Analysis
- max time kernel: 132s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 09:39
Static task: static1
Behavioral task: behavioral1
  Sample: 09699d08bf139db9d09d809c4d94b7198d0f1312b5f36e04ed58b155410ffb4d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 09699d08bf139db9d09d809c4d94b7198d0f1312b5f36e04ed58b155410ffb4d.exe
  Resource: win10v2004-en-20220113
General
- Target: 09699d08bf139db9d09d809c4d94b7198d0f1312b5f36e04ed58b155410ffb4d.exe
- Size: 36KB
- MD5: 2e8271383f5a43c42080ffb251ad38e0
- SHA1: 4340d2f4e65b55729441ca02cb56643e813ca6e3
- SHA256: 09699d08bf139db9d09d809c4d94b7198d0f1312b5f36e04ed58b155410ffb4d
- SHA512: 44dc70f0b811c268d0cb2b41b58628d99b92156083d0165bdefde06b7df6c2e58a3fd7c36d110a70916fec7309abb19cd497aefa600c7ca3307949be4fd5b815
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  pid 3420, process MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 09699d08bf139db9d09d809c4d94b7198d0f1312b5f36e04ed58b155410ffb4d.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (process: 09699d08bf139db9d09d809c4d94b7198d0f1312b5f36e04ed58b155410ffb4d.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 09699d08bf139db9d09d809c4d94b7198d0f1312b5f36e04ed58b155410ffb4d.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (process: 09699d08bf139db9d09d809c4d94b7198d0f1312b5f36e04ed58b155410ffb4d.exe)
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
  File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  File opened for modification: C:\Windows\WindowsUpdate.log (svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, TiWorker.exe, 09699d08bf139db9d09d809c4d94b7198d0f1312b5f36e04ed58b155410ffb4d.exe
  Token: SeShutdownPrivilege (pid 4584, svchost.exe)
  Token: SeCreatePagefilePrivilege (pid 4584, svchost.exe)
  Token: SeShutdownPrivilege (pid 4584, svchost.exe)
  Token: SeCreatePagefilePrivilege (pid 4584, svchost.exe)
  Token: SeShutdownPrivilege (pid 4584, svchost.exe)
  Token: SeCreatePagefilePrivilege (pid 4584, svchost.exe)
  Token: SeSecurityPrivilege (pid 2732, TiWorker.exe)
  Token: SeRestorePrivilege (pid 2732, TiWorker.exe)
  Token: SeBackupPrivilege (pid 2732, TiWorker.exe)
  Token: SeIncBasePriorityPrivilege (pid 3352, 09699d08bf139db9d09d809c4d94b7198d0f1312b5f36e04ed58b155410ffb4d.exe)
  Token: SeBackupPrivilege (pid 2732, TiWorker.exe)
  Token: SeRestorePrivilege (pid 2732, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 2732, TiWorker.exe)
  Token: SeBackupPrivilege (pid 2732, TiWorker.exe)
  Token: SeRestorePrivilege (pid 2732, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 2732, TiWorker.exe)
  Token: SeBackupPrivilege (pid 2732, TiWorker.exe)
  Token: SeRestorePrivilege (pid 2732, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 2732, TiWorker.exe)
  Token: SeBackupPrivilege (pid 2732, TiWorker.exe)
  Token: SeRestorePrivilege (pid 2732, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 2732, TiWorker.exe)
  Token: SeBackupPrivilege (pid 2732, TiWorker.exe)
  Token: SeRestorePrivilege (pid 2732, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 2732, TiWorker.exe)
  Token: SeBackupPrivilege (pid 2732, TiWorker.exe)
  Token: SeRestorePrivilege (pid 2732, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 2732, TiWorker.exe)
  Token: SeBackupPrivilege (pid 2732, TiWorker.exe)
  Token: SeRestorePrivilege (pid 2732, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 2732, TiWorker.exe)
  Token: SeBackupPrivilege (pid 2732, TiWorker.exe)
  Token: SeRestorePrivilege (pid 2732, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 2732, TiWorker.exe)
  Token: SeBackupPrivilege (pid 2732, TiWorker.exe)
  Token: SeRestorePrivilege (pid 2732, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 2732, TiWorker.exe)
  Token: SeBackupPrivilege (pid 2732, TiWorker.exe)
  Token: SeRestorePrivilege (pid 2732, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 2732, TiWorker.exe)
  Token: SeBackupPrivilege (pid 2732, TiWorker.exe)
  Token: SeRestorePrivilege (pid 2732, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 2732, TiWorker.exe)
  Token: SeBackupPrivilege (pid 2732, TiWorker.exe)
  Token: SeRestorePrivilege (pid 2732, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 2732, TiWorker.exe)
  Token: SeBackupPrivilege (pid 2732, TiWorker.exe)
  Token: SeRestorePrivilege (pid 2732, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 2732, TiWorker.exe)
  Token: SeBackupPrivilege (pid 2732, TiWorker.exe)
  Token: SeRestorePrivilege (pid 2732, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 2732, TiWorker.exe)
  Token: SeBackupPrivilege (pid 2732, TiWorker.exe)
  Token: SeRestorePrivilege (pid 2732, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 2732, TiWorker.exe)
  Token: SeBackupPrivilege (pid 2732, TiWorker.exe)
  Token: SeRestorePrivilege (pid 2732, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 2732, TiWorker.exe)
  Token: SeBackupPrivilege (pid 2732, TiWorker.exe)
  Token: SeRestorePrivilege (pid 2732, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 2732, TiWorker.exe)
  Token: SeBackupPrivilege (pid 2732, TiWorker.exe)
  Token: SeRestorePrivilege (pid 2732, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 2732, TiWorker.exe)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 09699d08bf139db9d09d809c4d94b7198d0f1312b5f36e04ed58b155410ffb4d.exe, cmd.exe
  PID 3352 wrote to memory of 3420 (pid 3352, process 09699d08bf139db9d09d809c4d94b7198d0f1312b5f36e04ed58b155410ffb4d.exe, target process MediaCenter.exe)
  PID 3352 wrote to memory of 3420 (pid 3352, process 09699d08bf139db9d09d809c4d94b7198d0f1312b5f36e04ed58b155410ffb4d.exe, target process MediaCenter.exe)
  PID 3352 wrote to memory of 3420 (pid 3352, process 09699d08bf139db9d09d809c4d94b7198d0f1312b5f36e04ed58b155410ffb4d.exe, target process MediaCenter.exe)
  PID 3352 wrote to memory of 1508 (pid 3352, process 09699d08bf139db9d09d809c4d94b7198d0f1312b5f36e04ed58b155410ffb4d.exe, target process cmd.exe)
  PID 3352 wrote to memory of 1508 (pid 3352, process 09699d08bf139db9d09d809c4d94b7198d0f1312b5f36e04ed58b155410ffb4d.exe, target process cmd.exe)
  PID 3352 wrote to memory of 1508 (pid 3352, process 09699d08bf139db9d09d809c4d94b7198d0f1312b5f36e04ed58b155410ffb4d.exe, target process cmd.exe)
  PID 1508 wrote to memory of 2288 (pid 1508, process cmd.exe, target process PING.EXE)
  PID 1508 wrote to memory of 2288 (pid 1508, process cmd.exe, target process PING.EXE)
  PID 1508 wrote to memory of 2288 (pid 1508, process cmd.exe, target process PING.EXE)
Processes
- Path: C:\Users\Admin\AppData\Local\Temp\09699d08bf139db9d09d809c4d94b7198d0f1312b5f36e04ed58b155410ffb4d.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\09699d08bf139db9d09d809c4d94b7198d0f1312b5f36e04ed58b155410ffb4d.exe"
  PID: 3352
  Signatures:
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  Children:
    - Path: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 3420
      Signatures:
        - Executes dropped EXE
    - Path: C:\Windows\SysWOW64\cmd.exe (level 2)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09699d08bf139db9d09d809c4d94b7198d0f1312b5f36e04ed58b155410ffb4d.exe"
      PID: 1508
      Signatures:
        - Suspicious use of WriteProcessMemory
      Children:
        - Path: C:\Windows\SysWOW64\PING.EXE (level 3)
          Command line: ping 127.0.0.1
          PID: 2288
          Signatures:
            - Runs ping.exe
- Path: C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4584
  Signatures:
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
- Path: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (level 1)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 2732
  Signatures:
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: bbc833683dc3a88b82ff550e206227b2
  SHA1: 5b72528d73d6ff0b0185d8478a6e8447b31b68ab
  SHA256: c6c9d900ae9a1a426312001c511f0440f269d52c09f07afc685387dfbedc7827
  SHA512: 94b45c5c736017f044795b90df8f403ba1b35f215dfa1942271d852e8d2bbe73438b072f78c843c748d150b0aa306f25d12bfba57873dc0d71ab0d3615b4677f
- memory/4584-132-0x0000022A6B020000-0x0000022A6B030000-memory.dmp
  Filesize: 64KB
- memory/4584-133-0x0000022A6B080000-0x0000022A6B090000-memory.dmp
  Filesize: 64KB
- memory/4584-134-0x0000022A6D750000-0x0000022A6D754000-memory.dmp
  Filesize: 16KB