Analysis
- max time kernel: 151s
- max time network: 174s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 07:16
Static task: static1
Behavioral task: behavioral1
  Sample: 0e178d82c7002942a9cc30a5d8c0c20ae7afa3df3623f00bd3e42b9fc901d5cf.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0e178d82c7002942a9cc30a5d8c0c20ae7afa3df3623f00bd3e42b9fc901d5cf.exe
  Resource: win10v2004-en-20220113
General
- Target: 0e178d82c7002942a9cc30a5d8c0c20ae7afa3df3623f00bd3e42b9fc901d5cf.exe
- Size: 36KB
- MD5: c6f53a66b71af0fef1597a0bc8bc39d0
- SHA1: fd2279f8ff9bf84b972ebfe89426dbfc85d45436
- SHA256: 0e178d82c7002942a9cc30a5d8c0c20ae7afa3df3623f00bd3e42b9fc901d5cf
- SHA512: bbda77b66ee13231203fd10e5687a011733a9178788c04f468797d960785dd36160d6dd7dcd83ea2cf5ce5ca618becb1b06424d3c696d0f079bb4f3e5501f731
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  | pid  | process         |
  | 4644 | MediaCenter.exe |
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  | description       | ioc                                                                                                               | process                                                              |
  | Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation            | 0e178d82c7002942a9cc30a5d8c0c20ae7afa3df3623f00bd3e42b9fc901d5cf.exe |
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  | description     | ioc                                                                                                                                                                        | process                                                              |
  | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0e178d82c7002942a9cc30a5d8c0c20ae7afa3df3623f00bd3e42b9fc901d5cf.exe |
- Drops file in Windows directory (8 IoCs)
  Processes:
  | description                  | ioc                                                        | process      |
  | File opened for modification | C:\Windows\WinSxS\pending.xml                              | TiWorker.exe |
  | File opened for modification | C:\Windows\WindowsUpdate.log                               | svchost.exe  |
  | File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk     | svchost.exe  |
  | File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log     | svchost.exe  |
  | File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb    | svchost.exe  |
  | File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm    | svchost.exe  |
  | File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log        | svchost.exe  |
  | File opened for modification | C:\Windows\Logs\CBS\CBS.log                                | TiWorker.exe |
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (the 64 entries in the order reported; a repeated run is listed once with its repeat count):
  | description                                                                 | pid  | process                                                              | repeats              |
  | Token: SeShutdownPrivilege, then Token: SeCreatePagefilePrivilege           | 2464 | svchost.exe                                                          | 3 times (6 entries)  |
  | Token: SeIncBasePriorityPrivilege                                           | 3584 | 0e178d82c7002942a9cc30a5d8c0c20ae7afa3df3623f00bd3e42b9fc901d5cf.exe | once (1 entry)       |
  | Token: SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege           | 1716 | TiWorker.exe                                                         | once (3 entries)     |
  | Token: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege           | 1716 | TiWorker.exe                                                         | 18 times (54 entries) |
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (each row is reported three times in a row):
  | description                      | pid  | process                                                              | target process  | repeats |
  | PID 3584 wrote to memory of 4644 | 3584 | 0e178d82c7002942a9cc30a5d8c0c20ae7afa3df3623f00bd3e42b9fc901d5cf.exe | MediaCenter.exe | 3       |
  | PID 3584 wrote to memory of 2112 | 3584 | 0e178d82c7002942a9cc30a5d8c0c20ae7afa3df3623f00bd3e42b9fc901d5cf.exe | cmd.exe         | 3       |
  | PID 2112 wrote to memory of 4100 | 2112 | cmd.exe                                                              | PING.EXE        | 3       |
Processes
- C:\Users\Admin\AppData\Local\Temp\0e178d82c7002942a9cc30a5d8c0c20ae7afa3df3623f00bd3e42b9fc901d5cf.exe (PID 3584)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e178d82c7002942a9cc30a5d8c0c20ae7afa3df3623f00bd3e42b9fc901d5cf.exe"
  Signatures:
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 4644)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures:
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 2112)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e178d82c7002942a9cc30a5d8c0c20ae7afa3df3623f00bd3e42b9fc901d5cf.exe"
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\PING.EXE (PID 4100)
      Command line: ping 127.0.0.1
      Signatures:
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 2464)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 1716)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 8081374a1e4f293e4af4843ad4e9a281
  SHA1: 0dbadabb6bf1c226e46bc07b9b5d0385296ccf3a
  SHA256: 78e1650166eab2cc897e369fd321c56db5aa92e9d4cde08f54caf3c8482f47ec
  SHA512: 539a123cd6739036de8717ceac306138078197d28b368cffb9cb64e94439b004ecda258abaf7a329776d130bd3e427a382358b4ae54012fd7d4ee316a017975f