Analysis
- max time kernel: 153s
- max time network: 179s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 06:26
Static task: static1
Behavioral task: behavioral1
- Sample: 0ffd3356c933d26327d5ec17145c6563b16d32ebe81ae1896abb725891724fbd.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0ffd3356c933d26327d5ec17145c6563b16d32ebe81ae1896abb725891724fbd.exe
- Resource: win10v2004-en-20220113
General
- Target: 0ffd3356c933d26327d5ec17145c6563b16d32ebe81ae1896abb725891724fbd.exe
- Size: 36KB
- MD5: 7820fa15307cb7ce02052c6fbd9a6ee1
- SHA1: 73b91391fab770694e7f151d04e96134f98e96c0
- SHA256: 0ffd3356c933d26327d5ec17145c6563b16d32ebe81ae1896abb725891724fbd
- SHA512: 654ed8cb4b376ce7967014bbeefcf9658fed73b1d0a451920a6616f6b74605b021b5780c988336e31a8a78d57719d83fc954451804f1498d7d96c749ff9c1671
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 4888 MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: 0ffd3356c933d26327d5ec17145c6563b16d32ebe81ae1896abb725891724fbd.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 0ffd3356c933d26327d5ec17145c6563b16d32ebe81ae1896abb725891724fbd.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Note: the value is written to the machine-wide Run key (in its 32-bit WOW6432Node view, so the sample is a 32-bit process) but points into the user's AppData\Local\Temp, a location no legitimate installer uses for an autostart binary. The value name MicroMedia and the MicroMedia\MediaCenter.exe path are the durable host artifacts to hunt for.
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
  File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  svchost.exe
  File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  svchost.exe
  File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log  svchost.exe
  File opened for modification C:\Windows\Logs\CBS\CBS.log  TiWorker.exe
  File opened for modification C:\Windows\WinSxS\pending.xml  TiWorker.exe
  File opened for modification C:\Windows\WindowsUpdate.log  svchost.exe
  File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  svchost.exe
  File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  svchost.exe
  Note: every file here is touched by svchost.exe (the wuauserv Windows Update service, PID 2884) or TiWorker.exe (the servicing stack worker, PID 5092). Both are root processes in the process tree, not descendants of the sample, and the paths are the Windows Update datastore and CBS logs, so this signature reflects sandbox background activity rather than behaviour of the sample.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (No IoCs are listed for this signature, so it should not be weighted on its own.)
- Runs ping.exe (1 TTP, 1 IoC)
  Processes: pid 2320 PING.EXE, "ping 127.0.0.1", spawned by cmd.exe PID 1876 as the delay in the sample's self-deletion command.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, 0ffd3356c933d26327d5ec17145c6563b16d32ebe81ae1896abb725891724fbd.exe, TiWorker.exe
  Token: SeShutdownPrivilege / SeCreatePagefilePrivilege  pid 2884 svchost.exe  (alternating, 6 entries)
  Token: SeIncBasePriorityPrivilege  pid 1488 0ffd3356c933d26327d5ec17145c6563b16d32ebe81ae1896abb725891724fbd.exe  (1 entry)
  Token: SeSecurityPrivilege / SeRestorePrivilege / SeBackupPrivilege  pid 5092 TiWorker.exe  (all remaining entries, cycling through these three privileges)
  Note: only the single SeIncBasePriorityPrivilege adjustment is the sample's own. The svchost.exe and TiWorker.exe entries are Windows Update and component servicing activity that ran during the analysis window and account for nearly all of the 64 IoCs.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 0ffd3356c933d26327d5ec17145c6563b16d32ebe81ae1896abb725891724fbd.exe, cmd.exe
  PID 1488 (0ffd3356c933d26327d5ec17145c6563b16d32ebe81ae1896abb725891724fbd.exe) wrote to memory of PID 4888 (MediaCenter.exe)  x3
  PID 1488 (0ffd3356c933d26327d5ec17145c6563b16d32ebe81ae1896abb725891724fbd.exe) wrote to memory of PID 1876 (cmd.exe)  x3
  PID 1876 (cmd.exe) wrote to memory of PID 2320 (PING.EXE)  x3
  Note: each write targets a process the writer itself spawned, matching the parent/child edges of the process tree exactly. That is the pattern of ordinary process creation, not of injection into an unrelated, already-running process.
Processes
- C:\Users\Admin\AppData\Local\Temp\0ffd3356c933d26327d5ec17145c6563b16d32ebe81ae1896abb725891724fbd.exe  (PID 1488)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ffd3356c933d26327d5ec17145c6563b16d32ebe81ae1896abb725891724fbd.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 4888)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe  (PID 1876)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ffd3356c933d26327d5ec17145c6563b16d32ebe81ae1896abb725891724fbd.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE  (PID 2320)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe  (PID 2884)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  (PID 5092)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample (PID 1488) drops MediaCenter.exe into a MicroMedia subfolder of its own Temp directory, runs it, and then spawns cmd.exe with "ping 127.0.0.1 & del /q <its own path>". The ping is nothing but a delay: it gives the parent time to exit so that its image file is no longer locked, after which del removes the original dropper. The intended end state is that only MicroMedia\MediaCenter.exe and the Run value under WOW6432Node remain, so those are the artifacts to check on a suspected host rather than the submitted file name. The requested System32\cmd.exe resolving to SysWOW64\cmd.exe is WOW64 file-system redirection for a 32-bit process, consistent with the Run value landing in the WOW6432Node view of HKLM. svchost.exe (wuauserv) and TiWorker.exe are separate root processes belonging to Windows Update on the sandbox VM, not to the sample.
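The behaviours flagged in the Signatures section (the Geo\Nation lookup, the Run value pointing into AppData\Local\Temp, execution of the dropped MediaCenter.exe) and the ping-then-del chain in the process tree above, expressed as detection rules over a constructed Sysmon-style event stream. This is an added example and is not part of the sandbox report or of its signature engine: the event records are hand-built from the report, the sample's parent PID 1234 and svchost.exe's parent PID 700 are assumptions, and the regexes and rule names are the example's own.

```python
import re

# Constructed Sysmon-style events mirroring the report's signatures and process
# tree. Hand-written for this example, not real telemetry. The sample's parent
# PID (1234) and svchost.exe's parent PID (700) are assumptions.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0ffd3356c933d26327d5ec17145c6563b16d32ebe81ae1896abb725891724fbd.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
GEO_KEY = (r"HKU\S-1-5-21-1346565761-3498240568-4147300184-1000"
           r"\Control Panel\International\Geo\Nation")
RUN_VALUE = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia"

EVENTS = [
    {"type": "ProcessCreate", "pid": 1488, "ppid": 1234, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"type": "RegistryQuery", "pid": 1488, "key": GEO_KEY},
    {"type": "FileCreate", "pid": 1488, "path": DROPPED},
    {"type": "RegistrySet", "pid": 1488, "key": RUN_VALUE, "value": DROPPED},
    {"type": "ProcessCreate", "pid": 4888, "ppid": 1488, "image": DROPPED,
     "cmdline": DROPPED},
    {"type": "ProcessCreate", "pid": 1876, "ppid": 1488,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'},
    {"type": "ProcessCreate", "pid": 2320, "ppid": 1876,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    # Windows Update noise from the same run; the rules must stay quiet on it.
    {"type": "ProcessCreate", "pid": 2884, "ppid": 700,
     "image": r"C:\Windows\system32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"},
]

# Patterns are this example's own, not the sandbox's signature logic.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|ProgramData)\\", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
DEL_TARGET = re.compile(r'\bdel\b[^"]*"([^"]+)"', re.I)  # quoted path after "del /q"


def detect(events):
    """Return (rule, pid, detail) tuples, in event order, for the behaviours above."""
    image_of = {}    # pid -> image path, filled from ProcessCreate events
    created_by = {}  # lower-cased file path -> pid that wrote it
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "ProcessCreate":
            image_of[ev["pid"]] = ev["image"]
            img = ev["image"].lower()
            # Executes dropped EXE: the parent wrote this file earlier in the stream.
            if created_by.get(img) == ev["ppid"]:
                findings.append(("executes_dropped_exe", ev["pid"], ev["image"]))
            # Self-deletion: cmd.exe whose del target is its own parent's image.
            # The leading ping only delays until the parent has exited and its
            # file is no longer locked.
            if img.endswith("\\cmd.exe"):
                m = DEL_TARGET.search(ev["cmdline"])
                parent = image_of.get(ev["ppid"], "")
                if m and parent and m.group(1).lower() == parent.lower():
                    findings.append(("self_delete_parent", ev["ppid"], parent))
        elif kind == "FileCreate":
            created_by[ev["path"].lower()] = ev["pid"]
        elif kind == "RegistryQuery" and GEO_NATION.search(ev["key"]):
            findings.append(("geofence_check", ev["pid"], ev["key"]))
        elif kind == "RegistrySet" and RUN_KEY.search(ev["key"]):
            # A Run value on its own is common; one pointing into a user-writable
            # directory such as AppData\Local\Temp is the part worth alerting on.
            rule = "run_key_user_writable" if USER_WRITABLE.search(ev["value"]) else "run_key"
            findings.append((rule, ev["pid"], ev["value"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:22} pid={pid}  {detail}")
```

The self-deletion rule is the one worth copying: it keys on the del target being equal to the parent's own image rather than on the presence of ping, so a cleanup script that pings a host and then deletes a log file does not trip it, while the idiom in this report does.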
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: dd9ba92b3fe2614b6d07edddc26a4554
  SHA1: ec48edf5b85e8fcfed254e6d2b7bb7a781cad1b7
  SHA256: da49e62e94a9de5493b5c621519d3429a9ee2772769b59d3056152c73ff8fd35
  SHA512: 754f333072a242b57ef509b92efa72d20542514836760bfc33ea72020d8848338d869a7eaab4cadb1dc864bd65a36eca73a45eb294eb46a0e6e02a7fe91feb3e
  Note: these hashes differ from those of the submitted sample in the General section, so this is a different file produced during the run.