Analysis
- max time kernel: 158s
- max time network: 171s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 10:44
Static task: static1
Behavioral task: behavioral1
- Sample: 0638cd4467b5eca93fda715b0654e74c69fe6d14d7396e7577cc7a1019e2140f.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0638cd4467b5eca93fda715b0654e74c69fe6d14d7396e7577cc7a1019e2140f.exe
- Resource: win10v2004-en-20220113
General
- Target: 0638cd4467b5eca93fda715b0654e74c69fe6d14d7396e7577cc7a1019e2140f.exe
- Size: 60KB
- MD5: 97264b205f9e83b00453ef196e3f9f7a
- SHA1: 7ce3f01a3e64856c6a73a96946934aea0ae3719f
- SHA256: 0638cd4467b5eca93fda715b0654e74c69fe6d14d7396e7577cc7a1019e2140f
- SHA512: 24d3520da072c21bd8f9bacf20a674ed17d0de20bfe4653f67a9cd8ca4059738a67b1ec4a69c0d46bb4e20391abf42a34e47e0e59d61c3915cc2d7272268e32b
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    2768 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0638cd4467b5eca93fda715b0654e74c69fe6d14d7396e7577cc7a1019e2140f.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0638cd4467b5eca93fda715b0654e74c69fe6d14d7396e7577cc7a1019e2140f.exe
- Drops file in Windows directory (8 IoCs)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
    File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
    File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (pid | process | token privilege | count), the 64 listed token adjustments aggregated by process and privilege:
    2244 | 0638cd4467b5eca93fda715b0654e74c69fe6d14d7396e7577cc7a1019e2140f.exe | SeIncBasePriorityPrivilege | 1
    3844 | svchost.exe | SeShutdownPrivilege | 3
    3844 | svchost.exe | SeCreatePagefilePrivilege | 3
    492 | TiWorker.exe | SeSecurityPrivilege | 19
    492 | TiWorker.exe | SeRestorePrivilege | 19
    492 | TiWorker.exe | SeBackupPrivilege | 19
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (pid | process | target pid | target process | count), the 9 listed writes aggregated by source and target:
    2244 | 0638cd4467b5eca93fda715b0654e74c69fe6d14d7396e7577cc7a1019e2140f.exe | 2768 | MediaCenter.exe | 3
    2244 | 0638cd4467b5eca93fda715b0654e74c69fe6d14d7396e7577cc7a1019e2140f.exe | 208 | cmd.exe | 3
    208 | cmd.exe | 448 | PING.EXE | 3
Processes
- C:\Users\Admin\AppData\Local\Temp\0638cd4467b5eca93fda715b0654e74c69fe6d14d7396e7577cc7a1019e2140f.exe (PID 2244)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0638cd4467b5eca93fda715b0654e74c69fe6d14d7396e7577cc7a1019e2140f.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 2768)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 208)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0638cd4467b5eca93fda715b0654e74c69fe6d14d7396e7577cc7a1019e2140f.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 448)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 3844)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 492)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: d9ce7f398b16133bc143ce51dd1c0a97
  SHA1: e5384ece46fdb5aa9c1d643afc726c80fece129a
  SHA256: 33e8c0d47a683d1484cbe9563332892e825439f385c25e1e7a86dd994b5511e1
  SHA512: 95141996fb412cb23a4ebd274ba16151c51a9d7f033f30d1202b630ddf7914d730eb25d1773f5e924f51ceb324a7be2c20678095a564c2b538c000ea6073c0e7
- memory/3844-132-0x00000209D7760000-0x00000209D7770000-memory.dmp
  Filesize: 64KB
- memory/3844-133-0x00000209D7D20000-0x00000209D7D30000-memory.dmp
  Filesize: 64KB
- memory/3844-134-0x00000209DA3D0000-0x00000209DA3D4000-memory.dmp
  Filesize: 16KB