Analysis
max time kernel: 140s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 11:43
Static task: static1
Behavioral task: behavioral1
  Sample: 03970670720f945125ee653a950fbede015601a40376c781f1ead685fa3f3381.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 03970670720f945125ee653a950fbede015601a40376c781f1ead685fa3f3381.exe
  Resource: win10v2004-en-20220113
General
Target: 03970670720f945125ee653a950fbede015601a40376c781f1ead685fa3f3381.exe
Size: 60KB
MD5: 0e5445b6d559123a977bb6a825fbbfed
SHA1: b850f6cdb5ace11016415888a31b5b585c01a935
SHA256: 03970670720f945125ee653a950fbede015601a40376c781f1ead685fa3f3381
SHA512: bf45d9ef0dfdab99d3c86a24835565988caa5682c01ad1e778bcca71b0661ecf465fa86a9bff5890cc7177f34b0cc1ae4b711797c66de57785e2cd13cc6ad855
Malware Config: (empty in this report)
Signatures

Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 4056)

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  Process: 03970670720f945125ee653a950fbede015601a40376c781f1ead685fa3f3381.exe (PID 3656)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  Process: 03970670720f945125ee653a950fbede015601a40376c781f1ead685fa3f3381.exe (PID 3656)
  The WOW6432Node path shows the writer is a 32-bit process on 64-bit Windows. The value points at the dropped copy in the user's Temp directory, so the dropped EXE, not the submitted file, is the persistent artefact.

Drops file in Windows directory (8 IoCs)
  All eight entries are attributed to svchost.exe (PID 1736, wuauserv) and TiWorker.exe (PID 1380), not to the sample or its dropped EXE. They are Windows Update datastore and servicing logs and should be read as background activity of the sandbox image.
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log  (svchost.exe)
  File opened for modification: C:\Windows\Logs\CBS\CBS.log  (TiWorker.exe)
  File opened for modification: C:\Windows\WinSxS\pending.xml  (TiWorker.exe)
  File opened for modification: C:\Windows\WindowsUpdate.log  (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  (svchost.exe)

Enumerates physical storage devices (1 TTP, no IoC recorded)
  Attempts to interact with connected storage/optical drive(s). The signature text calls this likely ransomware behaviour, but the report lists no IoC under it and no file-encryption activity appears elsewhere in the report.

Runs ping.exe (1 TTP, 1 IoC)
  Process: PING.EXE (PID 1532), started by cmd.exe as a delay before "del /q" removes the original sample (see the process tree).

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Only one of the 64 entries belongs to the sample: SeIncBasePriorityPrivilege enabled by 03970670720f945125ee653a950fbede015601a40376c781f1ead685fa3f3381.exe (PID 3656). The rest come from system processes on the sandbox image:
  svchost.exe (PID 1736, wuauserv): SeShutdownPrivilege and SeCreatePagefilePrivilege, three times each (6 entries)
  TiWorker.exe (PID 1380): SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, enabled repeatedly in rotation (57 entries)

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 3656 (03970670720f945125ee653a950fbede015601a40376c781f1ead685fa3f3381.exe) wrote to memory of PID 4056 (MediaCenter.exe), 3 entries
  PID 3656 (03970670720f945125ee653a950fbede015601a40376c781f1ead685fa3f3381.exe) wrote to memory of PID 2940 (cmd.exe), 3 entries
  PID 2940 (cmd.exe) wrote to memory of PID 1532 (PING.EXE), 3 entries
  Every write goes from a parent into a child it started itself (see the process tree); the report records no write into a process the sample did not create.
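The two behaviours above that leave host telemetry worth alerting on are the Run key pointing into a user-writable directory and the "ping then del" self-deletion chain. The following is an added example of detection logic for both, written for this page and not part of the sandbox report. It runs over constructed Sysmon-style events (field names follow Sysmon Event ID 1, process create, and Event ID 13, registry value set; the events themselves are made up to mirror the report, plus two benign controls). The Geo\Nation lookup is a registry read, which Sysmon does not log, so it is deliberately not covered here.

```python
"""Detections for Run-key persistence into a user-writable path and for
cmd.exe self-deletion via ping. Added example; events are constructed."""
import re
from typing import Dict, List, Tuple

SAMPLE = "03970670720f945125ee653a950fbede015601a40376c781f1ead685fa3f3381.exe"
SAMPLE_PATH = rf"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}"

# Constructed events (not real telemetry): two that reproduce the report's
# behaviour and two benign controls the rules must not flag.
EVENTS: List[Dict[str, str]] = [
    {"EventID": "13", "Image": SAMPLE_PATH,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"EventID": "1", "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": SAMPLE_PATH,
     "CommandLine": rf'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE_PATH}"'},
    {"EventID": "13", "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": "1", "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1'},
]

# Run or RunOnce value, under HKLM or HKCU, with or without WOW6432Node.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Directories an unprivileged user can write to.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\", re.I)
# "ping ... & del" / "&& del" / "| del" in one command line.
PING_THEN_DEL = re.compile(r"\bping\b.*?(?:&&?|\|\|?)\s*del\b", re.I)
# Path argument of the del command, with or without quotes and switches.
DEL_TARGET = re.compile(r'\bdel\b(?:\s+/\w+)*\s+"?([^"&|]+?)"?\s*$', re.I)


def run_key_to_user_path(ev: Dict[str, str]) -> bool:
    """Run/RunOnce value whose target lives under a user-writable directory."""
    return (ev.get("EventID") == "13"
            and RUN_KEY.search(ev.get("TargetObject", "")) is not None
            and USER_WRITABLE.search(ev.get("Details", "")) is not None)


def self_delete_via_ping(ev: Dict[str, str]) -> bool:
    """cmd.exe that pings (as a sleep) and then deletes its own parent's image."""
    cmd = ev.get("CommandLine", "")
    if ev.get("EventID") != "1" or not PING_THEN_DEL.search(cmd):
        return False
    m = DEL_TARGET.search(cmd)
    parent = ev.get("ParentImage", "")
    return bool(m and parent) and m.group(1).strip().lower() == parent.lower()


RULES = [run_key_to_user_path, self_delete_via_ping]


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule name, acting image) for every event a rule matches."""
    return [(rule.__name__, ev.get("Image", ""))
            for ev in events for rule in RULES if rule(ev)]


if __name__ == "__main__":
    for name, image in scan(EVENTS):
        print(f"{name}: {image}")
```

Against the constructed events, scan() fires once for the Run key write and once for the cmd.exe line, and stays silent on the Program Files Run entry and on a bare ping. The self-deletion rule requires the del target to equal the parent's image path; relaxing that to "any ping followed by del" catches more variants at the cost of noise from installers that clean up after themselves.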
Processes

C:\Users\Admin\AppData\Local\Temp\03970670720f945125ee653a950fbede015601a40376c781f1ead685fa3f3381.exe  (PID 3656)
  command line: "C:\Users\Admin\AppData\Local\Temp\03970670720f945125ee653a950fbede015601a40376c781f1ead685fa3f3381.exe"
  signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 4056)
  |     command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  |     signatures: Executes dropped EXE
  |
  +-- C:\Windows\SysWOW64\cmd.exe  (PID 2940)
        command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\03970670720f945125ee653a950fbede015601a40376c781f1ead685fa3f3381.exe"
        signatures: Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\SysWOW64\PING.EXE  (PID 1532)
              command line: ping 127.0.0.1
              signatures: Runs ping.exe

Reading the tree: the sample drops MediaCenter.exe into its own MicroMedia subdirectory under Temp and starts it, registers it under the WOW6432Node Run key (see Signatures), then launches cmd.exe to ping the loopback address (a short delay that lets the parent exit) and delete the original sample file. The command line names System32\cmd.exe but the process image is SysWOW64\cmd.exe: file system redirection applied because the parent is a 32-bit process. If the del succeeds, only MediaCenter.exe remains on disk after the run.

The two remaining roots are Windows components running on the sandbox image, not children of the sample:

C:\Windows\system32\svchost.exe  (PID 1736)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  (PID 1380)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network: (no entries in this report)
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (listed once per behavioral task, identical hashes in both)
  MD5: b72ec62b582420bffa57f68eb6728335
  SHA1: cadfa54f3e0a945119defebb52cf26475c2677b3
  SHA256: 07681ce83170a40a753e3b8078e70b89619f98286e17cf7b3c9ea6b3499cd4e2
  SHA512: b30b2c39568a43357f9f51b1c8d66349e36c5907551d46132751998e5be7521cded91e8fa5f3c1a1b82299df7b6627dc7546d67a97cd2b0a834ce9f5f056b575

memory/1736-135-0x000001DD43130000-0x000001DD43140000-memory.dmp  64KB
memory/1736-136-0x000001DD43190000-0x000001DD431A0000-memory.dmp  64KB
memory/1736-137-0x000001DD45E90000-0x000001DD45E94000-memory.dmp  16KB
  (PID 1736 is svchost.exe running wuauserv, so these dumps are not memory of the sample or of MediaCenter.exe.)
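The report gives hash values for the submitted sample and for the dropped MediaCenter.exe, plus the Run value and drop path. The following is an added example of a host sweep built from those indicators; it is not part of the sandbox output. It hashes every file under a given root and matches against the report's MD5/SHA1/SHA256 values, flags a file parked at the MicroMedia\MediaCenter.exe path even when its hash differs (a variant or an unrelated file deserves a look either way), and on Windows only reads the MicroMedia Run value. The directory tree it builds for the demo is constructed here and contains placeholder bytes, not the real dropped file.

```python
"""Sweep a directory tree for the file artefacts in this report.
Added example; the demo tree is constructed and holds no real malware."""
import hashlib
import os
import sys
import tempfile
from typing import Dict, List, Optional, Tuple

# Hash values copied from the report.
KNOWN: Dict[str, Dict[str, str]] = {
    "md5": {"0e5445b6d559123a977bb6a825fbbfed": "submitted sample",
            "b72ec62b582420bffa57f68eb6728335": "dropped MediaCenter.exe"},
    "sha1": {"b850f6cdb5ace11016415888a31b5b585c01a935": "submitted sample",
             "cadfa54f3e0a945119defebb52cf26475c2677b3": "dropped MediaCenter.exe"},
    "sha256": {"03970670720f945125ee653a950fbede015601a40376c781f1ead685fa3f3381": "submitted sample",
               "07681ce83170a40a753e3b8078e70b89619f98286e17cf7b3c9ea6b3499cd4e2": "dropped MediaCenter.exe"},
}
DROP_DIR, DROP_NAME = "micromedia", "mediacenter.exe"  # ...\Temp\MicroMedia\MediaCenter.exe
RUN_KEY = r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "MicroMedia"


def hash_file(path: str) -> Dict[str, str]:
    """MD5, SHA1, SHA256 and SHA512 of a file, computed in one pass."""
    hs = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256", "sha512")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hs.values():
                h.update(chunk)
    return {n: h.hexdigest() for n, h in hs.items()}


def match_hashes(digests: Dict[str, str]) -> List[str]:
    """Report labels that any of the digests matches (deduplicated, sorted)."""
    return sorted({KNOWN[a][d.lower()] for a, d in digests.items()
                   if a in KNOWN and d.lower() in KNOWN[a]})


def sweep(root: str) -> List[Tuple[str, str]]:
    """Walk root; report hash matches and files sitting at the dropped-EXE path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                labels = match_hashes(hash_file(path))
            except OSError:
                continue  # unreadable or vanished file; keep sweeping
            at_drop_path = (os.path.basename(dirpath).lower() == DROP_DIR
                            and name.lower() == DROP_NAME)
            if labels:
                findings.append((path, "hash match: " + ", ".join(labels)))
            elif at_drop_path:
                findings.append((path, "at dropped-EXE path but hash not in report"))
    return findings


def run_value() -> Optional[str]:
    """The MicroMedia Run value if present; None off Windows or when absent."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
            return winreg.QueryValueEx(key, RUN_VALUE)[0]
    except OSError:
        return None


def write_constructed_file(root: str, name: str, data: bytes) -> str:
    """Write placeholder bytes under root and return the path."""
    path = os.path.join(root, name)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def make_constructed_tree() -> str:
    """A throwaway Temp-like layout with a placeholder at the dropped-EXE path."""
    root = tempfile.mkdtemp(prefix="sweep_demo_")
    write_constructed_file(root, os.path.join("MicroMedia", "MediaCenter.exe"),
                           b"MZ placeholder, not the real dropped file\n")
    write_constructed_file(root, "notes.txt", b"unrelated file\n")
    return root


if __name__ == "__main__":
    for path, verdict in sweep(make_constructed_tree()):
        print(f"{verdict}: {path}")
    print("Run value:", run_value())
```

On the constructed tree the sweep returns a single finding, the placeholder at the drop path with a hash the report does not list; a real hit would instead read "hash match: dropped MediaCenter.exe". Point sweep() at %LOCALAPPDATA%\Temp on a suspect host, and pair it with run_value() so a Run entry whose target has already been replaced or removed is still noticed.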