Analysis
- max time kernel: 127s
- max time network: 169s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 07:23
Static task: static1
Behavioral task: behavioral1
- Sample: 0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe
- Resource: win10v2004-en-20220113
General
- Target: 0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe
- Size: 60KB
- MD5: 9a47f4bd505259886f621f5e37741f44
- SHA1: 0bface989cd105a72a6cc97cfe0c7d586e950d8b
- SHA256: 0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f
- SHA512: 60e2339aa6f3d664f89786a11c013f0201d898953c28acac52151e2f1e429eafa4a8bf624b2868b118e71fe13fc9b2049d5d5abf0fd7a0535f562ff39d01ebb9
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
Processes:
  pid   process
  4044  MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  process: 0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe
Drops file in Windows directory (8 IoCs)
Processes:
  description                   ioc                                                      process
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log      svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log                              TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml                            TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log                             svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk   svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log   svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  Token                       pid   process
  SeIncBasePriorityPrivilege  4884  0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe
  SeShutdownPrivilege         544   svchost.exe
  SeCreatePagefilePrivilege   544   svchost.exe
  (the two svchost.exe rows above appear three times in the report)
  SeSecurityPrivilege         3668  TiWorker.exe
  SeRestorePrivilege          3668  TiWorker.exe
  SeBackupPrivilege           3668  TiWorker.exe
  SeBackupPrivilege           3668  TiWorker.exe
  SeRestorePrivilege          3668  TiWorker.exe
  SeSecurityPrivilege         3668  TiWorker.exe
  (the three TiWorker.exe rows immediately above repeat 18 times in the report, giving 64 rows in total)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                       pid   process                                                                 target process
  PID 4884 wrote to memory of 4044  4884  0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe  MediaCenter.exe
  PID 4884 wrote to memory of 4044  4884  0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe  MediaCenter.exe
  PID 4884 wrote to memory of 4044  4884  0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe  MediaCenter.exe
  PID 4884 wrote to memory of 3392  4884  0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe  cmd.exe
  PID 4884 wrote to memory of 3392  4884  0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe  cmd.exe
  PID 4884 wrote to memory of 3392  4884  0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe  cmd.exe
  PID 3392 wrote to memory of 220   3392  cmd.exe                                                                 PING.EXE
  PID 3392 wrote to memory of 220   3392  cmd.exe                                                                 PING.EXE
  PID 3392 wrote to memory of 220   3392  cmd.exe                                                                 PING.EXE
Processes (indentation shows parent/child depth in the process tree)
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4884
  [depth 2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 4044
  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0dbe1de2c7be4f37ab9021693bc53d6c7654c4d4973f01ce39abd29ed258543f.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3392
    [depth 3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 220
-
[depth 1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 544
-
[depth 1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3668
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: 8960eadc7a02b6196246c22229d44687
SHA1: 3a77315a2e4b2015fe2e0592a0c498905a770391
SHA256: 9d4abdd2467b9bebabc2ec98a0d12b95ea6d76f0f655b3929d5cbcc45c116df1
SHA512: 6140e649ccc46103a514cf7bde835e0cfbf9683715575e2158f1cb37889eb838397ab15a8383bb42f0bef2318a8f38363cc6fe4645af3c2af3f7b3e7b8688d76