Analysis
- max time kernel: 153s
- max time network: 169s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 10:16
Static task: static1
Behavioral task: behavioral1
  Sample: 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe
  Resource: win10v2004-en-20220113
General
- Target: 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe
- Size: 35KB
- MD5: 3ea00914d2d50cb71f29a8e26c35fde9
- SHA1: dc907c7aedab6ee77b1f307d244ad8f293801dbb
- SHA256: 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d
- SHA512: 7aee8083eb230e3fe10e81eca95601b55f9722dea6d379d30c9c93b445aa3dbb2e1677b0e939ee0fa66bde485d5006d6d1187867d0c96377d1702da477f1c97e
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
    pid  | process
    3428 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe
    description       | ioc                                                                                                      | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe
    description     | ioc                                                                                                                                                                          | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
    description                  | ioc                                                       | process
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk    | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log    | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb   | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm   | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log       | svchost.exe
    File opened for modification | C:\Windows\Logs\CBS\CBS.log                               | TiWorker.exe
    File opened for modification | C:\Windows\WinSxS\pending.xml                             | TiWorker.exe
    File opened for modification | C:\Windows\WindowsUpdate.log                              | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe, TiWorker.exe
    description                       | pid  | process
    Token: SeShutdownPrivilege        | 432  | svchost.exe
    Token: SeCreatePagefilePrivilege  | 432  | svchost.exe
    Token: SeShutdownPrivilege        | 432  | svchost.exe
    Token: SeCreatePagefilePrivilege  | 432  | svchost.exe
    Token: SeShutdownPrivilege        | 432  | svchost.exe
    Token: SeCreatePagefilePrivilege  | 432  | svchost.exe
    Token: SeIncBasePriorityPrivilege | 4976 | 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe
    Token: SeSecurityPrivilege        | 4988 | TiWorker.exe
    Token: SeRestorePrivilege         | 4988 | TiWorker.exe
    Token: SeBackupPrivilege          | 4988 | TiWorker.exe
    Token: SeBackupPrivilege          | 4988 | TiWorker.exe
    Token: SeRestorePrivilege         | 4988 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4988 | TiWorker.exe
    Token: SeBackupPrivilege          | 4988 | TiWorker.exe
    Token: SeRestorePrivilege         | 4988 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4988 | TiWorker.exe
    Token: SeBackupPrivilege          | 4988 | TiWorker.exe
    Token: SeRestorePrivilege         | 4988 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4988 | TiWorker.exe
    Token: SeBackupPrivilege          | 4988 | TiWorker.exe
    Token: SeRestorePrivilege         | 4988 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4988 | TiWorker.exe
    Token: SeBackupPrivilege          | 4988 | TiWorker.exe
    Token: SeRestorePrivilege         | 4988 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4988 | TiWorker.exe
    Token: SeBackupPrivilege          | 4988 | TiWorker.exe
    Token: SeRestorePrivilege         | 4988 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4988 | TiWorker.exe
    Token: SeBackupPrivilege          | 4988 | TiWorker.exe
    Token: SeRestorePrivilege         | 4988 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4988 | TiWorker.exe
    Token: SeBackupPrivilege          | 4988 | TiWorker.exe
    Token: SeRestorePrivilege         | 4988 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4988 | TiWorker.exe
    Token: SeBackupPrivilege          | 4988 | TiWorker.exe
    Token: SeRestorePrivilege         | 4988 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4988 | TiWorker.exe
    Token: SeBackupPrivilege          | 4988 | TiWorker.exe
    Token: SeRestorePrivilege         | 4988 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4988 | TiWorker.exe
    Token: SeBackupPrivilege          | 4988 | TiWorker.exe
    Token: SeRestorePrivilege         | 4988 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4988 | TiWorker.exe
    Token: SeBackupPrivilege          | 4988 | TiWorker.exe
    Token: SeRestorePrivilege         | 4988 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4988 | TiWorker.exe
    Token: SeBackupPrivilege          | 4988 | TiWorker.exe
    Token: SeRestorePrivilege         | 4988 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4988 | TiWorker.exe
    Token: SeBackupPrivilege          | 4988 | TiWorker.exe
    Token: SeRestorePrivilege         | 4988 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4988 | TiWorker.exe
    Token: SeBackupPrivilege          | 4988 | TiWorker.exe
    Token: SeRestorePrivilege         | 4988 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4988 | TiWorker.exe
    Token: SeBackupPrivilege          | 4988 | TiWorker.exe
    Token: SeRestorePrivilege         | 4988 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4988 | TiWorker.exe
    Token: SeBackupPrivilege          | 4988 | TiWorker.exe
    Token: SeRestorePrivilege         | 4988 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4988 | TiWorker.exe
    Token: SeBackupPrivilege          | 4988 | TiWorker.exe
    Token: SeRestorePrivilege         | 4988 | TiWorker.exe
    Token: SeSecurityPrivilege        | 4988 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe, cmd.exe
    description                      | pid  | process                                                              | target process
    PID 4976 wrote to memory of 3428 | 4976 | 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe | MediaCenter.exe
    PID 4976 wrote to memory of 3428 | 4976 | 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe | MediaCenter.exe
    PID 4976 wrote to memory of 3428 | 4976 | 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe | MediaCenter.exe
    PID 4976 wrote to memory of 4160 | 4976 | 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe | cmd.exe
    PID 4976 wrote to memory of 4160 | 4976 | 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe | cmd.exe
    PID 4976 wrote to memory of 4160 | 4976 | 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe | cmd.exe
    PID 4160 wrote to memory of 4580 | 4160 | cmd.exe                                                              | PING.EXE
    PID 4160 wrote to memory of 4580 | 4160 | cmd.exe                                                              | PING.EXE
    PID 4160 wrote to memory of 4580 | 4160 | cmd.exe                                                              | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe"
  PID: 4976
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 3428
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe"
    PID: 4160
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 4580
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 432
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 4988
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: f1661644dedca83645b1260e4668b974
  SHA1: 1cc8da7265be2f744735ec71d501a8cc8efd3ba7
  SHA256: 8a3346793ca30c6dfbcc676305d7fc0011a34afafd170726987a7faf08c8a113
  SHA512: 2e4d0cec81618734017737a8388ff07d264bbb781aabedeb87492b76185f4b929ef5446aac48e51e392439796f35b6036669ff0ba809bf3495d52470cf2032cb
- memory/432-132-0x000001F7C05A0000-0x000001F7C05B0000-memory.dmp
  Filesize: 64KB
- memory/432-133-0x000001F7C0B20000-0x000001F7C0B30000-memory.dmp
  Filesize: 64KB
- memory/432-134-0x000001F7C3220000-0x000001F7C3224000-memory.dmp
  Filesize: 16KB