Analysis
- max time kernel: 135s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 06:28
Static task: static1
Behavioral task: behavioral1
- Sample: 0fedc7dc4ab522c8847cbe0418e8c60640ed90fefbe8d38d1b00e72122bde914.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0fedc7dc4ab522c8847cbe0418e8c60640ed90fefbe8d38d1b00e72122bde914.exe
- Resource: win10v2004-en-20220113
General
- Target: 0fedc7dc4ab522c8847cbe0418e8c60640ed90fefbe8d38d1b00e72122bde914.exe
- Size: 58KB
- MD5: 7e8dfa736952b906c1d426bc47a9cf26
- SHA1: 56bf1064f3f8b7902baa3d808709379960bf43f4
- SHA256: 0fedc7dc4ab522c8847cbe0418e8c60640ed90fefbe8d38d1b00e72122bde914
- SHA512: d48524bc5ccd2751317d819e3925ea9a66af0586e6abfca8b451860e5b963d98b020cde24f84d29f4a51fcf3e7067400c3c2eca72216865320e4fc136bf25f6e
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
    pid 5000, process MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 0fedc7dc4ab522c8847cbe0418e8c60640ed90fefbe8d38d1b00e72122bde914.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (process: 0fedc7dc4ab522c8847cbe0418e8c60640ed90fefbe8d38d1b00e72122bde914.exe)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 0fedc7dc4ab522c8847cbe0418e8c60640ed90fefbe8d38d1b00e72122bde914.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (process: 0fedc7dc4ab522c8847cbe0418e8c60640ed90fefbe8d38d1b00e72122bde914.exe)
- Drops file in Windows directory (8 IoCs)
  Processes: TiWorker.exe, svchost.exe
    File opened for modification: C:\Windows\WinSxS\pending.xml (process: TiWorker.exe)
    File opened for modification: C:\Windows\WindowsUpdate.log (process: svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (process: svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (process: svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (process: svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (process: svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (process: svchost.exe)
    File opened for modification: C:\Windows\Logs\CBS\CBS.log (process: TiWorker.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, 0fedc7dc4ab522c8847cbe0418e8c60640ed90fefbe8d38d1b00e72122bde914.exe, TiWorker.exe
    pid 524, process svchost.exe: Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, alternating, 3 times each
    pid 3600, process 0fedc7dc4ab522c8847cbe0418e8c60640ed90fefbe8d38d1b00e72122bde914.exe: Token: SeIncBasePriorityPrivilege
    pid 4544, process TiWorker.exe: Token: SeSecurityPrivilege, Token: SeRestorePrivilege, Token: SeBackupPrivilege, repeated in that cycle for all remaining entries
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 0fedc7dc4ab522c8847cbe0418e8c60640ed90fefbe8d38d1b00e72122bde914.exe, cmd.exe
    PID 3600 (0fedc7dc4ab522c8847cbe0418e8c60640ed90fefbe8d38d1b00e72122bde914.exe) wrote to memory of PID 5000 (MediaCenter.exe), 3 times
    PID 3600 (0fedc7dc4ab522c8847cbe0418e8c60640ed90fefbe8d38d1b00e72122bde914.exe) wrote to memory of PID 4652 (cmd.exe), 3 times
    PID 4652 (cmd.exe) wrote to memory of PID 736 (PING.EXE), 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\0fedc7dc4ab522c8847cbe0418e8c60640ed90fefbe8d38d1b00e72122bde914.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0fedc7dc4ab522c8847cbe0418e8c60640ed90fefbe8d38d1b00e72122bde914.exe"
  PID: 3600
  Signatures:
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 5000
    Signatures:
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0fedc7dc4ab522c8847cbe0418e8c60640ed90fefbe8d38d1b00e72122bde914.exe"
    PID: 4652
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 736
      Signatures:
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 524
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 4544
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: e6aad5b7e76574b0cb0439f4e0a1af48
  SHA1: 873ad0dd33aceea45aaba8cbf61cc43c6824b8f0
  SHA256: 53df96365d5304159354b8e365d085904ee7e699bd304a9b50ecf1911da933bc
  SHA512: 6d28bda440cb79464a09fc5e9de3d369a1cf3091be0c2fa57cb0cfc35ffadf5efc291a124c272ecd68fdd58945283bd1b1626209a400485750e34551ac9aaaa2