Analysis
- max time kernel: 149s
- max time network: 173s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 12:12
Static task: static1
Behavioral task: behavioral1
  Sample: 023c44af72b9096439765645a246d69f6ebf8b71bf340f6a641501114cd3be9f.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 023c44af72b9096439765645a246d69f6ebf8b71bf340f6a641501114cd3be9f.exe
  Resource: win10v2004-en-20220113
General
- Target: 023c44af72b9096439765645a246d69f6ebf8b71bf340f6a641501114cd3be9f.exe
- Size: 60KB
- MD5: c12c164fadc9dc2fbde19835dbedcfd9
- SHA1: e495ab36c0c00c618b30c451c977acf3a0aaa5eb
- SHA256: 023c44af72b9096439765645a246d69f6ebf8b71bf340f6a641501114cd3be9f
- SHA512: fef09c35f447e978a79f64c470812028c144f683f181a9c2d05ce12fa729eec026f974e2516281309a8c4e8196e282fc5cbbb38485d30dbf7e0cf5aa5ebf8fac
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
    3492 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 023c44af72b9096439765645a246d69f6ebf8b71bf340f6a641501114cd3be9f.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 023c44af72b9096439765645a246d69f6ebf8b71bf340f6a641501114cd3be9f.exe
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
  (description | ioc | process):
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
    File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
    File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
    File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, TiWorker.exe, 023c44af72b9096439765645a246d69f6ebf8b71bf340f6a641501114cd3be9f.exe
  (description | pid | process):
    Token: SeShutdownPrivilege | 4844 | svchost.exe
    Token: SeCreatePagefilePrivilege | 4844 | svchost.exe
    Token: SeShutdownPrivilege | 4844 | svchost.exe
    Token: SeCreatePagefilePrivilege | 4844 | svchost.exe
    Token: SeShutdownPrivilege | 4844 | svchost.exe
    Token: SeCreatePagefilePrivilege | 4844 | svchost.exe
    Token: SeSecurityPrivilege | 2840 | TiWorker.exe
    Token: SeRestorePrivilege | 2840 | TiWorker.exe
    Token: SeBackupPrivilege | 2840 | TiWorker.exe
    Token: SeIncBasePriorityPrivilege | 1288 | 023c44af72b9096439765645a246d69f6ebf8b71bf340f6a641501114cd3be9f.exe
    Token: SeBackupPrivilege | 2840 | TiWorker.exe
    Token: SeRestorePrivilege | 2840 | TiWorker.exe
    Token: SeSecurityPrivilege | 2840 | TiWorker.exe
    (the SeBackupPrivilege / SeRestorePrivilege / SeSecurityPrivilege sequence for PID 2840 TiWorker.exe repeats in that order for all remaining entries, 64 in total)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 023c44af72b9096439765645a246d69f6ebf8b71bf340f6a641501114cd3be9f.exe, cmd.exe
  (description | pid | process | target process):
    PID 1288 wrote to memory of 3492 | 1288 | 023c44af72b9096439765645a246d69f6ebf8b71bf340f6a641501114cd3be9f.exe | MediaCenter.exe
    PID 1288 wrote to memory of 3492 | 1288 | 023c44af72b9096439765645a246d69f6ebf8b71bf340f6a641501114cd3be9f.exe | MediaCenter.exe
    PID 1288 wrote to memory of 3492 | 1288 | 023c44af72b9096439765645a246d69f6ebf8b71bf340f6a641501114cd3be9f.exe | MediaCenter.exe
    PID 1288 wrote to memory of 4312 | 1288 | 023c44af72b9096439765645a246d69f6ebf8b71bf340f6a641501114cd3be9f.exe | cmd.exe
    PID 1288 wrote to memory of 4312 | 1288 | 023c44af72b9096439765645a246d69f6ebf8b71bf340f6a641501114cd3be9f.exe | cmd.exe
    PID 1288 wrote to memory of 4312 | 1288 | 023c44af72b9096439765645a246d69f6ebf8b71bf340f6a641501114cd3be9f.exe | cmd.exe
    PID 4312 wrote to memory of 1048 | 4312 | cmd.exe | PING.EXE
    PID 4312 wrote to memory of 1048 | 4312 | cmd.exe | PING.EXE
    PID 4312 wrote to memory of 1048 | 4312 | cmd.exe | PING.EXE
Processes (tree; [n] is the nesting level)
- [1] C:\Users\Admin\AppData\Local\Temp\023c44af72b9096439765645a246d69f6ebf8b71bf340f6a641501114cd3be9f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\023c44af72b9096439765645a246d69f6ebf8b71bf340f6a641501114cd3be9f.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  PID: 1288
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
    PID: 3492
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\023c44af72b9096439765645a246d69f6ebf8b71bf340f6a641501114cd3be9f.exe"
    Signatures: Suspicious use of WriteProcessMemory
    PID: 4312
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
      PID: 1048
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
  PID: 4844
- [1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
  PID: 2840
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 7a2a05caebb38c28f9b3ffdbcc8d7965
  SHA1: 19061a5c24c5896496059638c07f9b8c98c8aae0
  SHA256: 246e654e4223e84b55719e78998ad3eb14fd2b60c8476278015d95a83583dcaa
  SHA512: 596107ddd59b0b75d311592001bc1ab7b7ad811ffeb5143cfd9539ef0c5f9dc874103dbd65f24e14561342a4c720562aa4d3bdd4acd396814fed2adc3dda49a2
- memory/4844-132-0x000001D274BA0000-0x000001D274BB0000-memory.dmp
  Filesize: 64KB
- memory/4844-133-0x000001D275380000-0x000001D275390000-memory.dmp
  Filesize: 64KB
- memory/4844-134-0x000001D277F80000-0x000001D277F84000-memory.dmp
  Filesize: 16KB