Analysis
max time kernel: 154s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 07:15
Static task: static1
Behavioral task: behavioral1
Sample: 0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe
Resource: win10v2004-en-20220113
General
Target: 0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe
Size: 58KB
MD5: 853fbd3bcea827937815a937a3d3c32f
SHA1: b34b66e65507e2b3413728d8965279cb737308b1
SHA256: 0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365
SHA512: 49e4b577ea31b520df811370dc21db0daf23e2f2b708a68bbfe166072407d0eea5b1d30d43669f1637c32139b069fed532149717b8b7b317d0286bbf852d2bf9
Malware Config
Signatures
Executes dropped EXE 1 IoCs
Processes: MediaCenter.exe
pid | process
5008 | MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe
Drops file in Windows directory 8 IoCs
Processes: TiWorker.exe, svchost.exe
description | ioc | process
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: 0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe, svchost.exe, TiWorker.exe
description | pid | process
Token: SeIncBasePriorityPrivilege | 3772 | 0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe
Token: SeShutdownPrivilege | 4540 | svchost.exe
Token: SeCreatePagefilePrivilege | 4540 | svchost.exe
Token: SeShutdownPrivilege | 4540 | svchost.exe
Token: SeCreatePagefilePrivilege | 4540 | svchost.exe
Token: SeShutdownPrivilege | 4540 | svchost.exe
Token: SeCreatePagefilePrivilege | 4540 | svchost.exe
Token: SeSecurityPrivilege | 3008 | TiWorker.exe
Token: SeRestorePrivilege | 3008 | TiWorker.exe
Token: SeBackupPrivilege | 3008 | TiWorker.exe
Token: SeBackupPrivilege | 3008 | TiWorker.exe
Token: SeRestorePrivilege | 3008 | TiWorker.exe
Token: SeSecurityPrivilege | 3008 | TiWorker.exe
Token: SeBackupPrivilege | 3008 | TiWorker.exe
Token: SeRestorePrivilege | 3008 | TiWorker.exe
Token: SeSecurityPrivilege | 3008 | TiWorker.exe
Token: SeBackupPrivilege | 3008 | TiWorker.exe
Token: SeRestorePrivilege | 3008 | TiWorker.exe
Token: SeSecurityPrivilege | 3008 | TiWorker.exe
Token: SeBackupPrivilege | 3008 | TiWorker.exe
Token: SeRestorePrivilege | 3008 | TiWorker.exe
Token: SeSecurityPrivilege | 3008 | TiWorker.exe
Token: SeBackupPrivilege | 3008 | TiWorker.exe
Token: SeRestorePrivilege | 3008 | TiWorker.exe
Token: SeSecurityPrivilege | 3008 | TiWorker.exe
Token: SeBackupPrivilege | 3008 | TiWorker.exe
Token: SeRestorePrivilege | 3008 | TiWorker.exe
Token: SeSecurityPrivilege | 3008 | TiWorker.exe
Token: SeBackupPrivilege | 3008 | TiWorker.exe
Token: SeRestorePrivilege | 3008 | TiWorker.exe
Token: SeSecurityPrivilege | 3008 | TiWorker.exe
Token: SeBackupPrivilege | 3008 | TiWorker.exe
Token: SeRestorePrivilege | 3008 | TiWorker.exe
Token: SeSecurityPrivilege | 3008 | TiWorker.exe
Token: SeBackupPrivilege | 3008 | TiWorker.exe
Token: SeRestorePrivilege | 3008 | TiWorker.exe
Token: SeSecurityPrivilege | 3008 | TiWorker.exe
Token: SeBackupPrivilege | 3008 | TiWorker.exe
Token: SeRestorePrivilege | 3008 | TiWorker.exe
Token: SeSecurityPrivilege | 3008 | TiWorker.exe
Token: SeBackupPrivilege | 3008 | TiWorker.exe
Token: SeRestorePrivilege | 3008 | TiWorker.exe
Token: SeSecurityPrivilege | 3008 | TiWorker.exe
Token: SeBackupPrivilege | 3008 | TiWorker.exe
Token: SeRestorePrivilege | 3008 | TiWorker.exe
Token: SeSecurityPrivilege | 3008 | TiWorker.exe
Token: SeBackupPrivilege | 3008 | TiWorker.exe
Token: SeRestorePrivilege | 3008 | TiWorker.exe
Token: SeSecurityPrivilege | 3008 | TiWorker.exe
Token: SeBackupPrivilege | 3008 | TiWorker.exe
Token: SeRestorePrivilege | 3008 | TiWorker.exe
Token: SeSecurityPrivilege | 3008 | TiWorker.exe
Token: SeBackupPrivilege | 3008 | TiWorker.exe
Token: SeRestorePrivilege | 3008 | TiWorker.exe
Token: SeSecurityPrivilege | 3008 | TiWorker.exe
Token: SeBackupPrivilege | 3008 | TiWorker.exe
Token: SeRestorePrivilege | 3008 | TiWorker.exe
Token: SeSecurityPrivilege | 3008 | TiWorker.exe
Token: SeBackupPrivilege | 3008 | TiWorker.exe
Token: SeRestorePrivilege | 3008 | TiWorker.exe
Token: SeSecurityPrivilege | 3008 | TiWorker.exe
Token: SeBackupPrivilege | 3008 | TiWorker.exe
Token: SeRestorePrivilege | 3008 | TiWorker.exe
Token: SeSecurityPrivilege | 3008 | TiWorker.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes: 0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe, cmd.exe
description | pid | process | target process
PID 3772 wrote to memory of 5008 | 3772 | 0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe | MediaCenter.exe
PID 3772 wrote to memory of 5008 | 3772 | 0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe | MediaCenter.exe
PID 3772 wrote to memory of 5008 | 3772 | 0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe | MediaCenter.exe
PID 3772 wrote to memory of 1020 | 3772 | 0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe | cmd.exe
PID 3772 wrote to memory of 1020 | 3772 | 0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe | cmd.exe
PID 3772 wrote to memory of 1020 | 3772 | 0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe | cmd.exe
PID 1020 wrote to memory of 4332 | 1020 | cmd.exe | PING.EXE
PID 1020 wrote to memory of 4332 | 1020 | cmd.exe | PING.EXE
PID 1020 wrote to memory of 4332 | 1020 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3772
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 5008
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1020
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 4332
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4540
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3008
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 564f1717aa53498f9f3de395cc7cc3a5
SHA1: 64b5d94b33630d7bcc4d74cf94b3a92702d3ea2e
SHA256: 218228faa30be651f78e190895258ac47e11f1dd6d467c0957c347c397dfa2f1
SHA512: af1aecd64fa034f8de5b9f38a86f4f9163753267c639398ad34f9d58b9e79ef74468e199b9849b50a9b69a39bb401e97cf7bfb7bb5a0f8962e17d14827a10a3d