Analysis
max time kernel: 137s
max time network: 172s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 07:28
Static task: static1
Behavioral task: behavioral1
  Sample: 0d86ac3ce6406aa9283e326c3681bebd614579d496e48fc8cb0417e2bf07c545.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0d86ac3ce6406aa9283e326c3681bebd614579d496e48fc8cb0417e2bf07c545.exe
  Resource: win10v2004-en-20220113
General
Target: 0d86ac3ce6406aa9283e326c3681bebd614579d496e48fc8cb0417e2bf07c545.exe
Size: 58KB
MD5: e726bd2dd34f2098669cd4ac08c2a75e
SHA1: f0d4e912bd786fee8ca21ef29ead0eb841733f64
SHA256: 0d86ac3ce6406aa9283e326c3681bebd614579d496e48fc8cb0417e2bf07c545
SHA512: 2249a5fdbd986fd597b0e26cad4b3d6bb3e3562a2eddb6d5dc5aafdf1a2dfddbab9831424413c615f6654fc8b16258124ea036bd95f90a707668153bce995d5f
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes: MediaCenter.exe
  pid 3472  process MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 0d86ac3ce6406aa9283e326c3681bebd614579d496e48fc8cb0417e2bf07c545.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (process: 0d86ac3ce6406aa9283e326c3681bebd614579d496e48fc8cb0417e2bf07c545.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 0d86ac3ce6406aa9283e326c3681bebd614579d496e48fc8cb0417e2bf07c545.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (process: 0d86ac3ce6406aa9283e326c3681bebd614579d496e48fc8cb0417e2bf07c545.exe)
Drops file in Windows directory (8 IoCs)
Processes: svchost.exe, TiWorker.exe
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (process: svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (process: svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (process: svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (process: svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (process: svchost.exe)
  File opened for modification: C:\Windows\Logs\CBS\CBS.log (process: TiWorker.exe)
  File opened for modification: C:\Windows\WinSxS\pending.xml (process: TiWorker.exe)
  File opened for modification: C:\Windows\WindowsUpdate.log (process: svchost.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: svchost.exe, 0d86ac3ce6406aa9283e326c3681bebd614579d496e48fc8cb0417e2bf07c545.exe, TiWorker.exe
  Token: SeShutdownPrivilege        pid 3768  process svchost.exe  (3 entries, alternating with the one below)
  Token: SeCreatePagefilePrivilege  pid 3768  process svchost.exe  (3 entries)
  Token: SeIncBasePriorityPrivilege pid 3480  process 0d86ac3ce6406aa9283e326c3681bebd614579d496e48fc8cb0417e2bf07c545.exe  (1 entry)
  Token: SeSecurityPrivilege        pid 2536  process TiWorker.exe  (19 entries)
  Token: SeRestorePrivilege         pid 2536  process TiWorker.exe  (19 entries)
  Token: SeBackupPrivilege          pid 2536  process TiWorker.exe  (19 entries)
  (The 57 TiWorker.exe entries appear as repeating Security/Restore/Backup triples in the original table.)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 0d86ac3ce6406aa9283e326c3681bebd614579d496e48fc8cb0417e2bf07c545.exe, cmd.exe
  PID 3480 wrote to memory of 3472  process 0d86ac3ce6406aa9283e326c3681bebd614579d496e48fc8cb0417e2bf07c545.exe  target MediaCenter.exe
  PID 3480 wrote to memory of 3472  process 0d86ac3ce6406aa9283e326c3681bebd614579d496e48fc8cb0417e2bf07c545.exe  target MediaCenter.exe
  PID 3480 wrote to memory of 3472  process 0d86ac3ce6406aa9283e326c3681bebd614579d496e48fc8cb0417e2bf07c545.exe  target MediaCenter.exe
  PID 3480 wrote to memory of 1416  process 0d86ac3ce6406aa9283e326c3681bebd614579d496e48fc8cb0417e2bf07c545.exe  target cmd.exe
  PID 3480 wrote to memory of 1416  process 0d86ac3ce6406aa9283e326c3681bebd614579d496e48fc8cb0417e2bf07c545.exe  target cmd.exe
  PID 3480 wrote to memory of 1416  process 0d86ac3ce6406aa9283e326c3681bebd614579d496e48fc8cb0417e2bf07c545.exe  target cmd.exe
  PID 1416 wrote to memory of 1984  process cmd.exe  target PING.EXE
  PID 1416 wrote to memory of 1984  process cmd.exe  target PING.EXE
  PID 1416 wrote to memory of 1984  process cmd.exe  target PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\0d86ac3ce6406aa9283e326c3681bebd614579d496e48fc8cb0417e2bf07c545.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0d86ac3ce6406aa9283e326c3681bebd614579d496e48fc8cb0417e2bf07c545.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3480
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 3472
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d86ac3ce6406aa9283e326c3681bebd614579d496e48fc8cb0417e2bf07c545.exe"
      - Suspicious use of WriteProcessMemory
      PID: 1416
        C:\Windows\SysWOW64\PING.EXE
          command line: ping 127.0.0.1
          - Runs ping.exe
          PID: 1984

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3768

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2536
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: b8a5702a0613a8ea362f3f943607cb58
SHA1: b1a29222a08f910ec9e93329bdcc1519609f447c
SHA256: ad12c25a929f9b8191f39e9ff23cdce1a468bac4ceed5352424f94768a7a2bff
SHA512: d009e377ddc9ecbcec629b491e72142eeb71af1f1279572deae562d48819ee09f3b58f9304d7f489b8d56533b33a06c8d98e8459372a8745f80946c1591f6660