Analysis
- max time kernel: 158s
- max time network: 173s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 10:55
Static task
- static1

Behavioral task behavioral1
- Sample: 05cbdd9df3abcadd7be8ebd9c7c7de2602bfad0a31e0bd06ecf0be50c0d8a8ff.exe
- Resource: win7-en-20211208

Behavioral task behavioral2
- Sample: 05cbdd9df3abcadd7be8ebd9c7c7de2602bfad0a31e0bd06ecf0be50c0d8a8ff.exe
- Resource: win10v2004-en-20220113
General
- Target: 05cbdd9df3abcadd7be8ebd9c7c7de2602bfad0a31e0bd06ecf0be50c0d8a8ff.exe
- Size: 60KB
- MD5: 62ec3ce06826523e5bf87ac579fba81b
- SHA1: f9544c12764dce9dd6ac8f0ad8668739e45fddb9
- SHA256: 05cbdd9df3abcadd7be8ebd9c7c7de2602bfad0a31e0bd06ecf0be50c0d8a8ff
- SHA512: e866376c8efb92e62ae2ad8569f978eefbdb853c12d6b58328e904bfbe0bad412ceef432d1500d642ee0faf2f6a97de87d49b3f8e8055c50fa5870e60fd6f66f
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    1360  MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 05cbdd9df3abcadd7be8ebd9c7c7de2602bfad0a31e0bd06ecf0be50c0d8a8ff.exe
    description        ioc                                                                                                    process
    Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  05cbdd9df3abcadd7be8ebd9c7c7de2602bfad0a31e0bd06ecf0be50c0d8a8ff.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 05cbdd9df3abcadd7be8ebd9c7c7de2602bfad0a31e0bd06ecf0be50c0d8a8ff.exe
    description      ioc                                                                                                                                                                 process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  05cbdd9df3abcadd7be8ebd9c7c7de2602bfad0a31e0bd06ecf0be50c0d8a8ff.exe
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
    description                    ioc                                                          process
    File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log       svchost.exe
    File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.edb      svchost.exe
    File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm      svchost.exe
    File opened for modification   C:\Windows\SoftwareDistribution\ReportingEvents.log          svchost.exe
    File opened for modification   C:\Windows\Logs\CBS\CBS.log                                  TiWorker.exe
    File opened for modification   C:\Windows\WinSxS\pending.xml                                TiWorker.exe
    File opened for modification   C:\Windows\WindowsUpdate.log                                 svchost.exe
    File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk       svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, 05cbdd9df3abcadd7be8ebd9c7c7de2602bfad0a31e0bd06ecf0be50c0d8a8ff.exe, TiWorker.exe
  The report lists the same token adjustments repeatedly (64 entries in total); the distinct entries are:
    description                        pid   process
    Token: SeShutdownPrivilege         4432  svchost.exe
    Token: SeCreatePagefilePrivilege   4432  svchost.exe
    Token: SeIncBasePriorityPrivilege  4848  05cbdd9df3abcadd7be8ebd9c7c7de2602bfad0a31e0bd06ecf0be50c0d8a8ff.exe
    Token: SeSecurityPrivilege         3888  TiWorker.exe
    Token: SeRestorePrivilege          3888  TiWorker.exe
    Token: SeBackupPrivilege           3888  TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 05cbdd9df3abcadd7be8ebd9c7c7de2602bfad0a31e0bd06ecf0be50c0d8a8ff.exe, cmd.exe
    description                        pid   process                                                                target process
    PID 4848 wrote to memory of 1360   4848  05cbdd9df3abcadd7be8ebd9c7c7de2602bfad0a31e0bd06ecf0be50c0d8a8ff.exe  MediaCenter.exe
    PID 4848 wrote to memory of 1360   4848  05cbdd9df3abcadd7be8ebd9c7c7de2602bfad0a31e0bd06ecf0be50c0d8a8ff.exe  MediaCenter.exe
    PID 4848 wrote to memory of 1360   4848  05cbdd9df3abcadd7be8ebd9c7c7de2602bfad0a31e0bd06ecf0be50c0d8a8ff.exe  MediaCenter.exe
    PID 4848 wrote to memory of 3584   4848  05cbdd9df3abcadd7be8ebd9c7c7de2602bfad0a31e0bd06ecf0be50c0d8a8ff.exe  cmd.exe
    PID 4848 wrote to memory of 3584   4848  05cbdd9df3abcadd7be8ebd9c7c7de2602bfad0a31e0bd06ecf0be50c0d8a8ff.exe  cmd.exe
    PID 4848 wrote to memory of 3584   4848  05cbdd9df3abcadd7be8ebd9c7c7de2602bfad0a31e0bd06ecf0be50c0d8a8ff.exe  cmd.exe
    PID 3584 wrote to memory of 2128   3584  cmd.exe                                                                PING.EXE
    PID 3584 wrote to memory of 2128   3584  cmd.exe                                                                PING.EXE
    PID 3584 wrote to memory of 2128   3584  cmd.exe                                                                PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\05cbdd9df3abcadd7be8ebd9c7c7de2602bfad0a31e0bd06ecf0be50c0d8a8ff.exe (PID 4848)
  Command line: "C:\Users\Admin\AppData\Local\Temp\05cbdd9df3abcadd7be8ebd9c7c7de2602bfad0a31e0bd06ecf0be50c0d8a8ff.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1360)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 3584)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\05cbdd9df3abcadd7be8ebd9c7c7de2602bfad0a31e0bd06ecf0be50c0d8a8ff.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 2128)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 4432)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 3888)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 350ec1c0fd18bb3c4c1bb3c17e4808f9
  SHA1: abca951b6f2cd35f456a9eab2a3900c541e4a927
  SHA256: 14fb197b8d9e26f2ef3f053f17528d2529d247d4f3356ebdd45131984cc2163f
  SHA512: 90cc119f7572ccc458c0e7e0ab8b0227ec0384455e9f09b41b07db5caf04a9a2357803a7c22bbe3e9d9d65d7dc33f11ab4f27e9e32404407105237fe2bcec739
- memory/4432-132-0x000001C424DA0000-0x000001C424DB0000-memory.dmp
  Filesize: 64KB
- memory/4432-133-0x000001C425420000-0x000001C425430000-memory.dmp
  Filesize: 64KB
- memory/4432-134-0x000001C427B20000-0x000001C427B24000-memory.dmp
  Filesize: 16KB