Analysis
max time kernel: 146s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 09:41
Static task: static1
Behavioral task: behavioral1
  Sample: 09454cb8d28cac0677272e6927bbe80624ab9e32e14bca131163d4321e9624a4.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 09454cb8d28cac0677272e6927bbe80624ab9e32e14bca131163d4321e9624a4.exe
  Resource: win10v2004-en-20220113
General
Target: 09454cb8d28cac0677272e6927bbe80624ab9e32e14bca131163d4321e9624a4.exe
Size: 36KB
MD5: 6271a030e42891c4aeb3736665496acd
SHA1: 64d16adf8470f9820033d14c3b2005816a1795d0
SHA256: 09454cb8d28cac0677272e6927bbe80624ab9e32e14bca131163d4321e9624a4
SHA512: 7dbdba78a6962882c545b3fea1c34f6bd718c810f1af5e107ce378aa4b1d79b1ca37d8b4f453fc659cfabacd37a5abe6e9727b3f5413366fe1c955ec6aab62ee
Malware Config
Signatures
Executes dropped EXE  1 IoCs
Processes: MediaCenter.exe
  pid   process
  1304  MediaCenter.exe
Checks computer location settings  2 TTPs  1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 09454cb8d28cac0677272e6927bbe80624ab9e32e14bca131163d4321e9624a4.exe
  description        ioc                                                                                                          process
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  09454cb8d28cac0677272e6927bbe80624ab9e32e14bca131163d4321e9624a4.exe
Adds Run key to start application  2 TTPs  1 IoCs
Processes: 09454cb8d28cac0677272e6927bbe80624ab9e32e14bca131163d4321e9624a4.exe
  description      ioc                                                                                                                                                                          process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  09454cb8d28cac0677272e6927bbe80624ab9e32e14bca131163d4321e9624a4.exe
Drops file in Windows directory  8 IoCs
Processes: svchost.exe, TiWorker.exe
  description                   ioc                                                          process
  File opened for modification  C:\Windows\WindowsUpdate.log                                 svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk       svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log       svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb      svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm      svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log          svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log                                  TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml                                TiWorker.exe
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe  1 TTPs  1 IoCs
Suspicious use of AdjustPrivilegeToken  64 IoCs
Processes: svchost.exe, 09454cb8d28cac0677272e6927bbe80624ab9e32e14bca131163d4321e9624a4.exe, TiWorker.exe
  description                        pid   process
  Token: SeShutdownPrivilege         4444  svchost.exe
  Token: SeCreatePagefilePrivilege   4444  svchost.exe
  Token: SeShutdownPrivilege         4444  svchost.exe
  Token: SeCreatePagefilePrivilege   4444  svchost.exe
  Token: SeShutdownPrivilege         4444  svchost.exe
  Token: SeCreatePagefilePrivilege   4444  svchost.exe
  Token: SeIncBasePriorityPrivilege  676   09454cb8d28cac0677272e6927bbe80624ab9e32e14bca131163d4321e9624a4.exe
  Token: SeSecurityPrivilege         4896  TiWorker.exe
  Token: SeRestorePrivilege          4896  TiWorker.exe
  Token: SeBackupPrivilege           4896  TiWorker.exe
  Token: SeBackupPrivilege           4896  TiWorker.exe
  Token: SeRestorePrivilege          4896  TiWorker.exe
  Token: SeSecurityPrivilege         4896  TiWorker.exe
  Token: SeBackupPrivilege           4896  TiWorker.exe
  Token: SeRestorePrivilege          4896  TiWorker.exe
  Token: SeSecurityPrivilege         4896  TiWorker.exe
  Token: SeBackupPrivilege           4896  TiWorker.exe
  Token: SeRestorePrivilege          4896  TiWorker.exe
  Token: SeSecurityPrivilege         4896  TiWorker.exe
  Token: SeBackupPrivilege           4896  TiWorker.exe
  Token: SeRestorePrivilege          4896  TiWorker.exe
  Token: SeSecurityPrivilege         4896  TiWorker.exe
  Token: SeBackupPrivilege           4896  TiWorker.exe
  Token: SeRestorePrivilege          4896  TiWorker.exe
  Token: SeSecurityPrivilege         4896  TiWorker.exe
  Token: SeBackupPrivilege           4896  TiWorker.exe
  Token: SeRestorePrivilege          4896  TiWorker.exe
  Token: SeSecurityPrivilege         4896  TiWorker.exe
  Token: SeBackupPrivilege           4896  TiWorker.exe
  Token: SeRestorePrivilege          4896  TiWorker.exe
  Token: SeSecurityPrivilege         4896  TiWorker.exe
  Token: SeBackupPrivilege           4896  TiWorker.exe
  Token: SeRestorePrivilege          4896  TiWorker.exe
  Token: SeSecurityPrivilege         4896  TiWorker.exe
  Token: SeBackupPrivilege           4896  TiWorker.exe
  Token: SeRestorePrivilege          4896  TiWorker.exe
  Token: SeSecurityPrivilege         4896  TiWorker.exe
  Token: SeBackupPrivilege           4896  TiWorker.exe
  Token: SeRestorePrivilege          4896  TiWorker.exe
  Token: SeSecurityPrivilege         4896  TiWorker.exe
  Token: SeBackupPrivilege           4896  TiWorker.exe
  Token: SeRestorePrivilege          4896  TiWorker.exe
  Token: SeSecurityPrivilege         4896  TiWorker.exe
  Token: SeBackupPrivilege           4896  TiWorker.exe
  Token: SeRestorePrivilege          4896  TiWorker.exe
  Token: SeSecurityPrivilege         4896  TiWorker.exe
  Token: SeBackupPrivilege           4896  TiWorker.exe
  Token: SeRestorePrivilege          4896  TiWorker.exe
  Token: SeSecurityPrivilege         4896  TiWorker.exe
  Token: SeBackupPrivilege           4896  TiWorker.exe
  Token: SeRestorePrivilege          4896  TiWorker.exe
  Token: SeSecurityPrivilege         4896  TiWorker.exe
  Token: SeBackupPrivilege           4896  TiWorker.exe
  Token: SeRestorePrivilege          4896  TiWorker.exe
  Token: SeSecurityPrivilege         4896  TiWorker.exe
  Token: SeBackupPrivilege           4896  TiWorker.exe
  Token: SeRestorePrivilege          4896  TiWorker.exe
  Token: SeSecurityPrivilege         4896  TiWorker.exe
  Token: SeBackupPrivilege           4896  TiWorker.exe
  Token: SeRestorePrivilege          4896  TiWorker.exe
  Token: SeSecurityPrivilege         4896  TiWorker.exe
  Token: SeBackupPrivilege           4896  TiWorker.exe
  Token: SeRestorePrivilege          4896  TiWorker.exe
  Token: SeSecurityPrivilege         4896  TiWorker.exe
Suspicious use of WriteProcessMemory  9 IoCs
Processes: 09454cb8d28cac0677272e6927bbe80624ab9e32e14bca131163d4321e9624a4.exe, cmd.exe
  description                      pid   process                                                                  target process
  PID 676 wrote to memory of 1304  676   09454cb8d28cac0677272e6927bbe80624ab9e32e14bca131163d4321e9624a4.exe  MediaCenter.exe
  PID 676 wrote to memory of 1304  676   09454cb8d28cac0677272e6927bbe80624ab9e32e14bca131163d4321e9624a4.exe  MediaCenter.exe
  PID 676 wrote to memory of 1304  676   09454cb8d28cac0677272e6927bbe80624ab9e32e14bca131163d4321e9624a4.exe  MediaCenter.exe
  PID 676 wrote to memory of 4028  676   09454cb8d28cac0677272e6927bbe80624ab9e32e14bca131163d4321e9624a4.exe  cmd.exe
  PID 676 wrote to memory of 4028  676   09454cb8d28cac0677272e6927bbe80624ab9e32e14bca131163d4321e9624a4.exe  cmd.exe
  PID 676 wrote to memory of 4028  676   09454cb8d28cac0677272e6927bbe80624ab9e32e14bca131163d4321e9624a4.exe  cmd.exe
  PID 4028 wrote to memory of 4584 4028  cmd.exe                                                                  PING.EXE
  PID 4028 wrote to memory of 4584 4028  cmd.exe                                                                  PING.EXE
  PID 4028 wrote to memory of 4584 4028  cmd.exe                                                                  PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\09454cb8d28cac0677272e6927bbe80624ab9e32e14bca131163d4321e9624a4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\09454cb8d28cac0677272e6927bbe80624ab9e32e14bca131163d4321e9624a4.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 676
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1304
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09454cb8d28cac0677272e6927bbe80624ab9e32e14bca131163d4321e9624a4.exe"
      - Suspicious use of WriteProcessMemory
      PID: 4028
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          - Runs ping.exe
          PID: 4584
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4444
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4896
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 1b7e7971495ee2267976674a3b86e029
  SHA1: 0bb06ef56f0d7395c466adea7f5a8e9c42797afd
  SHA256: dc99e707146ad5be65df51a104fe61dc7e3b96146ed4030f7625cf5f7ea7f018
  SHA512: 6d099ff42cc0e9f24b617e96dc77aeb3ddeaf6ba0c86772df1d47607e4ed97bf49e372d28e023b9fc4238019b762d2336f86c694b47341fb167a3c6c972190bd
memory/4444-132-0x000001FFC4F80000-0x000001FFC4F90000-memory.dmp
  Filesize: 64KB
memory/4444-133-0x000001FFC5520000-0x000001FFC5530000-memory.dmp
  Filesize: 64KB
memory/4444-134-0x000001FFC7C00000-0x000001FFC7C04000-memory.dmp
  Filesize: 16KB