Analysis

Max time kernel: 137s
Max time network: 166s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220113
Submitted: 12-02-2022 07:35

Static task: static1
Behavioral task: behavioral1
  Sample: 0d2b3811c90c14168395fb0ee6e8e245742b4485dca0a8ae6976196fcd4449a0.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0d2b3811c90c14168395fb0ee6e8e245742b4485dca0a8ae6976196fcd4449a0.exe
  Resource: win10v2004-en-20220113
General

Target: 0d2b3811c90c14168395fb0ee6e8e245742b4485dca0a8ae6976196fcd4449a0.exe
Size: 58KB
MD5: 55607a2c33c2d144d7b06827aafc7d2f
SHA1: 3271b8eb7558c2b4423e18eaa81a89fa1066e924
SHA256: 0d2b3811c90c14168395fb0ee6e8e245742b4485dca0a8ae6976196fcd4449a0
SHA512: c51531d4ccca5e1fc95e00f05bceaabc7920949e02ae0a19b9bb6d964eb3594f85dd0fd9ea952cb6024b5fe9130744cb8b1b4e1147a2318d04df28cff06c5eb2
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes: MediaCenter.exe
  pid   process
  4636  MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 0d2b3811c90c14168395fb0ee6e8e245742b4485dca0a8ae6976196fcd4449a0.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  Process: 0d2b3811c90c14168395fb0ee6e8e245742b4485dca0a8ae6976196fcd4449a0.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 0d2b3811c90c14168395fb0ee6e8e245742b4485dca0a8ae6976196fcd4449a0.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Process: 0d2b3811c90c14168395fb0ee6e8e245742b4485dca0a8ae6976196fcd4449a0.exe
The autostart target is the dropped MediaCenter.exe in the user's Temp directory, not a location a legitimate installer would use. The value lands under WOW6432Node because the sample is a 32-bit process: on 64-bit Windows, HKLM\SOFTWARE writes from 32-bit code are redirected there, so a hunt for this persistence has to cover both the native and the WOW6432Node Run keys.
Drops file in Windows directory (8 IoCs)
Processes: svchost.exe, TiWorker.exe
  File opened for modification: C:\Windows\WindowsUpdate.log  (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log  (svchost.exe)
  File opened for modification: C:\Windows\Logs\CBS\CBS.log  (TiWorker.exe)
  File opened for modification: C:\Windows\WinSxS\pending.xml  (TiWorker.exe)
None of these writes come from the sample or its children. Both processes are Windows Update components (the wuauserv svchost instance, PID 2896, and the servicing stack's TiWorker.exe, PID 2152, listed in the process tree), and the files are their normal logs and datastore; treat this signature as sandbox background activity.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
No IoCs are listed for this signature.
Runs ping.exe (1 TTP, 1 IoC)
The IoC is the PING.EXE child (PID 4188) spawned by cmd.exe in the process tree; see the cmd.exe command line there for the purpose of the ping.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: svchost.exe, TiWorker.exe, 0d2b3811c90c14168395fb0ee6e8e245742b4485dca0a8ae6976196fcd4449a0.exe
  Token: SeShutdownPrivilege        2896  svchost.exe
  Token: SeCreatePagefilePrivilege  2896  svchost.exe
  (the two svchost.exe entries alternate three times)
  Token: SeSecurityPrivilege        2152  TiWorker.exe
  Token: SeRestorePrivilege         2152  TiWorker.exe
  Token: SeBackupPrivilege          2152  TiWorker.exe
  Token: SeIncBasePriorityPrivilege 4588  0d2b3811c90c14168395fb0ee6e8e245742b4485dca0a8ae6976196fcd4449a0.exe
  Token: SeBackupPrivilege          2152  TiWorker.exe
  Token: SeRestorePrivilege         2152  TiWorker.exe
  Token: SeSecurityPrivilege        2152  TiWorker.exe
  (this TiWorker.exe triple repeats for the remaining entries)
Only one of the 64 entries belongs to the sample: PID 4588 enabling SeIncBasePriorityPrivilege. Everything else is the Windows Update service host (PID 2896) and TiWorker.exe (PID 2152) enabling the backup, restore and security privileges that component servicing needs, so the count on this signature says nothing about the sample.
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 0d2b3811c90c14168395fb0ee6e8e245742b4485dca0a8ae6976196fcd4449a0.exe, cmd.exe
  PID 4588 wrote to memory of 4636   0d2b3811c90c14168395fb0ee6e8e245742b4485dca0a8ae6976196fcd4449a0.exe -> MediaCenter.exe  (3 writes)
  PID 4588 wrote to memory of 3976   0d2b3811c90c14168395fb0ee6e8e245742b4485dca0a8ae6976196fcd4449a0.exe -> cmd.exe  (3 writes)
  PID 3976 wrote to memory of 4188   cmd.exe -> PING.EXE  (3 writes)
Every write is from a parent into a child it has just created, with the same three writes per pair, which is consistent with the writes CreateProcess performs when setting up a new process rather than with injection into an unrelated process.
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\0d2b3811c90c14168395fb0ee6e8e245742b4485dca0a8ae6976196fcd4449a0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d2b3811c90c14168395fb0ee6e8e245742b4485dca0a8ae6976196fcd4449a0.exe"
  PID: 4588
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4636
    - Executes dropped EXE

  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d2b3811c90c14168395fb0ee6e8e245742b4485dca0a8ae6976196fcd4449a0.exe"
    PID: 3976
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 4188
      - Runs ping.exe

Depth 1: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 2896
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

Depth 1: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 2152
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
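The sample's own activity in this tree is small and specific: it writes a Run value pointing at a dropped executable in the user's Temp directory, starts that executable, and then spawns cmd.exe with `ping 127.0.0.1 & del /q "<its own path>"`, a classic self-deletion trick in which the ping only stalls cmd.exe until the parent has exited and the image file is no longer locked. (The command line names System32\cmd.exe but the process that runs is SysWOW64\cmd.exe: file-system redirection for a 32-bit process, matching the WOW6432Node Run key above.) The following is an added detection example written for this page; it is not the sandbox's own signature code. It replays the report's process tree and registry write as constructed events with the report's real PIDs and paths, and flags the three behaviours with three rules. The `ProcEvent` / `RegEvent` record shapes, the `analyze` function and the rule names are this example's own; the parent PID of the sample (0) is not in the report and is a placeholder. The self-deletion rule is written generally (any `ping <host> [& | && | ||] del [/flags] <path>` where `<path>` is the parent's image), so it also catches variants with a `-n` delay or extra `del` flags.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (constructed; fields mirror what a sandbox or Sysmon event 1 records)."""
    pid: int
    ppid: int
    image: str      # full path of the started executable
    cmdline: str    # command line as recorded


@dataclass
class RegEvent:
    """One registry value write (constructed; mirrors a Sysmon event 13)."""
    pid: int
    key: str
    name: str
    data: str


# Run / RunOnce under HKLM or HKCU. A 32-bit process writing HKLM\SOFTWARE on
# 64-bit Windows is redirected to WOW6432Node, so only the key suffix is matched.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)

# Locations an unprivileged user can write to. An autostart pointing here is
# far more suspicious than one pointing into Program Files.
USER_WRITABLE = (
    "\\appdata\\local\\temp\\", "\\appdata\\local\\", "\\appdata\\roaming\\",
    "\\users\\public\\", "\\programdata\\",
)

# "ping <host> ... & del [/flags] <path>": ping is only there to stall until the
# parent has exited, so that deleting its (no longer locked) image succeeds.
SELF_DELETE_RE = re.compile(
    r'\bping\b[^&|]*(?:&&?|\|\|)\s*del\b\s*(?P<flags>(?:/\w+\s+)*)"?(?P<path>[^"]+?)"?\s*$',
    re.IGNORECASE,
)


def norm_path(p: str) -> str:
    """Strip quotes, collapse doubled backslashes (how the report renders registry data), lower-case."""
    return p.strip().strip('"').replace("\\\\", "\\").lower()


def in_user_writable(p: str) -> bool:
    return any(marker in norm_path(p) for marker in USER_WRITABLE)


def analyze(procs, regs):
    """Return (rule, pid, detail) findings: registry findings first, then processes in event order."""
    by_pid = {p.pid: p for p in procs}
    findings = []

    for r in regs:
        if RUN_KEY_RE.search(r.key) and in_user_writable(r.data):
            findings.append(("run_key_user_writable", r.pid, norm_path(r.data)))

    for p in procs:
        # "Executes dropped EXE": any image started from a user-writable tree.
        # In a sandbox the submitted sample itself also lives in Temp, so it fires too.
        if in_user_writable(p.image):
            findings.append(("exec_from_user_writable", p.pid, norm_path(p.image)))

        # Self-deletion: the del target must be the parent's own image, not some other file.
        m = SELF_DELETE_RE.search(p.cmdline)
        parent = by_pid.get(p.ppid)
        if m and parent and norm_path(m.group("path")) == norm_path(parent.image):
            findings.append(("self_delete_via_ping", p.pid, norm_path(m.group("path"))))

    return findings


# Constructed events replaying the report's process tree and Run-key write.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0d2b3811c90c14168395fb0ee6e8e245742b4485dca0a8ae6976196fcd4449a0.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

PROCS = [
    ProcEvent(4588, 0, SAMPLE, f'"{SAMPLE}"'),   # ppid 0 is a placeholder; the report does not give it
    ProcEvent(4636, 4588, DROPPED, DROPPED),
    ProcEvent(3976, 4588, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcEvent(4188, 3976, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]
REGS = [
    RegEvent(4588, r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
             "MicroMedia", r'"C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"'),
]

if __name__ == "__main__":
    for rule, pid, detail in analyze(PROCS, REGS):
        print(f"{rule:24} pid={pid:<5} {detail}")
```

Run against the replayed events this yields four findings: the Run value pointing into Temp (PID 4588), the two images executing from Temp (the sample, PID 4588, and MediaCenter.exe, PID 4636), and the self-deleting cmd.exe (PID 3976). The ping child itself (PID 4188) produces nothing, which is the point: the signal is the parent command line, not ping.exe running. A Run value pointing into Program Files produces no finding.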
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: d4f8f4702ebccc5a972cfec249de27f5
SHA1: 58f3580266e690dd84ec80f0296488ef402ef8e4
SHA256: 57146e7b766403551dd21c656c1a2bda8ba3a1ff912842b423bc1c531fcc74cc
SHA512: c117d6637436843a235ca27ff435d3f41269cc2cc831b8e8af4de463270f93733c4bcb7a0226d705e05d15f6902ce0f67998552943d73f485ac3e2f15c998600