Analysis
max time kernel: 160s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 10:56

Static task: static1
Behavioral task: behavioral1
  Sample: 05bcd36dfd01c9b5161eb7e0dc27d05268164297abd77bebc39a097efc4e1800.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2 (the run shown on this page)
  Sample: 05bcd36dfd01c9b5161eb7e0dc27d05268164297abd77bebc39a097efc4e1800.exe
  Resource: win10v2004-en-20220113
General
Target: 05bcd36dfd01c9b5161eb7e0dc27d05268164297abd77bebc39a097efc4e1800.exe
Size: 36KB
MD5: 2f86368e0533fdd4a96ffce7acc04bc3
SHA1: 1484d63e7ae36a8ffbb212a7c1846a0b0447f0a2
SHA256: 05bcd36dfd01c9b5161eb7e0dc27d05268164297abd77bebc39a097efc4e1800
SHA512: 86c943d1c36ac29e6382d6bc7941ea497659370887135ab829f0b4dd342caec97bb3ed0beb112dae8356121aa37cc4368bff3613a1ae27a836f47a06138b6d50
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID   Process
  1648  MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check (the sample can decide whether to run based on the configured region).
  Process: 05bcd36dfd01c9b5161eb7e0dc27d05268164297abd77bebc39a097efc4e1800.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 05bcd36dfd01c9b5161eb7e0dc27d05268164297abd77bebc39a097efc4e1800.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
Two details worth noting: the value lands under WOW6432Node, which is where a 32-bit process's writes to HKLM\SOFTWARE are redirected on 64-bit Windows (consistent with the SysWOW64 cmd.exe and PING.EXE in the process tree, so the sample is a 32-bit image); and the autostart target is the dropped copy in the user's Temp directory, a user-writable location that a persistence rule should treat as suspicious for any Run value.
Drops file in Windows directory (8 IoCs)
  File opened for modification                                        Process
  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk              svchost.exe
  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log              svchost.exe
  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb             svchost.exe
  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm             svchost.exe
  C:\Windows\SoftwareDistribution\ReportingEvents.log                 svchost.exe
  C:\Windows\Logs\CBS\CBS.log                                         TiWorker.exe
  C:\Windows\WinSxS\pending.xml                                       TiWorker.exe
  C:\Windows\WindowsUpdate.log                                        svchost.exe
None of these writes come from the sample or its child processes: svchost.exe here is the wuauserv (Windows Update) service host and TiWorker.exe is the servicing stack worker, both separate roots in the process tree below. They are background activity of the sandbox VM and should not be attributed to the malware.
Enumerates physical storage devices (1 TTP, no IoCs)
Attempts to interact with connected storage/optical drive(s); the sandbox labels this "likely ransomware behaviour". That is the signature's generic description: no IoC is attached to it and no file-encryption activity is recorded elsewhere in this report, so treat it as a weak heuristic rather than evidence.

Runs ping.exe (1 TTP, 1 IoC)
  PID   Process     Command line      Parent
  112   PING.EXE    ping 127.0.0.1    cmd.exe (PID 3908)
The loopback ping is not reconnaissance; it is the usual delay before the `del /q` in the same cmd.exe command line, giving the original sample time to exit so its image file can be deleted (see the process tree below).
Suspicious use of AdjustPrivilegeToken (64 IoCs, collapsed)
  PID   Process                                   Privileges enabled (AdjustTokenPrivileges)
  4904  svchost.exe                               SeShutdownPrivilege, SeCreatePagefilePrivilege (alternating; 6 entries)
  1344  05bcd36dfd01c9b5161eb7e0dc27d05268164297abd77bebc39a097efc4e1800.exe   SeIncBasePriorityPrivilege (1 entry)
  4516  TiWorker.exe                              SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege (cycling; 57 entries)
Only the single SeIncBasePriorityPrivilege entry belongs to the sample; the remaining 63 are the Windows Update service host and the servicing stack worker doing their normal work.
Suspicious use of WriteProcessMemory (9 IoCs)
  Source PID  Source process                                   Target PID  Target process   Entries
  1344        05bcd36dfd01c9b5161eb7e0dc27d05268164297abd77bebc39a097efc4e1800.exe   1648        MediaCenter.exe  3
  1344        05bcd36dfd01c9b5161eb7e0dc27d05268164297abd77bebc39a097efc4e1800.exe   3908        cmd.exe          3
  3908        cmd.exe                                          112         PING.EXE         3
In every case the target is the writer's own newly created child, which is the ordinary CreateProcess pattern rather than injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\05bcd36dfd01c9b5161eb7e0dc27d05268164297abd77bebc39a097efc4e1800.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\05bcd36dfd01c9b5161eb7e0dc27d05268164297abd77bebc39a097efc4e1800.exe"
  PID: 1344
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |
  +- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  |    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  |    PID: 1648
  |    - Executes dropped EXE
  |
  +- C:\Windows\SysWOW64\cmd.exe
       Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\05bcd36dfd01c9b5161eb7e0dc27d05268164297abd77bebc39a097efc4e1800.exe"
       PID: 3908
       - Suspicious use of WriteProcessMemory
       |
       +- C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            PID: 112
            - Runs ping.exe

The command line names System32\cmd.exe but the image that actually ran is SysWOW64\cmd.exe: file-system redirection for a 32-bit parent, matching the WOW6432Node Run key above. The cmd.exe line is the classic self-delete idiom (ping as a sleep, then del of the parent's own path), so after the run the original file is gone and only the dropped MediaCenter.exe plus its Run value remain on disk.

Separate roots (not children of the sample; Windows Update and servicing-stack background activity in the VM):

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4904
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 4516
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
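The two sample-attributable behaviours in this report, Run-key persistence into a user-writable Temp path and the `ping 127.0.0.1 & del /q` self-delete, are both cheap to detect in process-creation and registry-set telemetry. The following is an added example written for this page, not code from the sandbox or from the sample's author. The event field names (`type`, `pid`, `ppid`, `image`, `cmdline`, `key`, `value`) are an assumed schema rather than any particular EDR format, and the events themselves are constructed to mirror the IoCs above, with one benign Run value added as a control that must not fire.

```python
"""Detect Run-key persistence into user-writable paths and the ping-then-del
self-delete idiom over constructed process/registry events (assumed schema)."""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\05bcd36dfd01c9b5161eb7e0dc27d05268164297abd77bebc39a097efc4e1800.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Autostart value under ...\CurrentVersion\Run or RunOnce, in any registry view.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
# Directories a standard user can write to without elevation.
USER_WRITABLE_RE = re.compile(r"\\(AppData\\(Local|Roaming)|Users\\Public|ProgramData)\\", re.I)
# "ping 127.0.0.1 & del /q <exe>": the loopback ping is a sleep so the exiting
# parent has released its image file before del runs.
SELF_DELETE_RE = re.compile(
    r"ping\s+(127\.0\.0\.1|localhost)\b.*?&\s*del\s+(?:/\w\s+)*\"?(?P<target>[^\"&]+?\.exe)\"?",
    re.I)


def unquote(path):
    return path.strip().strip('"')


def check_run_key(ev):
    """Flag a Run/RunOnce value whose target lives in a user-writable directory."""
    if ev["type"] != "registry_set" or not RUN_KEY_RE.search(ev["key"]):
        return None
    target = unquote(ev["value"])
    if not USER_WRITABLE_RE.search(target):
        return None
    return {
        "rule": "autostart_in_user_writable_path",
        "pid": ev["pid"],
        "value_name": ev["key"].rsplit("\\", 1)[1],
        "target": target,
        # WOW6432Node in the key path means a 32-bit writer on 64-bit Windows.
        "wow64": "WOW6432NODE" in ev["key"].upper(),
    }


def check_self_delete(ev, images):
    """Flag cmd.exe running ping-then-del; 'self' when the target is the parent's image."""
    if ev["type"] != "process_create" or not ev["image"].lower().endswith("\\cmd.exe"):
        return None
    m = SELF_DELETE_RE.search(ev["cmdline"])
    if not m:
        return None
    target = unquote(m.group("target"))
    parent = images.get(ev["ppid"], "")
    rule = "self_delete_of_parent" if target.lower() == parent.lower() else "delayed_delete"
    return {"rule": rule, "pid": ev["pid"], "ppid": ev["ppid"], "target": target}


def analyse(events):
    """Return findings in event order; pid -> image map resolves the cmd.exe parent."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    findings = []
    for ev in events:
        f = check_run_key(ev) or check_self_delete(ev, images)
        if f:
            findings.append(f)
    return findings


# Constructed telemetry mirroring the report's process tree and registry IoC,
# plus a benign Run value (Program Files target) that must not fire.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1344, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "registry_set", "pid": 1344,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
    {"type": "process_create", "pid": 1648, "ppid": 1344, "image": DROPPED, "cmdline": DROPPED},
    {"type": "process_create", "pid": 3908, "ppid": 1344, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process_create", "pid": 112, "ppid": 3908, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    {"type": "registry_set", "pid": 500,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events this yields exactly two findings, the MicroMedia Run value (with `wow64` set) and the cmd.exe self-delete of PID 1344's image; the OneDrive control stays silent because its target is under Program Files. Keying the self-delete rule on the parent's image path, rather than on `ping` alone, is what keeps it from firing on ordinary scripts that happen to ping loopback.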
Network
No network entries were recorded for this run; the only traffic-like activity is the loopback ping in the process tree, which never leaves the host.
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: b68316cfd75933d223a9495289a1a2a4
  SHA1: 5ccf38fee991947e73145c929ae2c6c9a2df0fb1
  SHA256: 8aaeb23230f7526ce308320d9ae63982992c609b830d0cba89a45e8de26a9400
  SHA512: 1ff78b7a48ff51fd9a6f024340cecdb83fd2f5673e2746876aff82ba24b273c5c67e0adac408ae41dfc47364e1e951774c329985ddc7d3f8052f55231aa0f4e7
The dropped file's hashes differ from the submitted sample's, so MediaCenter.exe is not a byte-for-byte copy of the original; it is the artefact to hunt for on disk, together with the MicroMedia Run value, since the original file deletes itself.
-
memory/4904-133-0x0000021C3F780000-0x0000021C3F790000-memory.dmp (64KB)
memory/4904-132-0x0000021C3F720000-0x0000021C3F730000-memory.dmp (64KB)
memory/4904-134-0x0000021C41E30000-0x0000021C41E34000-memory.dmp (16KB)
All three dumps are from PID 4904 (the wuauserv svchost.exe), not from the sample or the dropped MediaCenter.exe.