Analysis
max time kernel: 158s
max time network: 172s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 10:25
Static task: static1
Behavioral task: behavioral1
  Sample: 0736322089c98bb0763f30cdddd5ef5eae222c958ab8b463f3fed49fbc4e3e02.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0736322089c98bb0763f30cdddd5ef5eae222c958ab8b463f3fed49fbc4e3e02.exe
  Resource: win10v2004-en-20220113
General
Target: 0736322089c98bb0763f30cdddd5ef5eae222c958ab8b463f3fed49fbc4e3e02.exe
Size: 58KB
MD5: 8c1c888309730707fd20966a625599c0
SHA1: 2cdc419dfbceb33a7d01171e584aed04ba79aa44
SHA256: 0736322089c98bb0763f30cdddd5ef5eae222c958ab8b463f3fed49fbc4e3e02
SHA512: 49558756ce9d0759fd82ad443d81e5fb7fa63315ed3b1bcfdfae82531bc6c7bbda9819adb4d0d21d6f6c78d6f86f604b05bc295317b8a05e63f82fd6ccd6ef71
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
  MediaCenter.exe (PID 3636)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  0736322089c98bb0763f30cdddd5ef5eae222c958ab8b463f3fed49fbc4e3e02.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  0736322089c98bb0763f30cdddd5ef5eae222c958ab8b463f3fed49fbc4e3e02.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
Drops file in Windows directory (8 IoCs)
Processes:
  svchost.exe
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm
    File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log
    File opened for modification: C:\Windows\WindowsUpdate.log
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
  TiWorker.exe
    File opened for modification: C:\Windows\Logs\CBS\CBS.log
    File opened for modification: C:\Windows\WinSxS\pending.xml
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Processes:
  PING.EXE (PID 4056), spawned by cmd.exe (PID 3064)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  svchost.exe (PID 2996): Token: SeShutdownPrivilege, Token: SeCreatePagefilePrivilege (each enabled three times)
  0736322089c98bb0763f30cdddd5ef5eae222c958ab8b463f3fed49fbc4e3e02.exe (PID 1944): Token: SeIncBasePriorityPrivilege
  TiWorker.exe (PID 3320): the remaining entries, cycling through Token: SeSecurityPrivilege, Token: SeRestorePrivilege, Token: SeBackupPrivilege
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  PID 1944 (0736322089c98bb0763f30cdddd5ef5eae222c958ab8b463f3fed49fbc4e3e02.exe) wrote to memory of PID 3636 (MediaCenter.exe), 3 times
  PID 1944 (0736322089c98bb0763f30cdddd5ef5eae222c958ab8b463f3fed49fbc4e3e02.exe) wrote to memory of PID 3064 (cmd.exe), 3 times
  PID 3064 (cmd.exe) wrote to memory of PID 4056 (PING.EXE), 3 times
Every write here is from a parent into a child it has just created, which is consistent with ordinary process start-up rather than injection into a foreign process; treat this signature as low-confidence on its own.
Processes
C:\Users\Admin\AppData\Local\Temp\0736322089c98bb0763f30cdddd5ef5eae222c958ab8b463f3fed49fbc4e3e02.exe (PID 1944)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0736322089c98bb0763f30cdddd5ef5eae222c958ab8b463f3fed49fbc4e3e02.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 3636)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe (PID 3064)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0736322089c98bb0763f30cdddd5ef5eae222c958ab8b463f3fed49fbc4e3e02.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (PID 4056)
      Command line: ping 127.0.0.1
      - Runs ping.exe
C:\Windows\system32\svchost.exe (PID 2996)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 3320)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
The svchost.exe (wuauserv) and TiWorker.exe trees have no parent link to the sample and only touch Windows Update and CBS servicing files; they are background activity of the analysis VM, not behaviour of the sample. The sample's own activity is the first tree: drop MediaCenter.exe under %LOCALAPPDATA%\Temp\MicroMedia, register it under the Run key, launch it, then delete the original file via cmd.exe once the ping delay has let the parent exit. The cmd.exe requested as System32 resolves to SysWOW64, so the sample is a 32-bit process; that is why its Run value is written under the WOW6432Node view of HKLM.
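The three sample-specific behaviours above (the Geo\Nation geofence probe, the Run-key persistence into a user-writable Temp directory, and the ping-then-del self-deletion) are the ones worth turning into detection logic. The following is an added example, not tooling from the sandbox vendor: it runs the checks over a constructed list of events that mirror this report's process tree and registry IoCs. The event dict layout (`type`, `pid`, `ppid`, `image`, `cmdline`, `key`, `value`) is an assumption for the example, not any sandbox's export format. The Run-key pattern deliberately accepts the WOW6432Node view as well as the native path, and the self-deletion check correlates the deleted path with the parent process image instead of merely matching the string `ping 127.0.0.1`, which on its own is noisy.

```python
"""Triage helpers for the behaviours listed in the report above.

Added example; not sandbox vendor code. The event dicts below are
constructed to mirror the report's process tree and registry IoCs, and
their layout ('type', 'pid', 'ppid', 'image', 'cmdline', 'key', 'value')
is an assumption, not any sandbox's export format.
"""
import json
import re
from typing import Dict, List, Optional

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0736322089c98bb0763f30cdddd5ef5eae222c958ab8b463f3fed49fbc4e3e02.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events (taken from the report's IoCs, not a real log export).
EVENTS: List[Dict] = [
    {"type": "process", "pid": 1944, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "reg_query", "pid": 1944,
     "key": r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"type": "reg_set", "pid": 1944,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
    {"type": "process", "pid": 3636, "ppid": 1944, "image": DROPPED, "cmdline": DROPPED},
    {"type": "process", "pid": 3064, "ppid": 1944, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process", "pid": 4056, "ppid": 3064, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
]

# Geofence probe: HKCU\Control Panel\International\Geo\Nation.
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# Run/RunOnce values; a 32-bit writer is redirected to the WOW6432Node branch.
RUN_KEY_RE = re.compile(
    r"\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.I)
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop)\\", re.I)
# "ping 127.0.0.1 & del /q <path>": ping acts as a sleep so the parent can exit first.
SELF_DELETE_RE = re.compile(
    r'\bping\b[^&]*\b127\.0\.0\.1\b[^&]*&+\s*del\b\s+(?:/\w+\s+)*"?([^"]+?)"?\s*$', re.I)


def image_of(events: List[Dict], pid: Optional[int]) -> Optional[str]:
    """Image path of a process event by PID, or None if unknown."""
    for e in events:
        if e["type"] == "process" and e["pid"] == pid:
            return e["image"]
    return None


def find_geofence_queries(events: List[Dict]) -> List[int]:
    """PIDs that read the configured country code."""
    return sorted({e["pid"] for e in events
                   if e["type"] == "reg_query" and GEO_NATION_RE.search(e["key"])})


def find_run_key_persistence(events: List[Dict]) -> List[Dict]:
    """Run-key writes, annotated with whether the target lives in a user-writable
    directory and whether the writer also launched that same binary."""
    hits = []
    for e in events:
        if e["type"] != "reg_set":
            continue
        m = RUN_KEY_RE.search(e["key"])
        if not m:
            continue
        target = e["value"].strip('"')
        launched = {c["image"].lower() for c in events
                    if c["type"] == "process" and c.get("ppid") == e["pid"]}
        hits.append({
            "pid": e["pid"], "value_name": m.group(1), "target": target,
            "wow64_view": "wow6432node" in e["key"].lower(),
            "user_writable": bool(USER_WRITABLE_RE.match(target)),
            "launched_by_writer": target.lower() in launched,
        })
    return hits


def find_self_deletion(events: List[Dict]) -> List[Dict]:
    """cmd.exe 'ping & del' chains, flagged when the deleted file is the parent's image."""
    hits = []
    for e in events:
        if e["type"] != "process":
            continue
        m = SELF_DELETE_RE.search(e["cmdline"])
        if not m:
            continue
        deleted = m.group(1)
        parent = image_of(events, e.get("ppid"))
        hits.append({"cmd_pid": e["pid"], "parent_pid": e.get("ppid"), "deleted": deleted,
                     "deletes_parent": parent is not None and parent.lower() == deleted.lower()})
    return hits


def triage(events: List[Dict]) -> Dict:
    """All three checks in one report-shaped dict."""
    return {"geofence_pids": find_geofence_queries(events),
            "run_keys": find_run_key_persistence(events),
            "self_delete": find_self_deletion(events)}


if __name__ == "__main__":
    print(json.dumps(triage(EVENTS), indent=2))
```

Run against the constructed events, `triage` reports PID 1944 for the geofence query, one Run value (`MicroMedia`, WOW64 view, user-writable target that the same process also executed as PID 3636) and one self-deletion where cmd.exe PID 3064 deletes exactly the image of its parent PID 1944. A bare `ping 127.0.0.1` with no `del` produces no hit, which is the point of correlating with the parent image rather than alerting on the ping alone.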
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 3fa8ab61f6835e612d050643a463ef5e
  SHA1: 387c361f90b4bdd66d4f91f7937c528bc9839e6b
  SHA256: 6a62386ccdb4c910c89d05d802676c2dcfb25c3cdf3c4ebdd4a435387d6b82aa
  SHA512: b1e32954abea42a463fa5c6974cae7f6bd7bec4d72d40e8c38fa0d2cb4ae7b479e2f78b6a9f97c83beec1ae7b82b6de1c9871195eb658aafd43150491013a0e1
memory/2996-132-0x0000026B7D020000-0x0000026B7D030000-memory.dmp  Filesize: 64KB
memory/2996-133-0x0000026B7D080000-0x0000026B7D090000-memory.dmp  Filesize: 64KB
memory/2996-134-0x0000026B7F750000-0x0000026B7F754000-memory.dmp  Filesize: 16KB