Analysis
- max time kernel: 129s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 11:57
Static task: static1
Behavioral task: behavioral1
- Sample: 02e97d5fb4526c7789a55e8487c7730aa6688b23bcfa142377c4e5fac337ddcc.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 02e97d5fb4526c7789a55e8487c7730aa6688b23bcfa142377c4e5fac337ddcc.exe
- Resource: win10v2004-en-20220113
General
- Target: 02e97d5fb4526c7789a55e8487c7730aa6688b23bcfa142377c4e5fac337ddcc.exe
- Size: 60KB
- MD5: a9f8ae08ae5576cab4d7ee3f87b3d3de
- SHA1: 3cf6f38285e8d303f5dfb1914b17ea309ae00e62
- SHA256: 02e97d5fb4526c7789a55e8487c7730aa6688b23bcfa142377c4e5fac337ddcc
- SHA512: 282d9ca60ef61e92440885eca9c0549f0febf24def3b6fe8a06c8e3c40bdefddef54cefe0fb4976f9a9eb197b7e25f38bb04e01d81659e23327da46dde5e6dae
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid  | process
    4992 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description       | ioc                                                                                                        | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 02e97d5fb4526c7789a55e8487c7730aa6688b23bcfa142377c4e5fac337ddcc.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description     | ioc                                                                                                                                                                               | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 02e97d5fb4526c7789a55e8487c7730aa6688b23bcfa142377c4e5fac337ddcc.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
    description                  | ioc                                                        | process
    File opened for modification | C:\Windows\Logs\CBS\CBS.log                                | TiWorker.exe
    File opened for modification | C:\Windows\WinSxS\pending.xml                              | TiWorker.exe
    File opened for modification | C:\Windows\WindowsUpdate.log                               | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk     | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log     | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb    | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm    | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log        | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    description                       | pid  | process
    Token: SeShutdownPrivilege        | 1300 | svchost.exe
    Token: SeCreatePagefilePrivilege  | 1300 | svchost.exe
    Token: SeShutdownPrivilege        | 1300 | svchost.exe
    Token: SeCreatePagefilePrivilege  | 1300 | svchost.exe
    Token: SeShutdownPrivilege        | 1300 | svchost.exe
    Token: SeCreatePagefilePrivilege  | 1300 | svchost.exe
    Token: SeIncBasePriorityPrivilege | 1280 | 02e97d5fb4526c7789a55e8487c7730aa6688b23bcfa142377c4e5fac337ddcc.exe
    Token: SeSecurityPrivilege        | 3084 | TiWorker.exe
    Token: SeRestorePrivilege         | 3084 | TiWorker.exe
    Token: SeBackupPrivilege          | 3084 | TiWorker.exe
    Token: SeBackupPrivilege          | 3084 | TiWorker.exe
    Token: SeRestorePrivilege         | 3084 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3084 | TiWorker.exe
    Token: SeBackupPrivilege          | 3084 | TiWorker.exe
    Token: SeRestorePrivilege         | 3084 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3084 | TiWorker.exe
    Token: SeBackupPrivilege          | 3084 | TiWorker.exe
    Token: SeRestorePrivilege         | 3084 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3084 | TiWorker.exe
    Token: SeBackupPrivilege          | 3084 | TiWorker.exe
    Token: SeRestorePrivilege         | 3084 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3084 | TiWorker.exe
    Token: SeBackupPrivilege          | 3084 | TiWorker.exe
    Token: SeRestorePrivilege         | 3084 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3084 | TiWorker.exe
    Token: SeBackupPrivilege          | 3084 | TiWorker.exe
    Token: SeRestorePrivilege         | 3084 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3084 | TiWorker.exe
    Token: SeBackupPrivilege          | 3084 | TiWorker.exe
    Token: SeRestorePrivilege         | 3084 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3084 | TiWorker.exe
    Token: SeBackupPrivilege          | 3084 | TiWorker.exe
    Token: SeRestorePrivilege         | 3084 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3084 | TiWorker.exe
    Token: SeBackupPrivilege          | 3084 | TiWorker.exe
    Token: SeRestorePrivilege         | 3084 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3084 | TiWorker.exe
    Token: SeBackupPrivilege          | 3084 | TiWorker.exe
    Token: SeRestorePrivilege         | 3084 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3084 | TiWorker.exe
    Token: SeBackupPrivilege          | 3084 | TiWorker.exe
    Token: SeRestorePrivilege         | 3084 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3084 | TiWorker.exe
    Token: SeBackupPrivilege          | 3084 | TiWorker.exe
    Token: SeRestorePrivilege         | 3084 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3084 | TiWorker.exe
    Token: SeBackupPrivilege          | 3084 | TiWorker.exe
    Token: SeRestorePrivilege         | 3084 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3084 | TiWorker.exe
    Token: SeBackupPrivilege          | 3084 | TiWorker.exe
    Token: SeRestorePrivilege         | 3084 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3084 | TiWorker.exe
    Token: SeBackupPrivilege          | 3084 | TiWorker.exe
    Token: SeRestorePrivilege         | 3084 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3084 | TiWorker.exe
    Token: SeBackupPrivilege          | 3084 | TiWorker.exe
    Token: SeRestorePrivilege         | 3084 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3084 | TiWorker.exe
    Token: SeBackupPrivilege          | 3084 | TiWorker.exe
    Token: SeRestorePrivilege         | 3084 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3084 | TiWorker.exe
    Token: SeBackupPrivilege          | 3084 | TiWorker.exe
    Token: SeRestorePrivilege         | 3084 | TiWorker.exe
    Token: SeSecurityPrivilege        | 3084 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                        | pid  | process                                                               | target process
    PID 1280 wrote to memory of 4992   | 1280 | 02e97d5fb4526c7789a55e8487c7730aa6688b23bcfa142377c4e5fac337ddcc.exe | MediaCenter.exe
    PID 1280 wrote to memory of 4992   | 1280 | 02e97d5fb4526c7789a55e8487c7730aa6688b23bcfa142377c4e5fac337ddcc.exe | MediaCenter.exe
    PID 1280 wrote to memory of 4992   | 1280 | 02e97d5fb4526c7789a55e8487c7730aa6688b23bcfa142377c4e5fac337ddcc.exe | MediaCenter.exe
    PID 1280 wrote to memory of 1788   | 1280 | 02e97d5fb4526c7789a55e8487c7730aa6688b23bcfa142377c4e5fac337ddcc.exe | cmd.exe
    PID 1280 wrote to memory of 1788   | 1280 | 02e97d5fb4526c7789a55e8487c7730aa6688b23bcfa142377c4e5fac337ddcc.exe | cmd.exe
    PID 1280 wrote to memory of 1788   | 1280 | 02e97d5fb4526c7789a55e8487c7730aa6688b23bcfa142377c4e5fac337ddcc.exe | cmd.exe
    PID 1788 wrote to memory of 2948   | 1788 | cmd.exe                                                               | PING.EXE
    PID 1788 wrote to memory of 2948   | 1788 | cmd.exe                                                               | PING.EXE
    PID 1788 wrote to memory of 2948   | 1788 | cmd.exe                                                               | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\02e97d5fb4526c7789a55e8487c7730aa6688b23bcfa142377c4e5fac337ddcc.exe (level 1, PID 1280)
  Command line: "C:\Users\Admin\AppData\Local\Temp\02e97d5fb4526c7789a55e8487c7730aa6688b23bcfa142377c4e5fac337ddcc.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2, PID 4992)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 1788)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\02e97d5fb4526c7789a55e8487c7730aa6688b23bcfa142377c4e5fac337ddcc.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (level 3, PID 2948)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (level 1, PID 1300)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (level 1, PID 3084)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 975bdeaa063897beada10bdd617d8f22
  SHA1: dd515be875308075531babcad880f8d8a483296c
  SHA256: d2a69a9e3de50b8b6cd6bf10645db1e24bdccb7a24f3fa20708d5fb168d5a8f5
  SHA512: 5f11b6cfa3a5b93f3ece42652d7d2e7a353d45ae4b5320995cf83ed379050634da7cc82f18a46a83347cc9024685aaad6bbdf0c2706f2408ee0a16ce1c349d53
- memory/1300-132-0x000002CF95920000-0x000002CF95930000-memory.dmp
  Filesize: 64KB
- memory/1300-133-0x000002CF95980000-0x000002CF95990000-memory.dmp
  Filesize: 64KB
- memory/1300-134-0x000002CF98050000-0x000002CF98054000-memory.dmp
  Filesize: 16KB