Analysis
max time kernel: 154s
max time network: 168s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 07:18
Static task: static1
Behavioral task: behavioral1
  Sample: 0df866fb86b8c005c8a1203793532fb605a6e7f0880d85ce99abed58e15aba61.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0df866fb86b8c005c8a1203793532fb605a6e7f0880d85ce99abed58e15aba61.exe
  Resource: win10v2004-en-20220113
General
Target: 0df866fb86b8c005c8a1203793532fb605a6e7f0880d85ce99abed58e15aba61.exe
Size: 36KB
MD5: 93f7152ef1a39ac22d4dd4a91ac4c7d8
SHA1: 77cd97ce5baf5d09075c274c22dd4e2eb6648381
SHA256: 0df866fb86b8c005c8a1203793532fb605a6e7f0880d85ce99abed58e15aba61
SHA512: ced2b0433ad0f193a8742fa5df01f2c7c5551d8ae6fd38acf1399f2ded045f542b54ed2e8b26b1cd1056052398a8de331d72e16c09343d4caf114c7047c8ee75
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  448   MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description        | ioc                                                                                                  | process
  Key value queried  | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0df866fb86b8c005c8a1203793532fb605a6e7f0880d85ce99abed58e15aba61.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description      | ioc                                                                                                                                                              | process
  Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0df866fb86b8c005c8a1203793532fb605a6e7f0880d85ce99abed58e15aba61.exe
Drops file in Windows directory (8 IoCs)
Processes:
  description                   | ioc                                                        | process
  File opened for modification  | C:\Windows\WinSxS\pending.xml                              | TiWorker.exe
  File opened for modification  | C:\Windows\WindowsUpdate.log                               | svchost.exe
  File opened for modification  | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk     | svchost.exe
  File opened for modification  | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log     | svchost.exe
  File opened for modification  | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb    | svchost.exe
  File opened for modification  | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm    | svchost.exe
  File opened for modification  | C:\Windows\SoftwareDistribution\ReportingEvents.log        | svchost.exe
  File opened for modification  | C:\Windows\Logs\CBS\CBS.log                                | TiWorker.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description                       | pid   | process
  Token: SeShutdownPrivilege        | 2360  | svchost.exe
  Token: SeCreatePagefilePrivilege  | 2360  | svchost.exe
  Token: SeShutdownPrivilege        | 2360  | svchost.exe
  Token: SeCreatePagefilePrivilege  | 2360  | svchost.exe
  Token: SeShutdownPrivilege        | 2360  | svchost.exe
  Token: SeCreatePagefilePrivilege  | 2360  | svchost.exe
  Token: SeSecurityPrivilege        | 112   | TiWorker.exe
  Token: SeRestorePrivilege         | 112   | TiWorker.exe
  Token: SeBackupPrivilege          | 112   | TiWorker.exe
  Token: SeBackupPrivilege          | 112   | TiWorker.exe
  Token: SeRestorePrivilege         | 112   | TiWorker.exe
  Token: SeSecurityPrivilege        | 112   | TiWorker.exe
  Token: SeBackupPrivilege          | 112   | TiWorker.exe
  Token: SeRestorePrivilege         | 112   | TiWorker.exe
  Token: SeSecurityPrivilege        | 112   | TiWorker.exe
  Token: SeBackupPrivilege          | 112   | TiWorker.exe
  Token: SeRestorePrivilege         | 112   | TiWorker.exe
  Token: SeSecurityPrivilege        | 112   | TiWorker.exe
  Token: SeBackupPrivilege          | 112   | TiWorker.exe
  Token: SeRestorePrivilege         | 112   | TiWorker.exe
  Token: SeSecurityPrivilege        | 112   | TiWorker.exe
  Token: SeBackupPrivilege          | 112   | TiWorker.exe
  Token: SeRestorePrivilege         | 112   | TiWorker.exe
  Token: SeSecurityPrivilege        | 112   | TiWorker.exe
  Token: SeBackupPrivilege          | 112   | TiWorker.exe
  Token: SeRestorePrivilege         | 112   | TiWorker.exe
  Token: SeSecurityPrivilege        | 112   | TiWorker.exe
  Token: SeBackupPrivilege          | 112   | TiWorker.exe
  Token: SeRestorePrivilege         | 112   | TiWorker.exe
  Token: SeSecurityPrivilege        | 112   | TiWorker.exe
  Token: SeBackupPrivilege          | 112   | TiWorker.exe
  Token: SeRestorePrivilege         | 112   | TiWorker.exe
  Token: SeSecurityPrivilege        | 112   | TiWorker.exe
  Token: SeBackupPrivilege          | 112   | TiWorker.exe
  Token: SeRestorePrivilege         | 112   | TiWorker.exe
  Token: SeSecurityPrivilege        | 112   | TiWorker.exe
  Token: SeBackupPrivilege          | 112   | TiWorker.exe
  Token: SeRestorePrivilege         | 112   | TiWorker.exe
  Token: SeSecurityPrivilege        | 112   | TiWorker.exe
  Token: SeBackupPrivilege          | 112   | TiWorker.exe
  Token: SeRestorePrivilege         | 112   | TiWorker.exe
  Token: SeSecurityPrivilege        | 112   | TiWorker.exe
  Token: SeBackupPrivilege          | 112   | TiWorker.exe
  Token: SeRestorePrivilege         | 112   | TiWorker.exe
  Token: SeSecurityPrivilege        | 112   | TiWorker.exe
  Token: SeBackupPrivilege          | 112   | TiWorker.exe
  Token: SeRestorePrivilege         | 112   | TiWorker.exe
  Token: SeSecurityPrivilege        | 112   | TiWorker.exe
  Token: SeBackupPrivilege          | 112   | TiWorker.exe
  Token: SeRestorePrivilege         | 112   | TiWorker.exe
  Token: SeSecurityPrivilege        | 112   | TiWorker.exe
  Token: SeBackupPrivilege          | 112   | TiWorker.exe
  Token: SeRestorePrivilege         | 112   | TiWorker.exe
  Token: SeSecurityPrivilege        | 112   | TiWorker.exe
  Token: SeBackupPrivilege          | 112   | TiWorker.exe
  Token: SeRestorePrivilege         | 112   | TiWorker.exe
  Token: SeSecurityPrivilege        | 112   | TiWorker.exe
  Token: SeBackupPrivilege          | 112   | TiWorker.exe
  Token: SeRestorePrivilege         | 112   | TiWorker.exe
  Token: SeSecurityPrivilege        | 112   | TiWorker.exe
  Token: SeBackupPrivilege          | 112   | TiWorker.exe
  Token: SeRestorePrivilege         | 112   | TiWorker.exe
  Token: SeSecurityPrivilege        | 112   | TiWorker.exe
  Token: SeBackupPrivilege          | 112   | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                       | pid   | process                                                                | target process
  PID 3016 wrote to memory of 448   | 3016  | 0df866fb86b8c005c8a1203793532fb605a6e7f0880d85ce99abed58e15aba61.exe  | MediaCenter.exe
  PID 3016 wrote to memory of 448   | 3016  | 0df866fb86b8c005c8a1203793532fb605a6e7f0880d85ce99abed58e15aba61.exe  | MediaCenter.exe
  PID 3016 wrote to memory of 448   | 3016  | 0df866fb86b8c005c8a1203793532fb605a6e7f0880d85ce99abed58e15aba61.exe  | MediaCenter.exe
  PID 3016 wrote to memory of 4436  | 3016  | 0df866fb86b8c005c8a1203793532fb605a6e7f0880d85ce99abed58e15aba61.exe  | cmd.exe
  PID 3016 wrote to memory of 4436  | 3016  | 0df866fb86b8c005c8a1203793532fb605a6e7f0880d85ce99abed58e15aba61.exe  | cmd.exe
  PID 3016 wrote to memory of 4436  | 3016  | 0df866fb86b8c005c8a1203793532fb605a6e7f0880d85ce99abed58e15aba61.exe  | cmd.exe
  PID 4436 wrote to memory of 956   | 4436  | cmd.exe                                                                | PING.EXE
  PID 4436 wrote to memory of 956   | 4436  | cmd.exe                                                                | PING.EXE
  PID 4436 wrote to memory of 956   | 4436  | cmd.exe                                                                | PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\0df866fb86b8c005c8a1203793532fb605a6e7f0880d85ce99abed58e15aba61.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0df866fb86b8c005c8a1203793532fb605a6e7f0880d85ce99abed58e15aba61.exe"
  PID: 3016
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 448
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0df866fb86b8c005c8a1203793532fb605a6e7f0880d85ce99abed58e15aba61.exe"
    PID: 4436
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 956
      - Runs ping.exe

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 2360
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 112
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: 67fceca18e6cfcce5f2ff2fe9e842006
SHA1: 7f336b6b58328b1977ab5531df4530ab61957850
SHA256: e17a344088db72679770a494a3e3c304154d82b73fe86b05fb560348e1d89434
SHA512: e04f25d93e5de34d598d4ae7a069adb575aae978ee40fce13945c6228089aea1f7ca5505cb5689afffd2c872aef5184a84dc57173907b068ae97676b2d7594b5

MD5: 67fceca18e6cfcce5f2ff2fe9e842006
SHA1: 7f336b6b58328b1977ab5531df4530ab61957850
SHA256: e17a344088db72679770a494a3e3c304154d82b73fe86b05fb560348e1d89434
SHA512: e04f25d93e5de34d598d4ae7a069adb575aae978ee40fce13945c6228089aea1f7ca5505cb5689afffd2c872aef5184a84dc57173907b068ae97676b2d7594b5