Analysis
max time kernel: 161s
max time network: 172s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 07:30

- Static task: static1
- Behavioral task: behavioral1
  Sample: 0d5ce60436ab7a22d310eeea01014c383859e67ccbe8cbe17d5727ffa10a8360.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 0d5ce60436ab7a22d310eeea01014c383859e67ccbe8cbe17d5727ffa10a8360.exe
  Resource: win10v2004-en-20220113
General
- Target: 0d5ce60436ab7a22d310eeea01014c383859e67ccbe8cbe17d5727ffa10a8360.exe (the file name is the sample's own SHA256, so it carries no information about the original file name)
- Size: 36KB
- MD5: ef730a58c85799f72c4d35faeec5371e
- SHA1: ef58222964a41bb8dc2b782afe8ffc7e762103ea
- SHA256: 0d5ce60436ab7a22d310eeea01014c383859e67ccbe8cbe17d5727ffa10a8360
- SHA512: 8b3fa5ad05f9c5f41f7c10eaec0cba6d53019c2513c98c09b69347b17104653803252c97764eb71c5d6cb0b1a189a4f62ea29f9eb75d4f7361d2ae0f05c13f97
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 4336), the file the sample placed in C:\Users\Admin\AppData\Local\Temp\MicroMedia\ and then launched (see Processes).
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process: 0d5ce60436ab7a22d310eeea01014c383859e67ccbe8cbe17d5727ffa10a8360.exe (PID 1252)
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  Caveat: Geo\Nation holds the user's configured country as a Windows GeoID, and localisation-aware legitimate software reads it too. The signature fires on the read itself; the report does not show what the sample does with the value, so whether execution is actually gated on country is not established here.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0d5ce60436ab7a22d310eeea01014c383859e67ccbe8cbe17d5727ffa10a8360.exe (PID 1252)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Notes: this is the machine-wide Run key (HKLM), so the dropped MediaCenter.exe is started at every interactive logon, for any user. Writing under HKLM requires administrative rights, which the sandbox's Admin account supplies; on a host where the sample runs as a standard user this write would fail unless the process is elevated. The WOW6432Node path is registry redirection of a 32-bit process writing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, which agrees with the SysWOW64\cmd.exe in the process tree. The practical hunting handle is the target path: autostart values whose data resolves under a user's %LOCALAPPDATA%\Temp are rare in legitimate software.
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe (PID 3120), TiWorker.exe (PID 3484)
  File opened for modification:
    C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
    C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
    C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
    C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
    C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
    C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
    C:\Windows\WinSxS\pending.xml (TiWorker.exe)
    C:\Windows\WindowsUpdate.log (svchost.exe)
  Caveat: neither process is a child of the sample; both appear as separate roots in the process tree. This svchost.exe hosts the Windows Update service (-s wuauserv) and TiWorker.exe is the servicing-stack worker, and the files are the Update datastore and CBS logs. This is background activity of the analysis VM, not behaviour of the sample, and should not be carried into IoC lists.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Caveat: the sandbox lists no IoC for this signature and the sentence above is its generic description of the heuristic. Nothing else in this report (no bulk file modification, no renamed files, no ransom note) supports a ransomware classification; drive enumeration is also common in droppers and in ordinary software.
- Runs ping.exe (1 TTP, 1 IoC)
  Process: PING.EXE (PID 2620), command line "ping 127.0.0.1", started by cmd.exe (PID 2764), which the sample spawned. The loopback ping is a delay: cmd.exe waits for it to complete before running del /q on the original sample file, giving the sample process time to exit so that the delete of its own (otherwise locked) image can succeed.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Process | PID | Privileges enabled
  svchost.exe | 3120 | SeShutdownPrivilege, SeCreatePagefilePrivilege (the pair enabled three times, alternating)
  0d5ce60436ab7a22d310eeea01014c383859e67ccbe8cbe17d5727ffa10a8360.exe | 1252 | SeIncBasePriorityPrivilege (once)
  TiWorker.exe | 3484 | SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege, cycled repeatedly for all remaining entries
  Caveat: only one of the 64 entries belongs to the sample, and SeIncBasePriorityPrivilege (increase scheduling priority) is a low-signal privilege. The Backup/Restore/Security cycle is TiWorker.exe's normal servicing behaviour and the shutdown/pagefile pair belongs to the Update service host; neither is sample activity.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Source PID | Source process | Target PID | Target process | Writes
  1252 | 0d5ce60436ab7a22d310eeea01014c383859e67ccbe8cbe17d5727ffa10a8360.exe | 4336 | MediaCenter.exe | 3
  1252 | 0d5ce60436ab7a22d310eeea01014c383859e67ccbe8cbe17d5727ffa10a8360.exe | 2764 | cmd.exe | 3
  2764 | cmd.exe | 2620 | PING.EXE | 3
  Caveat: every target is the source's own freshly created child, and the identical three-write pattern appears for the cmd.exe to PING.EXE pair, which is plain process creation. This matches the writes a parent makes while setting up a new process rather than injection into a foreign process; read the signature as a record of the process chain, not as evidence of code injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\0d5ce60436ab7a22d310eeea01014c383859e67ccbe8cbe17d5727ffa10a8360.exe (PID 1252)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d5ce60436ab7a22d310eeea01014c383859e67ccbe8cbe17d5727ffa10a8360.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 4336)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 2764)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d5ce60436ab7a22d310eeea01014c383859e67ccbe8cbe17d5727ffa10a8360.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 2620)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 3120)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 3484)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample (PID 1252) writes MediaCenter.exe under %LOCALAPPDATA%\Temp\MicroMedia, registers it in the HKLM Run key, starts it, and then hands cleanup to cmd.exe, which pings loopback as a delay and deletes the original sample file. The command line names C:\Windows\System32\cmd.exe but the image that ran is C:\Windows\SysWOW64\cmd.exe: WOW64 file-system redirection, so the sample is a 32-bit binary, consistent with the WOW6432Node registry path. The svchost.exe (wuauserv) and TiWorker.exe roots are the analysis VM's Windows Update and servicing activity and are unrelated to the sample.
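The chain that the Signatures and Processes sections document (a Run value pointing into %LOCALAPPDATA%\Temp, the dropped MediaCenter.exe started from there, and cmd.exe deleting the sample after a loopback ping) as detection logic. This is an added example of my own, not code from the sandbox or from the sample. The events are constructed from the report's values in a Sysmon-like shape (id 1 = process create, id 13 = registry value set); the field names and the services.exe parent given to svchost.exe are assumptions.

```python
"""Detection logic for the persistence / dropped-EXE / self-delete chain in
this report, run offline over constructed events (added example)."""
import re
from typing import Dict, List, Tuple

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0d5ce60436ab7a22d310eeea01014c383859e67ccbe8cbe17d5727ffa10a8360.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed telemetry (Sysmon-like: id 1 process create, id 13 registry value
# set). Values come from the report's process tree and registry IoC; the field
# names and the services.exe parent of svchost.exe are my assumptions.
EVENTS: List[Dict] = [
    {"id": 13, "pid": 1252, "image": SAMPLE,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "data": DROPPED},
    {"id": 1, "pid": 4336, "ppid": 1252, "image": DROPPED, "parent_image": SAMPLE,
     "cmdline": DROPPED},
    {"id": 1, "pid": 2764, "ppid": 1252, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": SAMPLE,
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"id": 1, "pid": 2620, "ppid": 2764, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "parent_image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "ping 127.0.0.1"},
    # Benign control from the same report: the Windows Update service host.
    {"id": 1, "pid": 3120, "ppid": 700, "image": r"C:\Windows\system32\svchost.exe",
     "parent_image": r"C:\Windows\system32\services.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"},
]

# Profile paths a standard user can write to; the sample stages its payload
# under one of them (%LOCALAPPDATA%\Temp\MicroMedia).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local|Roaming)\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# 'ping <anything> & del [/q] "<path>.exe"': ping is the sleep, del the cleanup.
SELF_DELETE = re.compile(r"\bping\b.*&\s*del\b[^\"]*\"?(?P<target>[^\"]+?\.exe)\"?", re.I)


def run_key_to_user_writable_path(ev: Dict) -> bool:
    """Autostart value whose data lives under a user-writable profile path."""
    return ev["id"] == 13 and bool(RUN_KEY.search(ev["key"])) \
        and bool(USER_WRITABLE.search(ev["data"]))


def self_delete_via_ping(ev: Dict) -> bool:
    """cmd.exe deleting its own parent's image after a ping-based delay."""
    if ev["id"] != 1 or not ev["image"].lower().endswith("\\cmd.exe"):
        return False
    m = SELF_DELETE.search(ev["cmdline"])
    return bool(m) and m.group("target").strip().lower() == ev["parent_image"].lower()


def dropped_exe_executed(ev: Dict) -> bool:
    """Process started from a user-writable path by a parent in such a path."""
    return ev["id"] == 1 and bool(USER_WRITABLE.search(ev["image"])) \
        and bool(USER_WRITABLE.search(ev.get("parent_image", "")))


RULES = {
    "persistence.run_key_to_user_writable_path": run_key_to_user_writable_path,
    "execution.dropped_exe_from_user_writable_path": dropped_exe_executed,
    "defense_evasion.self_delete_via_ping": self_delete_via_ping,
}


def scan(events: List[Dict]) -> List[Tuple[str, int]]:
    """Apply every rule to every event; returns (rule name, pid) hits."""
    return [(name, ev["pid"]) for ev in events for name, rule in RULES.items() if rule(ev)]


def persisted_binary_executed(events: List[Dict]) -> List[int]:
    """Cross-event correlation: PIDs whose image is the data of a Run value."""
    targets = {ev["data"].lower() for ev in events
               if ev["id"] == 13 and RUN_KEY.search(ev["key"])}
    return [ev["pid"] for ev in events if ev["id"] == 1 and ev["image"].lower() in targets]


if __name__ == "__main__":
    for name, pid in scan(EVENTS):
        print(f"{name:48s} pid={pid}")
    print("persisted binary executed by pid(s):", persisted_binary_executed(EVENTS))
```

The self-delete rule compares the del target with the parent's image path instead of keying on 127.0.0.1 alone, so a batch file that pings loopback for other reasons does not fire it, and the correlation in persisted_binary_executed ties the registry write to the later process start, a link no single event shows. The svchost.exe event is there as a negative control: none of the three rules match it.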
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: b5b1fb51570796971bf1bbab9a5f8d95
  SHA1: dfbecfd93e95faa3e8a7e8046436ab1b24668ad2
  SHA256: e75512fff025614f665379cd92a83a391612567d7ed62edaf3663c8b543ec40d
  SHA512: 3c1e28a9858508918462a30da818e10a31fc4dd846994a01932788cf6c4596f4602abb2f4e3fa52611fec2407253ec22d5d0920eae96e0139ac52601623a504b
  These digests differ from the submitted sample's, so this is a distinct artifact produced during the run rather than a second copy of the input; the report does not say which file it is.
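Normalising hash records from a report like this one, as an added example of my own (not the sandbox's code). The Downloads block lists the same four digests twice and glues some labels to their values ("SHA1dfbe..."); the parser below accepts both layouts, checks that each digest's length matches its label, drops the duplicate record, and verifies a file's bytes against a record. The input lines are copied from the report; the bytes verified at the end are a constructed stand-in, not the artifact itself.

```python
"""Parse, validate, de-duplicate and verify the hash records of a sandbox
report (added example; the REPORT_LINES are copied from the Downloads block)."""
import hashlib
import re
from typing import Dict, List

REPORT_LINES = [
    "-",
    "MD5",
    "b5b1fb51570796971bf1bbab9a5f8d95",
    "SHA1dfbecfd93e95faa3e8a7e8046436ab1b24668ad2",
    "SHA256e75512fff025614f665379cd92a83a391612567d7ed62edaf3663c8b543ec40d",
    "SHA5123c1e28a9858508918462a30da818e10a31fc4dd846994a01932788cf6c4596f4602abb2f4e3fa52611fec2407253ec22d5d0920eae96e0139ac52601623a504b",
    "-",
    "MD5",
    "b5b1fb51570796971bf1bbab9a5f8d95",
    "SHA1dfbecfd93e95faa3e8a7e8046436ab1b24668ad2",
    "SHA256e75512fff025614f665379cd92a83a391612567d7ed62edaf3663c8b543ec40d",
    "SHA5123c1e28a9858508918462a30da818e10a31fc4dd846994a01932788cf6c4596f4602abb2f4e3fa52611fec2407253ec22d5d0920eae96e0139ac52601623a504b",
]

# Hex length is the only reliable way to tell the algorithms apart once the
# label has been lost or glued to the value.
DIGEST_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
# Optional label, optional whitespace, optional hex run: matches "MD5",
# "b5b1...", and "SHA1dfbe..." alike.
LINE = re.compile(r"^(md5|sha1|sha256|sha512)?\s*([0-9a-f]{32,128})?$", re.I)


def parse_hash_block(lines: List[str]) -> Dict[str, str]:
    """Return {algorithm: lowercase digest}; raises if a label and the digest
    length disagree (a glued or mislabelled line would otherwise go unnoticed)."""
    out: Dict[str, str] = {}
    pending = None                         # label seen on its own line
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m or not (m.group(1) or m.group(2)):
            continue                       # heading, separator or blank line
        label, digest = m.group(1), m.group(2)
        if digest is None:
            pending = label.lower()
            continue
        algo = DIGEST_LEN.get(len(digest))
        name = (label or pending or "").lower()
        if algo is None or (name and name != algo):
            raise ValueError(f"{name or 'unlabelled'} digest has length {len(digest)}")
        out[algo], pending = digest.lower(), None
    return out


def parse_records(lines: List[str]) -> List[Dict[str, str]]:
    """Split on the report's '-' separators and drop verbatim duplicate records."""
    records: List[Dict[str, str]] = []
    block: List[str] = []
    for line in list(lines) + ["-"]:
        if line.strip() == "-":
            rec = parse_hash_block(block)
            if rec and rec not in records:
                records.append(rec)
            block = []
        else:
            block.append(line)
    return records


def digests_of(data: bytes) -> Dict[str, str]:
    """All four digests of data, in the same shape as a parsed record."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in DIGEST_LEN.values()}


def verify(data: bytes, record: Dict[str, str]) -> Dict[str, bool]:
    """Recompute every digest named in the record over data and compare."""
    return {algo: hashlib.new(algo, data).hexdigest() == digest
            for algo, digest in record.items()}


if __name__ == "__main__":
    recs = parse_records(REPORT_LINES)
    print(len(recs), "unique record(s)")
    stand_in = b"constructed stand-in, not the downloaded artifact"   # constructed bytes
    print("against the report's record:", verify(stand_in, recs[0]))  # every entry False
    print("against its own digests:   ", verify(stand_in, digests_of(stand_in)))
```

Verifying all four digests rather than the first one that matches is deliberate: MD5 and SHA1 are kept only for interoperability with older feeds, and a record whose SHA256 disagrees while MD5 agrees would be the kind of inconsistency worth surfacing rather than silently accepting.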