Analysis
- Max time kernel: 160s
- Max time network: 169s
- Platform: windows10-2004_x64
- Resource: win10v2004-en-20220113
- Submitted: 12-02-2022 06:41

- Static task: static1
- Behavioral task: behavioral1
  Sample: 0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe
  Resource: win10v2004-en-20220113

The signatures and process tree below come from the windows10-2004_x64 run (resource win10v2004-en-20220113, i.e. behavioral2).
General
- Target: 0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe
- Size: 36KB
- MD5: b2cb417feda9690a22b6b5254f14ada3
- SHA1: 34d3be7767a24056c93073f18387598f89c24bc6
- SHA256: 0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8
- SHA512: 67f677a38de6a0e99304334573b2d04c397d31295b3726d69aa90c6c9782bb2ccbe0508add12d67718a812e372c3172764d2eb2d827b4c3c8ef72c2d38bc6afc
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes: MediaCenter.exe
  pid   process
  1904  MediaCenter.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Reads the country (GeoID) configured for the user from the registry. Malware often does this to refuse to run in particular regions, which is why the sandbox flags it as a likely geofence; legitimate software reads the same value for localisation, so on its own it is only supporting evidence.
Processes: 0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe
  description        ioc                                                                                                   process
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Persistence: an HKLM Run value named MicroMedia points at the dropped MediaCenter.exe in the user's Temp directory. The value lands under WOW6432Node because the sample is a 32-bit process on 64-bit Windows; WOW64 registry redirection sends a 32-bit write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run there. A Run value whose target lives in %TEMP% or another user-writable path is a strong indicator by itself.
Processes: 0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe
  description      ioc                                                                                                                                                                              process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe
-
Drops file in Windows directory 8 IoCs
All eight IoCs belong to svchost.exe hosting the Windows Update service (wuauserv) and to TiWorker.exe, the component servicing worker; the files touched (SoftwareDistribution DataStore, CBS.log, pending.xml, WindowsUpdate.log) are Windows Update bookkeeping. This is background activity of the analysis VM, not behaviour of the sample.
Processes: svchost.exe, TiWorker.exe
  description                   ioc                                                      process
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log      svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log                              TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml                            TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log                             svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk   svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log   svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour, but the signature lists no IoC and no process here, and nothing else in this report (no mass file modification, no dropped artefact beyond MediaCenter.exe) supports a ransomware classification; treat it as a weak hit.
-
Runs ping.exe 1 TTPs 1 IoCs
PING.EXE (PID 216) is started by cmd.exe (PID 408) as the delay in the sample's self-deletion command; see the process tree below.
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Only one of the 64 token adjustments is the sample's own: PID 1576 enables SeIncBasePriorityPrivilege, the privilege that lets a process raise scheduling priority (for example to REALTIME_PRIORITY_CLASS). The other 63 come from svchost.exe (wuauserv) and TiWorker.exe, which legitimately enable shutdown, pagefile, backup, restore and security privileges while servicing the OS; they are background noise of the analysis VM. The sandbox lists every adjustment as its own row; identical rows are shown once with a count, and the counts sum to the 64 IoCs above (svchost alternates Shutdown/CreatePagefile, TiWorker cycles through Security/Restore/Backup).
Processes: svchost.exe, 0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe, TiWorker.exe
  description                        pid   process                                                                count
  Token: SeShutdownPrivilege         3076  svchost.exe                                                            3
  Token: SeCreatePagefilePrivilege   3076  svchost.exe                                                            3
  Token: SeIncBasePriorityPrivilege  1576  0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe  1
  Token: SeSecurityPrivilege         2284  TiWorker.exe                                                           19
  Token: SeRestorePrivilege          2284  TiWorker.exe                                                           19
  Token: SeBackupPrivilege           2284  TiWorker.exe                                                           19
-
Suspicious use of WriteProcessMemory 9 IoCs
Every write here goes from a parent into a child it has just created, and each child receives the same three writes, which is what process creation itself produces; the table therefore mirrors the process tree rather than showing injection into an unrelated process. The signature would matter if a target PID appeared that the writer did not spawn.
Processes: 0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe, cmd.exe
  pid   process                                                                target pid  target process   count
  1576  0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe  1904        MediaCenter.exe  3
  1576  0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe  408         cmd.exe          3
  408   cmd.exe                                                                216         PING.EXE         3
Processes
- C:\Users\Admin\AppData\Local\Temp\0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe (PID 1576)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1904, child of 1576)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 408, child of 1576)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 216, child of 408)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 3076)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 2284)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample (PID 1576) drops and starts MediaCenter.exe, registers it in the Run key, then launches cmd.exe with "ping 127.0.0.1 & del /q <its own path>". The ping is a delay: cmd waits for it to finish (roughly a second), long enough for the parent to exit and release the lock on its own image file, after which del removes the original from Temp and only the persisted copy remains. cmd.exe is invoked by its System32 path but runs from SysWOW64: file-system redirection, which confirms the sample is a 32-bit binary and explains the WOW6432Node Run key. The svchost.exe (wuauserv) and TiWorker.exe entries are Windows Update servicing that ran during the analysis window and are unrelated to the sample.
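The Run-key persistence, the self-deleting "cmd.exe /c ping 127.0.0.1 & del" command, the Geo\Nation lookup and the parent-to-child WriteProcessMemory entries above are the parts of this report worth turning into detection logic. The Python below is an added example written for this page, not code from the sandbox or from any analysis of the sample. It runs over hand-built event dictionaries modelled on the process tree and IoC tables (constructed data, not a telemetry export); the regular expressions, the field names and the rule that writes into a process's own freshly created child are expected are the example's own assumptions.

```python
import re

# Constructed sample telemetry modelled on the process tree and IoC tables in the
# report above. Built by hand for this example (not an export from the sandbox);
# the svchost.exe entry stands in for the unrelated Windows Update activity.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0f43a04a90df63118e3cc76ede624363d6355671d1588ba44d99d2bed7b00ef8.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

PROCESSES = [
    {"pid": 1576, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1904, "ppid": 1576, "image": DROPPED, "cmdline": DROPPED},
    {"pid": 408, "ppid": 1576, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"pid": 216, "ppid": 408, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    {"pid": 3076, "ppid": None, "image": r"C:\Windows\system32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"},
]

REGISTRY = [
    {"pid": 1576, "op": "set",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "data": DROPPED},
    {"pid": 1576, "op": "query",
     "key": r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation",
     "data": None},
]

# (writer pid, target pid) pairs as the report lists them: three writes per child.
WRITES = [(1576, 1904)] * 3 + [(1576, 408)] * 3 + [(408, 216)] * 3

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\", re.I)
SELF_DELETE = re.compile(r"\bping(\.exe)?\s+(-n\s+\d+\s+)?127\.0\.0\.1\b.*&\s*del\b", re.I)
DEL_TARGET = re.compile(r'\bdel\b(?:\s+/\w)*\s+"?([^"&]+?)"?\s*$', re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)


def run_key_persistence(registry):
    """Run/RunOnce values whose target lives in a user-writable directory."""
    return [(e["pid"], e["key"].rsplit("\\", 1)[-1], e["data"])
            for e in registry
            if e["op"] == "set" and RUN_KEY.search(e["key"]) and USER_WRITABLE.search(e["data"] or "")]


def geofence_lookups(registry):
    """PIDs that read the GeoID identifying the configured country."""
    return [e["pid"] for e in registry if e["op"] == "query" and GEO_NATION.search(e["key"])]


def self_delete_commands(processes):
    """cmd.exe using the 'ping 127.0.0.1 & del' idiom; notes whether the file being
    deleted is the image of the process that launched cmd (i.e. self-deletion)."""
    image_of = {p["pid"]: p["image"] for p in processes}
    hits = []
    for p in processes:
        if not (p["image"].lower().endswith("\\cmd.exe") and SELF_DELETE.search(p["cmdline"])):
            continue
        m = DEL_TARGET.search(p["cmdline"])
        target = m.group(1) if m else None
        parent_image = image_of.get(p["ppid"], "")
        hits.append({"pid": p["pid"], "parent": p["ppid"], "target": target,
                     "deletes_parent": target is not None and target.lower() == parent_image.lower()})
    return hits


def injection_candidates(writes, processes):
    """Writes whose target is not a child the writer itself spawned. Process creation
    alone produces writes into the new child, so those are dropped; what remains is
    worth a closer look as possible injection."""
    parent_of = {p["pid"]: p["ppid"] for p in processes}
    return sorted({(src, dst) for src, dst in writes if parent_of.get(dst) != src})


def process_tree(processes):
    """Render parent/child relations as indented 'pid cmdline' lines, roots first."""
    children = {}
    for p in processes:
        children.setdefault(p["ppid"], []).append(p)
    lines = []

    def walk(pid, depth):
        for c in children.get(pid, []):
            lines.append("  " * depth + f'{c["pid"]} {c["cmdline"]}')
            walk(c["pid"], depth + 1)

    walk(None, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(process_tree(PROCESSES)))
    print("Run-key persistence:", run_key_persistence(REGISTRY))
    print("Geo\\Nation lookups by PID:", geofence_lookups(REGISTRY))
    print("Self-delete commands:", self_delete_commands(PROCESSES))
    print("Injection candidates:", injection_candidates(WRITES, PROCESSES))
```

Against the constructed events the Run-key rule fires on MicroMedia, the self-delete rule attributes the del to PID 1576's own image, and injection_candidates comes back empty because every write targets a child of the writer; add a write whose target has a different parent and it is reported. The same functions apply to Sysmon event ID 1 (process create), 12/13 (registry) and 8/10-style telemetry once it is mapped onto these field names.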
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: cceed7462c727c9ded84744ae60ccd28
  SHA1: a1aa79eec66f39eb767c8b6fab4d8f7b141ce678
  SHA256: ca9e658c83eef455b923136485854b75cdfd907bbc4638c23e5e285e4940ca4c
  SHA512: 2db913c84ac10410b811f873c3c8035e9159b9a0da9e3d7fb7688b5d02bba66dbfda025a162f27455493009cd75261233b2eb975ab79467af187e64a9c3f8c74
  This hash set appears twice in the report's download list, with no file name attached to either entry.