Analysis
- max time kernel: 136s
- max time network: 175s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 12:03
Static task: static1
Behavioral task: behavioral1
  Sample: 0296a1ea199b5ff80664e40a81b48ac6afad9f32ffa22a5f7088c41c1439dcab.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0296a1ea199b5ff80664e40a81b48ac6afad9f32ffa22a5f7088c41c1439dcab.exe
  Resource: win10v2004-en-20220113
General
- Target: 0296a1ea199b5ff80664e40a81b48ac6afad9f32ffa22a5f7088c41c1439dcab.exe
- Size: 36KB
- MD5: 3a8ed48212ec6bf524e2d0150e78c603
- SHA1: 573f3ba0ab0593ba073b467c3feefd240b15726e
- SHA256: 0296a1ea199b5ff80664e40a81b48ac6afad9f32ffa22a5f7088c41c1439dcab
- SHA512: cca0559d9b1221eeaf34daabe97d906c6732febb2b07bd432a3d2c59fa781711126e6f6a0f2badea4b34ab0a164fd09473814bcbc345d1ebe9564aff59e8f346
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 1340  MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  by 0296a1ea199b5ff80664e40a81b48ac6afad9f32ffa22a5f7088c41c1439dcab.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  by 0296a1ea199b5ff80664e40a81b48ac6afad9f32ffa22a5f7088c41c1439dcab.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
    File opened for modification  C:\Windows\Logs\CBS\CBS.log  TiWorker.exe
    File opened for modification  C:\Windows\WinSxS\pending.xml  TiWorker.exe
    File opened for modification  C:\Windows\WindowsUpdate.log  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log  svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (token adjustments, in the order recorded):
    Token: SeShutdownPrivilege  pid 2044  svchost.exe
    Token: SeCreatePagefilePrivilege  pid 2044  svchost.exe
    Token: SeShutdownPrivilege  pid 2044  svchost.exe
    Token: SeCreatePagefilePrivilege  pid 2044  svchost.exe
    Token: SeShutdownPrivilege  pid 2044  svchost.exe
    Token: SeCreatePagefilePrivilege  pid 2044  svchost.exe
    Token: SeSecurityPrivilege  pid 2360  TiWorker.exe
    Token: SeRestorePrivilege  pid 2360  TiWorker.exe
    Token: SeBackupPrivilege  pid 2360  TiWorker.exe
    Token: SeIncBasePriorityPrivilege  pid 2256  0296a1ea199b5ff80664e40a81b48ac6afad9f32ffa22a5f7088c41c1439dcab.exe
    The following three entries then repeat in sequence 18 times (54 IoCs):
    Token: SeBackupPrivilege  pid 2360  TiWorker.exe
    Token: SeRestorePrivilege  pid 2360  TiWorker.exe
    Token: SeSecurityPrivilege  pid 2360  TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    PID 2256 (0296a1ea199b5ff80664e40a81b48ac6afad9f32ffa22a5f7088c41c1439dcab.exe) wrote to memory of PID 1340 (MediaCenter.exe)  (3 entries)
    PID 2256 (0296a1ea199b5ff80664e40a81b48ac6afad9f32ffa22a5f7088c41c1439dcab.exe) wrote to memory of PID 2372 (cmd.exe)  (3 entries)
    PID 2372 (cmd.exe) wrote to memory of PID 1480 (PING.EXE)  (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\0296a1ea199b5ff80664e40a81b48ac6afad9f32ffa22a5f7088c41c1439dcab.exe  (PID 2256)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0296a1ea199b5ff80664e40a81b48ac6afad9f32ffa22a5f7088c41c1439dcab.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1340)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe  (PID 2372)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0296a1ea199b5ff80664e40a81b48ac6afad9f32ffa22a5f7088c41c1439dcab.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE  (PID 1480)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe  (PID 2044)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  (PID 2360)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 2f5dc8dc215c5286bfc1da1c346ae70a
  SHA1: c64d8e25b613ff727700e8f0945590a229301456
  SHA256: 61f33044cd9a86933804d178d2794b828f46d01f8ab0f5cffee08f4d3c1de5c6
  SHA512: eb76aa4c91726e31b20276203ec9aae221777c55ee4a9767f7a70dd91d37a3830cf63b249e750c660711da31afa3b5902e3b12253c35472b262a16bb9b1d10bd
- memory/2044-133-0x000001896CB50000-0x000001896CB60000-memory.dmp  Filesize: 64KB
- memory/2044-134-0x000001896D220000-0x000001896D230000-memory.dmp  Filesize: 64KB
- memory/2044-135-0x000001896F8D0000-0x000001896F8D4000-memory.dmp  Filesize: 16KB