Analysis
- max time kernel: 134s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 06:36
Static task: static1
Behavioral task: behavioral1
  Sample: 0f8294409b3e2074948c3ffb85cad41216574d8236a7693d8d8b87465eb60449.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0f8294409b3e2074948c3ffb85cad41216574d8236a7693d8d8b87465eb60449.exe
  Resource: win10v2004-en-20220113
General
- Target: 0f8294409b3e2074948c3ffb85cad41216574d8236a7693d8d8b87465eb60449.exe
- Size: 36KB
- MD5: f7e1c5bc2f865c8eca74bc47622149ad
- SHA1: c9dc62e8961b976f9be1941ce31063dd5c38a72a
- SHA256: 0f8294409b3e2074948c3ffb85cad41216574d8236a7693d8d8b87465eb60449
- SHA512: 9f4bbd20a5e6d33ef593bb3e468733ac3b0cfc33b26c48a3d65cfff8178dff4e0ac71fd76bc5722733dc0fa9c83b6270df832cae2a931a16ca55c2182161143c
Malware Config
Signatures
- Executes dropped EXE 1 IoCs
  Processes: MediaCenter.exe
  pid | process
  3980 | MediaCenter.exe
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  Processes: 0f8294409b3e2074948c3ffb85cad41216574d8236a7693d8d8b87465eb60449.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0f8294409b3e2074948c3ffb85cad41216574d8236a7693d8d8b87465eb60449.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes: 0f8294409b3e2074948c3ffb85cad41216574d8236a7693d8d8b87465eb60449.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0f8294409b3e2074948c3ffb85cad41216574d8236a7693d8d8b87465eb60449.exe
- Drops file in Windows directory 8 IoCs
  Processes: TiWorker.exe, svchost.exe
  description | ioc | process
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 64 IoCs
  Processes: svchost.exe, 0f8294409b3e2074948c3ffb85cad41216574d8236a7693d8d8b87465eb60449.exe, TiWorker.exe
  description | pid | process
  Token: SeShutdownPrivilege | 4164 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4164 | svchost.exe
  Token: SeShutdownPrivilege | 4164 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4164 | svchost.exe
  Token: SeShutdownPrivilege | 4164 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4164 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 4704 | 0f8294409b3e2074948c3ffb85cad41216574d8236a7693d8d8b87465eb60449.exe
  Token: SeSecurityPrivilege | 1736 | TiWorker.exe
  Token: SeRestorePrivilege | 1736 | TiWorker.exe
  Token: SeBackupPrivilege | 1736 | TiWorker.exe
  Token: SeBackupPrivilege | 1736 | TiWorker.exe
  Token: SeRestorePrivilege | 1736 | TiWorker.exe
  Token: SeSecurityPrivilege | 1736 | TiWorker.exe
  Token: SeBackupPrivilege | 1736 | TiWorker.exe
  Token: SeRestorePrivilege | 1736 | TiWorker.exe
  Token: SeSecurityPrivilege | 1736 | TiWorker.exe
  Token: SeBackupPrivilege | 1736 | TiWorker.exe
  Token: SeRestorePrivilege | 1736 | TiWorker.exe
  Token: SeSecurityPrivilege | 1736 | TiWorker.exe
  Token: SeBackupPrivilege | 1736 | TiWorker.exe
  Token: SeRestorePrivilege | 1736 | TiWorker.exe
  Token: SeSecurityPrivilege | 1736 | TiWorker.exe
  Token: SeBackupPrivilege | 1736 | TiWorker.exe
  Token: SeRestorePrivilege | 1736 | TiWorker.exe
  Token: SeSecurityPrivilege | 1736 | TiWorker.exe
  Token: SeBackupPrivilege | 1736 | TiWorker.exe
  Token: SeRestorePrivilege | 1736 | TiWorker.exe
  Token: SeSecurityPrivilege | 1736 | TiWorker.exe
  Token: SeBackupPrivilege | 1736 | TiWorker.exe
  Token: SeRestorePrivilege | 1736 | TiWorker.exe
  Token: SeSecurityPrivilege | 1736 | TiWorker.exe
  Token: SeBackupPrivilege | 1736 | TiWorker.exe
  Token: SeRestorePrivilege | 1736 | TiWorker.exe
  Token: SeSecurityPrivilege | 1736 | TiWorker.exe
  Token: SeBackupPrivilege | 1736 | TiWorker.exe
  Token: SeRestorePrivilege | 1736 | TiWorker.exe
  Token: SeSecurityPrivilege | 1736 | TiWorker.exe
  Token: SeBackupPrivilege | 1736 | TiWorker.exe
  Token: SeRestorePrivilege | 1736 | TiWorker.exe
  Token: SeSecurityPrivilege | 1736 | TiWorker.exe
  Token: SeBackupPrivilege | 1736 | TiWorker.exe
  Token: SeRestorePrivilege | 1736 | TiWorker.exe
  Token: SeSecurityPrivilege | 1736 | TiWorker.exe
  Token: SeBackupPrivilege | 1736 | TiWorker.exe
  Token: SeRestorePrivilege | 1736 | TiWorker.exe
  Token: SeSecurityPrivilege | 1736 | TiWorker.exe
  Token: SeBackupPrivilege | 1736 | TiWorker.exe
  Token: SeRestorePrivilege | 1736 | TiWorker.exe
  Token: SeSecurityPrivilege | 1736 | TiWorker.exe
  Token: SeBackupPrivilege | 1736 | TiWorker.exe
  Token: SeRestorePrivilege | 1736 | TiWorker.exe
  Token: SeSecurityPrivilege | 1736 | TiWorker.exe
  Token: SeBackupPrivilege | 1736 | TiWorker.exe
  Token: SeRestorePrivilege | 1736 | TiWorker.exe
  Token: SeSecurityPrivilege | 1736 | TiWorker.exe
  Token: SeBackupPrivilege | 1736 | TiWorker.exe
  Token: SeRestorePrivilege | 1736 | TiWorker.exe
  Token: SeSecurityPrivilege | 1736 | TiWorker.exe
  Token: SeBackupPrivilege | 1736 | TiWorker.exe
  Token: SeRestorePrivilege | 1736 | TiWorker.exe
  Token: SeSecurityPrivilege | 1736 | TiWorker.exe
  Token: SeBackupPrivilege | 1736 | TiWorker.exe
  Token: SeRestorePrivilege | 1736 | TiWorker.exe
  Token: SeSecurityPrivilege | 1736 | TiWorker.exe
- Suspicious use of WriteProcessMemory 9 IoCs
  Processes: 0f8294409b3e2074948c3ffb85cad41216574d8236a7693d8d8b87465eb60449.exe, cmd.exe
  description | pid | process | target process
  PID 4704 wrote to memory of 3980 | 4704 | 0f8294409b3e2074948c3ffb85cad41216574d8236a7693d8d8b87465eb60449.exe | MediaCenter.exe
  PID 4704 wrote to memory of 3980 | 4704 | 0f8294409b3e2074948c3ffb85cad41216574d8236a7693d8d8b87465eb60449.exe | MediaCenter.exe
  PID 4704 wrote to memory of 3980 | 4704 | 0f8294409b3e2074948c3ffb85cad41216574d8236a7693d8d8b87465eb60449.exe | MediaCenter.exe
  PID 4704 wrote to memory of 628 | 4704 | 0f8294409b3e2074948c3ffb85cad41216574d8236a7693d8d8b87465eb60449.exe | cmd.exe
  PID 4704 wrote to memory of 628 | 4704 | 0f8294409b3e2074948c3ffb85cad41216574d8236a7693d8d8b87465eb60449.exe | cmd.exe
  PID 4704 wrote to memory of 628 | 4704 | 0f8294409b3e2074948c3ffb85cad41216574d8236a7693d8d8b87465eb60449.exe | cmd.exe
  PID 628 wrote to memory of 1472 | 628 | cmd.exe | PING.EXE
  PID 628 wrote to memory of 1472 | 628 | cmd.exe | PING.EXE
  PID 628 wrote to memory of 1472 | 628 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0f8294409b3e2074948c3ffb85cad41216574d8236a7693d8d8b87465eb60449.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f8294409b3e2074948c3ffb85cad41216574d8236a7693d8d8b87465eb60449.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4704
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 3980
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f8294409b3e2074948c3ffb85cad41216574d8236a7693d8d8b87465eb60449.exe"
    - Suspicious use of WriteProcessMemory
    PID: 628
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1472
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4164
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1736
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 4e8ab1b9e6bcbb694263906c4defe29d
  SHA1: 3787d96b4d4e468051ca66d0dbacbdae62ae4bae
  SHA256: baf59e35b910a9599139243a7f3a999ff9ff5d56a15d709286e050d34d8ad4db
  SHA512: 8254f3367c48a131bd318779671fbe9ca70bb057de471b0603694182406de6c9e3d52d08bb1fa74397ea73d02a142ff4eab76e12ec30ca0abd52bdf067d4388c