Analysis

Max time kernel:  154s
Max time network: 163s
Platform:         windows10-2004_x64
Resource:         win10v2004-en-20220113
Submitted:        12-02-2022 10:51
Static task: static1

Behavioral task: behavioral1
  Sample:   05fb07f5e1e3f20c1a6b656efa2e3108d32c55ed1398e778bc628d260a0754bf.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample:   05fb07f5e1e3f20c1a6b656efa2e3108d32c55ed1398e778bc628d260a0754bf.exe
  Resource: win10v2004-en-20220113
General

Target: 05fb07f5e1e3f20c1a6b656efa2e3108d32c55ed1398e778bc628d260a0754bf.exe
Size:   36KB
MD5:    5da558d17a8f6698bfc4ed264d5806e1
SHA1:   618577ed1a0f663a8aa7d88178f983919d85c7f5
SHA256: 05fb07f5e1e3f20c1a6b656efa2e3108d32c55ed1398e778bc628d260a0754bf
SHA512: 502f3b65452c3a96e3a9aaa8727c9f10c227d21881111717fee17a588c50a1c526a0182a7b7760f8e3efbc57363ec04e12e6b3b2539e4da0106637a5c00be977
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
  pid   process
  1728  MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                              process
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  05fb07f5e1e3f20c1a6b656efa2e3108d32c55ed1398e778bc628d260a0754bf.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description      ioc                                                                                                                                                                process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  05fb07f5e1e3f20c1a6b656efa2e3108d32c55ed1398e778bc628d260a0754bf.exe
Drops file in Windows directory (8 IoCs)
Processes:
  description                   ioc                                                      process
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log   svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log      svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log                              TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml                            TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log                             svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk   svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  token                       pid   process
  SeShutdownPrivilege         2172  svchost.exe
  SeCreatePagefilePrivilege   2172  svchost.exe
  SeShutdownPrivilege         2172  svchost.exe
  SeCreatePagefilePrivilege   2172  svchost.exe
  SeShutdownPrivilege         2172  svchost.exe
  SeCreatePagefilePrivilege   2172  svchost.exe
  SeIncBasePriorityPrivilege  4656  05fb07f5e1e3f20c1a6b656efa2e3108d32c55ed1398e778bc628d260a0754bf.exe
  SeSecurityPrivilege         3192  TiWorker.exe
  SeRestorePrivilege          3192  TiWorker.exe
  SeBackupPrivilege           3192  TiWorker.exe
  SeBackupPrivilege           3192  TiWorker.exe
  SeRestorePrivilege          3192  TiWorker.exe
  SeSecurityPrivilege         3192  TiWorker.exe
  SeBackupPrivilege           3192  TiWorker.exe
  SeRestorePrivilege          3192  TiWorker.exe
  SeSecurityPrivilege         3192  TiWorker.exe
  SeBackupPrivilege           3192  TiWorker.exe
  SeRestorePrivilege          3192  TiWorker.exe
  SeSecurityPrivilege         3192  TiWorker.exe
  SeBackupPrivilege           3192  TiWorker.exe
  SeRestorePrivilege          3192  TiWorker.exe
  SeSecurityPrivilege         3192  TiWorker.exe
  SeBackupPrivilege           3192  TiWorker.exe
  SeRestorePrivilege          3192  TiWorker.exe
  SeSecurityPrivilege         3192  TiWorker.exe
  SeBackupPrivilege           3192  TiWorker.exe
  SeRestorePrivilege          3192  TiWorker.exe
  SeSecurityPrivilege         3192  TiWorker.exe
  SeBackupPrivilege           3192  TiWorker.exe
  SeRestorePrivilege          3192  TiWorker.exe
  SeSecurityPrivilege         3192  TiWorker.exe
  SeBackupPrivilege           3192  TiWorker.exe
  SeRestorePrivilege          3192  TiWorker.exe
  SeSecurityPrivilege         3192  TiWorker.exe
  SeBackupPrivilege           3192  TiWorker.exe
  SeRestorePrivilege          3192  TiWorker.exe
  SeSecurityPrivilege         3192  TiWorker.exe
  SeBackupPrivilege           3192  TiWorker.exe
  SeRestorePrivilege          3192  TiWorker.exe
  SeSecurityPrivilege         3192  TiWorker.exe
  SeBackupPrivilege           3192  TiWorker.exe
  SeRestorePrivilege          3192  TiWorker.exe
  SeSecurityPrivilege         3192  TiWorker.exe
  SeBackupPrivilege           3192  TiWorker.exe
  SeRestorePrivilege          3192  TiWorker.exe
  SeSecurityPrivilege         3192  TiWorker.exe
  SeBackupPrivilege           3192  TiWorker.exe
  SeRestorePrivilege          3192  TiWorker.exe
  SeSecurityPrivilege         3192  TiWorker.exe
  SeBackupPrivilege           3192  TiWorker.exe
  SeRestorePrivilege          3192  TiWorker.exe
  SeSecurityPrivilege         3192  TiWorker.exe
  SeBackupPrivilege           3192  TiWorker.exe
  SeRestorePrivilege          3192  TiWorker.exe
  SeSecurityPrivilege         3192  TiWorker.exe
  SeBackupPrivilege           3192  TiWorker.exe
  SeRestorePrivilege          3192  TiWorker.exe
  SeSecurityPrivilege         3192  TiWorker.exe
  SeBackupPrivilege           3192  TiWorker.exe
  SeRestorePrivilege          3192  TiWorker.exe
  SeSecurityPrivilege         3192  TiWorker.exe
  SeBackupPrivilege           3192  TiWorker.exe
  SeRestorePrivilege          3192  TiWorker.exe
  SeSecurityPrivilege         3192  TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                  pid   process                                                                target process
  PID 4656 wrote to memory of 1728  4656  05fb07f5e1e3f20c1a6b656efa2e3108d32c55ed1398e778bc628d260a0754bf.exe  MediaCenter.exe
  PID 4656 wrote to memory of 1728  4656  05fb07f5e1e3f20c1a6b656efa2e3108d32c55ed1398e778bc628d260a0754bf.exe  MediaCenter.exe
  PID 4656 wrote to memory of 1728  4656  05fb07f5e1e3f20c1a6b656efa2e3108d32c55ed1398e778bc628d260a0754bf.exe  MediaCenter.exe
  PID 4656 wrote to memory of 1872  4656  05fb07f5e1e3f20c1a6b656efa2e3108d32c55ed1398e778bc628d260a0754bf.exe  cmd.exe
  PID 4656 wrote to memory of 1872  4656  05fb07f5e1e3f20c1a6b656efa2e3108d32c55ed1398e778bc628d260a0754bf.exe  cmd.exe
  PID 4656 wrote to memory of 1872  4656  05fb07f5e1e3f20c1a6b656efa2e3108d32c55ed1398e778bc628d260a0754bf.exe  cmd.exe
  PID 1872 wrote to memory of 5072  1872  cmd.exe                                                                PING.EXE
  PID 1872 wrote to memory of 5072  1872  cmd.exe                                                                PING.EXE
  PID 1872 wrote to memory of 5072  1872  cmd.exe                                                                PING.EXE
Processes
(indentation shows the parent/child relationship; each entry lists image path, command line, PID and triggered signatures)

C:\Users\Admin\AppData\Local\Temp\05fb07f5e1e3f20c1a6b656efa2e3108d32c55ed1398e778bc628d260a0754bf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\05fb07f5e1e3f20c1a6b656efa2e3108d32c55ed1398e778bc628d260a0754bf.exe"
  PID: 4656
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1728
      - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\05fb07f5e1e3f20c1a6b656efa2e3108d32c55ed1398e778bc628d260a0754bf.exe"
      PID: 1872
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          PID: 5072
          - Runs ping.exe

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 2172
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3192
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5:    31f4d62f8dfa76b6f08af9906704ca79
  SHA1:   f9075003d315b50bfe471d5ebbb2ca52b5379aa7
  SHA256: bad0ca309ad0ad236ff588d5db05738585f7a8718dbf75a998819a6fa258413c
  SHA512: 69d8da4212ca77125d23b0d2e3c85119170c4908c7877b1bd80a2c17f7e9440c8d8c0e50d6d1a8334f498ff7d83a863a9943de271a62b61800cbb049646caed1
memory/2172-132-0x0000016F27920000-0x0000016F27930000-memory.dmp
  Filesize: 64KB

memory/2172-133-0x0000016F27980000-0x0000016F27990000-memory.dmp
  Filesize: 64KB

memory/2172-134-0x0000016F2A030000-0x0000016F2A034000-memory.dmp
  Filesize: 16KB