Analysis
- max time kernel: 127s
- max time network: 177s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 12:03
Static task: static1
Behavioral task: behavioral1
  Sample: 028e670e5a7501e71ac59ef6cba9685bd5ed6f60c91d75d72f4b985dbfead7c3.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 028e670e5a7501e71ac59ef6cba9685bd5ed6f60c91d75d72f4b985dbfead7c3.exe
  Resource: win10v2004-en-20220113
General
- Target: 028e670e5a7501e71ac59ef6cba9685bd5ed6f60c91d75d72f4b985dbfead7c3.exe
- Size: 36KB
- MD5: 0261cf34413117498f88f7242b9f3363
- SHA1: bc344a715feac624f0b1df8baa6f724248682e3c
- SHA256: 028e670e5a7501e71ac59ef6cba9685bd5ed6f60c91d75d72f4b985dbfead7c3
- SHA512: cbdfed057ff9fe180e9ae433db8e4e83cb2b4b505b063b4a9f4113579a1d12edb19967abb2f53ac45a6e0a95e4909b7270aa617746c442178da156bf3ba1bc98
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    4676 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 028e670e5a7501e71ac59ef6cba9685bd5ed6f60c91d75d72f4b985dbfead7c3.exe
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 028e670e5a7501e71ac59ef6cba9685bd5ed6f60c91d75d72f4b985dbfead7c3.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 028e670e5a7501e71ac59ef6cba9685bd5ed6f60c91d75d72f4b985dbfead7c3.exe
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 028e670e5a7501e71ac59ef6cba9685bd5ed6f60c91d75d72f4b985dbfead7c3.exe
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
    description | ioc | process
    File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
    File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
    File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, 028e670e5a7501e71ac59ef6cba9685bd5ed6f60c91d75d72f4b985dbfead7c3.exe, TiWorker.exe
    description | pid | process
    Token: SeShutdownPrivilege | 2064 | svchost.exe
    Token: SeCreatePagefilePrivilege | 2064 | svchost.exe
    Token: SeShutdownPrivilege | 2064 | svchost.exe
    Token: SeCreatePagefilePrivilege | 2064 | svchost.exe
    Token: SeShutdownPrivilege | 2064 | svchost.exe
    Token: SeCreatePagefilePrivilege | 2064 | svchost.exe
    Token: SeIncBasePriorityPrivilege | 4652 | 028e670e5a7501e71ac59ef6cba9685bd5ed6f60c91d75d72f4b985dbfead7c3.exe
    Token: SeSecurityPrivilege | 1136 | TiWorker.exe
    Token: SeRestorePrivilege | 1136 | TiWorker.exe
    Token: SeBackupPrivilege | 1136 | TiWorker.exe
    Token: SeBackupPrivilege | 1136 | TiWorker.exe
    Token: SeRestorePrivilege | 1136 | TiWorker.exe
    Token: SeSecurityPrivilege | 1136 | TiWorker.exe
    Token: SeBackupPrivilege | 1136 | TiWorker.exe
    Token: SeRestorePrivilege | 1136 | TiWorker.exe
    Token: SeSecurityPrivilege | 1136 | TiWorker.exe
    Token: SeBackupPrivilege | 1136 | TiWorker.exe
    Token: SeRestorePrivilege | 1136 | TiWorker.exe
    Token: SeSecurityPrivilege | 1136 | TiWorker.exe
    Token: SeBackupPrivilege | 1136 | TiWorker.exe
    Token: SeRestorePrivilege | 1136 | TiWorker.exe
    Token: SeSecurityPrivilege | 1136 | TiWorker.exe
    Token: SeBackupPrivilege | 1136 | TiWorker.exe
    Token: SeRestorePrivilege | 1136 | TiWorker.exe
    Token: SeSecurityPrivilege | 1136 | TiWorker.exe
    Token: SeBackupPrivilege | 1136 | TiWorker.exe
    Token: SeRestorePrivilege | 1136 | TiWorker.exe
    Token: SeSecurityPrivilege | 1136 | TiWorker.exe
    Token: SeBackupPrivilege | 1136 | TiWorker.exe
    Token: SeRestorePrivilege | 1136 | TiWorker.exe
    Token: SeSecurityPrivilege | 1136 | TiWorker.exe
    Token: SeBackupPrivilege | 1136 | TiWorker.exe
    Token: SeRestorePrivilege | 1136 | TiWorker.exe
    Token: SeSecurityPrivilege | 1136 | TiWorker.exe
    Token: SeBackupPrivilege | 1136 | TiWorker.exe
    Token: SeRestorePrivilege | 1136 | TiWorker.exe
    Token: SeSecurityPrivilege | 1136 | TiWorker.exe
    Token: SeBackupPrivilege | 1136 | TiWorker.exe
    Token: SeRestorePrivilege | 1136 | TiWorker.exe
    Token: SeSecurityPrivilege | 1136 | TiWorker.exe
    Token: SeBackupPrivilege | 1136 | TiWorker.exe
    Token: SeRestorePrivilege | 1136 | TiWorker.exe
    Token: SeSecurityPrivilege | 1136 | TiWorker.exe
    Token: SeBackupPrivilege | 1136 | TiWorker.exe
    Token: SeRestorePrivilege | 1136 | TiWorker.exe
    Token: SeSecurityPrivilege | 1136 | TiWorker.exe
    Token: SeBackupPrivilege | 1136 | TiWorker.exe
    Token: SeRestorePrivilege | 1136 | TiWorker.exe
    Token: SeSecurityPrivilege | 1136 | TiWorker.exe
    Token: SeBackupPrivilege | 1136 | TiWorker.exe
    Token: SeRestorePrivilege | 1136 | TiWorker.exe
    Token: SeSecurityPrivilege | 1136 | TiWorker.exe
    Token: SeBackupPrivilege | 1136 | TiWorker.exe
    Token: SeRestorePrivilege | 1136 | TiWorker.exe
    Token: SeSecurityPrivilege | 1136 | TiWorker.exe
    Token: SeBackupPrivilege | 1136 | TiWorker.exe
    Token: SeRestorePrivilege | 1136 | TiWorker.exe
    Token: SeSecurityPrivilege | 1136 | TiWorker.exe
    Token: SeBackupPrivilege | 1136 | TiWorker.exe
    Token: SeRestorePrivilege | 1136 | TiWorker.exe
    Token: SeSecurityPrivilege | 1136 | TiWorker.exe
    Token: SeBackupPrivilege | 1136 | TiWorker.exe
    Token: SeRestorePrivilege | 1136 | TiWorker.exe
    Token: SeSecurityPrivilege | 1136 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 028e670e5a7501e71ac59ef6cba9685bd5ed6f60c91d75d72f4b985dbfead7c3.exe, cmd.exe
    description | pid | process | target process
    PID 4652 wrote to memory of 4676 | 4652 | 028e670e5a7501e71ac59ef6cba9685bd5ed6f60c91d75d72f4b985dbfead7c3.exe | MediaCenter.exe
    PID 4652 wrote to memory of 4676 | 4652 | 028e670e5a7501e71ac59ef6cba9685bd5ed6f60c91d75d72f4b985dbfead7c3.exe | MediaCenter.exe
    PID 4652 wrote to memory of 4676 | 4652 | 028e670e5a7501e71ac59ef6cba9685bd5ed6f60c91d75d72f4b985dbfead7c3.exe | MediaCenter.exe
    PID 4652 wrote to memory of 1408 | 4652 | 028e670e5a7501e71ac59ef6cba9685bd5ed6f60c91d75d72f4b985dbfead7c3.exe | cmd.exe
    PID 4652 wrote to memory of 1408 | 4652 | 028e670e5a7501e71ac59ef6cba9685bd5ed6f60c91d75d72f4b985dbfead7c3.exe | cmd.exe
    PID 4652 wrote to memory of 1408 | 4652 | 028e670e5a7501e71ac59ef6cba9685bd5ed6f60c91d75d72f4b985dbfead7c3.exe | cmd.exe
    PID 1408 wrote to memory of 4076 | 1408 | cmd.exe | PING.EXE
    PID 1408 wrote to memory of 4076 | 1408 | cmd.exe | PING.EXE
    PID 1408 wrote to memory of 4076 | 1408 | cmd.exe | PING.EXE
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\028e670e5a7501e71ac59ef6cba9685bd5ed6f60c91d75d72f4b985dbfead7c3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\028e670e5a7501e71ac59ef6cba9685bd5ed6f60c91d75d72f4b985dbfead7c3.exe"
  PID: 4652
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - Image: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4676
    Signatures: Executes dropped EXE
  - Image: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\028e670e5a7501e71ac59ef6cba9685bd5ed6f60c91d75d72f4b985dbfead7c3.exe"
    PID: 1408
    Signatures: Suspicious use of WriteProcessMemory
    - Image: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 4076
      Signatures: Runs ping.exe
- Image: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 2064
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- Image: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 1136
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 0620dd6269fa85edd1ee1158d80d0de9
  SHA1: ab9ca5210b46d6a5605a00fdc02a7afd0dc1d663
  SHA256: 46e287655224f86e5a1fcb50383ed3bfac01f7f331c1ecf87f837d83e62f3ef6
  SHA512: 5df0d3f2802531b3b411c1ad8cb8ddd931df599227ab4af36097090d86dd013ebe7f4d80a21c35b9b15284b948fc9cf71c515e24a899c502062116cee965e19c
- memory/2064-132-0x0000020ED1B30000-0x0000020ED1B40000-memory.dmp
  Filesize: 64KB
- memory/2064-133-0x0000020ED1B90000-0x0000020ED1BA0000-memory.dmp
  Filesize: 64KB
- memory/2064-134-0x0000020ED48A0000-0x0000020ED48A4000-memory.dmp
  Filesize: 16KB