Analysis
Max time kernel: 154s
Max time network: 164s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220113
Submitted: 12-02-2022 12:00
Static task: static1
Behavioral task: behavioral1
  Sample: 02bf51dbc2dc04392cda77e869f6a155b3648047c232d6660d9de4339e6c35a9.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 02bf51dbc2dc04392cda77e869f6a155b3648047c232d6660d9de4339e6c35a9.exe
  Resource: win10v2004-en-20220113
General
Target: 02bf51dbc2dc04392cda77e869f6a155b3648047c232d6660d9de4339e6c35a9.exe
Size: 58KB
MD5: 8394a3790b749ab6b2a4e4490e08099d
SHA1: 0348178d46bae1717fae050f4c6ca006a955be67
SHA256: 02bf51dbc2dc04392cda77e869f6a155b3648047c232d6660d9de4339e6c35a9
SHA512: 708b57534333137c348648e8742884f1e2191ea5b1f70278e88bdaf738d2df42ac796038f78bc863d29b6a0794c02f6a5cfe0c4a4eb4f99af4ae10bed74f4807
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes: MediaCenter.exe
  pid | process
  376 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 02bf51dbc2dc04392cda77e869f6a155b3648047c232d6660d9de4339e6c35a9.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 02bf51dbc2dc04392cda77e869f6a155b3648047c232d6660d9de4339e6c35a9.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 02bf51dbc2dc04392cda77e869f6a155b3648047c232d6660d9de4339e6c35a9.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 02bf51dbc2dc04392cda77e869f6a155b3648047c232d6660d9de4339e6c35a9.exe
Drops file in Windows directory (8 IoCs)
Processes: svchost.exe, TiWorker.exe
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: svchost.exe, 02bf51dbc2dc04392cda77e869f6a155b3648047c232d6660d9de4339e6c35a9.exe, TiWorker.exe
  description | pid | process
  Token: SeShutdownPrivilege | 3740 | svchost.exe
  Token: SeCreatePagefilePrivilege | 3740 | svchost.exe
  Token: SeShutdownPrivilege | 3740 | svchost.exe
  Token: SeCreatePagefilePrivilege | 3740 | svchost.exe
  Token: SeShutdownPrivilege | 3740 | svchost.exe
  Token: SeCreatePagefilePrivilege | 3740 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 4060 | 02bf51dbc2dc04392cda77e869f6a155b3648047c232d6660d9de4339e6c35a9.exe
  Token: SeSecurityPrivilege | 4656 | TiWorker.exe
  Token: SeRestorePrivilege | 4656 | TiWorker.exe
  Token: SeBackupPrivilege | 4656 | TiWorker.exe
  Token: SeBackupPrivilege | 4656 | TiWorker.exe
  Token: SeRestorePrivilege | 4656 | TiWorker.exe
  Token: SeSecurityPrivilege | 4656 | TiWorker.exe
  Token: SeBackupPrivilege | 4656 | TiWorker.exe
  Token: SeRestorePrivilege | 4656 | TiWorker.exe
  Token: SeSecurityPrivilege | 4656 | TiWorker.exe
  Token: SeBackupPrivilege | 4656 | TiWorker.exe
  Token: SeRestorePrivilege | 4656 | TiWorker.exe
  Token: SeSecurityPrivilege | 4656 | TiWorker.exe
  Token: SeBackupPrivilege | 4656 | TiWorker.exe
  Token: SeRestorePrivilege | 4656 | TiWorker.exe
  Token: SeSecurityPrivilege | 4656 | TiWorker.exe
  Token: SeBackupPrivilege | 4656 | TiWorker.exe
  Token: SeRestorePrivilege | 4656 | TiWorker.exe
  Token: SeSecurityPrivilege | 4656 | TiWorker.exe
  Token: SeBackupPrivilege | 4656 | TiWorker.exe
  Token: SeRestorePrivilege | 4656 | TiWorker.exe
  Token: SeSecurityPrivilege | 4656 | TiWorker.exe
  Token: SeBackupPrivilege | 4656 | TiWorker.exe
  Token: SeRestorePrivilege | 4656 | TiWorker.exe
  Token: SeSecurityPrivilege | 4656 | TiWorker.exe
  Token: SeBackupPrivilege | 4656 | TiWorker.exe
  Token: SeRestorePrivilege | 4656 | TiWorker.exe
  Token: SeSecurityPrivilege | 4656 | TiWorker.exe
  Token: SeBackupPrivilege | 4656 | TiWorker.exe
  Token: SeRestorePrivilege | 4656 | TiWorker.exe
  Token: SeSecurityPrivilege | 4656 | TiWorker.exe
  Token: SeBackupPrivilege | 4656 | TiWorker.exe
  Token: SeRestorePrivilege | 4656 | TiWorker.exe
  Token: SeSecurityPrivilege | 4656 | TiWorker.exe
  Token: SeBackupPrivilege | 4656 | TiWorker.exe
  Token: SeRestorePrivilege | 4656 | TiWorker.exe
  Token: SeSecurityPrivilege | 4656 | TiWorker.exe
  Token: SeBackupPrivilege | 4656 | TiWorker.exe
  Token: SeRestorePrivilege | 4656 | TiWorker.exe
  Token: SeSecurityPrivilege | 4656 | TiWorker.exe
  Token: SeBackupPrivilege | 4656 | TiWorker.exe
  Token: SeRestorePrivilege | 4656 | TiWorker.exe
  Token: SeSecurityPrivilege | 4656 | TiWorker.exe
  Token: SeBackupPrivilege | 4656 | TiWorker.exe
  Token: SeRestorePrivilege | 4656 | TiWorker.exe
  Token: SeSecurityPrivilege | 4656 | TiWorker.exe
  Token: SeBackupPrivilege | 4656 | TiWorker.exe
  Token: SeRestorePrivilege | 4656 | TiWorker.exe
  Token: SeSecurityPrivilege | 4656 | TiWorker.exe
  Token: SeBackupPrivilege | 4656 | TiWorker.exe
  Token: SeRestorePrivilege | 4656 | TiWorker.exe
  Token: SeSecurityPrivilege | 4656 | TiWorker.exe
  Token: SeBackupPrivilege | 4656 | TiWorker.exe
  Token: SeRestorePrivilege | 4656 | TiWorker.exe
  Token: SeSecurityPrivilege | 4656 | TiWorker.exe
  Token: SeBackupPrivilege | 4656 | TiWorker.exe
  Token: SeRestorePrivilege | 4656 | TiWorker.exe
  Token: SeSecurityPrivilege | 4656 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 02bf51dbc2dc04392cda77e869f6a155b3648047c232d6660d9de4339e6c35a9.exe, cmd.exe
  description | pid | process | target process
  PID 4060 wrote to memory of 376 | 4060 | 02bf51dbc2dc04392cda77e869f6a155b3648047c232d6660d9de4339e6c35a9.exe | MediaCenter.exe
  PID 4060 wrote to memory of 376 | 4060 | 02bf51dbc2dc04392cda77e869f6a155b3648047c232d6660d9de4339e6c35a9.exe | MediaCenter.exe
  PID 4060 wrote to memory of 376 | 4060 | 02bf51dbc2dc04392cda77e869f6a155b3648047c232d6660d9de4339e6c35a9.exe | MediaCenter.exe
  PID 4060 wrote to memory of 4612 | 4060 | 02bf51dbc2dc04392cda77e869f6a155b3648047c232d6660d9de4339e6c35a9.exe | cmd.exe
  PID 4060 wrote to memory of 4612 | 4060 | 02bf51dbc2dc04392cda77e869f6a155b3648047c232d6660d9de4339e6c35a9.exe | cmd.exe
  PID 4060 wrote to memory of 4612 | 4060 | 02bf51dbc2dc04392cda77e869f6a155b3648047c232d6660d9de4339e6c35a9.exe | cmd.exe
  PID 4612 wrote to memory of 4008 | 4612 | cmd.exe | PING.EXE
  PID 4612 wrote to memory of 4008 | 4612 | cmd.exe | PING.EXE
  PID 4612 wrote to memory of 4008 | 4612 | cmd.exe | PING.EXE
Processes
(indentation shows the process tree; the number is the depth reported by the sandbox)
1  C:\Users\Admin\AppData\Local\Temp\02bf51dbc2dc04392cda77e869f6a155b3648047c232d6660d9de4339e6c35a9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\02bf51dbc2dc04392cda77e869f6a155b3648047c232d6660d9de4339e6c35a9.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 4060
   2  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 376
   2  C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\02bf51dbc2dc04392cda77e869f6a155b3648047c232d6660d9de4339e6c35a9.exe"
      - Suspicious use of WriteProcessMemory
      PID: 4612
      3  C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 4008
1  C:\Windows\system32\svchost.exe
   Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   PID: 3740
1  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
   Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   PID: 4656
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 8d40509bcd4efa6b5ba7f28dca67a6bb
  SHA1: 57a1161744a695b15fd86a8d52f6c128b2388eec
  SHA256: 133e4dbeb5e5d7e3c320edcd202654fb31d464918f1120e12079100aa7ef13cd
  SHA512: ca7bfb153462e3ddeba21576e6a9158fdccca28ade587dd99877f0630a6b71b50ea3ab548b3215a6ace073696b0f7ec3c9205c5efbf5c1168f1a54f20b284fe7
memory/3740-132-0x0000016D56D70000-0x0000016D56D80000-memory.dmp
  Filesize: 64KB
memory/3740-133-0x0000016D57320000-0x0000016D57330000-memory.dmp
  Filesize: 64KB
memory/3740-134-0x0000016D599F0000-0x0000016D599F4000-memory.dmp
  Filesize: 16KB