Analysis
max time kernel: 126s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 09:38
Static task: static1
Behavioral task: behavioral1
  Sample: 0975599f7eb7eba5ad5a87d969ae07bfd666568d104bb2535b19430108a32afe.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0975599f7eb7eba5ad5a87d969ae07bfd666568d104bb2535b19430108a32afe.exe
  Resource: win10v2004-en-20220113
General
Target: 0975599f7eb7eba5ad5a87d969ae07bfd666568d104bb2535b19430108a32afe.exe
Size: 36KB
MD5: fb349ac774c0ef5d119118422e65f484
SHA1: d872179fb699f04183f5dc548d3546cfd761a882
SHA256: 0975599f7eb7eba5ad5a87d969ae07bfd666568d104bb2535b19430108a32afe
SHA512: c3056ea5acc294a8533cc6c56d53cf3d4028d795231a25e93d63ceda1992d1c64ae01095c3d4fa3feabc643ebd89df053ad6e5c41bf41ef4d5febdae45712b35
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes: MediaCenter.exe
  pid 3652  MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 0975599f7eb7eba5ad5a87d969ae07bfd666568d104bb2535b19430108a32afe.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  process: 0975599f7eb7eba5ad5a87d969ae07bfd666568d104bb2535b19430108a32afe.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 0975599f7eb7eba5ad5a87d969ae07bfd666568d104bb2535b19430108a32afe.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 0975599f7eb7eba5ad5a87d969ae07bfd666568d104bb2535b19430108a32afe.exe
Drops file in Windows directory (8 IoCs)
Processes: TiWorker.exe, svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log  TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml  TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log  svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: svchost.exe, TiWorker.exe
  description / pid / process (64 entries, listed in report order):
  Token: SeShutdownPrivilege, SeCreatePagefilePrivilege  pid 364  svchost.exe  (pair repeated 3 times, 6 entries)
  Token: SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege  pid 852  TiWorker.exe  (3 entries)
  Token: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege  pid 852  TiWorker.exe  (3 entries)
  Token: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege  pid 852  TiWorker.exe  (triplet repeated 17 times, 51 entries)
  Token: SeBackupPrivilege  pid 852  TiWorker.exe  (1 entry)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 0975599f7eb7eba5ad5a87d969ae07bfd666568d104bb2535b19430108a32afe.exe, cmd.exe
  description / pid / process / target process:
  PID 3288 wrote to memory of 3652  0975599f7eb7eba5ad5a87d969ae07bfd666568d104bb2535b19430108a32afe.exe -> MediaCenter.exe
  PID 3288 wrote to memory of 3652  0975599f7eb7eba5ad5a87d969ae07bfd666568d104bb2535b19430108a32afe.exe -> MediaCenter.exe
  PID 3288 wrote to memory of 3652  0975599f7eb7eba5ad5a87d969ae07bfd666568d104bb2535b19430108a32afe.exe -> MediaCenter.exe
  PID 3288 wrote to memory of 4092  0975599f7eb7eba5ad5a87d969ae07bfd666568d104bb2535b19430108a32afe.exe -> cmd.exe
  PID 3288 wrote to memory of 4092  0975599f7eb7eba5ad5a87d969ae07bfd666568d104bb2535b19430108a32afe.exe -> cmd.exe
  PID 3288 wrote to memory of 4092  0975599f7eb7eba5ad5a87d969ae07bfd666568d104bb2535b19430108a32afe.exe -> cmd.exe
  PID 4092 wrote to memory of 4264  cmd.exe -> PING.EXE
  PID 4092 wrote to memory of 4264  cmd.exe -> PING.EXE
  PID 4092 wrote to memory of 4264  cmd.exe -> PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\0975599f7eb7eba5ad5a87d969ae07bfd666568d104bb2535b19430108a32afe.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0975599f7eb7eba5ad5a87d969ae07bfd666568d104bb2535b19430108a32afe.exe"
  PID: 3288
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 3652
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0975599f7eb7eba5ad5a87d969ae07bfd666568d104bb2535b19430108a32afe.exe"
    PID: 4092
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      PID: 4264
      - Runs ping.exe

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 364
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 852
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 61efa13263e7e57a4ee234b1bd70a24a
  SHA1: 664c6fb97fdb541a6d302055683d1172e4740c5a
  SHA256: 6da1898945d18b039d4504fd84dc260e888b99c3feca65169e4d91bfe73d240c
  SHA512: e8162dfb6e41a0bb67a43162dab35e65ac941ccab7b2128b7a40e11d7a56149549b2be320102444fafa61cd800862befe303f72b8b07482a8ee5cabfe9b88782
memory/364-132-0x0000017FC8D70000-0x0000017FC8D80000-memory.dmp
  Filesize: 64KB
memory/364-133-0x0000017FC9420000-0x0000017FC9430000-memory.dmp
  Filesize: 64KB
memory/364-134-0x0000017FCBAF0000-0x0000017FCBAF4000-memory.dmp
  Filesize: 16KB