Analysis
- max time kernel: 144s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 09:38
Static task: static1
Behavioral task: behavioral1
  Sample: 09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe
  Resource: win10v2004-en-20220113
General
- Target: 09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe
- Size: 60KB
- MD5: 78fddc5dd46a5b4b4e3f7a129cb00b11
- SHA1: f540a2c7d689532991222ddc2018e70853dd8fc1
- SHA256: 09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88
- SHA512: 0f46d028795b4cb4bdd4e9ed1c38f662af0d860652922a91510ea0ce3db7506f7c77bf8847780037268e2916ec8188532bf80ab8454fb5a04dfc140c338143b6
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid  | process
    1516 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
    File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
    File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
    File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    description | pid | process
    Token: SeShutdownPrivilege | 4648 | svchost.exe
    Token: SeCreatePagefilePrivilege | 4648 | svchost.exe
    Token: SeShutdownPrivilege | 4648 | svchost.exe
    Token: SeCreatePagefilePrivilege | 4648 | svchost.exe
    Token: SeShutdownPrivilege | 4648 | svchost.exe
    Token: SeCreatePagefilePrivilege | 4648 | svchost.exe
    Token: SeIncBasePriorityPrivilege | 1600 | 09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe
    Token: SeSecurityPrivilege | 2456 | TiWorker.exe
    Token: SeRestorePrivilege | 2456 | TiWorker.exe
    Token: SeBackupPrivilege | 2456 | TiWorker.exe
    Token: SeBackupPrivilege | 2456 | TiWorker.exe
    Token: SeRestorePrivilege | 2456 | TiWorker.exe
    Token: SeSecurityPrivilege | 2456 | TiWorker.exe
    Token: SeBackupPrivilege | 2456 | TiWorker.exe
    Token: SeRestorePrivilege | 2456 | TiWorker.exe
    Token: SeSecurityPrivilege | 2456 | TiWorker.exe
    Token: SeBackupPrivilege | 2456 | TiWorker.exe
    Token: SeRestorePrivilege | 2456 | TiWorker.exe
    Token: SeSecurityPrivilege | 2456 | TiWorker.exe
    Token: SeBackupPrivilege | 2456 | TiWorker.exe
    Token: SeRestorePrivilege | 2456 | TiWorker.exe
    Token: SeSecurityPrivilege | 2456 | TiWorker.exe
    Token: SeBackupPrivilege | 2456 | TiWorker.exe
    Token: SeRestorePrivilege | 2456 | TiWorker.exe
    Token: SeSecurityPrivilege | 2456 | TiWorker.exe
    Token: SeBackupPrivilege | 2456 | TiWorker.exe
    Token: SeRestorePrivilege | 2456 | TiWorker.exe
    Token: SeSecurityPrivilege | 2456 | TiWorker.exe
    Token: SeBackupPrivilege | 2456 | TiWorker.exe
    Token: SeRestorePrivilege | 2456 | TiWorker.exe
    Token: SeSecurityPrivilege | 2456 | TiWorker.exe
    Token: SeBackupPrivilege | 2456 | TiWorker.exe
    Token: SeRestorePrivilege | 2456 | TiWorker.exe
    Token: SeSecurityPrivilege | 2456 | TiWorker.exe
    Token: SeBackupPrivilege | 2456 | TiWorker.exe
    Token: SeRestorePrivilege | 2456 | TiWorker.exe
    Token: SeSecurityPrivilege | 2456 | TiWorker.exe
    Token: SeBackupPrivilege | 2456 | TiWorker.exe
    Token: SeRestorePrivilege | 2456 | TiWorker.exe
    Token: SeSecurityPrivilege | 2456 | TiWorker.exe
    Token: SeBackupPrivilege | 2456 | TiWorker.exe
    Token: SeRestorePrivilege | 2456 | TiWorker.exe
    Token: SeSecurityPrivilege | 2456 | TiWorker.exe
    Token: SeBackupPrivilege | 2456 | TiWorker.exe
    Token: SeRestorePrivilege | 2456 | TiWorker.exe
    Token: SeSecurityPrivilege | 2456 | TiWorker.exe
    Token: SeBackupPrivilege | 2456 | TiWorker.exe
    Token: SeRestorePrivilege | 2456 | TiWorker.exe
    Token: SeSecurityPrivilege | 2456 | TiWorker.exe
    Token: SeBackupPrivilege | 2456 | TiWorker.exe
    Token: SeRestorePrivilege | 2456 | TiWorker.exe
    Token: SeSecurityPrivilege | 2456 | TiWorker.exe
    Token: SeBackupPrivilege | 2456 | TiWorker.exe
    Token: SeRestorePrivilege | 2456 | TiWorker.exe
    Token: SeSecurityPrivilege | 2456 | TiWorker.exe
    Token: SeBackupPrivilege | 2456 | TiWorker.exe
    Token: SeRestorePrivilege | 2456 | TiWorker.exe
    Token: SeSecurityPrivilege | 2456 | TiWorker.exe
    Token: SeBackupPrivilege | 2456 | TiWorker.exe
    Token: SeRestorePrivilege | 2456 | TiWorker.exe
    Token: SeSecurityPrivilege | 2456 | TiWorker.exe
    Token: SeBackupPrivilege | 2456 | TiWorker.exe
    Token: SeRestorePrivilege | 2456 | TiWorker.exe
    Token: SeSecurityPrivilege | 2456 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description | pid | process | target process
    PID 1600 wrote to memory of 1516 | 1600 | 09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe | MediaCenter.exe
    PID 1600 wrote to memory of 1516 | 1600 | 09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe | MediaCenter.exe
    PID 1600 wrote to memory of 1516 | 1600 | 09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe | MediaCenter.exe
    PID 1600 wrote to memory of 1628 | 1600 | 09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe | cmd.exe
    PID 1600 wrote to memory of 1628 | 1600 | 09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe | cmd.exe
    PID 1600 wrote to memory of 1628 | 1600 | 09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe | cmd.exe
    PID 1628 wrote to memory of 1996 | 1628 | cmd.exe | PING.EXE
    PID 1628 wrote to memory of 1996 | 1628 | cmd.exe | PING.EXE
    PID 1628 wrote to memory of 1996 | 1628 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe"
  PID: 1600
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1516
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe"
    PID: 1628
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1996
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4648
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 2456
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 4170651edfad4c22a184c328e5190536
  SHA1: a36cebfbf4071177d40a67525c0757d11d3f5e37
  SHA256: 59265f2e7b1eeff5571bf051fdcad4b26b46f55dbe8862aa33adf6db14360af0
  SHA512: 5cd66aea032d098e1547c19e97558d11279fd379f59edc02386a7058da3bcc48e47b48fc55fc89361b3187cd908ed4c536f9bb1f3880214407a67709d4cd44f0
- memory/4648-132-0x000001F67E7A0000-0x000001F67E7B0000-memory.dmp
  Filesize: 64KB
- memory/4648-133-0x000001F67EF60000-0x000001F67EF70000-memory.dmp
  Filesize: 64KB
- memory/4648-134-0x000001F67FB80000-0x000001F67FB84000-memory.dmp
  Filesize: 16KB