Analysis
- max time kernel: 133s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 07:27
Static task: static1
Behavioral task: behavioral1
  Sample: 0d89538003492a405b228fd69ee2b829b228e4900f406f7702b20044034b00b7.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0d89538003492a405b228fd69ee2b829b228e4900f406f7702b20044034b00b7.exe
  Resource: win10v2004-en-20220113
General
- Target: 0d89538003492a405b228fd69ee2b829b228e4900f406f7702b20044034b00b7.exe
- Size: 36KB
- MD5: 3e269d9415e43988c2ff16876dc280d2
- SHA1: 3ccbc7d984eee5e5a55b4995f91f1543cd7ef675
- SHA256: 0d89538003492a405b228fd69ee2b829b228e4900f406f7702b20044034b00b7
- SHA512: f6dd79b851953c647ca90cb08641c4d86c1a6349a388f8439cf85f9c0bef953245f5156fd794d77b19671863ebbff0c650b651895c98ed00430e66f91d0b0b57
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid  | process
  3644 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description       | ioc                                                                                              | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0d89538003492a405b228fd69ee2b829b228e4900f406f7702b20044034b00b7.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description     | ioc                                                                                                                                                                   | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0d89538003492a405b228fd69ee2b829b228e4900f406f7702b20044034b00b7.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
  description                  | ioc                                                        | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm     | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log        | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log                                 | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml                               | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log                                | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk      | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log      | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb     | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  description                       | pid  | process
  Token: SeIncBasePriorityPrivilege | 2880 | 0d89538003492a405b228fd69ee2b829b228e4900f406f7702b20044034b00b7.exe
  Token: SeShutdownPrivilege        | 1148 | svchost.exe
  Token: SeCreatePagefilePrivilege  | 1148 | svchost.exe
  Token: SeShutdownPrivilege        | 1148 | svchost.exe
  Token: SeCreatePagefilePrivilege  | 1148 | svchost.exe
  Token: SeShutdownPrivilege        | 1148 | svchost.exe
  Token: SeCreatePagefilePrivilege  | 1148 | svchost.exe
  Token: SeSecurityPrivilege        | 3716 | TiWorker.exe
  Token: SeRestorePrivilege         | 3716 | TiWorker.exe
  Token: SeBackupPrivilege          | 3716 | TiWorker.exe
  Token: SeBackupPrivilege          | 3716 | TiWorker.exe
  Token: SeRestorePrivilege         | 3716 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3716 | TiWorker.exe
  (the preceding group of three TiWorker.exe rows, SeBackupPrivilege / SeRestorePrivilege / SeSecurityPrivilege, repeats 18 times in total, making up rows 11 to 64)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description                      | pid  | process                                                              | target process
  PID 2880 wrote to memory of 3644 | 2880 | 0d89538003492a405b228fd69ee2b829b228e4900f406f7702b20044034b00b7.exe | MediaCenter.exe
  PID 2880 wrote to memory of 3644 | 2880 | 0d89538003492a405b228fd69ee2b829b228e4900f406f7702b20044034b00b7.exe | MediaCenter.exe
  PID 2880 wrote to memory of 3644 | 2880 | 0d89538003492a405b228fd69ee2b829b228e4900f406f7702b20044034b00b7.exe | MediaCenter.exe
  PID 2880 wrote to memory of 1988 | 2880 | 0d89538003492a405b228fd69ee2b829b228e4900f406f7702b20044034b00b7.exe | cmd.exe
  PID 2880 wrote to memory of 1988 | 2880 | 0d89538003492a405b228fd69ee2b829b228e4900f406f7702b20044034b00b7.exe | cmd.exe
  PID 2880 wrote to memory of 1988 | 2880 | 0d89538003492a405b228fd69ee2b829b228e4900f406f7702b20044034b00b7.exe | cmd.exe
  PID 1988 wrote to memory of 4060 | 1988 | cmd.exe                                                              | PING.EXE
  PID 1988 wrote to memory of 4060 | 1988 | cmd.exe                                                              | PING.EXE
  PID 1988 wrote to memory of 4060 | 1988 | cmd.exe                                                              | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0d89538003492a405b228fd69ee2b829b228e4900f406f7702b20044034b00b7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d89538003492a405b228fd69ee2b829b228e4900f406f7702b20044034b00b7.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2880
    - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 3644
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d89538003492a405b228fd69ee2b829b228e4900f406f7702b20044034b00b7.exe"
      - Suspicious use of WriteProcessMemory
      PID: 1988
        - C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          - Runs ping.exe
          PID: 4060
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1148
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3716
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 4c8955b050f4783060461b41b8e9a079
  SHA1: 94b565a3411c042953c4b3376e968be49d6bd506
  SHA256: 0082c4bb24bacc0b9fc97d69e2a6884613fa8d91480b9377b63fc4d89a9275a2
  SHA512: 69bb4b295ab8d8f8a44dc41fcd2f02eb057c8b89b13bc62c3f0126d64fe84a87b6cf44e26a59f8cc1d440a8297577e56ecf198d0af16b2fcf54c7cda78d3abe0