Analysis

max time kernel: 145s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 07:37

Static task: static1

Behavioral task: behavioral1
Sample: 0d15e11a7278f253ee8be5a59fb7a4ffbae3f1f0b314f02a9e29f8eccc8324f5.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 0d15e11a7278f253ee8be5a59fb7a4ffbae3f1f0b314f02a9e29f8eccc8324f5.exe
Resource: win10v2004-en-20220113

The signatures and process tree below are from the windows10-2004_x64 run (behavioral2); the win7 run is not shown on this page.
General

Target: 0d15e11a7278f253ee8be5a59fb7a4ffbae3f1f0b314f02a9e29f8eccc8324f5.exe
Size: 60KB
MD5: 51e81941183e19dcc34a5d2fa1aaa1b3
SHA1: 835a0feab695aabef26e8f5d135c4faf3306c7bf
SHA256: 0d15e11a7278f253ee8be5a59fb7a4ffbae3f1f0b314f02a9e29f8eccc8324f5
SHA512: 26e6f86d199b231d0772ad0e619c173adfd2121356cc43bc50dda3206a759f4664a0486d3d00b0942df66f62330f36b8410d62164c3ab2ce41d1058f134d4cb0
Malware Config

Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  400   MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  process: 0d15e11a7278f253ee8be5a59fb7a4ffbae3f1f0b314f02a9e29f8eccc8324f5.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 0d15e11a7278f253ee8be5a59fb7a4ffbae3f1f0b314f02a9e29f8eccc8324f5.exe

The value lands under WOW6432Node because the sample is a 32-bit process on the x64 VM, so its HKLM\SOFTWARE write is redirected there (the same redirection is visible in the process tree, where the cmd.exe child resolves to C:\Windows\SysWOW64). Writing under HKLM requires an elevated token; the persistence target is the dropped MediaCenter.exe in the user's Temp directory, not the original sample, which the sample deletes afterwards.
Drops file in Windows directory (8 IoCs)
Processes:
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log        svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log                                TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml                              TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log                               svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk     svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log     svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb    svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm    svchost.exe

Both processes are root-level entries in the process tree (svchost.exe hosting wuauserv, and the servicing-stack TiWorker.exe), not children of the sample, and every path is a Windows Update or CBS log/datastore file. This signature reflects background servicing activity in the VM, not sample behaviour.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

No IoC is attached to this signature, and the report records no file modifications by the sample itself, so the ransomware label is the sandbox's generic heuristic rather than an observed behaviour.

Runs ping.exe (1 TTP, 1 IoC)
The IoC is the ping 127.0.0.1 child (PID 632) in the process tree below; it serves as a short delay before the self-delete, not as network activity.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  pid   process                                                                   tokens enabled
  5004  svchost.exe                                                               SeShutdownPrivilege, SeCreatePagefilePrivilege (alternating, three times each)
  4088  0d15e11a7278f253ee8be5a59fb7a4ffbae3f1f0b314f02a9e29f8eccc8324f5.exe     SeIncBasePriorityPrivilege
  1644  TiWorker.exe                                                              SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege (repeated in cycles for the remaining rows)

The only privilege adjustment made by the sample is SeIncBasePriorityPrivilege (PID 4088). The svchost.exe and TiWorker.exe rows are the Windows Update and servicing-stack processes already noted above and account for the bulk of the 64 IoCs.
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  source pid  source process                                                            target pid  target process   count
  4088        0d15e11a7278f253ee8be5a59fb7a4ffbae3f1f0b314f02a9e29f8eccc8324f5.exe     400         MediaCenter.exe  3
  4088        0d15e11a7278f253ee8be5a59fb7a4ffbae3f1f0b314f02a9e29f8eccc8324f5.exe     1916        cmd.exe          3
  1916        cmd.exe                                                                   632         PING.EXE         3

Each write goes from a parent to a child it has just created, which is the normal pattern for CreateProcess (the parent writes the new process's parameters into the child). Nothing here indicates injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\0d15e11a7278f253ee8be5a59fb7a4ffbae3f1f0b314f02a9e29f8eccc8324f5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0d15e11a7278f253ee8be5a59fb7a4ffbae3f1f0b314f02a9e29f8eccc8324f5.exe"
  PID: 4088
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (child of 4088)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 400
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe (child of 4088)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d15e11a7278f253ee8be5a59fb7a4ffbae3f1f0b314f02a9e29f8eccc8324f5.exe"
    PID: 1916
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE (child of 1916)
      command line: ping 127.0.0.1
      PID: 632
      - Runs ping.exe

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 5004
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 1644
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

The sample's own chain is the first tree: it reads the Geo\Nation value, writes the Run key pointing at the dropped MediaCenter.exe, launches that copy, then spawns cmd.exe with "ping 127.0.0.1 & del /q <own path>". The ping to localhost is a delay that lets the parent exit before del runs, so the original file is removed while the dropped copy persists. The command line names System32\cmd.exe but the image is SysWOW64\cmd.exe, confirming the sample is a 32-bit process subject to file system redirection. The svchost.exe and TiWorker.exe trees are unrelated Windows Update activity.
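The three sample-attributable behaviours above (Geo\Nation geofence lookup, Run key pointing into the user's Temp directory, and the ping-then-del self-delete of the parent's own image) are the ones worth turning into host-side detections. The following is an added example, not part of the sandbox report or any vendor's rules. It models telemetry as a small Event record (in the shape of Sysmon process-creation and registry-set events plus a generic registry-query record) and runs three rules over a constructed event list that mirrors the process tree; the paths, PIDs and the name sample.exe are illustrative assumptions, not values from the report.

```python
"""Detection rules for the behaviours in the report above (added example).

Event records are modelled after Sysmon 1/13-style fields plus a generic
registry-query record. The EVENTS list at the bottom is constructed to mirror
the report's process tree; PIDs, paths and 'sample.exe' are illustrative.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str                  # "process", "registry_set" or "registry_query"
    pid: int
    image: str                 # full path of the acting process
    parent_pid: int = 0
    cmdline: str = ""
    target_object: str = ""    # registry key/value path
    details: str = ""          # registry data written


USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# "ping <host>" or "timeout <n>" used as a sleep, then "del [/flags] <path>" (quoted or not)
SELF_DELETE_RE = re.compile(
    r'(?:ping|timeout)\b.*?&\s*del\s+(?:/[a-z]+\s+)*"?(?P<target>[^"]+?)"?\s*$', re.I)


def norm(path: str) -> str:
    """Normalise a Windows path for comparison: drop quotes, ignore case."""
    return path.strip().strip('"').casefold()


def rule_temp_run_key(ev: Event):
    """Run/RunOnce value whose payload lives in the user's Temp directory."""
    if ev.kind != "registry_set" or not RUN_KEY_RE.search(ev.target_object):
        return None
    if USER_TEMP_RE.search(ev.details):
        return f"persistence: {ev.image} (pid {ev.pid}) set {ev.target_object} -> {ev.details}"
    return None


def rule_geofence(ev: Event):
    """Geo\\Nation lookup by a process executing from a user-writable Temp path."""
    if (ev.kind == "registry_query" and GEO_NATION_RE.search(ev.target_object)
            and USER_TEMP_RE.search(ev.image)):
        return f"geofence check: {ev.image} (pid {ev.pid}) read {ev.target_object}"
    return None


def rule_self_delete(ev: Event, procs: dict[int, Event]):
    """cmd.exe that sleeps via ping/timeout and then deletes its parent's own image."""
    if ev.kind != "process" or not ev.image.casefold().endswith("\\cmd.exe"):
        return None
    m = SELF_DELETE_RE.search(ev.cmdline)
    parent = procs.get(ev.parent_pid)
    if m and parent and norm(m.group("target")) == norm(parent.image):
        return f"self-delete: pid {ev.pid} will delete parent image {parent.image} (pid {parent.pid})"
    return None


def analyse(events: list[Event]) -> list[str]:
    """Run all rules in event order, tracking seen processes by PID for parent lookups."""
    procs: dict[int, Event] = {}
    findings: list[str] = []
    for ev in events:
        if ev.kind == "process":
            procs[ev.pid] = ev
        for hit in (rule_temp_run_key(ev), rule_geofence(ev), rule_self_delete(ev, procs)):
            if hit:
                findings.append(hit)
    return findings


# Constructed events mirroring the report's tree (illustrative PIDs and paths).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
EVENTS = [
    Event("process", 4088, SAMPLE, parent_pid=1, cmdline=f'"{SAMPLE}"'),
    Event("registry_query", 4088, SAMPLE,
          target_object=r"HKU\S-1-5-21-1-2-3-1000\Control Panel\International\Geo\Nation"),
    Event("registry_set", 4088, SAMPLE,
          target_object=r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
          details=r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"),
    Event("process", 400, r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
          parent_pid=4088),
    Event("process", 1916, r"C:\Windows\SysWOW64\cmd.exe", parent_pid=4088,
          cmdline=f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    # Benign look-alike: a sleep-then-delete whose target is not the parent's image.
    Event("process", 7000, r"C:\Windows\System32\cmd.exe", parent_pid=2,
          cmdline=r'cmd.exe /c timeout 5 & del /q "C:\Temp\old.log"'),
]

if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(finding)
```

The self-delete rule keys on the deleted path matching the parent's image rather than on the ping alone, which keeps ordinary "sleep then clean up a log" scripts out of the results; the Run-key rule fires on any Run/RunOnce value under Temp regardless of whether the write was redirected to WOW6432Node, since the regex ignores the hive prefix.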
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: 2a9c1dacf2624adcc95f1722e10afcd5
SHA1: 6b1f7ce94f51dbb1a308ba7719c0eaf20909e42a
SHA256: 81b939858e5b708d487024176dd59d18d543be05f119c0508703bae7410035c3
SHA512: 6918cbf4e965801bf13382acab097c932a902733a90674c74dd46b911fe548b83f462077db8157c3fa60930aeb4fbffd9d3f56a0ddec34ef9eb06efa9bde0c44

These hashes differ from the submitted sample's, so this is a separate artifact produced during the run; the report does not name the file.