Analysis

max time kernel: 161s
max time network: 175s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 10:39
Static task: static1

Behavioral task: behavioral1
  Sample: 0687a9b1621d25ccbc2be2069f14227bbd66a4cb79f3b06cdd41d55b6abb3596.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 0687a9b1621d25ccbc2be2069f14227bbd66a4cb79f3b06cdd41d55b6abb3596.exe
  Resource: win10v2004-en-20220113
General

Target: 0687a9b1621d25ccbc2be2069f14227bbd66a4cb79f3b06cdd41d55b6abb3596.exe
Size: 36KB
MD5: 19dbe8da37bbb8afac6a2fd326ff3297
SHA1: e6244422824902584a12a39cca56038ffd865b8e
SHA256: 0687a9b1621d25ccbc2be2069f14227bbd66a4cb79f3b06cdd41d55b6abb3596
SHA512: 17f2f63daea2755ccd8206dfcf8cfea16fc8d0556593af1d356193596795b6bd56bb4cc010e1000d1a078ca97a7630cfd802287e581d7eafc887fab331a163d1
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
    pid | process
    1928 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 0687a9b1621d25ccbc2be2069f14227bbd66a4cb79f3b06cdd41d55b6abb3596.exe
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0687a9b1621d25ccbc2be2069f14227bbd66a4cb79f3b06cdd41d55b6abb3596.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 0687a9b1621d25ccbc2be2069f14227bbd66a4cb79f3b06cdd41d55b6abb3596.exe
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0687a9b1621d25ccbc2be2069f14227bbd66a4cb79f3b06cdd41d55b6abb3596.exe
Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
    description | ioc | process
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
    File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
    File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
    File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, 0687a9b1621d25ccbc2be2069f14227bbd66a4cb79f3b06cdd41d55b6abb3596.exe, TiWorker.exe
    description | pid | process
    Token: SeShutdownPrivilege | 2724 | svchost.exe
    Token: SeCreatePagefilePrivilege | 2724 | svchost.exe
    Token: SeShutdownPrivilege | 2724 | svchost.exe
    Token: SeCreatePagefilePrivilege | 2724 | svchost.exe
    Token: SeShutdownPrivilege | 2724 | svchost.exe
    Token: SeCreatePagefilePrivilege | 2724 | svchost.exe
    Token: SeIncBasePriorityPrivilege | 1640 | 0687a9b1621d25ccbc2be2069f14227bbd66a4cb79f3b06cdd41d55b6abb3596.exe
    Token: SeSecurityPrivilege | 2884 | TiWorker.exe
    Token: SeRestorePrivilege | 2884 | TiWorker.exe
    Token: SeBackupPrivilege | 2884 | TiWorker.exe
    Token: SeBackupPrivilege | 2884 | TiWorker.exe
    Token: SeRestorePrivilege | 2884 | TiWorker.exe
    Token: SeSecurityPrivilege | 2884 | TiWorker.exe
    Token: SeBackupPrivilege | 2884 | TiWorker.exe
    Token: SeRestorePrivilege | 2884 | TiWorker.exe
    Token: SeSecurityPrivilege | 2884 | TiWorker.exe
    Token: SeBackupPrivilege | 2884 | TiWorker.exe
    Token: SeRestorePrivilege | 2884 | TiWorker.exe
    Token: SeSecurityPrivilege | 2884 | TiWorker.exe
    Token: SeBackupPrivilege | 2884 | TiWorker.exe
    Token: SeRestorePrivilege | 2884 | TiWorker.exe
    Token: SeSecurityPrivilege | 2884 | TiWorker.exe
    Token: SeBackupPrivilege | 2884 | TiWorker.exe
    Token: SeRestorePrivilege | 2884 | TiWorker.exe
    Token: SeSecurityPrivilege | 2884 | TiWorker.exe
    Token: SeBackupPrivilege | 2884 | TiWorker.exe
    Token: SeRestorePrivilege | 2884 | TiWorker.exe
    Token: SeSecurityPrivilege | 2884 | TiWorker.exe
    Token: SeBackupPrivilege | 2884 | TiWorker.exe
    Token: SeRestorePrivilege | 2884 | TiWorker.exe
    Token: SeSecurityPrivilege | 2884 | TiWorker.exe
    Token: SeBackupPrivilege | 2884 | TiWorker.exe
    Token: SeRestorePrivilege | 2884 | TiWorker.exe
    Token: SeSecurityPrivilege | 2884 | TiWorker.exe
    Token: SeBackupPrivilege | 2884 | TiWorker.exe
    Token: SeRestorePrivilege | 2884 | TiWorker.exe
    Token: SeSecurityPrivilege | 2884 | TiWorker.exe
    Token: SeBackupPrivilege | 2884 | TiWorker.exe
    Token: SeRestorePrivilege | 2884 | TiWorker.exe
    Token: SeSecurityPrivilege | 2884 | TiWorker.exe
    Token: SeBackupPrivilege | 2884 | TiWorker.exe
    Token: SeRestorePrivilege | 2884 | TiWorker.exe
    Token: SeSecurityPrivilege | 2884 | TiWorker.exe
    Token: SeBackupPrivilege | 2884 | TiWorker.exe
    Token: SeRestorePrivilege | 2884 | TiWorker.exe
    Token: SeSecurityPrivilege | 2884 | TiWorker.exe
    Token: SeBackupPrivilege | 2884 | TiWorker.exe
    Token: SeRestorePrivilege | 2884 | TiWorker.exe
    Token: SeSecurityPrivilege | 2884 | TiWorker.exe
    Token: SeBackupPrivilege | 2884 | TiWorker.exe
    Token: SeRestorePrivilege | 2884 | TiWorker.exe
    Token: SeSecurityPrivilege | 2884 | TiWorker.exe
    Token: SeBackupPrivilege | 2884 | TiWorker.exe
    Token: SeRestorePrivilege | 2884 | TiWorker.exe
    Token: SeSecurityPrivilege | 2884 | TiWorker.exe
    Token: SeBackupPrivilege | 2884 | TiWorker.exe
    Token: SeRestorePrivilege | 2884 | TiWorker.exe
    Token: SeSecurityPrivilege | 2884 | TiWorker.exe
    Token: SeBackupPrivilege | 2884 | TiWorker.exe
    Token: SeRestorePrivilege | 2884 | TiWorker.exe
    Token: SeSecurityPrivilege | 2884 | TiWorker.exe
    Token: SeBackupPrivilege | 2884 | TiWorker.exe
    Token: SeRestorePrivilege | 2884 | TiWorker.exe
    Token: SeSecurityPrivilege | 2884 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 0687a9b1621d25ccbc2be2069f14227bbd66a4cb79f3b06cdd41d55b6abb3596.exe, cmd.exe
    description | pid | process | target process
    PID 1640 wrote to memory of 1928 | 1640 | 0687a9b1621d25ccbc2be2069f14227bbd66a4cb79f3b06cdd41d55b6abb3596.exe | MediaCenter.exe
    PID 1640 wrote to memory of 1928 | 1640 | 0687a9b1621d25ccbc2be2069f14227bbd66a4cb79f3b06cdd41d55b6abb3596.exe | MediaCenter.exe
    PID 1640 wrote to memory of 1928 | 1640 | 0687a9b1621d25ccbc2be2069f14227bbd66a4cb79f3b06cdd41d55b6abb3596.exe | MediaCenter.exe
    PID 1640 wrote to memory of 4348 | 1640 | 0687a9b1621d25ccbc2be2069f14227bbd66a4cb79f3b06cdd41d55b6abb3596.exe | cmd.exe
    PID 1640 wrote to memory of 4348 | 1640 | 0687a9b1621d25ccbc2be2069f14227bbd66a4cb79f3b06cdd41d55b6abb3596.exe | cmd.exe
    PID 1640 wrote to memory of 4348 | 1640 | 0687a9b1621d25ccbc2be2069f14227bbd66a4cb79f3b06cdd41d55b6abb3596.exe | cmd.exe
    PID 4348 wrote to memory of 1148 | 4348 | cmd.exe | PING.EXE
    PID 4348 wrote to memory of 1148 | 4348 | cmd.exe | PING.EXE
    PID 4348 wrote to memory of 1148 | 4348 | cmd.exe | PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\0687a9b1621d25ccbc2be2069f14227bbd66a4cb79f3b06cdd41d55b6abb3596.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0687a9b1621d25ccbc2be2069f14227bbd66a4cb79f3b06cdd41d55b6abb3596.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1640

    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1928

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0687a9b1621d25ccbc2be2069f14227bbd66a4cb79f3b06cdd41d55b6abb3596.exe"
      - Suspicious use of WriteProcessMemory
      PID: 4348

        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          - Runs ping.exe
          PID: 1148

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2724

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2884
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: bf06b72e27f18f59743dae2d0981edc1
  SHA1: 3bff2ec44a5c93eff46761d3a43fb70d6c64cc8f
  SHA256: 6e6d4c34fb0305b0b660be8975588652071f0b815da16ab0a9ffcc1eebaa76fc
  SHA512: d42a5249321207a2e100f774fef3b8ee8da1f0c0e91ee4c2fffecf50a0d6e4c56f8d2eadd341334d505ac0d39691a11f7eb6dd0e48ed9d60c3d6011cb68db1aa

memory/2724-133-0x000002D8B77A0000-0x000002D8B77B0000-memory.dmp
  Filesize: 64KB

memory/2724-132-0x000002D8B7740000-0x000002D8B7750000-memory.dmp
  Filesize: 64KB

memory/2724-134-0x000002D8BA4C0000-0x000002D8BA4C4000-memory.dmp
  Filesize: 16KB