Analysis

max time kernel: 131s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 06:29
Static task: static1

Behavioral task: behavioral1
  Sample: 0fd709aa8bd53c6973f5ddc829b0309cefeb5e81565b857f04a9c1c1eaba8813.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 0fd709aa8bd53c6973f5ddc829b0309cefeb5e81565b857f04a9c1c1eaba8813.exe
  Resource: win10v2004-en-20220113
General

Target: 0fd709aa8bd53c6973f5ddc829b0309cefeb5e81565b857f04a9c1c1eaba8813.exe
Size: 60KB
MD5: 1dfbddf013edb1383cf8faed6546e2df
SHA1: 0255db0ad1e64d9af9155a9ea2042583f6e8f15d
SHA256: 0fd709aa8bd53c6973f5ddc829b0309cefeb5e81565b857f04a9c1c1eaba8813
SHA512: b1e17eb017f1db3e7d0eee347492c3b3f6abce90206981453a357e77ab7ede4a29035398311e9243dbea82c5dc0bdb7fc248470e97372989f221c4048ae01c1c
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
Processes:
  pid   process
  4592  MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0fd709aa8bd53c6973f5ddc829b0309cefeb5e81565b857f04a9c1c1eaba8813.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0fd709aa8bd53c6973f5ddc829b0309cefeb5e81565b857f04a9c1c1eaba8813.exe
Drops file in Windows directory (8 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 792 | svchost.exe
  Token: SeCreatePagefilePrivilege | 792 | svchost.exe
  Token: SeShutdownPrivilege | 792 | svchost.exe
  Token: SeCreatePagefilePrivilege | 792 | svchost.exe
  Token: SeShutdownPrivilege | 792 | svchost.exe
  Token: SeCreatePagefilePrivilege | 792 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 1540 | 0fd709aa8bd53c6973f5ddc829b0309cefeb5e81565b857f04a9c1c1eaba8813.exe
  Token: SeSecurityPrivilege | 4616 | TiWorker.exe
  Token: SeRestorePrivilege | 4616 | TiWorker.exe
  Token: SeBackupPrivilege | 4616 | TiWorker.exe
  Token: SeBackupPrivilege | 4616 | TiWorker.exe
  Token: SeRestorePrivilege | 4616 | TiWorker.exe
  Token: SeSecurityPrivilege | 4616 | TiWorker.exe
  Token: SeBackupPrivilege | 4616 | TiWorker.exe
  Token: SeRestorePrivilege | 4616 | TiWorker.exe
  Token: SeSecurityPrivilege | 4616 | TiWorker.exe
  Token: SeBackupPrivilege | 4616 | TiWorker.exe
  Token: SeRestorePrivilege | 4616 | TiWorker.exe
  Token: SeSecurityPrivilege | 4616 | TiWorker.exe
  Token: SeBackupPrivilege | 4616 | TiWorker.exe
  Token: SeRestorePrivilege | 4616 | TiWorker.exe
  Token: SeSecurityPrivilege | 4616 | TiWorker.exe
  Token: SeBackupPrivilege | 4616 | TiWorker.exe
  Token: SeRestorePrivilege | 4616 | TiWorker.exe
  Token: SeSecurityPrivilege | 4616 | TiWorker.exe
  Token: SeBackupPrivilege | 4616 | TiWorker.exe
  Token: SeRestorePrivilege | 4616 | TiWorker.exe
  Token: SeSecurityPrivilege | 4616 | TiWorker.exe
  Token: SeBackupPrivilege | 4616 | TiWorker.exe
  Token: SeRestorePrivilege | 4616 | TiWorker.exe
  Token: SeSecurityPrivilege | 4616 | TiWorker.exe
  Token: SeBackupPrivilege | 4616 | TiWorker.exe
  Token: SeRestorePrivilege | 4616 | TiWorker.exe
  Token: SeSecurityPrivilege | 4616 | TiWorker.exe
  Token: SeBackupPrivilege | 4616 | TiWorker.exe
  Token: SeRestorePrivilege | 4616 | TiWorker.exe
  Token: SeSecurityPrivilege | 4616 | TiWorker.exe
  Token: SeBackupPrivilege | 4616 | TiWorker.exe
  Token: SeRestorePrivilege | 4616 | TiWorker.exe
  Token: SeSecurityPrivilege | 4616 | TiWorker.exe
  Token: SeBackupPrivilege | 4616 | TiWorker.exe
  Token: SeRestorePrivilege | 4616 | TiWorker.exe
  Token: SeSecurityPrivilege | 4616 | TiWorker.exe
  Token: SeBackupPrivilege | 4616 | TiWorker.exe
  Token: SeRestorePrivilege | 4616 | TiWorker.exe
  Token: SeSecurityPrivilege | 4616 | TiWorker.exe
  Token: SeBackupPrivilege | 4616 | TiWorker.exe
  Token: SeRestorePrivilege | 4616 | TiWorker.exe
  Token: SeSecurityPrivilege | 4616 | TiWorker.exe
  Token: SeBackupPrivilege | 4616 | TiWorker.exe
  Token: SeRestorePrivilege | 4616 | TiWorker.exe
  Token: SeSecurityPrivilege | 4616 | TiWorker.exe
  Token: SeBackupPrivilege | 4616 | TiWorker.exe
  Token: SeRestorePrivilege | 4616 | TiWorker.exe
  Token: SeSecurityPrivilege | 4616 | TiWorker.exe
  Token: SeBackupPrivilege | 4616 | TiWorker.exe
  Token: SeRestorePrivilege | 4616 | TiWorker.exe
  Token: SeSecurityPrivilege | 4616 | TiWorker.exe
  Token: SeBackupPrivilege | 4616 | TiWorker.exe
  Token: SeRestorePrivilege | 4616 | TiWorker.exe
  Token: SeSecurityPrivilege | 4616 | TiWorker.exe
  Token: SeBackupPrivilege | 4616 | TiWorker.exe
  Token: SeRestorePrivilege | 4616 | TiWorker.exe
  Token: SeSecurityPrivilege | 4616 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description | pid | process | target process
  PID 1540 wrote to memory of 4592 | 1540 | 0fd709aa8bd53c6973f5ddc829b0309cefeb5e81565b857f04a9c1c1eaba8813.exe | MediaCenter.exe
  PID 1540 wrote to memory of 4592 | 1540 | 0fd709aa8bd53c6973f5ddc829b0309cefeb5e81565b857f04a9c1c1eaba8813.exe | MediaCenter.exe
  PID 1540 wrote to memory of 4592 | 1540 | 0fd709aa8bd53c6973f5ddc829b0309cefeb5e81565b857f04a9c1c1eaba8813.exe | MediaCenter.exe
  PID 1540 wrote to memory of 3080 | 1540 | 0fd709aa8bd53c6973f5ddc829b0309cefeb5e81565b857f04a9c1c1eaba8813.exe | cmd.exe
  PID 1540 wrote to memory of 3080 | 1540 | 0fd709aa8bd53c6973f5ddc829b0309cefeb5e81565b857f04a9c1c1eaba8813.exe | cmd.exe
  PID 1540 wrote to memory of 3080 | 1540 | 0fd709aa8bd53c6973f5ddc829b0309cefeb5e81565b857f04a9c1c1eaba8813.exe | cmd.exe
  PID 3080 wrote to memory of 4980 | 3080 | cmd.exe | PING.EXE
  PID 3080 wrote to memory of 4980 | 3080 | cmd.exe | PING.EXE
  PID 3080 wrote to memory of 4980 | 3080 | cmd.exe | PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\0fd709aa8bd53c6973f5ddc829b0309cefeb5e81565b857f04a9c1c1eaba8813.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0fd709aa8bd53c6973f5ddc829b0309cefeb5e81565b857f04a9c1c1eaba8813.exe"
  PID: 1540
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (child of PID 1540)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 4592
      - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe (child of PID 1540)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0fd709aa8bd53c6973f5ddc829b0309cefeb5e81565b857f04a9c1c1eaba8813.exe"
      PID: 3080
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\PING.EXE (child of PID 3080)
          Command line: ping 127.0.0.1
          PID: 4980
          - Runs ping.exe

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 792
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 4616
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: f06307a4445b852cf8be5c109e62b683
SHA1: 65a9f8516de909a00364033c54da096d82a50533
SHA256: b954a60aa412ebd58ecfc1ca185dee0348d629ad0a20524bac2e3b9872b38ac0
SHA512: d64ebd191cf3285245093ec78af778eaf83648aa3c9072621fa13400a6fe9703c0905e51711ae301034042491925c501868016cefa415343c2d1a21a7c4bcb4b