Analysis
max time kernel: 151s
max time network: 170s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 10:58
Static task: static1
Behavioral task: behavioral1
  Sample: 059ffaa5d6526c054c855074621008d206d6eff4c1cb52b016b049326d145880.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 059ffaa5d6526c054c855074621008d206d6eff4c1cb52b016b049326d145880.exe
  Resource: win10v2004-en-20220113
General
Target: 059ffaa5d6526c054c855074621008d206d6eff4c1cb52b016b049326d145880.exe
Size: 60KB
MD5: f38dbe528b7f42f43505c76c1839223d
SHA1: d453f96772128150422f7e7458e0b03e635ae04f
SHA256: 059ffaa5d6526c054c855074621008d206d6eff4c1cb52b016b049326d145880
SHA512: 81707a8cd7364a36bff95f3f425fce7651cbb11cb50d80167a0c87e56694f57f88abee12897342c30ce2eb66f4856797372d2ee0bad79e6d37c731fc417cc9ad
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Processes (pid | process):
    3812 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 059ffaa5d6526c054c855074621008d206d6eff4c1cb52b016b049326d145880.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 059ffaa5d6526c054c855074621008d206d6eff4c1cb52b016b049326d145880.exe
Drops file in Windows directory (8 IoCs)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
    File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
    File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description | pid | process):
    Token: SeIncBasePriorityPrivilege | 4284 | 059ffaa5d6526c054c855074621008d206d6eff4c1cb52b016b049326d145880.exe
    Token: SeShutdownPrivilege | 2060 | svchost.exe
    Token: SeCreatePagefilePrivilege | 2060 | svchost.exe
    Token: SeShutdownPrivilege | 2060 | svchost.exe
    Token: SeCreatePagefilePrivilege | 2060 | svchost.exe
    Token: SeShutdownPrivilege | 2060 | svchost.exe
    Token: SeCreatePagefilePrivilege | 2060 | svchost.exe
    Token: SeSecurityPrivilege | 3092 | TiWorker.exe
    Token: SeRestorePrivilege | 3092 | TiWorker.exe
    Token: SeBackupPrivilege | 3092 | TiWorker.exe
    Token: SeBackupPrivilege | 3092 | TiWorker.exe
    Token: SeRestorePrivilege | 3092 | TiWorker.exe
    Token: SeSecurityPrivilege | 3092 | TiWorker.exe
    Token: SeBackupPrivilege | 3092 | TiWorker.exe
    Token: SeRestorePrivilege | 3092 | TiWorker.exe
    Token: SeSecurityPrivilege | 3092 | TiWorker.exe
    Token: SeBackupPrivilege | 3092 | TiWorker.exe
    Token: SeRestorePrivilege | 3092 | TiWorker.exe
    Token: SeSecurityPrivilege | 3092 | TiWorker.exe
    Token: SeBackupPrivilege | 3092 | TiWorker.exe
    Token: SeRestorePrivilege | 3092 | TiWorker.exe
    Token: SeSecurityPrivilege | 3092 | TiWorker.exe
    Token: SeBackupPrivilege | 3092 | TiWorker.exe
    Token: SeRestorePrivilege | 3092 | TiWorker.exe
    Token: SeSecurityPrivilege | 3092 | TiWorker.exe
    Token: SeBackupPrivilege | 3092 | TiWorker.exe
    Token: SeRestorePrivilege | 3092 | TiWorker.exe
    Token: SeSecurityPrivilege | 3092 | TiWorker.exe
    Token: SeBackupPrivilege | 3092 | TiWorker.exe
    Token: SeRestorePrivilege | 3092 | TiWorker.exe
    Token: SeSecurityPrivilege | 3092 | TiWorker.exe
    Token: SeBackupPrivilege | 3092 | TiWorker.exe
    Token: SeRestorePrivilege | 3092 | TiWorker.exe
    Token: SeSecurityPrivilege | 3092 | TiWorker.exe
    Token: SeBackupPrivilege | 3092 | TiWorker.exe
    Token: SeRestorePrivilege | 3092 | TiWorker.exe
    Token: SeSecurityPrivilege | 3092 | TiWorker.exe
    Token: SeBackupPrivilege | 3092 | TiWorker.exe
    Token: SeRestorePrivilege | 3092 | TiWorker.exe
    Token: SeSecurityPrivilege | 3092 | TiWorker.exe
    Token: SeBackupPrivilege | 3092 | TiWorker.exe
    Token: SeRestorePrivilege | 3092 | TiWorker.exe
    Token: SeSecurityPrivilege | 3092 | TiWorker.exe
    Token: SeBackupPrivilege | 3092 | TiWorker.exe
    Token: SeRestorePrivilege | 3092 | TiWorker.exe
    Token: SeSecurityPrivilege | 3092 | TiWorker.exe
    Token: SeBackupPrivilege | 3092 | TiWorker.exe
    Token: SeRestorePrivilege | 3092 | TiWorker.exe
    Token: SeSecurityPrivilege | 3092 | TiWorker.exe
    Token: SeBackupPrivilege | 3092 | TiWorker.exe
    Token: SeRestorePrivilege | 3092 | TiWorker.exe
    Token: SeSecurityPrivilege | 3092 | TiWorker.exe
    Token: SeBackupPrivilege | 3092 | TiWorker.exe
    Token: SeRestorePrivilege | 3092 | TiWorker.exe
    Token: SeSecurityPrivilege | 3092 | TiWorker.exe
    Token: SeBackupPrivilege | 3092 | TiWorker.exe
    Token: SeRestorePrivilege | 3092 | TiWorker.exe
    Token: SeSecurityPrivilege | 3092 | TiWorker.exe
    Token: SeBackupPrivilege | 3092 | TiWorker.exe
    Token: SeRestorePrivilege | 3092 | TiWorker.exe
    Token: SeSecurityPrivilege | 3092 | TiWorker.exe
    Token: SeBackupPrivilege | 3092 | TiWorker.exe
    Token: SeRestorePrivilege | 3092 | TiWorker.exe
    Token: SeSecurityPrivilege | 3092 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
    PID 4284 wrote to memory of 3812 | 4284 | 059ffaa5d6526c054c855074621008d206d6eff4c1cb52b016b049326d145880.exe | MediaCenter.exe
    PID 4284 wrote to memory of 3812 | 4284 | 059ffaa5d6526c054c855074621008d206d6eff4c1cb52b016b049326d145880.exe | MediaCenter.exe
    PID 4284 wrote to memory of 3812 | 4284 | 059ffaa5d6526c054c855074621008d206d6eff4c1cb52b016b049326d145880.exe | MediaCenter.exe
    PID 4284 wrote to memory of 5048 | 4284 | 059ffaa5d6526c054c855074621008d206d6eff4c1cb52b016b049326d145880.exe | cmd.exe
    PID 4284 wrote to memory of 5048 | 4284 | 059ffaa5d6526c054c855074621008d206d6eff4c1cb52b016b049326d145880.exe | cmd.exe
    PID 4284 wrote to memory of 5048 | 4284 | 059ffaa5d6526c054c855074621008d206d6eff4c1cb52b016b049326d145880.exe | cmd.exe
    PID 5048 wrote to memory of 4220 | 5048 | cmd.exe | PING.EXE
    PID 5048 wrote to memory of 4220 | 5048 | cmd.exe | PING.EXE
    PID 5048 wrote to memory of 4220 | 5048 | cmd.exe | PING.EXE
Processes (process tree; indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\059ffaa5d6526c054c855074621008d206d6eff4c1cb52b016b049326d145880.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\059ffaa5d6526c054c855074621008d206d6eff4c1cb52b016b049326d145880.exe"
  PID: 4284
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 3812
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\059ffaa5d6526c054c855074621008d206d6eff4c1cb52b016b049326d145880.exe"
      PID: 5048
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          PID: 4220
          - Runs ping.exe
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 2060
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3092
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: b51e6bbc8688d9bc4630326bedbeddbd
  SHA1: 4f95db8f5f6bc51e62da96bce7e2e754859b2ba2
  SHA256: 9abf98a0f228636e341c7c34771e319652871f0d099f7d355d87df6649b91ff6
  SHA512: f572d9cadebfe9d6031e643dd02ce8169563cd3d65c6a25662403bb8acf8c2093eff79941d0c218bbcdfabb8724d26e3a9cb014418cf85b5d18b68e765cf4c15
memory/2060-132-0x0000015EDE5A0000-0x0000015EDE5B0000-memory.dmp
  Filesize: 64KB
memory/2060-133-0x0000015EDED60000-0x0000015EDED70000-memory.dmp
  Filesize: 64KB
memory/2060-134-0x0000015EE1980000-0x0000015EE1984000-memory.dmp
  Filesize: 16KB