Analysis
- max time kernel: 143s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 09:35

Static task: static1

Behavioral task: behavioral1
- Sample: 09939cbae4053fe47c3dc741322c797be1403b8b07b456e2ef768193c7173dc6.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 09939cbae4053fe47c3dc741322c797be1403b8b07b456e2ef768193c7173dc6.exe
- Resource: win10v2004-en-20220113
General
- Target: 09939cbae4053fe47c3dc741322c797be1403b8b07b456e2ef768193c7173dc6.exe
- Size: 58KB
- MD5: 99b6601fa0cd928585de45afc7b8556c
- SHA1: 27b783dc1296c9625796a85654e44132d2b661ec
- SHA256: 09939cbae4053fe47c3dc741322c797be1403b8b07b456e2ef768193c7173dc6
- SHA512: 7ccaac4c13e0af0864d59de225e062cab768042a82a39a1f3ef40e8498e0ef4ccd67077d7aadf6cc39c2ec5c82dae285dfdc5cbc98cec4530aaeae22f550e9f0
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 3292 MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    09939cbae4053fe47c3dc741322c797be1403b8b07b456e2ef768193c7173dc6.exe
      Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    09939cbae4053fe47c3dc741322c797be1403b8b07b456e2ef768193c7173dc6.exe
      Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Drops file in Windows directory (8 IoCs)
  Processes:
    svchost.exe
      File opened for modification: C:\Windows\WindowsUpdate.log
      File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
      File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
      File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
      File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm
      File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log
    TiWorker.exe
      File opened for modification: C:\Windows\Logs\CBS\CBS.log
      File opened for modification: C:\Windows\WinSxS\pending.xml
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs; distinct token/process pairs listed once)
  Processes:
    pid 4620 svchost.exe
      Token: SeShutdownPrivilege
      Token: SeCreatePagefilePrivilege
    pid 484 TiWorker.exe
      Token: SeSecurityPrivilege
      Token: SeRestorePrivilege
      Token: SeBackupPrivilege
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (source pid -> target pid, source process -> target process):
    2780 -> 3292: 09939cbae4053fe47c3dc741322c797be1403b8b07b456e2ef768193c7173dc6.exe -> MediaCenter.exe
    2780 -> 3292: 09939cbae4053fe47c3dc741322c797be1403b8b07b456e2ef768193c7173dc6.exe -> MediaCenter.exe
    2780 -> 3292: 09939cbae4053fe47c3dc741322c797be1403b8b07b456e2ef768193c7173dc6.exe -> MediaCenter.exe
    2780 -> 2244: 09939cbae4053fe47c3dc741322c797be1403b8b07b456e2ef768193c7173dc6.exe -> cmd.exe
    2780 -> 2244: 09939cbae4053fe47c3dc741322c797be1403b8b07b456e2ef768193c7173dc6.exe -> cmd.exe
    2780 -> 2244: 09939cbae4053fe47c3dc741322c797be1403b8b07b456e2ef768193c7173dc6.exe -> cmd.exe
    2244 -> 944: cmd.exe -> PING.EXE
    2244 -> 944: cmd.exe -> PING.EXE
    2244 -> 944: cmd.exe -> PING.EXE
Processes (indentation shows the parent/child tree)
- C:\Users\Admin\AppData\Local\Temp\09939cbae4053fe47c3dc741322c797be1403b8b07b456e2ef768193c7173dc6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\09939cbae4053fe47c3dc741322c797be1403b8b07b456e2ef768193c7173dc6.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 2780
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 3292
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09939cbae4053fe47c3dc741322c797be1403b8b07b456e2ef768193c7173dc6.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2244
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 944
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4620
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 484
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: eb0da20f6c4bbf0ddbcf167a0b07f1d1
  SHA1: b5630edb858f6d74d66dd4343286685b250ed185
  SHA256: 57a492dda1693b1a21424d968145f137769fdb4973ac5a08b9c83802d0560c99
  SHA512: 30b379c6462cca1a43bbd5be5b93ed3b46a1982b01eba83ce809f1e3d624aa1d31649eba1c09c393cae0e2958933de4707eff92122db7c839a1b3fcdaf7344c1
- memory/4620-132-0x0000016CE9B60000-0x0000016CE9B70000-memory.dmp (filesize: 64KB)
- memory/4620-133-0x0000016CEA120000-0x0000016CEA130000-memory.dmp (filesize: 64KB)
- memory/4620-134-0x0000016CEC7A0000-0x0000016CEC7A4000-memory.dmp (filesize: 16KB)