Analysis

  Max time kernel:   140s
  Max time network:  164s
  Platform:          windows10-2004_x64
  Resource:          win10v2004-en-20220113
  Submitted:         12-02-2022 10:23

  Static task        static1
  Behavioral task    behavioral1   Sample: 075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1.exe   Resource: win7-en-20211208
  Behavioral task    behavioral2   Sample: 075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1.exe   Resource: win10v2004-en-20220113

  The behavioural results on this page (platform windows10-2004_x64, a TiWorker.exe path under winsxs\amd64_* at build 10.0.19041) are from the behavioral2 run on win10v2004; the win7 run's results are not shown here.
General

  Target:   075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1.exe
  Size:     58KB
  MD5:      72cafac074e38c5ede12be6a7f3d4f95
  SHA1:     12a0bca45e48c923b3ba62dab469ffad4f908f14
  SHA256:   075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1
  SHA512:   b09b909a00a7128e5a5db4c3cc0fd80f49d5c4449418324ea22154a26e4287940a98ab9b6fb13d1a4f5f2284b6779698cd438b5d879ec07b338ef75770833f28
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 544), dropped by the sample under C:\Users\Admin\AppData\Local\Temp\MicroMedia\ and started by it (see Processes and Downloads).
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Process: 075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  Geo\Nation is the user's Control Panel country setting. Malware reads it to decide whether to proceed on a given host, so if the sandbox locale is outside the targeted region the sample may stop early and the rest of its behaviour will not appear in this report.
Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Two points for triage. The key is under HKLM, so the persistence is machine-wide and the write only succeeds with administrative rights (the sandbox ran the sample as the Admin user). The WOW6432Node path is the 32-bit registry view: the sample is a 32-bit executable, and its write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run was redirected there by WOW64, which is consistent with its cmd.exe child running from SysWOW64. A host check for this persistence must inspect both views (reg query with /reg:32 and /reg:64), because the native 64-bit Run key will look clean.
Drops file in Windows directory (8 IoCs)
  svchost.exe (PID 2836)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm
    File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log
    File opened for modification: C:\Windows\WindowsUpdate.log
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
  TiWorker.exe (PID 4208)
    File opened for modification: C:\Windows\Logs\CBS\CBS.log
    File opened for modification: C:\Windows\WinSxS\pending.xml
  None of these IoCs come from the sample or its children. Both writers are separate process trees: the Windows Update service (svchost.exe -k netsvcs -s wuauserv) and the servicing stack worker (TiWorker.exe), touching their own logs and data stores. For this sample the signature is sandbox background noise.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  That sentence is the generic description attached to this signature; no IoC is listed under it, and nothing else in the report supports a ransomware reading (the only dropped file is MediaCenter.exe, and no file encryption or ransom note is recorded). Do not classify on this signature alone.
Runs ping.exe (1 TTP, 1 IoC)
  Process: PING.EXE (PID 2068), "ping 127.0.0.1", spawned by cmd.exe (PID 4468).
  The ping to localhost is not network activity of interest. The parent cmd.exe command line shows it serves as a short delay before "del /q" removes the original sample from disk, a common self-deletion idiom; the useful detection is the "ping ... & del" pair, not ping.exe by itself.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1.exe (PID 4456)
    Token: SeIncBasePriorityPrivilege (1 hit)
  svchost.exe (PID 2836)
    Token: SeShutdownPrivilege (3 hits), SeCreatePagefilePrivilege (3 hits)
  TiWorker.exe (PID 4208)
    Token: SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege, enabled repeatedly in rotation (57 hits)
  Only the single SeIncBasePriorityPrivilege adjustment belongs to the sample, and that privilege is present in ordinary user tokens. The other 63 hits are the Windows Update service and the servicing stack worker enabling the backup, restore and security privileges they routinely use, and are unrelated to the sample.
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4456 (075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1.exe) wrote to memory of PID 544 (MediaCenter.exe)   3 hits
  PID 4456 (075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1.exe) wrote to memory of PID 4468 (cmd.exe)         3 hits
  PID 4468 (cmd.exe) wrote to memory of PID 2068 (PING.EXE)                                                                         3 hits
  In every case the target is a child the writer had just created, which is what ordinary process creation produces. The report records no write into a pre-existing or unrelated process, so this is not evidence of code injection.
Processes

  C:\Users\Admin\AppData\Local\Temp\075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1.exe  (PID 4456)
    Command line: "C:\Users\Admin\AppData\Local\Temp\075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 544)
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        - Executes dropped EXE

      C:\Windows\SysWOW64\cmd.exe  (PID 4468)
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1.exe"
        - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\PING.EXE  (PID 2068)
            Command line: ping 127.0.0.1
            - Runs ping.exe

  C:\Windows\system32\svchost.exe  (PID 2836)
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  (PID 4208)
    Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

  The first tree is the sample's. It drops and runs MediaCenter.exe, registers it in the Run key, then removes its own on-disk copy through cmd.exe. Note that the command line names "C:\Windows\System32\cmd.exe" while the image that actually ran is C:\Windows\SysWOW64\cmd.exe: that is WOW64 file-system redirection for a 32-bit caller, which is why the Run key landed under WOW6432Node. The svchost.exe (wuauserv) and TiWorker.exe trees have no parent relationship to the sample; they are Windows Update and servicing-stack activity that happened to run during the analysis window.
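The two sample-specific behaviours above, Run-key persistence into a user temp folder and self-deletion through "cmd /c ping 127.0.0.1 & del /q <own path>", can be checked directly in process-creation and registry-set telemetry. The following is an added example written for this page, not code from the sandbox or the malware; the event records are constructed to mirror the report's process tree and registry IoC (Sysmon-style dictionaries, hypothetical), with two benign controls that must not fire.

```python
"""Detection checks for the behaviours in this report (added example).

The event records below are constructed to mirror the report; they are
not real log output. Field names (pid, ppid, image, cmdline, key, value)
are a hypothetical Sysmon-like schema."""
import re
from typing import Dict, List

# Constructed process-creation records (Sysmon event 1 style, hypothetical).
# PIDs, images and command lines follow the report; the last two records
# are benign controls: an operator's cmd deleting an unrelated file.
PROC_EVENTS: List[Dict] = [
    {"pid": 4456, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1.exe"'},
    {"pid": 544, "ppid": 4456,
     "image": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"pid": 4468, "ppid": 4456,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1.exe"'},
    {"pid": 2068, "ppid": 4468,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    {"pid": 5000, "ppid": 4000,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ping -n 3 127.0.0.1 & del /q C:\Temp\old.log'},
    {"pid": 4000, "ppid": 1,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]

# Constructed registry-set records (Sysmon event 13 style, hypothetical).
# The second entry is a benign control: a Run value pointing at Program Files.
REG_EVENTS: List[Dict] = [
    {"pid": 4456,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"pid": 900,
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

# Run/RunOnce under HKLM or HKCU, in either the native or the WOW6432Node view.
RUN_KEY = re.compile(
    r"^(HKLM|HKCU|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\SOFTWARE\\"
    r"(?P<wow>WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\",
    re.IGNORECASE)
# Locations a standard user can write to; a Run value launching from here is
# the usual shape of commodity-malware persistence.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Local\\Temp|Roaming)|Users\\Public|ProgramData)\\",
    re.IGNORECASE)
# "ping <anything> & del [/flags] <path>", path quoted or bare.
PING_DEL = re.compile(
    r'\bping\b[^&]*&\s*del\b(?:\s+/\S+)*\s+(?:"(?P<q>[^"]+)"|(?P<u>\S+))',
    re.IGNORECASE)


def run_key_persistence(reg_events):
    """Flag Run/RunOnce values that launch a binary from a user-writable path."""
    findings = []
    for ev in reg_events:
        m = RUN_KEY.match(ev["key"])
        if not m or not USER_WRITABLE.search(ev["value"]):
            continue
        findings.append({
            "pid": ev["pid"],
            "key": ev["key"],
            "target": ev["value"],
            # WOW6432Node means a 32-bit writer on 64-bit Windows (registry
            # redirection), exactly what the report shows for this sample.
            "writer_is_32bit": bool(m.group("wow")),
            "scope": "machine" if m.group(1).upper() in ("HKLM", "HKEY_LOCAL_MACHINE") else "user",
        })
    return findings


def self_delete_via_ping(proc_events):
    """Flag 'ping & del' command lines whose del target is the parent's own image."""
    by_pid = {ev["pid"]: ev for ev in proc_events}
    findings = []
    for ev in proc_events:
        m = PING_DEL.search(ev["cmdline"])
        if not m:
            continue
        target = m.group("q") or m.group("u")
        parent = by_pid.get(ev["ppid"])
        # Only fire when the file being deleted is the parent's executable;
        # a ping-then-del of some other file is ordinary scripting.
        if parent and parent["image"].lower() == target.lower():
            findings.append({"cmd_pid": ev["pid"], "deleted_pid": parent["pid"],
                             "deleted_image": parent["image"]})
    return findings


if __name__ == "__main__":
    for f in run_key_persistence(REG_EVENTS):
        print("persistence:", f)
    for f in self_delete_via_ping(PROC_EVENTS):
        print("self-delete:", f)
```

Run against the constructed records, the persistence check fires once (PID 4456, machine scope, 32-bit writer) and the self-deletion check fires once (cmd.exe PID 4468 deleting the image of its parent PID 4456); the OneDrive Run value and the operator's "ping & del" of an unrelated file are ignored. On a real host the same two functions can be fed Sysmon event 13 and event 1 records after mapping the field names.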
Network
MITRE ATT&CK Enterprise v6
Downloads

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5:     d0faf8461afb933a99c4fe2fbc33170d
    SHA1:    b7763bb33be37d73026f6914dfc4d1a432fb8906
    SHA256:  b2b892027006d121ab5c179cc7b2b8004efc05366d08c835a5bad3bd2e3c10e4
    SHA512:  e6bf85fe575c5679555f98497a523849c6bee33e94395deef91eb3e415cc9b4a42b82a843dfdc8057ef4d80d01c54ec14dbd32fa31f31cc0835109cec7ea3e66
  The dropped file's hashes differ from the submitted sample's (General, above), so MediaCenter.exe is a distinct payload rather than a copy of the dropper; pivot on its SHA256 separately.
  memory/2836-132-0x000001E617F60000-0x000001E617F70000-memory.dmp   Filesize: 64KB
  memory/2836-133-0x000001E618520000-0x000001E618530000-memory.dmp   Filesize: 64KB
  memory/2836-134-0x000001E61ABA0000-0x000001E61ABA4000-memory.dmp   Filesize: 16KB
  All three memory dumps were taken from PID 2836 (svchost.exe, wuauserv), not from the sample or MediaCenter.exe; the 0x000001E6... base addresses lie above the 32-bit address space, consistent with that 64-bit service process and not with the 32-bit sample. They will not contain the sample's unpacked code.