Analysis
- max time kernel: 158s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 11:15
Static task: static1
Behavioral task: behavioral1
  Sample: 04e6ddb29d42361d39ac7efe51b890afa84c5b9851ade0663b3cea66a0110e2d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 04e6ddb29d42361d39ac7efe51b890afa84c5b9851ade0663b3cea66a0110e2d.exe
  Resource: win10v2004-en-20220113
General
- Target: 04e6ddb29d42361d39ac7efe51b890afa84c5b9851ade0663b3cea66a0110e2d.exe
- Size: 35KB
- MD5: 587a3cde0e99998165c827e77de62e90
- SHA1: efa7f3545701af34b0d22958a578835c4b9e38d6
- SHA256: 04e6ddb29d42361d39ac7efe51b890afa84c5b9851ade0663b3cea66a0110e2d
- SHA512: bf335434431e90c28c183fb1d64d9266ae7349df67eac516f60aa11e27b261568e6868ad018f0ed67910628f796db34f85765c350cc5298ea330d95a6efe7729
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
  pid   process
  4768  MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 04e6ddb29d42361d39ac7efe51b890afa84c5b9851ade0663b3cea66a0110e2d.exe
  description        ioc                                                                                                     process
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  04e6ddb29d42361d39ac7efe51b890afa84c5b9851ade0663b3cea66a0110e2d.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 04e6ddb29d42361d39ac7efe51b890afa84c5b9851ade0663b3cea66a0110e2d.exe
  description      ioc                                                                                                                                                            process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  04e6ddb29d42361d39ac7efe51b890afa84c5b9851ade0663b3cea66a0110e2d.exe
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
  description                   ioc                                                           process
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log           svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log                                   TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml                                 TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log                                  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk        svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log        svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb       svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm       svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, 04e6ddb29d42361d39ac7efe51b890afa84c5b9851ade0663b3cea66a0110e2d.exe, TiWorker.exe
  description                        pid   process                                                                   count
  Token: SeShutdownPrivilege         3248  svchost.exe                                                               3
  Token: SeCreatePagefilePrivilege   3248  svchost.exe                                                               3
  Token: SeIncBasePriorityPrivilege  4116  04e6ddb29d42361d39ac7efe51b890afa84c5b9851ade0663b3cea66a0110e2d.exe  1
  Token: SeSecurityPrivilege         400   TiWorker.exe                                                              19
  Token: SeRestorePrivilege          400   TiWorker.exe                                                              19
  Token: SeBackupPrivilege           400   TiWorker.exe                                                              19
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 04e6ddb29d42361d39ac7efe51b890afa84c5b9851ade0663b3cea66a0110e2d.exe, cmd.exe
  description                       pid   process                                                                   target process   count
  PID 4116 wrote to memory of 4768  4116  04e6ddb29d42361d39ac7efe51b890afa84c5b9851ade0663b3cea66a0110e2d.exe  MediaCenter.exe  3
  PID 4116 wrote to memory of 1072  4116  04e6ddb29d42361d39ac7efe51b890afa84c5b9851ade0663b3cea66a0110e2d.exe  cmd.exe          3
  PID 1072 wrote to memory of 1752  1072  cmd.exe                                                                   PING.EXE         3
Processes
- C:\Users\Admin\AppData\Local\Temp\04e6ddb29d42361d39ac7efe51b890afa84c5b9851ade0663b3cea66a0110e2d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\04e6ddb29d42361d39ac7efe51b890afa84c5b9851ade0663b3cea66a0110e2d.exe"
  PID: 4116
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4768
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\04e6ddb29d42361d39ac7efe51b890afa84c5b9851ade0663b3cea66a0110e2d.exe"
    PID: 1072
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1752
      Signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 3248
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 400
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 3111043d9b534ca2a42d8f1af03ecc29
  SHA1: dffd18a2b94eef227e3b58098945a8e8dc02c9e2
  SHA256: 61b84bf765b2a60cc0ff220c31527a54bfa9fec4ddb5d53ae240fc869fa5446e
  SHA512: 7100c4b7664b297048b45fa34dc62017d3cb1753f2031595b0bb8dcd96c4ee653e627f4135234b2ba46bc1eda2e2987f4db32c7c8699b2428b57fdd0c9850b00
- memory/3248-133-0x0000011A99B80000-0x0000011A99B90000-memory.dmp
  Filesize: 64KB
- memory/3248-132-0x0000011A99B20000-0x0000011A99B30000-memory.dmp
  Filesize: 64KB
- memory/3248-134-0x0000011A9C260000-0x0000011A9C264000-memory.dmp
  Filesize: 16KB