Analysis
  Max time kernel: 146s
  Max time network: 170s
  Platform: windows10-2004_x64
  Resource: win10v2004-en-20220113
  Submitted: 12-02-2022 07:41
Static task: static1
Behavioral task: behavioral1
  Sample: 0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe
  Resource: win10v2004-en-20220113
General
  Target: 0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe
  Size: 58KB
  MD5: 2d0059e0cf443df5cdb17eefe8444032
  SHA1: 635a698e5792064fcf245fa0bdc0a1e9c87684cc
  SHA256: 0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc
  SHA512: 0272c3aa7b6122c54ff66c352daf794188a0fecd1c677060792681a48f86fe8d15c6ff24d7f5f0e89042817e639154daebee5eb457a5f59deb8b1627bc1c6065
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  Processes:
    PID 3108  MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe
      Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe
      Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
Drops file in Windows directory (8 IoCs)
  Processes: TiWorker.exe, svchost.exe
    File opened for modification: C:\Windows\WinSxS\pending.xml  (TiWorker.exe)
    File opened for modification: C:\Windows\WindowsUpdate.log  (svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  (svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  (svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  (svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  (svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log  (svchost.exe)
    File opened for modification: C:\Windows\Logs\CBS\CBS.log  (TiWorker.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, 0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe, TiWorker.exe
    PID 4712  svchost.exe
      Token: SeShutdownPrivilege (3 entries), SeCreatePagefilePrivilege (3 entries), alternating
    PID 1512  0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe
      Token: SeIncBasePriorityPrivilege (1 entry)
    PID 1312  TiWorker.exe
      Token: SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege (all remaining entries, cycling through these three privileges)
Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe, cmd.exe
    PID 1512 wrote to memory of 3108  (0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe -> MediaCenter.exe)  x3
    PID 1512 wrote to memory of 1644  (0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe -> cmd.exe)  x3
    PID 1644 wrote to memory of 2376  (cmd.exe -> PING.EXE)  x3
Processes

C:\Users\Admin\AppData\Local\Temp\0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1512

    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 3108

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ceb51dcdc658667e2d5af2110f6ac4749c086a9435e08a14cb30d36ce6facfc.exe"
      - Suspicious use of WriteProcessMemory
      PID: 1644

        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          - Runs ping.exe
          PID: 2376

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4712

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1312
Network
MITRE ATT&CK Enterprise v6
Downloads
  MD5: 04197402e9f78d7daeb45dcab96cc2ee
  SHA1: 08b808deaeb9054beddfdee58a1addeb63bde644
  SHA256: b4cf3f2821d2f5f793ddf1e5074ea86dcb2432a0aecf7ab821afebd606e8d0de
  SHA512: ca024d9cde5de92daef22296168bd312a3716603abc66965f7257300dbaa8d734e223d3dd083c47f2238d4995064fd514b2445d48731d8b00522dead250de6a7