Analysis
- max time kernel: 143s
- max time network: 169s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 07:09
- Static task: static1
- Behavioral task: behavioral1; sample 0e64c95b2441251e0d276c13730148d5375eae7a0798b9c8e0fbcc2f397d81fd.exe; resource win7-en-20211208
- Behavioral task: behavioral2; sample 0e64c95b2441251e0d276c13730148d5375eae7a0798b9c8e0fbcc2f397d81fd.exe; resource win10v2004-en-20220113
The platform and resource listed above match behavioral2, so the signatures and process tree that follow come from the Windows 10 (2004, x64) run; the Windows 7 task is a separate report.
General
- Target: 0e64c95b2441251e0d276c13730148d5375eae7a0798b9c8e0fbcc2f397d81fd.exe
- Size: 58KB
- MD5: d07422e7dbff5c15061bc322ac3bede3
- SHA1: 57470e979ee481c9c24db103f3b6ec615cada286
- SHA256: 0e64c95b2441251e0d276c13730148d5375eae7a0798b9c8e0fbcc2f397d81fd
- SHA512: 777ce6841d87266936819fa2afd0b4f4b6d9a9f7e7656cbdc47d14f2b724fbf1683ff06feb00ac0ce884e92bf1c228dca52f567e9498233588bf54607c20914e
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe, PID 2060
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process: 0e64c95b2441251e0d276c13730148d5375eae7a0798b9c8e0fbcc2f397d81fd.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0e64c95b2441251e0d276c13730148d5375eae7a0798b9c8e0fbcc2f397d81fd.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The value lands under WOW6432Node, the 32-bit view of HKLM\SOFTWARE on this x64 VM, which means the sample runs as a 32-bit process (its cmd.exe child is likewise redirected to C:\Windows\SysWOW64). When hunting for this persistence on a host, query the 32-bit view (HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run) as well as the native key; the autostart target sitting in the user's Temp directory is itself a strong indicator.
- Drops file in Windows directory (8 IoCs)
  File opened for modification:
  - C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
  - C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  - C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
  - C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  - C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  - C:\Windows\WindowsUpdate.log (svchost.exe)
  - C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
  - C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
  Caveat: this svchost.exe instance hosts the Windows Update service (-k netsvcs -s wuauserv) and TiWorker.exe is the Windows Modules Installer worker. Both appear in the process tree as top-level processes, not as descendants of the sample, so these writes are background servicing activity on the sandbox VM and should not be attributed to the sample.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. No IoC is listed for this signature, so the report gives nothing to corroborate it.
- Runs ping.exe (1 TTP, 1 IoC)
  Process: PING.EXE, PID 1828 (ping 127.0.0.1, spawned by cmd.exe as a delay before the sample's original executable is deleted; see the process tree below)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  - svchost.exe, PID 3236: SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating, three of each
  - 0e64c95b2441251e0d276c13730148d5375eae7a0798b9c8e0fbcc2f397d81fd.exe, PID 1456: SeIncBasePriorityPrivilege, once
  - TiWorker.exe, PID 5012: SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, cycled repeatedly for all remaining entries
  Only the single SeIncBasePriorityPrivilege entry belongs to the sample; the rest is the same Windows Update and servicing activity noted above.
- Suspicious use of WriteProcessMemory (9 IoCs)
  - PID 1456 (0e64c95b2441251e0d276c13730148d5375eae7a0798b9c8e0fbcc2f397d81fd.exe) wrote to memory of PID 2060 (MediaCenter.exe), 3 entries
  - PID 1456 (0e64c95b2441251e0d276c13730148d5375eae7a0798b9c8e0fbcc2f397d81fd.exe) wrote to memory of PID 4588 (cmd.exe), 3 entries
  - PID 4588 (cmd.exe) wrote to memory of PID 1828 (PING.EXE), 3 entries
  Each of these parent-to-child writes coincides with the parent creating that child; a parent writing the new process's startup parameters is part of ordinary process creation, so on their own these entries do not indicate code injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\0e64c95b2441251e0d276c13730148d5375eae7a0798b9c8e0fbcc2f397d81fd.exe (PID 1456)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e64c95b2441251e0d276c13730148d5375eae7a0798b9c8e0fbcc2f397d81fd.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 2060, child of 1456)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 4588, child of 1456)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e64c95b2441251e0d276c13730148d5375eae7a0798b9c8e0fbcc2f397d81fd.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1828, child of 4588)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 3236)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 5012)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
The cmd.exe child is the sample's self-deletion: ping 127.0.0.1 serves as a short delay (giving the parent time to exit and release its image file), after which del /q removes the original executable, leaving the dropped MediaCenter.exe registered in the Run key as the persistent component. Note that the command line names C:\Windows\System32\cmd.exe but the process image is C:\Windows\SysWOW64\cmd.exe: the 32-bit parent is subject to WOW64 file-system redirection. The svchost.exe (wuauserv) and TiWorker.exe entries are top-level processes unrelated to the sample, as noted under Signatures.
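The three behaviours the report attributes to the sample (the Geo\Nation lookup, the Run-key write and the ping-delayed self-delete) expressed as detection logic, as an added example that is not part of the report or of any sandbox product. The Event schema, the rule names and the user-writable-directory heuristic are my assumptions, standing in for Sysmon event IDs 1, 12 and 13; the event list is constructed from the report's own PIDs and paths. The self-delete rule correlates the del target with the parent process's image, so a child deleting some other file is reported separately as a delayed delete.

```python
"""Added example, not part of the sandbox report: detection logic for the three
behaviours the report attributes to the sample (Run-key persistence, the
Geo\\Nation geofence lookup and the ping-delayed self-delete), run over a
constructed event list that reuses the report's PIDs and paths. The Event
schema is a simplified stand-in for Sysmon event IDs 1, 12 and 13."""
import re
from dataclasses import dataclass

# ...\CurrentVersion\Run[Once]\<name>, with or without the WOW6432Node (32-bit) view.
RUN_KEY_RE = re.compile(
    r"\\(?P<wow>WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\]+)$",
    re.IGNORECASE)
# Country code queried for geofencing.
GEO_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
# cmd /c ping 127.0.0.1 & del [/flags] "<path>": ping is the sleep, del is the payload.
SELF_DELETE_RE = re.compile(
    r"ping\s+127\.0\.0\.1[^&]*&\s*del\b(?:\s+/[a-z])*\s+\"?(?P<target>[^\"]+?)\"?\s*$",
    re.IGNORECASE)
# Heuristic (assumption): autostart targets under these directories are suspicious.
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|ProgramData|Public)\\", re.IGNORECASE)


@dataclass
class Event:
    kind: str          # "process_create", "registry_set" or "registry_query"
    pid: int
    image: str         # image path of the acting process
    target: str = ""   # registry path (registry_*) or command line (process_create)
    value: str = ""    # data written, for registry_set
    ppid: int = 0      # parent PID, for process_create


def detect(events):
    """Return (rule, pid, detail) findings; the self-delete rule correlates
    the del target with the parent's image across events."""
    image_by_pid = {e.pid: e.image for e in events if e.kind == "process_create"}
    findings = []
    for e in events:
        if e.kind == "registry_set" and (m := RUN_KEY_RE.search(e.target)):
            detail = f"Run value {m['name']!r} -> {e.value}"
            if m["wow"]:
                detail += " (WOW6432Node view: written by a 32-bit process on x64)"
            if USER_WRITABLE_RE.search(e.value):
                detail += "; target is in a user-writable directory"
            findings.append(("run_key_persistence", e.pid, detail))
        elif e.kind == "registry_query" and GEO_RE.search(e.target):
            findings.append(("geofence_lookup", e.pid, e.target))
        elif e.kind == "process_create" and (m := SELF_DELETE_RE.search(e.target)):
            target = m["target"].strip()
            parent = image_by_pid.get(e.ppid, "")
            rule = "self_delete" if target.lower() == parent.lower() else "delayed_delete"
            findings.append((rule, e.pid, f"{target} deleted on behalf of PID {e.ppid}"))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0e64c95b2441251e0d276c13730148d5375eae7a0798b9c8e0fbcc2f397d81fd.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events modelled on the report's process tree and registry IoCs.
EVENTS = [
    Event("process_create", 1456, SAMPLE, f'"{SAMPLE}"'),
    Event("registry_query", 1456, SAMPLE,
          r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000"
          r"\Control Panel\International\Geo\Nation"),
    Event("registry_set", 1456, SAMPLE,
          r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
          PAYLOAD),
    Event("process_create", 2060, PAYLOAD, PAYLOAD, ppid=1456),
    Event("process_create", 4588, r"C:\Windows\SysWOW64\cmd.exe",
          f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"', ppid=1456),
    Event("process_create", 1828, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1", ppid=4588),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"[{rule}] pid={pid}: {detail}")
```

Run against the constructed events it yields one finding per behaviour: the geofence lookup and the Run-key write on PID 1456 (flagged as a WOW6432Node write into a user-writable directory) and a self_delete on the cmd.exe child, PID 4588. Feeding it real Sysmon data only requires mapping event IDs 1, 12 and 13 onto the Event fields.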
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 47985b0d6f7c3a2ce60673d685d72b8a
  SHA1: cc09a072be6293a879c5db8c1ebc3b85b0005595
  SHA256: 5ce05189ff7a0307ea6c33f6cfb742db183e52edbdf46f476a9945d77bb5fb73
  SHA512: 79e4cb4b60832dcc97ff8ca0f40c3b252d21fb0b71778b042220920d1b6b2150a95c0a1af83204cbb5d744573de569a852257ceb2681d7fa0307213fd256e88e
This hash set differs from the submitted sample's (see General), so it is a distinct file collected during the run; the report does not name it.