Analysis
- max time kernel: 146s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 06:26
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 0ffad3e898a7ccf294a879b6a6436984a7a53f125cb5916f0c0936fe55d4b215.exe
  - Resource: win7-en-20211208
- Behavioral task: behavioral2
  - Sample: 0ffad3e898a7ccf294a879b6a6436984a7a53f125cb5916f0c0936fe55d4b215.exe
  - Resource: win10v2004-en-20220113
General
- Target: 0ffad3e898a7ccf294a879b6a6436984a7a53f125cb5916f0c0936fe55d4b215.exe
- Size: 60KB
- MD5: 8fdfdfb77d5f5c30aefbacc62c921d30
- SHA1: 80e72ba96a8a51ce827b2a202a99d08abb382377
- SHA256: 0ffad3e898a7ccf294a879b6a6436984a7a53f125cb5916f0c0936fe55d4b215
- SHA512: 0a9ec4105665125e8acd437a42c5ab6dfc72370c72af07a10b22cb4ca0e905884fed50ca32eb8f0764af550c5fad85dbf45ea0102fc14accbd5858a1f404f548
Malware Config
Signatures
- Executes dropped EXE (1 IoC)

Processes:

| PID | Process |
|-----|---------|
| 760 | MediaCenter.exe |
- Checks computer location settings (2 TTPs, 1 IoC)

Looks up country code configured in the registry, likely geofence.

Processes:

| Description | IoC | Process |
|-------------|-----|---------|
| Key value queried | `\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation` | 0ffad3e898a7ccf294a879b6a6436984a7a53f125cb5916f0c0936fe55d4b215.exe |
- Adds Run key to start application (2 TTPs, 1 IoC)

Processes:

| Description | IoC | Process |
|-------------|-----|---------|
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"` | 0ffad3e898a7ccf294a879b6a6436984a7a53f125cb5916f0c0936fe55d4b215.exe |
- Drops file in Windows directory (8 IoCs)

Processes:

| Description | IoC | Process |
|-------------|-----|---------|
| File opened for modification | `C:\Windows\WindowsUpdate.log` | svchost.exe |
| File opened for modification | `C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk` | svchost.exe |
| File opened for modification | `C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log` | svchost.exe |
| File opened for modification | `C:\Windows\SoftwareDistribution\DataStore\DataStore.edb` | svchost.exe |
| File opened for modification | `C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm` | svchost.exe |
| File opened for modification | `C:\Windows\SoftwareDistribution\ReportingEvents.log` | svchost.exe |
| File opened for modification | `C:\Windows\Logs\CBS\CBS.log` | TiWorker.exe |
| File opened for modification | `C:\Windows\WinSxS\pending.xml` | TiWorker.exe |
- Enumerates physical storage devices (1 TTP)

Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)

Processes:

| Token | PID | Process |
|-------|-----|---------|
| SeShutdownPrivilege | 376 | svchost.exe |
| SeCreatePagefilePrivilege | 376 | svchost.exe |
| SeShutdownPrivilege | 376 | svchost.exe |
| SeCreatePagefilePrivilege | 376 | svchost.exe |
| SeShutdownPrivilege | 376 | svchost.exe |
| SeCreatePagefilePrivilege | 376 | svchost.exe |
| SeIncBasePriorityPrivilege | 3124 | 0ffad3e898a7ccf294a879b6a6436984a7a53f125cb5916f0c0936fe55d4b215.exe |
| SeSecurityPrivilege | 3712 | TiWorker.exe |
| SeRestorePrivilege | 3712 | TiWorker.exe |
| SeBackupPrivilege | 3712 | TiWorker.exe |
| SeBackupPrivilege | 3712 | TiWorker.exe |
| SeRestorePrivilege | 3712 | TiWorker.exe |
| SeSecurityPrivilege | 3712 | TiWorker.exe |
| SeBackupPrivilege | 3712 | TiWorker.exe |
| SeRestorePrivilege | 3712 | TiWorker.exe |
| SeSecurityPrivilege | 3712 | TiWorker.exe |
| SeBackupPrivilege | 3712 | TiWorker.exe |
| SeRestorePrivilege | 3712 | TiWorker.exe |
| SeSecurityPrivilege | 3712 | TiWorker.exe |
| SeBackupPrivilege | 3712 | TiWorker.exe |
| SeRestorePrivilege | 3712 | TiWorker.exe |
| SeSecurityPrivilege | 3712 | TiWorker.exe |
| SeBackupPrivilege | 3712 | TiWorker.exe |
| SeRestorePrivilege | 3712 | TiWorker.exe |
| SeSecurityPrivilege | 3712 | TiWorker.exe |
| SeBackupPrivilege | 3712 | TiWorker.exe |
| SeRestorePrivilege | 3712 | TiWorker.exe |
| SeSecurityPrivilege | 3712 | TiWorker.exe |
| SeBackupPrivilege | 3712 | TiWorker.exe |
| SeRestorePrivilege | 3712 | TiWorker.exe |
| SeSecurityPrivilege | 3712 | TiWorker.exe |
| SeBackupPrivilege | 3712 | TiWorker.exe |
| SeRestorePrivilege | 3712 | TiWorker.exe |
| SeSecurityPrivilege | 3712 | TiWorker.exe |
| SeBackupPrivilege | 3712 | TiWorker.exe |
| SeRestorePrivilege | 3712 | TiWorker.exe |
| SeSecurityPrivilege | 3712 | TiWorker.exe |
| SeBackupPrivilege | 3712 | TiWorker.exe |
| SeRestorePrivilege | 3712 | TiWorker.exe |
| SeSecurityPrivilege | 3712 | TiWorker.exe |
| SeBackupPrivilege | 3712 | TiWorker.exe |
| SeRestorePrivilege | 3712 | TiWorker.exe |
| SeSecurityPrivilege | 3712 | TiWorker.exe |
| SeBackupPrivilege | 3712 | TiWorker.exe |
| SeRestorePrivilege | 3712 | TiWorker.exe |
| SeSecurityPrivilege | 3712 | TiWorker.exe |
| SeBackupPrivilege | 3712 | TiWorker.exe |
| SeRestorePrivilege | 3712 | TiWorker.exe |
| SeSecurityPrivilege | 3712 | TiWorker.exe |
| SeBackupPrivilege | 3712 | TiWorker.exe |
| SeRestorePrivilege | 3712 | TiWorker.exe |
| SeSecurityPrivilege | 3712 | TiWorker.exe |
| SeBackupPrivilege | 3712 | TiWorker.exe |
| SeRestorePrivilege | 3712 | TiWorker.exe |
| SeSecurityPrivilege | 3712 | TiWorker.exe |
| SeBackupPrivilege | 3712 | TiWorker.exe |
| SeRestorePrivilege | 3712 | TiWorker.exe |
| SeSecurityPrivilege | 3712 | TiWorker.exe |
| SeBackupPrivilege | 3712 | TiWorker.exe |
| SeRestorePrivilege | 3712 | TiWorker.exe |
| SeSecurityPrivilege | 3712 | TiWorker.exe |
| SeBackupPrivilege | 3712 | TiWorker.exe |
| SeRestorePrivilege | 3712 | TiWorker.exe |
| SeSecurityPrivilege | 3712 | TiWorker.exe |
- Suspicious use of WriteProcessMemory (9 IoCs)

Processes:

| Description | PID | Process | Target process |
|-------------|-----|---------|----------------|
| PID 3124 wrote to memory of 760 | 3124 | 0ffad3e898a7ccf294a879b6a6436984a7a53f125cb5916f0c0936fe55d4b215.exe | MediaCenter.exe |
| PID 3124 wrote to memory of 760 | 3124 | 0ffad3e898a7ccf294a879b6a6436984a7a53f125cb5916f0c0936fe55d4b215.exe | MediaCenter.exe |
| PID 3124 wrote to memory of 760 | 3124 | 0ffad3e898a7ccf294a879b6a6436984a7a53f125cb5916f0c0936fe55d4b215.exe | MediaCenter.exe |
| PID 3124 wrote to memory of 3840 | 3124 | 0ffad3e898a7ccf294a879b6a6436984a7a53f125cb5916f0c0936fe55d4b215.exe | cmd.exe |
| PID 3124 wrote to memory of 3840 | 3124 | 0ffad3e898a7ccf294a879b6a6436984a7a53f125cb5916f0c0936fe55d4b215.exe | cmd.exe |
| PID 3124 wrote to memory of 3840 | 3124 | 0ffad3e898a7ccf294a879b6a6436984a7a53f125cb5916f0c0936fe55d4b215.exe | cmd.exe |
| PID 3840 wrote to memory of 432 | 3840 | cmd.exe | PING.EXE |
| PID 3840 wrote to memory of 432 | 3840 | cmd.exe | PING.EXE |
| PID 3840 wrote to memory of 432 | 3840 | cmd.exe | PING.EXE |
Processes

- `C:\Users\Admin\AppData\Local\Temp\0ffad3e898a7ccf294a879b6a6436984a7a53f125cb5916f0c0936fe55d4b215.exe` (PID 3124)
  - Command line: `"C:\Users\Admin\AppData\Local\Temp\0ffad3e898a7ccf294a879b6a6436984a7a53f125cb5916f0c0936fe55d4b215.exe"`
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: `C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe` (PID 760)
    - Command line: `C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe`
    - Executes dropped EXE
  - Child: `C:\Windows\SysWOW64\cmd.exe` (PID 3840)
    - Command line: `"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ffad3e898a7ccf294a879b6a6436984a7a53f125cb5916f0c0936fe55d4b215.exe"`
    - Suspicious use of WriteProcessMemory
    - Child: `C:\Windows\SysWOW64\PING.EXE` (PID 432)
      - Command line: `ping 127.0.0.1`
      - Runs ping.exe
- `C:\Windows\system32\svchost.exe` (PID 376)
  - Command line: `C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv`
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- `C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe` (PID 3712)
  - Command line: `C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding`
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 7d72a88b51748c7aa53fd1449da8d478
- SHA1: e5f0f19f6a95379ce063af54c0fd1e416ef2d5a1
- SHA256: f6d7763fab11cb9371b4838cc66270900a52c27866bf7cae2e7f5236f5feb0c5
- SHA512: 67c009e77d720f4c4080aa95622be2207867a9f9b811495839cfd69154a063bb7fbc8b86771cd6500e85aa4507c374258351665e62f4b3f1e549c32039281de1