Analysis
max time kernel: 149s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 07:24

Static task: static1

Behavioral task: behavioral1
  Sample: 0db0e54e14e9e9a74590c5b0f4b1283f89e82edf7dd49cb9fd80c4752a482f74.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 0db0e54e14e9e9a74590c5b0f4b1283f89e82edf7dd49cb9fd80c4752a482f74.exe
  Resource: win10v2004-en-20220113

General
Target: 0db0e54e14e9e9a74590c5b0f4b1283f89e82edf7dd49cb9fd80c4752a482f74.exe
Size: 36KB
MD5: 4c7f8abdd3b67a73d556955f98b5b534
SHA1: c49b907216a8efe23a5b0426a458738f9574ab08
SHA256: 0db0e54e14e9e9a74590c5b0f4b1283f89e82edf7dd49cb9fd80c4752a482f74
SHA512: c619402fc4f5509cea1471cd64323fc18a210a02d8ea04ac5d2fa278c10b1ae5a9611747dde102009c368a0b2433856e4cde5ca338a2bb60727d7a7eb6b098c9
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes: MediaCenter.exe
  pid  | process
  2752 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 0db0e54e14e9e9a74590c5b0f4b1283f89e82edf7dd49cb9fd80c4752a482f74.exe
  description       | ioc                                                                                                   | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0db0e54e14e9e9a74590c5b0f4b1283f89e82edf7dd49cb9fd80c4752a482f74.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 0db0e54e14e9e9a74590c5b0f4b1283f89e82edf7dd49cb9fd80c4752a482f74.exe
  description     | ioc                                                                                                                                                        | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0db0e54e14e9e9a74590c5b0f4b1283f89e82edf7dd49cb9fd80c4752a482f74.exe
Drops file in Windows directory (8 IoCs)
Processes: svchost.exe, TiWorker.exe
  description                   | ioc                                                          | process
  File opened for modification  | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk       | svchost.exe
  File opened for modification  | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log       | svchost.exe
  File opened for modification  | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb      | svchost.exe
  File opened for modification  | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm      | svchost.exe
  File opened for modification  | C:\Windows\SoftwareDistribution\ReportingEvents.log          | svchost.exe
  File opened for modification  | C:\Windows\Logs\CBS\CBS.log                                  | TiWorker.exe
  File opened for modification  | C:\Windows\WinSxS\pending.xml                                | TiWorker.exe
  File opened for modification  | C:\Windows\WindowsUpdate.log                                 | svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 0db0e54e14e9e9a74590c5b0f4b1283f89e82edf7dd49cb9fd80c4752a482f74.exe, cmd.exe
  description                   | pid  | process                                                               | target process
  PID 2764 wrote to memory of 2752 | 2764 | 0db0e54e14e9e9a74590c5b0f4b1283f89e82edf7dd49cb9fd80c4752a482f74.exe | MediaCenter.exe
  PID 2764 wrote to memory of 2752 | 2764 | 0db0e54e14e9e9a74590c5b0f4b1283f89e82edf7dd49cb9fd80c4752a482f74.exe | MediaCenter.exe
  PID 2764 wrote to memory of 2752 | 2764 | 0db0e54e14e9e9a74590c5b0f4b1283f89e82edf7dd49cb9fd80c4752a482f74.exe | MediaCenter.exe
  PID 2764 wrote to memory of 4536 | 2764 | 0db0e54e14e9e9a74590c5b0f4b1283f89e82edf7dd49cb9fd80c4752a482f74.exe | cmd.exe
  PID 2764 wrote to memory of 4536 | 2764 | 0db0e54e14e9e9a74590c5b0f4b1283f89e82edf7dd49cb9fd80c4752a482f74.exe | cmd.exe
  PID 2764 wrote to memory of 4536 | 2764 | 0db0e54e14e9e9a74590c5b0f4b1283f89e82edf7dd49cb9fd80c4752a482f74.exe | cmd.exe
  PID 4536 wrote to memory of 520  | 4536 | cmd.exe                                                               | PING.EXE
  PID 4536 wrote to memory of 520  | 4536 | cmd.exe                                                               | PING.EXE
  PID 4536 wrote to memory of 520  | 4536 | cmd.exe                                                               | PING.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\0db0e54e14e9e9a74590c5b0f4b1283f89e82edf7dd49cb9fd80c4752a482f74.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0db0e54e14e9e9a74590c5b0f4b1283f89e82edf7dd49cb9fd80c4752a482f74.exe"
   PID: 2764
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 2752
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0db0e54e14e9e9a74590c5b0f4b1283f89e82edf7dd49cb9fd80c4752a482f74.exe"
      PID: 4536
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 520
         - Runs ping.exe

1. C:\Windows\system32\svchost.exe
   Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
   PID: 480
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken

1. C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
   Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
   PID: 560
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 451d9c6c0412117983a7e53ecb8c6575
SHA1: 9be71933e9abc562fe3d248147f1610315b92452
SHA256: f764c5c46a171273f26e82db37960e1d960afff1d627bed24c6b684a9cc80aaf
SHA512: 85f88fe9ad97dcebbab6cbe263fc6e1588af64ca672ff4d6245fdfd24f8c486cead91dc0d26ad79169068739b53261af81f2a47065ea318ccc9accfd14d22bb0