Analysis
- Max time kernel: 130s
- Max time network: 147s
- Platform: windows10-2004_x64
- Resource: win10v2004-en-20220113
- Submitted: 12-02-2022 10:45

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 063668e741ad440b0e2b1b3ba5107e87ea12c09a38165de5bd22c7a7455a1ddb.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 063668e741ad440b0e2b1b3ba5107e87ea12c09a38165de5bd22c7a7455a1ddb.exe
  Resource: win10v2004-en-20220113
General
- Target: 063668e741ad440b0e2b1b3ba5107e87ea12c09a38165de5bd22c7a7455a1ddb.exe
- Size: 58KB
- MD5: ac19a81a8b1aa7d0be6028c4914df6e1
- SHA1: 89e5101f3f3339d15fe3add08353533a7feb3119
- SHA256: 063668e741ad440b0e2b1b3ba5107e87ea12c09a38165de5bd22c7a7455a1ddb
- SHA512: ba0bdac01896d5d2661982507511fca172d882bf0467cc6ffa832c8cb97f9c2443d7b3b15c69aaf0d654dc556b7d95f3c1546d51e6e0a5ae674c697e59102413
Malware Config
Signatures

- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  - 4116 MediaCenter.exe

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (063668e741ad440b0e2b1b3ba5107e87ea12c09a38165de5bd22c7a7455a1ddb.exe)

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (063668e741ad440b0e2b1b3ba5107e87ea12c09a38165de5bd22c7a7455a1ddb.exe)

- Drops file in Windows directory (8 IoCs)
  Processes (description, ioc, process):
  - File opened for modification: C:\Windows\WindowsUpdate.log (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
  - File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  - File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (token, pid, process); the 64 entries repeat the following distinct combinations:
  - SeShutdownPrivilege, 4520, svchost.exe
  - SeCreatePagefilePrivilege, 4520, svchost.exe
  - SeSecurityPrivilege, 3720, TiWorker.exe
  - SeRestorePrivilege, 3720, TiWorker.exe
  - SeBackupPrivilege, 3720, TiWorker.exe
  - SeIncBasePriorityPrivilege, 3708, 063668e741ad440b0e2b1b3ba5107e87ea12c09a38165de5bd22c7a7455a1ddb.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process); each of the following is recorded three times:
  - PID 3708 wrote to memory of 4116: 063668e741ad440b0e2b1b3ba5107e87ea12c09a38165de5bd22c7a7455a1ddb.exe -> MediaCenter.exe
  - PID 3708 wrote to memory of 3168: 063668e741ad440b0e2b1b3ba5107e87ea12c09a38165de5bd22c7a7455a1ddb.exe -> cmd.exe
  - PID 3168 wrote to memory of 1080: cmd.exe -> PING.EXE
Processes

- C:\Users\Admin\AppData\Local\Temp\063668e741ad440b0e2b1b3ba5107e87ea12c09a38165de5bd22c7a7455a1ddb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\063668e741ad440b0e2b1b3ba5107e87ea12c09a38165de5bd22c7a7455a1ddb.exe"
  PID: 3708
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4116
    - Executes dropped EXE

  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\063668e741ad440b0e2b1b3ba5107e87ea12c09a38165de5bd22c7a7455a1ddb.exe"
    PID: 3168
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1080
      - Runs ping.exe

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4520
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3720
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 4e2ba5527d5c5b4db375043b2d246e76
  SHA1: 8d197055bdb7c7b806ed175550a67a426be3aef7
  SHA256: 01a5d951d669aad9afd44564b0c61f40004fd84043df0977f4551e11e7a80d44
  SHA512: da154daaae00a65a307f63ad42fdd2522bff492763d46cf1dcf7bb49a66b6a9696e54a8ad16ca25d60b16304f4e63d891f9b60e6a5801fa8379ff7b6387319b4
- memory/4520-132-0x00000245A4B90000-0x00000245A4BA0000-memory.dmp
  Filesize: 64KB
- memory/4520-133-0x00000245A5360000-0x00000245A5370000-memory.dmp
  Filesize: 64KB
- memory/4520-134-0x00000245A7F70000-0x00000245A7F74000-memory.dmp
  Filesize: 16KB