212 | TiWorker.exe
Token: SeRestorePrivilege | 212 | TiWorker.exe
Token: SeSecurityPrivilege | 212 | TiWorker.exe
Token: SeBackupPrivilege | 212 | TiWorker.exe
Token: SeRestorePrivilege | 212 | TiWorker.exe
Token: SeSecurityPrivilege | 212 | TiWorker.exe
Token: SeBackupPrivilege | 212 | TiWorker.exe
Token: SeRestorePrivilege | 212 | TiWorker.exe
Token: SeSecurityPrivilege | 212 | TiWorker.exe
Token: SeBackupPrivilege | 212 | TiWorker.exe
Token: SeRestorePrivilege | 212 | TiWorker.exe
Token: SeSecurityPrivilege | 212 | TiWorker.exe
Token: SeBackupPrivilege | 212 | TiWorker.exe
Token: SeRestorePrivilege | 212 | TiWorker.exe
Token: SeSecurityPrivilege | 212 | TiWorker.exe
Token: SeBackupPrivilege | 212 | TiWorker.exe
Token: SeRestorePrivilege | 212 | TiWorker.exe
Token: SeSecurityPrivilege | 212 | TiWorker.exe
Token: SeBackupPrivilege | 212 | TiWorker.exe
Token: SeRestorePrivilege | 212 | TiWorker.exe
Token: SeSecurityPrivilege | 212 | TiWorker.exe
Token: SeBackupPrivilege | 212 | TiWorker.exe
Token: SeRestorePrivilege | 212 | TiWorker.exe
Token: SeSecurityPrivilege | 212 | TiWorker.exe
Token: SeBackupPrivilege | 212 | TiWorker.exe
Token: SeRestorePrivilege | 212 | TiWorker.exe
Token: SeSecurityPrivilege | 212 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe, cmd.exe
description | pid | process | target process
PID 1324 wrote to memory of 2252 | 1324 | 09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe | MediaCenter.exe
PID 1324 wrote to memory of 2252 | 1324 | 09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe | MediaCenter.exe
PID 1324 wrote to memory of 2252 | 1324 | 09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe | MediaCenter.exe
PID 1324 wrote to memory of 3808 | 1324 | 09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe | cmd.exe
PID 1324 wrote to memory of 3808 | 1324 | 09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe | cmd.exe
PID 1324 wrote to memory of 3808 | 1324 | 09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe | cmd.exe
PID 3808 wrote to memory of 2260 | 3808 | cmd.exe | PING.EXE
PID 3808 wrote to memory of 2260 | 3808 | cmd.exe | PING.EXE
PID 3808 wrote to memory of 2260 | 3808 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe (PID 1324)
  Command line: "C:\Users\Admin\AppData\Local\Temp\09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 2252)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe (PID 3808)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09bad2e6b638ac6ea2140ad1146356ce257d84a96508ef8a21b42012e75b83c2.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (PID 2260)
      Command line: ping 127.0.0.1
      - Runs ping.exe
C:\Windows\system32\svchost.exe (PID 2204)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 212)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: d0eb71c62cebd939c9e9d7017f924668
  SHA1: e3a64c7ddfa8b5329d9763d4cb2a41ba30d60a15
  SHA256: 743eabd8f8a6b0616231cec2a4340de700698f31284235ffc5259130f377d787
  SHA512: de8ffabda3fa5e8124f2d7fa21788587eb9e728636775812750e34cf3cb585fbc636dd8e93fe84517207065e2c456c13c721fd8fee667ea3bb9a07afb210986b
memory/2204-132-0x000002694AB50000-0x000002694AB60000-memory.dmp (Filesize: 64KB)
memory/2204-133-0x000002694B220000-0x000002694B230000-memory.dmp (Filesize: 64KB)
memory/2204-134-0x000002694D8D0000-0x000002694D8D4000-memory.dmp (Filesize: 16KB)