Analysis
- Max time kernel: 144s
- Max time network: 164s
- Platform: windows10-2004_x64
- Resource: win10v2004-en-20220113
- Submitted: 12-02-2022 07:34
Static task: static1
Behavioral task: behavioral1
- Sample: 0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe
- Resource: win10v2004-en-20220113
General
- Target: 0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe
- Size: 58KB
- MD5: 1d0fb8311f5aee8128ee0061c026ffb5
- SHA1: 313d684ce23dc0b880bb7423e5e544676b180705
- SHA256: 0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8
- SHA512: 0caa5662b7c25ee655e886d11cdab9eef364da644e20d8340010308a4a339a5ce82fdda8498b64fc33799eda868ce881b393a41e6d0d76c2e1663a273de56901
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    2724 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe
- Drops file in Windows directory (8 IoCs)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
    File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
    File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
    File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description | pid | process):
    Token: SeShutdownPrivilege | 4516 | svchost.exe
    Token: SeCreatePagefilePrivilege | 4516 | svchost.exe
    (the two svchost.exe rows above occur three times in succession)
    Token: SeIncBasePriorityPrivilege | 1996 | 0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe
    Token: SeSecurityPrivilege | 2368 | TiWorker.exe
    Token: SeRestorePrivilege | 2368 | TiWorker.exe
    Token: SeBackupPrivilege | 2368 | TiWorker.exe
    (the TiWorker.exe rows then repeat in the order SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege for the remainder of the 64 IoCs)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
    PID 1996 wrote to memory of 2724 | 1996 | 0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe | MediaCenter.exe
    PID 1996 wrote to memory of 2724 | 1996 | 0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe | MediaCenter.exe
    PID 1996 wrote to memory of 2724 | 1996 | 0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe | MediaCenter.exe
    PID 1996 wrote to memory of 1100 | 1996 | 0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe | cmd.exe
    PID 1996 wrote to memory of 1100 | 1996 | 0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe | cmd.exe
    PID 1996 wrote to memory of 1100 | 1996 | 0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe | cmd.exe
    PID 1100 wrote to memory of 3008 | 1100 | cmd.exe | PING.EXE
    PID 1100 wrote to memory of 3008 | 1100 | cmd.exe | PING.EXE
    PID 1100 wrote to memory of 3008 | 1100 | cmd.exe | PING.EXE
Processes (indentation shows parent/child relationship)
C:\Users\Admin\AppData\Local\Temp\0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe"
  PID: 1996
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 2724
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d3b81052900c68e221312b0d1959ffdc2d4ed90954e06cdbf97bfe388f26ed8.exe"
    PID: 1100
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 3008
      - Runs ping.exe
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4516
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 2368
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: f6707fab0750d945ca04a1ddcee08d6c
- SHA1: f777754001988df87a1127cb8083c59ea8dd37f8
- SHA256: 665a4070139769adc16dcbbd6ecdb1a884069f00dcde640ef06b565502f3f809
- SHA512: 11db200a90e2f002be7589ae01a341fef74fae3b35085f9ee59601978c65138ff0d8e385488f8779a45885ad6d0148e41b0c487fb47b0852f5f71ac322d5d3ee