Analysis

max time kernel: 151s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 09:35

Static task: static1

Behavioral task: behavioral1
  Sample: 098df4be92b70a1ee053133da8ee6382567399ac0858a6aec2905027b6917fbb.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 098df4be92b70a1ee053133da8ee6382567399ac0858a6aec2905027b6917fbb.exe
  Resource: win10v2004-en-20220113
General

Target: 098df4be92b70a1ee053133da8ee6382567399ac0858a6aec2905027b6917fbb.exe
Size: 36KB
MD5: b6ae72a417ca1b92ac782925836ac536
SHA1: 1d8ec8567db01cc37d247a59f8d53c4107187600
SHA256: 098df4be92b70a1ee053133da8ee6382567399ac0858a6aec2905027b6917fbb
SHA512: eaf52110cf3a8fe3d297c69e79e0e854371b1e6f0eeacff44fe7c6bbbb4989303a456d47a921857606a73353954fd4e901fcb3bd90dcbf96bd2d655e9636d72d
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid | process
  4840 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 098df4be92b70a1ee053133da8ee6382567399ac0858a6aec2905027b6917fbb.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 098df4be92b70a1ee053133da8ee6382567399ac0858a6aec2905027b6917fbb.exe
Drops file in Windows directory (8 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description | pid | process | target process
  PID 4556 wrote to memory of 4840 | 4556 | 098df4be92b70a1ee053133da8ee6382567399ac0858a6aec2905027b6917fbb.exe | MediaCenter.exe
  PID 4556 wrote to memory of 4840 | 4556 | 098df4be92b70a1ee053133da8ee6382567399ac0858a6aec2905027b6917fbb.exe | MediaCenter.exe
  PID 4556 wrote to memory of 4840 | 4556 | 098df4be92b70a1ee053133da8ee6382567399ac0858a6aec2905027b6917fbb.exe | MediaCenter.exe
  PID 4556 wrote to memory of 3784 | 4556 | 098df4be92b70a1ee053133da8ee6382567399ac0858a6aec2905027b6917fbb.exe | cmd.exe
  PID 4556 wrote to memory of 3784 | 4556 | 098df4be92b70a1ee053133da8ee6382567399ac0858a6aec2905027b6917fbb.exe | cmd.exe
  PID 4556 wrote to memory of 3784 | 4556 | 098df4be92b70a1ee053133da8ee6382567399ac0858a6aec2905027b6917fbb.exe | cmd.exe
  PID 3784 wrote to memory of 3564 | 3784 | cmd.exe | PING.EXE
  PID 3784 wrote to memory of 3564 | 3784 | cmd.exe | PING.EXE
  PID 3784 wrote to memory of 3564 | 3784 | cmd.exe | PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\098df4be92b70a1ee053133da8ee6382567399ac0858a6aec2905027b6917fbb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\098df4be92b70a1ee053133da8ee6382567399ac0858a6aec2905027b6917fbb.exe"
  PID: 4556
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4840
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\098df4be92b70a1ee053133da8ee6382567399ac0858a6aec2905027b6917fbb.exe"
    PID: 3784
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 3564
      - Runs ping.exe

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4772
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 1084
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 75290fa344932126e738fba537a80b7f
  SHA1: 861416b8fcabc8930d60759ba0b735a8fbdce853
  SHA256: 4ec5752d03cd739b18b96484bfa912a7d0d785ceea7365afb6a7d9c1f77bba31
  SHA512: 052ea07806f1c1e1578efee68403f3eff0792f64e4131e984484098c3408bb2f106971bd4f65f4980a83e986f9f8d26d545b7119fc403ec611496d0bf9c630e6
memory/4772-132-0x000001C923520000-0x000001C923530000-memory.dmp
  Filesize: 64KB

memory/4772-133-0x000001C923580000-0x000001C923590000-memory.dmp
  Filesize: 64KB

memory/4772-134-0x000001C925C30000-0x000001C925C34000-memory.dmp
  Filesize: 16KB