Analysis
- max time kernel: 155s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 10:29

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 070fbc5c10adfb718bb30092d09f99fdbb62ec3f89dfc7c14af2ca5c19c6b9e9.exe
  - Resource: win7-en-20211208
- Behavioral task: behavioral2
  - Sample: 070fbc5c10adfb718bb30092d09f99fdbb62ec3f89dfc7c14af2ca5c19c6b9e9.exe
  - Resource: win10v2004-en-20220113
General
- Target: 070fbc5c10adfb718bb30092d09f99fdbb62ec3f89dfc7c14af2ca5c19c6b9e9.exe
- Size: 58KB
- MD5: a232833b1e1dfeb2eeee5662d547587a
- SHA1: 7165cac9418f75245859f37de3352c47905102bd
- SHA256: 070fbc5c10adfb718bb30092d09f99fdbb62ec3f89dfc7c14af2ca5c19c6b9e9
- SHA512: 9f7317fbe0b41dde42aa642ad4575f21e18888816c9a7167c71e943bb0558c5fb9eac3e90efdc63cff24a3256217ae1d8666dc9958ffb85ad245740efd1851a1
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  | pid  | process         |
  |------|-----------------|
  | 1948 | MediaCenter.exe |
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  | description       | ioc                                                                                                     | process                                                                  |
  |-------------------|---------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------|
  | Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 070fbc5c10adfb718bb30092d09f99fdbb62ec3f89dfc7c14af2ca5c19c6b9e9.exe |
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  | description     | ioc                                                                                                                                                                              | process                                                                  |
  |-----------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------|
  | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 070fbc5c10adfb718bb30092d09f99fdbb62ec3f89dfc7c14af2ca5c19c6b9e9.exe |
- Drops file in Windows directory (8 IoCs)
  Processes:
  | description                  | ioc                                                          | process      |
  |------------------------------|--------------------------------------------------------------|--------------|
  | File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log       | svchost.exe  |
  | File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb      | svchost.exe  |
  | File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm      | svchost.exe  |
  | File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log          | svchost.exe  |
  | File opened for modification | C:\Windows\Logs\CBS\CBS.log                                  | TiWorker.exe |
  | File opened for modification | C:\Windows\WinSxS\pending.xml                                | TiWorker.exe |
  | File opened for modification | C:\Windows\WindowsUpdate.log                                 | svchost.exe  |
  | File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk       | svchost.exe  |
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (64 token events, grouped by distinct row with occurrence count):
  | description                       | pid  | process      | count |
  |-----------------------------------|------|--------------|-------|
  | Token: SeShutdownPrivilege        | 4072 | svchost.exe  | 3     |
  | Token: SeCreatePagefilePrivilege  | 4072 | svchost.exe  | 3     |
  | Token: SeSecurityPrivilege        | 1812 | TiWorker.exe | 19    |
  | Token: SeRestorePrivilege         | 1812 | TiWorker.exe | 19    |
  | Token: SeBackupPrivilege          | 1812 | TiWorker.exe | 20    |
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  | description                      | pid  | process                                                                  | target process  |
  |----------------------------------|------|--------------------------------------------------------------------------|-----------------|
  | PID 2712 wrote to memory of 1948 | 2712 | 070fbc5c10adfb718bb30092d09f99fdbb62ec3f89dfc7c14af2ca5c19c6b9e9.exe | MediaCenter.exe |
  | PID 2712 wrote to memory of 1948 | 2712 | 070fbc5c10adfb718bb30092d09f99fdbb62ec3f89dfc7c14af2ca5c19c6b9e9.exe | MediaCenter.exe |
  | PID 2712 wrote to memory of 1948 | 2712 | 070fbc5c10adfb718bb30092d09f99fdbb62ec3f89dfc7c14af2ca5c19c6b9e9.exe | MediaCenter.exe |
  | PID 2712 wrote to memory of 4616 | 2712 | 070fbc5c10adfb718bb30092d09f99fdbb62ec3f89dfc7c14af2ca5c19c6b9e9.exe | cmd.exe         |
  | PID 2712 wrote to memory of 4616 | 2712 | 070fbc5c10adfb718bb30092d09f99fdbb62ec3f89dfc7c14af2ca5c19c6b9e9.exe | cmd.exe         |
  | PID 2712 wrote to memory of 4616 | 2712 | 070fbc5c10adfb718bb30092d09f99fdbb62ec3f89dfc7c14af2ca5c19c6b9e9.exe | cmd.exe         |
  | PID 4616 wrote to memory of 1500 | 4616 | cmd.exe                                                                  | PING.EXE        |
  | PID 4616 wrote to memory of 1500 | 4616 | cmd.exe                                                                  | PING.EXE        |
  | PID 4616 wrote to memory of 1500 | 4616 | cmd.exe                                                                  | PING.EXE        |
Processes (tree; indentation shows parent/child depth)
- [depth 1] C:\Users\Admin\AppData\Local\Temp\070fbc5c10adfb718bb30092d09f99fdbb62ec3f89dfc7c14af2ca5c19c6b9e9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\070fbc5c10adfb718bb30092d09f99fdbb62ec3f89dfc7c14af2ca5c19c6b9e9.exe"
  PID: 2712
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1948
    - Executes dropped EXE
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\070fbc5c10adfb718bb30092d09f99fdbb62ec3f89dfc7c14af2ca5c19c6b9e9.exe"
    PID: 4616
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1500
      - Runs ping.exe
- [depth 1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4072
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- [depth 1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 1812
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - MD5: b717379ffbbc5365e9b733b861db1cb4
  - SHA1: 6c5940845882772495c50c5352262230b7eeffdf
  - SHA256: 04b305e6890a9787185a2495adc83a4b0566afd185e48118d20d5549c68229e0
  - SHA512: 210e167f9d49b8ab67b596e5a50d4935aeb203946b142251cde2a72fe1b740a21e12a692075da92cf39be6cc7e9971e2cd2d799399ebfe2b00c39902028737a8
- memory/4072-132-0x0000020CE2330000-0x0000020CE2340000-memory.dmp
  - Filesize: 64KB
- memory/4072-133-0x0000020CE2390000-0x0000020CE23A0000-memory.dmp
  - Filesize: 64KB
- memory/4072-134-0x0000020CE50B0000-0x0000020CE50B4000-memory.dmp
  - Filesize: 16KB