Analysis
- max time kernel: 162s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 07:28
Static task: static1
Behavioral task: behavioral1
- Sample: 0d7ade6a99baf039ba979e45f6b84afa24811d44e24b3c6e87faab9499183b3a.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0d7ade6a99baf039ba979e45f6b84afa24811d44e24b3c6e87faab9499183b3a.exe
- Resource: win10v2004-en-20220113
General
- Target: 0d7ade6a99baf039ba979e45f6b84afa24811d44e24b3c6e87faab9499183b3a.exe
- Size: 36KB
- MD5: 36eeadbbbf07c3a3896db43cc1a60f91
- SHA1: 4141064204fed494d8b072294e8a120a993ba4c0
- SHA256: 0d7ade6a99baf039ba979e45f6b84afa24811d44e24b3c6e87faab9499183b3a
- SHA512: fb4a67a3f34a06a538d449b4576fa5dedf6aae6dcfd8bdfc3bdc0eeb274b3ef2f6a9e3286db55b5ef64f6f948123fe1cc662f59b62256aa3bea4ddf7463426e3
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
  pid | process
  4996 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 0d7ade6a99baf039ba979e45f6b84afa24811d44e24b3c6e87faab9499183b3a.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0d7ade6a99baf039ba979e45f6b84afa24811d44e24b3c6e87faab9499183b3a.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 0d7ade6a99baf039ba979e45f6b84afa24811d44e24b3c6e87faab9499183b3a.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0d7ade6a99baf039ba979e45f6b84afa24811d44e24b3c6e87faab9499183b3a.exe
- Drops file in Windows directory (8 IoCs)
  Processes: TiWorker.exe, svchost.exe
  description | ioc | process
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, TiWorker.exe
  description | pid | process
  Token: SeShutdownPrivilege | 1176 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1176 | svchost.exe
  Token: SeShutdownPrivilege | 1176 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1176 | svchost.exe
  Token: SeShutdownPrivilege | 1176 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1176 | svchost.exe
  Token: SeSecurityPrivilege | 3704 | TiWorker.exe
  Token: SeRestorePrivilege | 3704 | TiWorker.exe
  Token: SeBackupPrivilege | 3704 | TiWorker.exe
  Token: SeBackupPrivilege | 3704 | TiWorker.exe
  Token: SeRestorePrivilege | 3704 | TiWorker.exe
  Token: SeSecurityPrivilege | 3704 | TiWorker.exe
  Token: SeBackupPrivilege | 3704 | TiWorker.exe
  Token: SeRestorePrivilege | 3704 | TiWorker.exe
  Token: SeSecurityPrivilege | 3704 | TiWorker.exe
  Token: SeBackupPrivilege | 3704 | TiWorker.exe
  Token: SeRestorePrivilege | 3704 | TiWorker.exe
  Token: SeSecurityPrivilege | 3704 | TiWorker.exe
  Token: SeBackupPrivilege | 3704 | TiWorker.exe
  Token: SeRestorePrivilege | 3704 | TiWorker.exe
  Token: SeSecurityPrivilege | 3704 | TiWorker.exe
  Token: SeBackupPrivilege | 3704 | TiWorker.exe
  Token: SeRestorePrivilege | 3704 | TiWorker.exe
  Token: SeSecurityPrivilege | 3704 | TiWorker.exe
  Token: SeBackupPrivilege | 3704 | TiWorker.exe
  Token: SeRestorePrivilege | 3704 | TiWorker.exe
  Token: SeSecurityPrivilege | 3704 | TiWorker.exe
  Token: SeBackupPrivilege | 3704 | TiWorker.exe
  Token: SeRestorePrivilege | 3704 | TiWorker.exe
  Token: SeSecurityPrivilege | 3704 | TiWorker.exe
  Token: SeBackupPrivilege | 3704 | TiWorker.exe
  Token: SeRestorePrivilege | 3704 | TiWorker.exe
  Token: SeSecurityPrivilege | 3704 | TiWorker.exe
  Token: SeBackupPrivilege | 3704 | TiWorker.exe
  Token: SeRestorePrivilege | 3704 | TiWorker.exe
  Token: SeSecurityPrivilege | 3704 | TiWorker.exe
  Token: SeBackupPrivilege | 3704 | TiWorker.exe
  Token: SeRestorePrivilege | 3704 | TiWorker.exe
  Token: SeSecurityPrivilege | 3704 | TiWorker.exe
  Token: SeBackupPrivilege | 3704 | TiWorker.exe
  Token: SeRestorePrivilege | 3704 | TiWorker.exe
  Token: SeSecurityPrivilege | 3704 | TiWorker.exe
  Token: SeBackupPrivilege | 3704 | TiWorker.exe
  Token: SeRestorePrivilege | 3704 | TiWorker.exe
  Token: SeSecurityPrivilege | 3704 | TiWorker.exe
  Token: SeBackupPrivilege | 3704 | TiWorker.exe
  Token: SeRestorePrivilege | 3704 | TiWorker.exe
  Token: SeSecurityPrivilege | 3704 | TiWorker.exe
  Token: SeBackupPrivilege | 3704 | TiWorker.exe
  Token: SeRestorePrivilege | 3704 | TiWorker.exe
  Token: SeSecurityPrivilege | 3704 | TiWorker.exe
  Token: SeBackupPrivilege | 3704 | TiWorker.exe
  Token: SeRestorePrivilege | 3704 | TiWorker.exe
  Token: SeSecurityPrivilege | 3704 | TiWorker.exe
  Token: SeBackupPrivilege | 3704 | TiWorker.exe
  Token: SeRestorePrivilege | 3704 | TiWorker.exe
  Token: SeSecurityPrivilege | 3704 | TiWorker.exe
  Token: SeBackupPrivilege | 3704 | TiWorker.exe
  Token: SeRestorePrivilege | 3704 | TiWorker.exe
  Token: SeSecurityPrivilege | 3704 | TiWorker.exe
  Token: SeBackupPrivilege | 3704 | TiWorker.exe
  Token: SeRestorePrivilege | 3704 | TiWorker.exe
  Token: SeSecurityPrivilege | 3704 | TiWorker.exe
  Token: SeBackupPrivilege | 3704 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 0d7ade6a99baf039ba979e45f6b84afa24811d44e24b3c6e87faab9499183b3a.exe, cmd.exe
  description | pid | process | target process
  PID 3148 wrote to memory of 4996 | 3148 | 0d7ade6a99baf039ba979e45f6b84afa24811d44e24b3c6e87faab9499183b3a.exe | MediaCenter.exe
  PID 3148 wrote to memory of 4996 | 3148 | 0d7ade6a99baf039ba979e45f6b84afa24811d44e24b3c6e87faab9499183b3a.exe | MediaCenter.exe
  PID 3148 wrote to memory of 4996 | 3148 | 0d7ade6a99baf039ba979e45f6b84afa24811d44e24b3c6e87faab9499183b3a.exe | MediaCenter.exe
  PID 3148 wrote to memory of 620 | 3148 | 0d7ade6a99baf039ba979e45f6b84afa24811d44e24b3c6e87faab9499183b3a.exe | cmd.exe
  PID 3148 wrote to memory of 620 | 3148 | 0d7ade6a99baf039ba979e45f6b84afa24811d44e24b3c6e87faab9499183b3a.exe | cmd.exe
  PID 3148 wrote to memory of 620 | 3148 | 0d7ade6a99baf039ba979e45f6b84afa24811d44e24b3c6e87faab9499183b3a.exe | cmd.exe
  PID 620 wrote to memory of 1044 | 620 | cmd.exe | PING.EXE
  PID 620 wrote to memory of 1044 | 620 | cmd.exe | PING.EXE
  PID 620 wrote to memory of 1044 | 620 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0d7ade6a99baf039ba979e45f6b84afa24811d44e24b3c6e87faab9499183b3a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d7ade6a99baf039ba979e45f6b84afa24811d44e24b3c6e87faab9499183b3a.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 3148
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 4996
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d7ade6a99baf039ba979e45f6b84afa24811d44e24b3c6e87faab9499183b3a.exe"
    - Suspicious use of WriteProcessMemory
    PID: 620
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1044
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1176
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3704
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 7f3aba513bd7d98ebdfa537667bf5628
  SHA1: 4630437f87ccd9c313e93c8432d61b51304cf90f
  SHA256: f925d85e78a3bd33f4cb64b2bf3b5bb4fba3272dce9ed56ab4cfc64746dad3b0
  SHA512: ee5be1321996a192133160355ab7acef5c5aa68585d81dad3a36f7d970bf0a8c421c64dd2100a768e5cfd86ed4a34e77bb81100bc878f281e5155921868d4593