Analysis
- max time kernel: 153s
- max time network: 176s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 07:40
Static task: static1
Behavioral task: behavioral1
- Sample: 0ceca944ad25489e4951df550fea5d8d3bbaea64c46dae6241aefc47c0477bcf.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0ceca944ad25489e4951df550fea5d8d3bbaea64c46dae6241aefc47c0477bcf.exe
- Resource: win10v2004-en-20220113
General
- Target: 0ceca944ad25489e4951df550fea5d8d3bbaea64c46dae6241aefc47c0477bcf.exe
- Size: 60KB
- MD5: 33b75f8a0def70e2053e5b14ce1921cb
- SHA1: ed8b2807da28d28fad1d14b976af5f9da5461d8e
- SHA256: 0ceca944ad25489e4951df550fea5d8d3bbaea64c46dae6241aefc47c0477bcf
- SHA512: f4c5f2e44fcf0e353fa8ee475c6bbb749c9f2d83bccc65f02e1f8df6c21df73b49e2fde33af09098f3e9b70502caba90c0c89588b20f6f5ecf19465fe0deb0e3
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes: MediaCenter.exe
pid | process
- 4392 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: 0ceca944ad25489e4951df550fea5d8d3bbaea64c46dae6241aefc47c0477bcf.exe
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0ceca944ad25489e4951df550fea5d8d3bbaea64c46dae6241aefc47c0477bcf.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 0ceca944ad25489e4951df550fea5d8d3bbaea64c46dae6241aefc47c0477bcf.exe
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0ceca944ad25489e4951df550fea5d8d3bbaea64c46dae6241aefc47c0477bcf.exe
The value is a machine-wide (HKLM) Run entry that points at the dropped MediaCenter.exe under the user's Temp directory, so the payload starts at every logon. It lands under WOW6432Node because the sample runs as a 32-bit process on the x64 VM, which is also why cmd.exe and PING.EXE are launched from SysWOW64 in the process tree.
Drops file in Windows directory (8 IoCs)
Processes: TiWorker.exe, svchost.exe
description | ioc | process
- File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
- File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
- File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
- File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
- File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
- File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
- File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
- File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
All eight entries come from svchost.exe hosting wuauserv (PID 2624) and the servicing-stack TiWorker.exe (PID 2524), i.e. Windows Update running in the sandbox VM; none is attributed to the sample or to MediaCenter.exe.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
The report lists no IoC for this signature, and the sandbox's generic "likely ransomware behaviour" wording for this behaviour class is not corroborated by any other signature in this report.
Runs ping.exe (1 TTP, 1 IoC)
The single IoC is PING.EXE (PID 4436), launched by cmd.exe (PID 3556) as `ping 127.0.0.1`. In the command line shown in the process tree it serves as a delay before `del /q` removes the original sample from disk, a common self-deletion idiom rather than a network check.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: svchost.exe, 0ceca944ad25489e4951df550fea5d8d3bbaea64c46dae6241aefc47c0477bcf.exe, TiWorker.exe
Tally of the 64 token entries (privilege | pid | process | count):
- SeShutdownPrivilege | 2624 | svchost.exe | 3
- SeCreatePagefilePrivilege | 2624 | svchost.exe | 3
- SeIncBasePriorityPrivilege | 3016 | 0ceca944ad25489e4951df550fea5d8d3bbaea64c46dae6241aefc47c0477bcf.exe | 1
- SeSecurityPrivilege | 2524 | TiWorker.exe | 19
- SeRestorePrivilege | 2524 | TiWorker.exe | 19
- SeBackupPrivilege | 2524 | TiWorker.exe | 19
Only the SeIncBasePriorityPrivilege entry belongs to the sample (PID 3016). The remaining 63 entries are from svchost.exe (wuauserv) and TiWorker.exe, which run independently of the sample in the sandbox (see process tree), so this signature adds little to the verdict on the sample itself.
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 0ceca944ad25489e4951df550fea5d8d3bbaea64c46dae6241aefc47c0477bcf.exe, cmd.exe
source pid | source process | target pid | target process | count
- 3016 | 0ceca944ad25489e4951df550fea5d8d3bbaea64c46dae6241aefc47c0477bcf.exe | 4392 | MediaCenter.exe | 3
- 3016 | 0ceca944ad25489e4951df550fea5d8d3bbaea64c46dae6241aefc47c0477bcf.exe | 3556 | cmd.exe | 3
- 3556 | cmd.exe | 4436 | PING.EXE | 3
Every writer/target pair here is a parent/child pair in the process tree, consistent with the writes a parent makes into a child it has just created. Nothing in this report shows a write into a process the sample did not itself spawn, so there is no evidence of injection into an unrelated process.
Processes
The numbers give the depth in the tree; each entry lists the image path, command line, PID and the signatures attributed to that process.

1. C:\Users\Admin\AppData\Local\Temp\0ceca944ad25489e4951df550fea5d8d3bbaea64c46dae6241aefc47c0477bcf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0ceca944ad25489e4951df550fea5d8d3bbaea64c46dae6241aefc47c0477bcf.exe"
   PID: 3016
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 4392
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ceca944ad25489e4951df550fea5d8d3bbaea64c46dae6241aefc47c0477bcf.exe"
      PID: 3556
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 4436
         - Runs ping.exe

1. C:\Windows\system32\svchost.exe
   Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
   PID: 2624
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken

1. C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
   Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
   PID: 2524
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken

The sample's own activity is the first tree (PID 3016 and its children): it launches the dropped MediaCenter.exe from a MicroMedia subdirectory of the same Temp folder, then removes its original file through cmd.exe, using ping 127.0.0.1 as a delay before del /q. The other two root processes, svchost.exe hosting wuauserv and the servicing-stack TiWorker.exe, have no parent relationship to the sample and account for every "Drops file in Windows directory" IoC; they are Windows Update activity on the sandbox VM and should not be read as sample behaviour.
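The persistence and self-deletion behaviours above map directly onto host telemetry. The following is an added example, not code from the Triage report or from the sample's author: three hunt rules run over constructed Sysmon-style events whose field names follow Sysmon's schema (EventID 1 = process creation with Image/ParentImage/CommandLine, EventID 13 = registry value set with TargetObject/Details). The event records are made up to mirror the report's IoCs and process tree, not captured logs; the rule names and the `hunt`/`check_event`/`self_delete_target` functions are this example's own.

```python
# Added example (not from the Triage report): hunt rules for the Run-key
# persistence, dropped-EXE launch and ping-then-del self-deletion seen above,
# evaluated over constructed Sysmon-style events.
import re

# Run key under either the native or the WOW6432Node registry path.
RUN_KEY_RE = re.compile(
    r"\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Any path below a per-user Temp directory.
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
# cmd /c ping <loopback> & del [/flags] "<exe>": ping acts as a sleep,
# del removes the dropper once it has exited.
SELF_DELETE_RE = re.compile(
    r'ping\s+(?:127\.0\.0\.1|localhost|::1)\b[^&]*&+\s*del\s+(?:/\w\s+)*"?'
    r'(?P<target>[^"&]+?\.exe)"?',
    re.I)


def self_delete_target(cmdline):
    """Return the .exe a ping-then-del command line deletes, or None."""
    m = SELF_DELETE_RE.search(cmdline)
    return m.group("target") if m else None


def check_event(ev):
    """Return the names of the rules a single event trips (possibly none)."""
    hits = []
    if ev.get("EventID") == 13:  # registry value set
        if (RUN_KEY_RE.search(ev.get("TargetObject", ""))
                and USER_TEMP_RE.search(ev.get("Details", ""))):
            hits.append("run_key_points_to_user_temp")
    elif ev.get("EventID") == 1:  # process creation
        if self_delete_target(ev.get("CommandLine", "")):
            hits.append("self_delete_via_ping")
        if (USER_TEMP_RE.search(ev.get("Image", ""))
                and USER_TEMP_RE.search(ev.get("ParentImage", ""))):
            hits.append("temp_exe_spawned_by_temp_exe")
    return hits


def hunt(events):
    """Map event index -> rule names for every event that trips a rule."""
    findings = {}
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            findings[i] = hits
    return findings


# Constructed events modelled on the report (hypothetical telemetry).
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0ceca944ad25489e4951df550fea5d8d3bbaea64c46dae6241aefc47c0477bcf.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
CMD32 = r"C:\Windows\SysWOW64\cmd.exe"

EVENTS = [
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows"
                     r"\CurrentVersion\Run\MicroMedia",
     "Details": DROPPED},
    {"EventID": 1, "Image": DROPPED, "ParentImage": SAMPLE,
     "CommandLine": DROPPED},
    {"EventID": 1, "Image": CMD32, "ParentImage": SAMPLE,
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "'
                    + SAMPLE + '"'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\PING.EXE", "ParentImage": CMD32,
     "CommandLine": "ping 127.0.0.1"},
    # Benign look-alikes: a Run value outside Temp, and an ordinary ping.
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c ping 10.0.0.1 -n 1 & echo done"},
]

if __name__ == "__main__":
    for idx, names in hunt(EVENTS).items():
        print(idx, EVENTS[idx]["Image"], names)
```

Run against the constructed events, only the first three trip a rule (Run key into Temp, Temp-to-Temp launch, self-deletion), and `self_delete_target` recovers the exact path the dropper erased, which is what an analyst needs to retrieve the file from a backup or shadow copy. The "Checks computer location settings" IoC is deliberately not covered: Sysmon records registry writes but not reads, so the `Geo\Nation` query would have to be looked for with a different source such as an ETW registry provider or a sandbox trace like this one.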
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: e10ede234d577281ff2864cd552f57ab
- SHA1: a8a1c0f152227216ed361fd83ff55531e8c615ab
- SHA256: 71470410c6d6d3ba654f85712c189d2bc0b71779bf9a1a040b63e1bd100ff10f
- SHA512: 49d466736ae9f971ded3b3215a78905e819ecd06b8f37a9a3c4d964f80334d0fc6aceb7cf83996e82d80788aa48cce78ea6b13c0f9f3ec3194c88c4ed20ca042