Analysis
- max time kernel: 144s
- max time network: 171s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 07:10
Static task: static1
Behavioral task: behavioral1
- Sample: 0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198.exe
- Resource: win10v2004-en-20220113
General
- Target: 0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198.exe
- Size: 60KB
- MD5: e6cc1f6382dc996a347e1497d5cb6124
- SHA1: 1dc86bfa0f5781635a7b93e839e94cb87b55b377
- SHA256: 0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198
- SHA512: 9e739ab2deed898b0692835cfcf101f8cf58bffb0251e594ab8e2b673dc3694ada2df269d197e118b4ea4087cc63f6a2ea178e371ba1f57d08bdabcdf278824a
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  - MediaCenter.exe (PID 3612)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - 0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198.exe: Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - 0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Drops file in Windows directory (8 IoCs)
  Processes: TiWorker.exe, svchost.exe
  - File opened for modification C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  - File opened for modification C:\Windows\WindowsUpdate.log (svchost.exe)
  - File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
  - File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
  - File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
  - File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  - File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
  - File opened for modification C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, 0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198.exe, TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198.exe, cmd.exe
  - PID 3472 wrote to memory of 3612: 0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198.exe -> MediaCenter.exe
  - PID 3472 wrote to memory of 3612: 0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198.exe -> MediaCenter.exe
  - PID 3472 wrote to memory of 3612: 0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198.exe -> MediaCenter.exe
  - PID 3472 wrote to memory of 1680: 0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198.exe -> cmd.exe
  - PID 3472 wrote to memory of 1680: 0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198.exe -> cmd.exe
  - PID 3472 wrote to memory of 1680: 0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198.exe -> cmd.exe
  - PID 1680 wrote to memory of 1068: cmd.exe -> PING.EXE
  - PID 1680 wrote to memory of 1068: cmd.exe -> PING.EXE
  - PID 1680 wrote to memory of 1068: cmd.exe -> PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198.exe (PID 3472)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 3612)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1680)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1068)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 4920)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 2792)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 8641b30400d1fcff8c1482141b8169f6
  SHA1: b797ccaaae6fde30e2a928f797cb6df3131c3370
  SHA256: 0df062b99b8801a2c150e4fdf38d1ff8705e60e68c7a5d2d8088c6f8f3e6aa2d
  SHA512: a82c3373186bac92485a917c31b93515d461c0b18d106e606658f4d1d989bd378c9e7ecdd2677ecadb0b0369a45d5e3a48e78fa26e9ede567ddd83e76defb95c