Analysis
max time kernel: 133s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 10:49
Static task: static1
Behavioral task: behavioral1
Sample: 060a70c364f54b43c8227cd6fe6474f8d37e55c174057da82f81c2e6748bac2a.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 060a70c364f54b43c8227cd6fe6474f8d37e55c174057da82f81c2e6748bac2a.exe
Resource: win10v2004-en-20220113
General
Target: 060a70c364f54b43c8227cd6fe6474f8d37e55c174057da82f81c2e6748bac2a.exe
Size: 36KB
MD5: 069be2a2de10eeb2e668062fd079cb77
SHA1: 47ef673a9c6dc1bf453e06215052385c591d4db1
SHA256: 060a70c364f54b43c8227cd6fe6474f8d37e55c174057da82f81c2e6748bac2a
SHA512: 2077b4467f450aaf7ca7e87659295c5e3ab2c15ce8b49e58800b3167bbf6f94412bbbc45a0caada71c7b187bc79c48349935cada7ba0445d50ee419e2f7d6b48
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe, PID 3912
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (process: 060a70c364f54b43c8227cd6fe6474f8d37e55c174057da82f81c2e6748bac2a.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (process: 060a70c364f54b43c8227cd6fe6474f8d37e55c174057da82f81c2e6748bac2a.exe)
- Drops file in Windows directory (8 IoCs)
  File opened for modification:
  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
  C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  C:\Windows\WindowsUpdate.log (svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token adjustments, grouped by process:
  svchost.exe (PID 208): SeShutdownPrivilege, SeCreatePagefilePrivilege (each three times)
  060a70c364f54b43c8227cd6fe6474f8d37e55c174057da82f81c2e6748bac2a.exe (PID 4952): SeIncBasePriorityPrivilege
  TiWorker.exe (PID 2756): SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege (repeated in rotation for the remaining IoCs)
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4952 (060a70c364f54b43c8227cd6fe6474f8d37e55c174057da82f81c2e6748bac2a.exe) wrote to memory of PID 3912 (MediaCenter.exe), three times
  PID 4952 (060a70c364f54b43c8227cd6fe6474f8d37e55c174057da82f81c2e6748bac2a.exe) wrote to memory of PID 3592 (cmd.exe), three times
  PID 3592 (cmd.exe) wrote to memory of PID 3112 (PING.EXE), three times
Processes
C:\Users\Admin\AppData\Local\Temp\060a70c364f54b43c8227cd6fe6474f8d37e55c174057da82f81c2e6748bac2a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\060a70c364f54b43c8227cd6fe6474f8d37e55c174057da82f81c2e6748bac2a.exe"
  PID: 4952
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 3912
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\060a70c364f54b43c8227cd6fe6474f8d37e55c174057da82f81c2e6748bac2a.exe"
      PID: 3592
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          PID: 3112
          - Runs ping.exe
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 208
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 2756
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5: 16f70941b45f06fe631308be38bbaa84
SHA1: 1c128d80fec339692df4f589c9ea07206d9dc709
SHA256: ead2d0026dbae4df29ed8c2a5776fe5f39241f294ac2da9d3ff99f33742f7ad2
SHA512: 94ed47d281432e05b07fa18ceef9d3f313acc7b2dc043c33d0340d776f156a6d0cd9c21e871f517b2db28621ae44ece1204b232d48887d2ad139205ded2c9731
memory/208-132-0x0000025C0BF80000-0x0000025C0BF90000-memory.dmp: Filesize 64KB
memory/208-133-0x0000025C0C520000-0x0000025C0C530000-memory.dmp: Filesize 64KB
memory/208-134-0x0000025C0EC00000-0x0000025C0EC04000-memory.dmp: Filesize 16KB