Analysis
max time kernel: 147s
max time network: 172s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 11:36
Static task: static1
Behavioral task: behavioral1
  Sample: 03f287ce2423b64e3dacec992951506f7e295b4d43e2e9a5a3f45a2bbe792e70.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 03f287ce2423b64e3dacec992951506f7e295b4d43e2e9a5a3f45a2bbe792e70.exe
  Resource: win10v2004-en-20220113
General
Target: 03f287ce2423b64e3dacec992951506f7e295b4d43e2e9a5a3f45a2bbe792e70.exe
Size: 58KB
MD5: 6626bcb31660aaf9020d9916ee49fca9
SHA1: 3d641caed4c8704d7ee3152265c6cf0aaa8f9733
SHA256: 03f287ce2423b64e3dacec992951506f7e295b4d43e2e9a5a3f45a2bbe792e70
SHA512: 2976508eb6aec1e49dff19c59618b5bd6a363377ffe91e91f91c5193e283649935650b21e8d126659559a7bd4963f5ff0262a23d400d6b1c7b7a933160189a31
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 1464, process MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    03f287ce2423b64e3dacec992951506f7e295b4d43e2e9a5a3f45a2bbe792e70.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    03f287ce2423b64e3dacec992951506f7e295b4d43e2e9a5a3f45a2bbe792e70.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
    File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
    File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
    File opened for modification: C:\Windows\WindowsUpdate.log (svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, 03f287ce2423b64e3dacec992951506f7e295b4d43e2e9a5a3f45a2bbe792e70.exe, TiWorker.exe
    Token: SeShutdownPrivilege, pid 4172, svchost.exe (repeated)
    Token: SeCreatePagefilePrivilege, pid 4172, svchost.exe (repeated)
    Token: SeIncBasePriorityPrivilege, pid 3628, 03f287ce2423b64e3dacec992951506f7e295b4d43e2e9a5a3f45a2bbe792e70.exe
    Token: SeSecurityPrivilege, pid 2044, TiWorker.exe (repeated)
    Token: SeRestorePrivilege, pid 2044, TiWorker.exe (repeated)
    Token: SeBackupPrivilege, pid 2044, TiWorker.exe (repeated)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 03f287ce2423b64e3dacec992951506f7e295b4d43e2e9a5a3f45a2bbe792e70.exe, cmd.exe
    PID 3628 (03f287ce2423b64e3dacec992951506f7e295b4d43e2e9a5a3f45a2bbe792e70.exe) wrote to memory of PID 1464 (MediaCenter.exe), 3 times
    PID 3628 (03f287ce2423b64e3dacec992951506f7e295b4d43e2e9a5a3f45a2bbe792e70.exe) wrote to memory of PID 3348 (cmd.exe), 3 times
    PID 3348 (cmd.exe) wrote to memory of PID 2524 (PING.EXE), 3 times
Processes
[1] C:\Users\Admin\AppData\Local\Temp\03f287ce2423b64e3dacec992951506f7e295b4d43e2e9a5a3f45a2bbe792e70.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\03f287ce2423b64e3dacec992951506f7e295b4d43e2e9a5a3f45a2bbe792e70.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3628
  [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1464
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\03f287ce2423b64e3dacec992951506f7e295b4d43e2e9a5a3f45a2bbe792e70.exe"
      - Suspicious use of WriteProcessMemory
      PID: 3348
    [3] C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1
        - Runs ping.exe
        PID: 2524
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID: 4172
[1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID: 2044
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5: 8812190df8acf968fa213eb0c70b01ee
SHA1: 3a1f2799669cd8fb8be2d6a1be149111061429a7
SHA256: 2ef88e579ef6436b985df1ad95ad1fca95713ab68c1362031cf3dd2d1a783fa2
SHA512: 2e1291441dcff10f4743f9d9ecdf570fefd83228f085b824bdf3624f2b53279c07bbfd1925f24b23652bce5602feecaf6ce724107c8b12cfb012db5545d354d1
memory/4172-132-0x0000017FFC720000-0x0000017FFC730000-memory.dmp
Filesize: 64KB
memory/4172-133-0x0000017FFC780000-0x0000017FFC790000-memory.dmp
Filesize: 64KB
memory/4172-134-0x0000017FFEE50000-0x0000017FFEE54000-memory.dmp
Filesize: 16KB