Analysis
max time kernel: 148s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 07:14

Static task: static1

Behavioral task: behavioral1
Sample: 0e261ea9135232c1e44b01e117e1eaf3133b999787533f9e4ca5c8b4267ceb9a.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 0e261ea9135232c1e44b01e117e1eaf3133b999787533f9e4ca5c8b4267ceb9a.exe
Resource: win10v2004-en-20220113
General
Target: 0e261ea9135232c1e44b01e117e1eaf3133b999787533f9e4ca5c8b4267ceb9a.exe
Size: 60KB
MD5: 44c4ffee7df85e235384277fa0d85bb3
SHA1: 81faacb91044693c1ad33e0966890696156eee32
SHA256: 0e261ea9135232c1e44b01e117e1eaf3133b999787533f9e4ca5c8b4267ceb9a
SHA512: a179486f476acab50fb22ae575486a7ad51f3fe32a688c9cf8729d55ce20a7a3ea9840aac05cc98c0cb13c89bff5e803a10bf5f4275a702f99845c217cba70ce
Malware Config
Signatures

- Executes dropped EXE (1 IoCs)
Processes:
pid   process
3148  MediaCenter.exe

- Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc                                                                                                   process
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  0e261ea9135232c1e44b01e117e1eaf3133b999787533f9e4ca5c8b4267ceb9a.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description      ioc                                                                                                                                                                         process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0e261ea9135232c1e44b01e117e1eaf3133b999787533f9e4ca5c8b4267ceb9a.exe
- Drops file in Windows directory (8 IoCs)
Processes:
description                    ioc                                                         process
File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk      svchost.exe
File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log      svchost.exe
File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.edb     svchost.exe
File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm     svchost.exe
File opened for modification   C:\Windows\SoftwareDistribution\ReportingEvents.log         svchost.exe
File opened for modification   C:\Windows\Logs\CBS\CBS.log                                 TiWorker.exe
File opened for modification   C:\Windows\WinSxS\pending.xml                               TiWorker.exe
File opened for modification   C:\Windows\WindowsUpdate.log                                svchost.exe

- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
description                          pid   process
Token: SeShutdownPrivilege           2396  svchost.exe
Token: SeCreatePagefilePrivilege     2396  svchost.exe
Token: SeShutdownPrivilege           2396  svchost.exe
Token: SeCreatePagefilePrivilege     2396  svchost.exe
Token: SeShutdownPrivilege           2396  svchost.exe
Token: SeCreatePagefilePrivilege     2396  svchost.exe
Token: SeIncBasePriorityPrivilege    4940  0e261ea9135232c1e44b01e117e1eaf3133b999787533f9e4ca5c8b4267ceb9a.exe
Token: SeSecurityPrivilege           1228  TiWorker.exe
Token: SeRestorePrivilege            1228  TiWorker.exe
Token: SeBackupPrivilege             1228  TiWorker.exe
Token: SeBackupPrivilege             1228  TiWorker.exe
Token: SeRestorePrivilege            1228  TiWorker.exe
Token: SeSecurityPrivilege           1228  TiWorker.exe
Token: SeBackupPrivilege             1228  TiWorker.exe
Token: SeRestorePrivilege            1228  TiWorker.exe
Token: SeSecurityPrivilege           1228  TiWorker.exe
Token: SeBackupPrivilege             1228  TiWorker.exe
Token: SeRestorePrivilege            1228  TiWorker.exe
Token: SeSecurityPrivilege           1228  TiWorker.exe
Token: SeBackupPrivilege             1228  TiWorker.exe
Token: SeRestorePrivilege            1228  TiWorker.exe
Token: SeSecurityPrivilege           1228  TiWorker.exe
Token: SeBackupPrivilege             1228  TiWorker.exe
Token: SeRestorePrivilege            1228  TiWorker.exe
Token: SeSecurityPrivilege           1228  TiWorker.exe
Token: SeBackupPrivilege             1228  TiWorker.exe
Token: SeRestorePrivilege            1228  TiWorker.exe
Token: SeSecurityPrivilege           1228  TiWorker.exe
Token: SeBackupPrivilege             1228  TiWorker.exe
Token: SeRestorePrivilege            1228  TiWorker.exe
Token: SeSecurityPrivilege           1228  TiWorker.exe
Token: SeBackupPrivilege             1228  TiWorker.exe
Token: SeRestorePrivilege            1228  TiWorker.exe
Token: SeSecurityPrivilege           1228  TiWorker.exe
Token: SeBackupPrivilege             1228  TiWorker.exe
Token: SeRestorePrivilege            1228  TiWorker.exe
Token: SeSecurityPrivilege           1228  TiWorker.exe
Token: SeBackupPrivilege             1228  TiWorker.exe
Token: SeRestorePrivilege            1228  TiWorker.exe
Token: SeSecurityPrivilege           1228  TiWorker.exe
Token: SeBackupPrivilege             1228  TiWorker.exe
Token: SeRestorePrivilege            1228  TiWorker.exe
Token: SeSecurityPrivilege           1228  TiWorker.exe
Token: SeBackupPrivilege             1228  TiWorker.exe
Token: SeRestorePrivilege            1228  TiWorker.exe
Token: SeSecurityPrivilege           1228  TiWorker.exe
Token: SeBackupPrivilege             1228  TiWorker.exe
Token: SeRestorePrivilege            1228  TiWorker.exe
Token: SeSecurityPrivilege           1228  TiWorker.exe
Token: SeBackupPrivilege             1228  TiWorker.exe
Token: SeRestorePrivilege            1228  TiWorker.exe
Token: SeSecurityPrivilege           1228  TiWorker.exe
Token: SeBackupPrivilege             1228  TiWorker.exe
Token: SeRestorePrivilege            1228  TiWorker.exe
Token: SeSecurityPrivilege           1228  TiWorker.exe
Token: SeBackupPrivilege             1228  TiWorker.exe
Token: SeRestorePrivilege            1228  TiWorker.exe
Token: SeSecurityPrivilege           1228  TiWorker.exe
Token: SeBackupPrivilege             1228  TiWorker.exe
Token: SeRestorePrivilege            1228  TiWorker.exe
Token: SeSecurityPrivilege           1228  TiWorker.exe
Token: SeBackupPrivilege             1228  TiWorker.exe
Token: SeRestorePrivilege            1228  TiWorker.exe
Token: SeSecurityPrivilege           1228  TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description                       pid   process                                                                 target process
PID 4940 wrote to memory of 3148  4940  0e261ea9135232c1e44b01e117e1eaf3133b999787533f9e4ca5c8b4267ceb9a.exe  MediaCenter.exe
PID 4940 wrote to memory of 3148  4940  0e261ea9135232c1e44b01e117e1eaf3133b999787533f9e4ca5c8b4267ceb9a.exe  MediaCenter.exe
PID 4940 wrote to memory of 3148  4940  0e261ea9135232c1e44b01e117e1eaf3133b999787533f9e4ca5c8b4267ceb9a.exe  MediaCenter.exe
PID 4940 wrote to memory of 4744  4940  0e261ea9135232c1e44b01e117e1eaf3133b999787533f9e4ca5c8b4267ceb9a.exe  cmd.exe
PID 4940 wrote to memory of 4744  4940  0e261ea9135232c1e44b01e117e1eaf3133b999787533f9e4ca5c8b4267ceb9a.exe  cmd.exe
PID 4940 wrote to memory of 4744  4940  0e261ea9135232c1e44b01e117e1eaf3133b999787533f9e4ca5c8b4267ceb9a.exe  cmd.exe
PID 4744 wrote to memory of 2628  4744  cmd.exe                                                                 PING.EXE
PID 4744 wrote to memory of 2628  4744  cmd.exe                                                                 PING.EXE
PID 4744 wrote to memory of 2628  4744  cmd.exe                                                                 PING.EXE
Processes

[1] C:\Users\Admin\AppData\Local\Temp\0e261ea9135232c1e44b01e117e1eaf3133b999787533f9e4ca5c8b4267ceb9a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0e261ea9135232c1e44b01e117e1eaf3133b999787533f9e4ca5c8b4267ceb9a.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4940

    [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        - Executes dropped EXE
        PID: 3148

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e261ea9135232c1e44b01e117e1eaf3133b999787533f9e4ca5c8b4267ceb9a.exe"
        - Suspicious use of WriteProcessMemory
        PID: 4744

        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            - Runs ping.exe
            PID: 2628

[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID: 2396

[1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID: 1228
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: c5af263a07ddd45e99e9d3b55d8aae28
SHA1: 6f76e65a8b1e885323b415b84b5552f7fb93b3fc
SHA256: 14eff0571388eee03a5f2df61e15cf5e998fbcfe8c8b0830b27aeacf84d867a4
SHA512: fcf665c32a7cc59b8cf7f88d9e11ad98872381819376e66f28da83b6d682eab65cb2cffeee796607ee28a397de35c4aea44c493a685c7c55dd28d701aa249ba1