Analysis
- max time kernel: 134s
- max time network: 170s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 11:44

Static task: static1
Behavioral task behavioral1: sample 03862318389d7cf25bbaf0ebf80decd89cb42ab1732ed976ad3dfa84080305f4.exe, resource win7-en-20211208
Behavioral task behavioral2: sample 03862318389d7cf25bbaf0ebf80decd89cb42ab1732ed976ad3dfa84080305f4.exe, resource win10v2004-en-20220113

General
- Target: 03862318389d7cf25bbaf0ebf80decd89cb42ab1732ed976ad3dfa84080305f4.exe
- Size: 36KB
- MD5: 927581d1e2eed41693a596529a5e855e
- SHA1: dc6c5d1b2be71dfcf9c04f21da10ea52a945543b
- SHA256: 03862318389d7cf25bbaf0ebf80decd89cb42ab1732ed976ad3dfa84080305f4
- SHA512: da0af69b41d97d9db9b19724c7c74abc51ed4e876b392af5643260836bce896cbc899e65c9cd9370c5b4821006212fb747b094b1b794a497c3b7035e36ef9e2a
Malware Config
Signatures

- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    1960  MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  03862318389d7cf25bbaf0ebf80decd89cb42ab1732ed976ad3dfa84080305f4.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  03862318389d7cf25bbaf0ebf80decd89cb42ab1732ed976ad3dfa84080305f4.exe
- Drops file in Windows directory (8 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log  svchost.exe
    File opened for modification  C:\Windows\Logs\CBS\CBS.log  TiWorker.exe
    File opened for modification  C:\Windows\WinSxS\pending.xml  TiWorker.exe
    File opened for modification  C:\Windows\WindowsUpdate.log  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (process, pid, privileges adjusted; the report lists 64 token entries, and the TiWorker.exe entries repeat the same three privileges in a cycle):
    svchost.exe  3584  SeShutdownPrivilege (3 entries), SeCreatePagefilePrivilege (3 entries)
    03862318389d7cf25bbaf0ebf80decd89cb42ab1732ed976ad3dfa84080305f4.exe  1240  SeIncBasePriorityPrivilege (1 entry)
    TiWorker.exe  3344  SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege (57 entries, repeating cycle)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
    PID 1240 wrote to memory of 1960  1240  03862318389d7cf25bbaf0ebf80decd89cb42ab1732ed976ad3dfa84080305f4.exe  MediaCenter.exe
    PID 1240 wrote to memory of 1960  1240  03862318389d7cf25bbaf0ebf80decd89cb42ab1732ed976ad3dfa84080305f4.exe  MediaCenter.exe
    PID 1240 wrote to memory of 1960  1240  03862318389d7cf25bbaf0ebf80decd89cb42ab1732ed976ad3dfa84080305f4.exe  MediaCenter.exe
    PID 1240 wrote to memory of 3176  1240  03862318389d7cf25bbaf0ebf80decd89cb42ab1732ed976ad3dfa84080305f4.exe  cmd.exe
    PID 1240 wrote to memory of 3176  1240  03862318389d7cf25bbaf0ebf80decd89cb42ab1732ed976ad3dfa84080305f4.exe  cmd.exe
    PID 1240 wrote to memory of 3176  1240  03862318389d7cf25bbaf0ebf80decd89cb42ab1732ed976ad3dfa84080305f4.exe  cmd.exe
    PID 3176 wrote to memory of 2680  3176  cmd.exe  PING.EXE
    PID 3176 wrote to memory of 2680  3176  cmd.exe  PING.EXE
    PID 3176 wrote to memory of 2680  3176  cmd.exe  PING.EXE
Processes (process tree; nesting shows parent/child depth)

- C:\Users\Admin\AppData\Local\Temp\03862318389d7cf25bbaf0ebf80decd89cb42ab1732ed976ad3dfa84080305f4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\03862318389d7cf25bbaf0ebf80decd89cb42ab1732ed976ad3dfa84080305f4.exe"
  PID: 1240
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1960
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\03862318389d7cf25bbaf0ebf80decd89cb42ab1732ed976ad3dfa84080305f4.exe"
    PID: 3176
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 2680
      - Runs ping.exe

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 3584
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3344
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 5a85c2a3df054d2950f92e9b5d78efca
  SHA1: 96d5852484fe597d1bfb07661db2bf097a3a01f9
  SHA256: dfbe960f61284a289fccc49631741bc65bfde41ef83e005134260026aab94bd5
  SHA512: dc1766b584b2925127abe28d2328362b45220e922027bd4ff77bb3290eecb72702ffc58cbaa79370bfbd118bfb6281caf454838ebe2cb83ff3acc20c3cccde2d
- memory/3584-132-0x00000253DFF20000-0x00000253DFF30000-memory.dmp, filesize 64KB
- memory/3584-133-0x00000253DFF80000-0x00000253DFF90000-memory.dmp, filesize 64KB
- memory/3584-134-0x00000253E2640000-0x00000253E2644000-memory.dmp, filesize 16KB