Analysis
- max time kernel: 152s
- max time network: 166s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 11:39
Static task: static1
Behavioral task: behavioral1
  Sample: 03d345aec5d62857c493005db9944c740187c8b2fea23246ec9a29a26a1c37ec.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 03d345aec5d62857c493005db9944c740187c8b2fea23246ec9a29a26a1c37ec.exe
  Resource: win10v2004-en-20220113
General
- Target: 03d345aec5d62857c493005db9944c740187c8b2fea23246ec9a29a26a1c37ec.exe
- Size: 60KB
- MD5: 13901b6ff6ff3a9727300cf8f071cd28
- SHA1: fc740c055b5dba6944cae9187a1ac4032357ab22
- SHA256: 03d345aec5d62857c493005db9944c740187c8b2fea23246ec9a29a26a1c37ec
- SHA512: cc8472242f6f7d0ff3ff045027dcbd40f9045d9e9207e46fc606e14b8520204d1b1853db053174a06f7712b030d02be405714959e2ca0d8395a10b199c7f6caa
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes: MediaCenter.exe
  - pid: 2992
    process: MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 03d345aec5d62857c493005db9944c740187c8b2fea23246ec9a29a26a1c37ec.exe
  - description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
    process: 03d345aec5d62857c493005db9944c740187c8b2fea23246ec9a29a26a1c37ec.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 03d345aec5d62857c493005db9944c740187c8b2fea23246ec9a29a26a1c37ec.exe
  - description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 03d345aec5d62857c493005db9944c740187c8b2fea23246ec9a29a26a1c37ec.exe
Drops file in Windows directory 8 IoCs
Processes: svchost.exe, TiWorker.exe
  description: File opened for modification (all 8 entries)
  ioc                                                         process
  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log      svchost.exe
  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb     svchost.exe
  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm     svchost.exe
  C:\Windows\SoftwareDistribution\ReportingEvents.log         svchost.exe
  C:\Windows\Logs\CBS\CBS.log                                 TiWorker.exe
  C:\Windows\WinSxS\pending.xml                               TiWorker.exe
  C:\Windows\WindowsUpdate.log                                svchost.exe
  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk      svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: svchost.exe, TiWorker.exe
  description                         pid   process
  Token: SeShutdownPrivilege          2760  svchost.exe   (3 entries, alternating with the next)
  Token: SeCreatePagefilePrivilege    2760  svchost.exe   (3 entries)
  Token: SeSecurityPrivilege          4404  TiWorker.exe  (remaining entries cycle through these three tokens)
  Token: SeRestorePrivilege           4404  TiWorker.exe
  Token: SeBackupPrivilege            4404  TiWorker.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes: 03d345aec5d62857c493005db9944c740187c8b2fea23246ec9a29a26a1c37ec.exe, cmd.exe
  - description: PID 3172 wrote to memory of 2992 (3 entries)
    pid: 3172
    process: 03d345aec5d62857c493005db9944c740187c8b2fea23246ec9a29a26a1c37ec.exe
    target process: MediaCenter.exe
  - description: PID 3172 wrote to memory of 4824 (3 entries)
    pid: 3172
    process: 03d345aec5d62857c493005db9944c740187c8b2fea23246ec9a29a26a1c37ec.exe
    target process: cmd.exe
  - description: PID 4824 wrote to memory of 4884 (3 entries)
    pid: 4824
    process: cmd.exe
    target process: PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\03d345aec5d62857c493005db9944c740187c8b2fea23246ec9a29a26a1c37ec.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\03d345aec5d62857c493005db9944c740187c8b2fea23246ec9a29a26a1c37ec.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 3172
  -
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 2992
  -
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\03d345aec5d62857c493005db9944c740187c8b2fea23246ec9a29a26a1c37ec.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4824
    -
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 4884
-
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2760
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4404
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: d56f2f9a2004c0508c2c1dcfb53d81dd
  SHA1: 57e6734141b613844b154dcb9684175247fb6a49
  SHA256: 8973674201d507c90c20008985fb1f5043b1e1709e0f5909cf054b9a55522241
  SHA512: ade248ccf69b122baa633267630e62f7306f91f9ac9b03868260ae867c1e82ae1b9684630b9216147b703be4444d9f93cbb70642e9dbe53563d3f759da38fc8e
-
memory/2760-132-0x000002DBE8020000-0x000002DBE8030000-memory.dmp
  Filesize: 64KB
-
memory/2760-133-0x000002DBE8080000-0x000002DBE8090000-memory.dmp
  Filesize: 64KB
-
memory/2760-134-0x000002DBEA730000-0x000002DBEA734000-memory.dmp
  Filesize: 16KB