Analysis
- max time kernel: 132s
- max time network: 177s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 10:40
Static task: static1
Behavioral task: behavioral1
  Sample: 06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe
  Resource: win10v2004-en-20220113
General
- Target: 06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe
- Size: 36KB
- MD5: 48a1a958c1b63834a424884c733859ca
- SHA1: c473b0c37a80da99a6d5636d819fa41a7f6ec4da
- SHA256: 06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f
- SHA512: 477646efd64e6d53173f620e429eb5291289ff1d8431cd474dd9b9e876d8a29deba1b2fe6e2dc7941bb69657dfc1726edb1790cdf22404aad9488a9e68cfd44a
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
  pid | process
  3740 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, TiWorker.exe, 06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe
  description | pid | process | occurrences
  Token: SeShutdownPrivilege | 2432 | svchost.exe | 3 (alternating with the next row)
  Token: SeCreatePagefilePrivilege | 2432 | svchost.exe | 3
  Token: SeSecurityPrivilege | 3780 | TiWorker.exe | 1
  Token: SeRestorePrivilege | 3780 | TiWorker.exe | 1
  Token: SeBackupPrivilege | 3780 | TiWorker.exe | 1
  Token: SeIncBasePriorityPrivilege | 1672 | 06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe | 1
  Token: SeBackupPrivilege | 3780 | TiWorker.exe | 18 (repeating in this order with the next two rows)
  Token: SeRestorePrivilege | 3780 | TiWorker.exe | 18
  Token: SeSecurityPrivilege | 3780 | TiWorker.exe | 18
  (6 + 3 + 1 + 54 = 64 rows in the original listing)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe, cmd.exe
  description | pid | process | target process | occurrences
  PID 1672 wrote to memory of 3740 | 1672 | 06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe | MediaCenter.exe | 3
  PID 1672 wrote to memory of 2448 | 1672 | 06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe | cmd.exe | 3
  PID 2448 wrote to memory of 2148 | 2448 | cmd.exe | PING.EXE | 3
Processes
- C:\Users\Admin\AppData\Local\Temp\06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe (PID 1672)
  Command line: "C:\Users\Admin\AppData\Local\Temp\06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 3740)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 2448)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 2148)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 2432)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 3780)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 3fa0b5a2b719567fd87ca244ec0d05d9
  SHA1: ffe0e873d02237af37b6ff851fdcd89ed38677cb
  SHA256: 06bcb4c2a2e4409dee36bdb0fa69180a43841bf304128d91845fcad27971ce6e
  SHA512: 96a9eb8490e262acc76e1e1def02a39b09d011fc88f810537b7d49a6afe7519f92d7e50ff9e30e6cf57d1d1d3915457f16f9b02fc315e55fa2542123e4332ade
- memory/2432-133-0x000001AEBDB80000-0x000001AEBDB90000-memory.dmp
  Filesize: 64KB
- memory/2432-132-0x000001AEBDB20000-0x000001AEBDB30000-memory.dmp
  Filesize: 64KB
- memory/2432-134-0x000001AEC0230000-0x000001AEC0234000-memory.dmp
  Filesize: 16KB