Analysis
- max time kernel: 158s
- max time network: 170s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 06:41

Static task: static1

Behavioral task: behavioral1
- Sample: 0f44e2b28a591f9751f8c18d3a753da1c902f85567e3b9bfdffe1e06d048be90.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0f44e2b28a591f9751f8c18d3a753da1c902f85567e3b9bfdffe1e06d048be90.exe
- Resource: win10v2004-en-20220113
General
- Target: 0f44e2b28a591f9751f8c18d3a753da1c902f85567e3b9bfdffe1e06d048be90.exe
- Size: 60KB
- MD5: 82b64f2a0fc8162f7eb27dd8aceef28e
- SHA1: b229e8e9567aa09bb93cff460a7c12102562e459
- SHA256: 0f44e2b28a591f9751f8c18d3a753da1c902f85567e3b9bfdffe1e06d048be90
- SHA512: 5fb8dbf911476fb0b83b00e975fa689aa82119437910ca5a3f7ad7b9b16d462e3c521d5700ec0a35662cae9859bb76b45b8f3832d2bab54a388a8ebe2bc56133
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  544 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0f44e2b28a591f9751f8c18d3a753da1c902f85567e3b9bfdffe1e06d048be90.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0f44e2b28a591f9751f8c18d3a753da1c902f85567e3b9bfdffe1e06d048be90.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 1584 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1584 | svchost.exe
  Token: SeShutdownPrivilege | 1584 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1584 | svchost.exe
  Token: SeShutdownPrivilege | 1584 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1584 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 4680 | 0f44e2b28a591f9751f8c18d3a753da1c902f85567e3b9bfdffe1e06d048be90.exe
  Token: SeSecurityPrivilege | 2028 | TiWorker.exe
  Token: SeRestorePrivilege | 2028 | TiWorker.exe
  Token: SeBackupPrivilege | 2028 | TiWorker.exe
  Token: SeBackupPrivilege | 2028 | TiWorker.exe
  Token: SeRestorePrivilege | 2028 | TiWorker.exe
  Token: SeSecurityPrivilege | 2028 | TiWorker.exe
  Token: SeBackupPrivilege | 2028 | TiWorker.exe
  Token: SeRestorePrivilege | 2028 | TiWorker.exe
  Token: SeSecurityPrivilege | 2028 | TiWorker.exe
  Token: SeBackupPrivilege | 2028 | TiWorker.exe
  Token: SeRestorePrivilege | 2028 | TiWorker.exe
  Token: SeSecurityPrivilege | 2028 | TiWorker.exe
  Token: SeBackupPrivilege | 2028 | TiWorker.exe
  Token: SeRestorePrivilege | 2028 | TiWorker.exe
  Token: SeSecurityPrivilege | 2028 | TiWorker.exe
  Token: SeBackupPrivilege | 2028 | TiWorker.exe
  Token: SeRestorePrivilege | 2028 | TiWorker.exe
  Token: SeSecurityPrivilege | 2028 | TiWorker.exe
  Token: SeBackupPrivilege | 2028 | TiWorker.exe
  Token: SeRestorePrivilege | 2028 | TiWorker.exe
  Token: SeSecurityPrivilege | 2028 | TiWorker.exe
  Token: SeBackupPrivilege | 2028 | TiWorker.exe
  Token: SeRestorePrivilege | 2028 | TiWorker.exe
  Token: SeSecurityPrivilege | 2028 | TiWorker.exe
  Token: SeBackupPrivilege | 2028 | TiWorker.exe
  Token: SeRestorePrivilege | 2028 | TiWorker.exe
  Token: SeSecurityPrivilege | 2028 | TiWorker.exe
  Token: SeBackupPrivilege | 2028 | TiWorker.exe
  Token: SeRestorePrivilege | 2028 | TiWorker.exe
  Token: SeSecurityPrivilege | 2028 | TiWorker.exe
  Token: SeBackupPrivilege | 2028 | TiWorker.exe
  Token: SeRestorePrivilege | 2028 | TiWorker.exe
  Token: SeSecurityPrivilege | 2028 | TiWorker.exe
  Token: SeBackupPrivilege | 2028 | TiWorker.exe
  Token: SeRestorePrivilege | 2028 | TiWorker.exe
  Token: SeSecurityPrivilege | 2028 | TiWorker.exe
  Token: SeBackupPrivilege | 2028 | TiWorker.exe
  Token: SeRestorePrivilege | 2028 | TiWorker.exe
  Token: SeSecurityPrivilege | 2028 | TiWorker.exe
  Token: SeBackupPrivilege | 2028 | TiWorker.exe
  Token: SeRestorePrivilege | 2028 | TiWorker.exe
  Token: SeSecurityPrivilege | 2028 | TiWorker.exe
  Token: SeBackupPrivilege | 2028 | TiWorker.exe
  Token: SeRestorePrivilege | 2028 | TiWorker.exe
  Token: SeSecurityPrivilege | 2028 | TiWorker.exe
  Token: SeBackupPrivilege | 2028 | TiWorker.exe
  Token: SeRestorePrivilege | 2028 | TiWorker.exe
  Token: SeSecurityPrivilege | 2028 | TiWorker.exe
  Token: SeBackupPrivilege | 2028 | TiWorker.exe
  Token: SeRestorePrivilege | 2028 | TiWorker.exe
  Token: SeSecurityPrivilege | 2028 | TiWorker.exe
  Token: SeBackupPrivilege | 2028 | TiWorker.exe
  Token: SeRestorePrivilege | 2028 | TiWorker.exe
  Token: SeSecurityPrivilege | 2028 | TiWorker.exe
  Token: SeBackupPrivilege | 2028 | TiWorker.exe
  Token: SeRestorePrivilege | 2028 | TiWorker.exe
  Token: SeSecurityPrivilege | 2028 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 4680 wrote to memory of 544 | 4680 | 0f44e2b28a591f9751f8c18d3a753da1c902f85567e3b9bfdffe1e06d048be90.exe | MediaCenter.exe
  PID 4680 wrote to memory of 544 | 4680 | 0f44e2b28a591f9751f8c18d3a753da1c902f85567e3b9bfdffe1e06d048be90.exe | MediaCenter.exe
  PID 4680 wrote to memory of 544 | 4680 | 0f44e2b28a591f9751f8c18d3a753da1c902f85567e3b9bfdffe1e06d048be90.exe | MediaCenter.exe
  PID 4680 wrote to memory of 4784 | 4680 | 0f44e2b28a591f9751f8c18d3a753da1c902f85567e3b9bfdffe1e06d048be90.exe | cmd.exe
  PID 4680 wrote to memory of 4784 | 4680 | 0f44e2b28a591f9751f8c18d3a753da1c902f85567e3b9bfdffe1e06d048be90.exe | cmd.exe
  PID 4680 wrote to memory of 4784 | 4680 | 0f44e2b28a591f9751f8c18d3a753da1c902f85567e3b9bfdffe1e06d048be90.exe | cmd.exe
  PID 4784 wrote to memory of 888 | 4784 | cmd.exe | PING.EXE
  PID 4784 wrote to memory of 888 | 4784 | cmd.exe | PING.EXE
  PID 4784 wrote to memory of 888 | 4784 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0f44e2b28a591f9751f8c18d3a753da1c902f85567e3b9bfdffe1e06d048be90.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f44e2b28a591f9751f8c18d3a753da1c902f85567e3b9bfdffe1e06d048be90.exe"
  PID: 4680
  Signatures:
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 544
    Signatures:
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f44e2b28a591f9751f8c18d3a753da1c902f85567e3b9bfdffe1e06d048be90.exe"
    PID: 4784
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 888
      Signatures:
      - Runs ping.exe

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 1584
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 2028
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: b2290642c3c73dd0f82791228c82c784
  SHA1: 1b1726807711240f694e95d362349aee0d96ee90
  SHA256: f1df57aba3c6f152aba080dc2fd436b06a2f1ea5cb1f080b88a981c85af4460a
  SHA512: 1665353f4eb8f7d4a457679175cfe8520619802f32e2197667226de553c9b84bc208a6f7aa3e94d6e921abadff30f4bcf8b9d3c5739c3ea62e4c9685252ad907