Analysis
- max time kernel: 155s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 10:32
Static task: static1
Behavioral task: behavioral1
- Sample: 06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe
- Resource: win10v2004-en-20220113
General
- Target: 06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe
- Size: 60KB
- MD5: 328dbbe5e12f97f4d9ad1699a8f1acab
- SHA1: a73b30bd40c731bc69ae79159e26ca0b68115661
- SHA256: 06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f
- SHA512: 5430210b7d6e01f8d980be4ee749b45470e6e98c4124aab5aafbd9632cdeab3d5d40a7546cf58082a5d5a0c1fa5db42bb8a1d8bfbfa49349c51ea445cf7ecb8a
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  - PID 3908, MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: 06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe)
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
  - File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  - File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  - File opened for modification: C:\Windows\WindowsUpdate.log (svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, TiWorker.exe
  - Token: SeShutdownPrivilege, PID 752, svchost.exe (3 entries)
  - Token: SeCreatePagefilePrivilege, PID 752, svchost.exe (3 entries)
  - Token: SeSecurityPrivilege, PID 5076, TiWorker.exe (19 entries)
  - Token: SeRestorePrivilege, PID 5076, TiWorker.exe (19 entries)
  - Token: SeBackupPrivilege, PID 5076, TiWorker.exe (20 entries)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe, cmd.exe
  - PID 4272 wrote to memory of 3908: 06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe, target process MediaCenter.exe (3 entries)
  - PID 4272 wrote to memory of 2220: 06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe, target process cmd.exe (3 entries)
  - PID 2220 wrote to memory of 2072: cmd.exe, target process PING.EXE (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 4272
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 3908
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2220
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 2072
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 752
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 5076
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - MD5: 03b0907ab337a523d8cea03fd9a4a3f9
  - SHA1: c63017fe636db9a0e268353df74379e065df787f
  - SHA256: 87a2ea93a149db1ef90a5b4c5e672e526fb1f8e8ec8e07c5201831b0f7771e39
  - SHA512: a683d1abce3fc945f4e462f519652cbaa1f33b88c7b517c55fb537b3d9131d6933130eaf3ad40594bfcf67b586d1eeefa8ce7161f632cf925ef4e7b6e251eed3
- memory/752-132-0x000001B7F35A0000-0x000001B7F35B0000-memory.dmp
  - Filesize: 64KB
- memory/752-133-0x000001B7F3C20000-0x000001B7F3C30000-memory.dmp
  - Filesize: 64KB
- memory/752-134-0x000001B7F6320000-0x000001B7F6324000-memory.dmp
  - Filesize: 16KB