Analysis
- max time kernel: 126s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 07:30
Static task: static1
Behavioral task: behavioral1
  Sample: 0d660b721cbcfbbffad6ade23e0bebfbe60cffba6272f619f349256e16c970e5.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0d660b721cbcfbbffad6ade23e0bebfbe60cffba6272f619f349256e16c970e5.exe
  Resource: win10v2004-en-20220113
General
- Target: 0d660b721cbcfbbffad6ade23e0bebfbe60cffba6272f619f349256e16c970e5.exe
- Size: 58KB
- MD5: f8909715d32384a59351a7fe03bbd555
- SHA1: a81fd6e8bd02917fb8434e65624cfa32bb6f2aab
- SHA256: 0d660b721cbcfbbffad6ade23e0bebfbe60cffba6272f619f349256e16c970e5
- SHA512: 53c8d3abf5814389352b01cf27e96742b52becdce8f1ea09d59e2c01132c04173aae3a4380be9fbae57a2260b93e22dd483f7c1f04048733118fa7b62b2f5a11
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes: MediaCenter.exe
pid | process
3472 | MediaCenter.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 0d660b721cbcfbbffad6ade23e0bebfbe60cffba6272f619f349256e16c970e5.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0d660b721cbcfbbffad6ade23e0bebfbe60cffba6272f619f349256e16c970e5.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 0d660b721cbcfbbffad6ade23e0bebfbe60cffba6272f619f349256e16c970e5.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0d660b721cbcfbbffad6ade23e0bebfbe60cffba6272f619f349256e16c970e5.exe
-
Drops file in Windows directory 8 IoCs
Processes: TiWorker.exe, svchost.exe
description | ioc | process
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: svchost.exe, 0d660b721cbcfbbffad6ade23e0bebfbe60cffba6272f619f349256e16c970e5.exe, TiWorker.exe
description | pid | process
Token: SeShutdownPrivilege | 1360 | svchost.exe
Token: SeCreatePagefilePrivilege | 1360 | svchost.exe
Token: SeShutdownPrivilege | 1360 | svchost.exe
Token: SeCreatePagefilePrivilege | 1360 | svchost.exe
Token: SeShutdownPrivilege | 1360 | svchost.exe
Token: SeCreatePagefilePrivilege | 1360 | svchost.exe
Token: SeIncBasePriorityPrivilege | 4580 | 0d660b721cbcfbbffad6ade23e0bebfbe60cffba6272f619f349256e16c970e5.exe
Token: SeSecurityPrivilege | 560 | TiWorker.exe
Token: SeRestorePrivilege | 560 | TiWorker.exe
Token: SeBackupPrivilege | 560 | TiWorker.exe
Token: SeBackupPrivilege | 560 | TiWorker.exe
Token: SeRestorePrivilege | 560 | TiWorker.exe
Token: SeSecurityPrivilege | 560 | TiWorker.exe
Token: SeBackupPrivilege | 560 | TiWorker.exe
Token: SeRestorePrivilege | 560 | TiWorker.exe
Token: SeSecurityPrivilege | 560 | TiWorker.exe
Token: SeBackupPrivilege | 560 | TiWorker.exe
Token: SeRestorePrivilege | 560 | TiWorker.exe
Token: SeSecurityPrivilege | 560 | TiWorker.exe
Token: SeBackupPrivilege | 560 | TiWorker.exe
Token: SeRestorePrivilege | 560 | TiWorker.exe
Token: SeSecurityPrivilege | 560 | TiWorker.exe
Token: SeBackupPrivilege | 560 | TiWorker.exe
Token: SeRestorePrivilege | 560 | TiWorker.exe
Token: SeSecurityPrivilege | 560 | TiWorker.exe
Token: SeBackupPrivilege | 560 | TiWorker.exe
Token: SeRestorePrivilege | 560 | TiWorker.exe
Token: SeSecurityPrivilege | 560 | TiWorker.exe
Token: SeBackupPrivilege | 560 | TiWorker.exe
Token: SeRestorePrivilege | 560 | TiWorker.exe
Token: SeSecurityPrivilege | 560 | TiWorker.exe
Token: SeBackupPrivilege | 560 | TiWorker.exe
Token: SeRestorePrivilege | 560 | TiWorker.exe
Token: SeSecurityPrivilege | 560 | TiWorker.exe
Token: SeBackupPrivilege | 560 | TiWorker.exe
Token: SeRestorePrivilege | 560 | TiWorker.exe
Token: SeSecurityPrivilege | 560 | TiWorker.exe
Token: SeBackupPrivilege | 560 | TiWorker.exe
Token: SeRestorePrivilege | 560 | TiWorker.exe
Token: SeSecurityPrivilege | 560 | TiWorker.exe
Token: SeBackupPrivilege | 560 | TiWorker.exe
Token: SeRestorePrivilege | 560 | TiWorker.exe
Token: SeSecurityPrivilege | 560 | TiWorker.exe
Token: SeBackupPrivilege | 560 | TiWorker.exe
Token: SeRestorePrivilege | 560 | TiWorker.exe
Token: SeSecurityPrivilege | 560 | TiWorker.exe
Token: SeBackupPrivilege | 560 | TiWorker.exe
Token: SeRestorePrivilege | 560 | TiWorker.exe
Token: SeSecurityPrivilege | 560 | TiWorker.exe
Token: SeBackupPrivilege | 560 | TiWorker.exe
Token: SeRestorePrivilege | 560 | TiWorker.exe
Token: SeSecurityPrivilege | 560 | TiWorker.exe
Token: SeBackupPrivilege | 560 | TiWorker.exe
Token: SeRestorePrivilege | 560 | TiWorker.exe
Token: SeSecurityPrivilege | 560 | TiWorker.exe
Token: SeBackupPrivilege | 560 | TiWorker.exe
Token: SeRestorePrivilege | 560 | TiWorker.exe
Token: SeSecurityPrivilege | 560 | TiWorker.exe
Token: SeBackupPrivilege | 560 | TiWorker.exe
Token: SeRestorePrivilege | 560 | TiWorker.exe
Token: SeSecurityPrivilege | 560 | TiWorker.exe
Token: SeBackupPrivilege | 560 | TiWorker.exe
Token: SeRestorePrivilege | 560 | TiWorker.exe
Token: SeSecurityPrivilege | 560 | TiWorker.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes: 0d660b721cbcfbbffad6ade23e0bebfbe60cffba6272f619f349256e16c970e5.exe, cmd.exe
description | pid | process | target process
PID 4580 wrote to memory of 3472 | 4580 | 0d660b721cbcfbbffad6ade23e0bebfbe60cffba6272f619f349256e16c970e5.exe | MediaCenter.exe
PID 4580 wrote to memory of 3472 | 4580 | 0d660b721cbcfbbffad6ade23e0bebfbe60cffba6272f619f349256e16c970e5.exe | MediaCenter.exe
PID 4580 wrote to memory of 3472 | 4580 | 0d660b721cbcfbbffad6ade23e0bebfbe60cffba6272f619f349256e16c970e5.exe | MediaCenter.exe
PID 4580 wrote to memory of 4100 | 4580 | 0d660b721cbcfbbffad6ade23e0bebfbe60cffba6272f619f349256e16c970e5.exe | cmd.exe
PID 4580 wrote to memory of 4100 | 4580 | 0d660b721cbcfbbffad6ade23e0bebfbe60cffba6272f619f349256e16c970e5.exe | cmd.exe
PID 4580 wrote to memory of 4100 | 4580 | 0d660b721cbcfbbffad6ade23e0bebfbe60cffba6272f619f349256e16c970e5.exe | cmd.exe
PID 4100 wrote to memory of 4264 | 4100 | cmd.exe | PING.EXE
PID 4100 wrote to memory of 4264 | 4100 | cmd.exe | PING.EXE
PID 4100 wrote to memory of 4264 | 4100 | cmd.exe | PING.EXE
Processes
-
Path: C:\Users\Admin\AppData\Local\Temp\0d660b721cbcfbbffad6ade23e0bebfbe60cffba6272f619f349256e16c970e5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0d660b721cbcfbbffad6ade23e0bebfbe60cffba6272f619f349256e16c970e5.exe"
Tree depth: 1
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4580
  -
  Path: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Tree depth: 2
  - Executes dropped EXE
  PID: 3472
  -
  Path: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d660b721cbcfbbffad6ade23e0bebfbe60cffba6272f619f349256e16c970e5.exe"
  Tree depth: 2
  - Suspicious use of WriteProcessMemory
  PID: 4100
    -
    Path: C:\Windows\SysWOW64\PING.EXE
    Command line: ping 127.0.0.1
    Tree depth: 3
    - Runs ping.exe
    PID: 4264
-
Path: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
Tree depth: 1
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 1360
-
Path: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
Tree depth: 1
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 560
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: 302a7bcb02a838acf6fac64f0cee8254
SHA1: f6974287e82b8e913e7c0bd0f8caf97e72a209f0
SHA256: b48c8463adb238626bdde4dd9ab8cecae72c36e2cd6984b274706e55ac3c19dd
SHA512: a63755fb022862a2f2d2364a4632889344e4c1a2a153eab7baa99b01f4e2af35e86df088778b5a9246ede4e6e32df0dcf56438e4936287385d27ed0750a3f4ca