Analysis
- max time kernel: 136s
- max time network: 173s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 07:42

Static task: static1
Behavioral task: behavioral1
- Sample: 0cd1061ea21e7e6ec649d815df3a49e38bfd039ca40aa4b3563595216289b5f5.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0cd1061ea21e7e6ec649d815df3a49e38bfd039ca40aa4b3563595216289b5f5.exe
- Resource: win10v2004-en-20220113
General
- Target: 0cd1061ea21e7e6ec649d815df3a49e38bfd039ca40aa4b3563595216289b5f5.exe
- Size: 35KB
- MD5: 6571881681e7ca8291d59ae745652504
- SHA1: 958346867837795166224f21003cbc1a95656665
- SHA256: 0cd1061ea21e7e6ec649d815df3a49e38bfd039ca40aa4b3563595216289b5f5
- SHA512: 8409d1377ad584ef1b6db215228d3f9a27b280911c5cb5ef0a792789d71b3c5a5a7db9c2b7e3cf1299b0169ab2b41f947fc10375b7e59b0686a188be7aaa7d03
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid 4584  MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  (0cd1061ea21e7e6ec649d815df3a49e38bfd039ca40aa4b3563595216289b5f5.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  (0cd1061ea21e7e6ec649d815df3a49e38bfd039ca40aa4b3563595216289b5f5.exe)
  The WOW6432Node path (and the SysWOW64 child images in the process tree below) shows the sample is a 32-bit binary running under WoW64; the Run value points into the user's Temp directory, where the dropped MediaCenter.exe lives.
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe. Both belong to Windows Update (the wuauserv service host and the servicing-stack worker); in the process tree below they are separate root processes, not children of the sample, so these IoCs are host background activity rather than sample behaviour.
  File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log  (svchost.exe)
  File opened for modification: C:\Windows\Logs\CBS\CBS.log  (TiWorker.exe)
  File opened for modification: C:\Windows\WinSxS\pending.xml  (TiWorker.exe)
  File opened for modification: C:\Windows\WindowsUpdate.log  (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  (svchost.exe)
- Enumerates physical storage devices (1 TTP, no IoC recorded)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
  Here ping 127.0.0.1 serves as a delay in the cmd.exe one-liner shown in the process tree below, so that the original executable has exited before del /q removes it: self-deletion after MediaCenter.exe has been dropped and persisted.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, 0cd1061ea21e7e6ec649d815df3a49e38bfd039ca40aa4b3563595216289b5f5.exe, TiWorker.exe
  Token: SeShutdownPrivilege  pid 3836 svchost.exe  (3 entries)
  Token: SeCreatePagefilePrivilege  pid 3836 svchost.exe  (3 entries)
  Token: SeIncBasePriorityPrivilege  pid 4640 0cd1061ea21e7e6ec649d815df3a49e38bfd039ca40aa4b3563595216289b5f5.exe  (1 entry)
  Token: SeSecurityPrivilege / SeRestorePrivilege / SeBackupPrivilege  pid 3164 TiWorker.exe  (the remaining 57 entries, cycling through these three privileges)
  Only the single SeIncBasePriorityPrivilege adjustment belongs to the sample; the svchost.exe and TiWorker.exe entries are Windows Update activity.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 0cd1061ea21e7e6ec649d815df3a49e38bfd039ca40aa4b3563595216289b5f5.exe, cmd.exe
  PID 4640 (0cd1061ea21e7e6ec649d815df3a49e38bfd039ca40aa4b3563595216289b5f5.exe) wrote to memory of 4584 (MediaCenter.exe)  (3 entries)
  PID 4640 (0cd1061ea21e7e6ec649d815df3a49e38bfd039ca40aa4b3563595216289b5f5.exe) wrote to memory of 1776 (cmd.exe)  (3 entries)
  PID 1776 (cmd.exe) wrote to memory of 1360 (PING.EXE)  (3 entries)
  Each target is the writer's direct child in the process tree below, which is consistent with ordinary process creation rather than injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\0cd1061ea21e7e6ec649d815df3a49e38bfd039ca40aa4b3563595216289b5f5.exe  (PID 4640)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0cd1061ea21e7e6ec649d815df3a49e38bfd039ca40aa4b3563595216289b5f5.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 4584)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe  (PID 1776)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0cd1061ea21e7e6ec649d815df3a49e38bfd039ca40aa4b3563595216289b5f5.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE  (PID 1360)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\svchost.exe  (PID 3836)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  (PID 3164)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
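Detection logic for what the Signatures and Processes sections record, as an added example that is not part of this sandbox report or of any vendor's tooling: three rules over Sysmon-style process-create and registry-set events (a Run value pointing into a user-writable directory, execution of the binary that value names, and a "ping & del" one-liner whose del target is the parent's own image), run against events constructed from the report's IoCs. The flat event schema, the rule names, and the parent PIDs given for the sample and for svchost.exe are assumptions; the PIDs, paths and command lines are the report's.

```python
"""Added example: detection logic for the behaviours this report records
for the sample, run over constructed Sysmon-style events. The flat event
schema (eid, pid, ppid, image, cmdline, target, details) and the parent
PIDs of the sample and svchost.exe are assumptions, not report data."""
import re

SAMPLE_EXE = "0cd1061ea21e7e6ec649d815df3a49e38bfd039ca40aa4b3563595216289b5f5.exe"
TEMP_DIR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
SAMPLE_PATH = TEMP_DIR + SAMPLE_EXE
DROPPED = TEMP_DIR + "MicroMedia\\MediaCenter.exe"

# Constructed events mirroring the report's IoCs: eid 1 = process create,
# eid 13 = registry value set. PIDs are the report's; ppid 2000 (explorer)
# and ppid 700 (services) are made up.
EVENTS = [
    {"eid": 1, "pid": 4640, "ppid": 2000, "image": SAMPLE_PATH,
     "cmdline": f'"{SAMPLE_PATH}"'},
    {"eid": 13, "pid": 4640, "image": SAMPLE_PATH,
     "target": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\MicroMedia",
     "details": DROPPED},
    {"eid": 1, "pid": 4584, "ppid": 4640, "image": DROPPED, "cmdline": DROPPED},
    {"eid": 1, "pid": 1776, "ppid": 4640, "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE_PATH}"'},
    {"eid": 1, "pid": 1360, "ppid": 1776, "image": "C:\\Windows\\SysWOW64\\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Windows Update service host: a separate root in the report's process
    # tree, included to show the rules stay quiet on it.
    {"eid": 1, "pid": 3836, "ppid": 700, "image": "C:\\Windows\\system32\\svchost.exe",
     "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s wuauserv"},
]

# Run / RunOnce under either the native or the WOW6432Node hive view.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# Directories an unprivileged user can write to; a Run value pointing
# here is far more suspicious than one under Program Files.
USER_WRITABLE = re.compile(
    r"\\(?:AppData\\(?:Local|Roaming)|Users\\Public|ProgramData|Temp)\\", re.I)
# "ping <host> & del [/switches] <path>": ping is used as a delay so the
# parent has exited before del runs. Captures the deleted path.
PING_DEL = re.compile(
    r'\bping\b.*?&+\s*(?:del|erase)\b(?:\s+/\w)*\s+"?([^"]+?)"?\s*$', re.I)


def parse_del_target(cmdline):
    """Return the path removed by a ping-then-del one-liner, or None."""
    m = PING_DEL.search(cmdline)
    return m.group(1).strip() if m else None


def detect(events):
    """Apply the three rules and return a list of finding dicts."""
    images = {e["pid"]: e["image"] for e in events if e["eid"] == 1}
    findings = []
    persisted = set()
    # Pass 1: Run values that point into user-writable locations.
    for e in events:
        if e["eid"] == 13 and RUN_KEY.search(e["target"]) \
                and USER_WRITABLE.search(e["details"]):
            persisted.add(e["details"].strip('"').lower())
            findings.append({"rule": "run_key_user_writable", "pid": e["pid"],
                             "value": e["details"]})
    # Pass 2: process creations tied to persistence or self-deletion.
    for e in events:
        if e["eid"] != 1:
            continue
        if e["image"].lower() in persisted:
            findings.append({"rule": "persisted_binary_executed", "pid": e["pid"],
                             "image": e["image"]})
        if e["image"].lower().endswith("\\cmd.exe"):
            target = parse_del_target(e["cmdline"])
            parent = images.get(e.get("ppid"), "")
            # Self-deletion: the deleted path is the parent's own image.
            if target and parent and target.lower() == parent.lower():
                findings.append({"rule": "self_delete_ping_del", "pid": e["pid"],
                                 "parent_pid": e["ppid"], "target": target})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Run as a script it prints three findings, one per rule; the svchost.exe event produces none because its image is neither a persisted binary nor cmd.exe. The self-deletion rule only fires when the del target equals the parent's image, so a ping-and-del that removes some other file is reported as nothing rather than as self-deletion.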
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 77bddc3e76871cf0e080d27d63767778
- SHA1: 9caf038f174d5f98aec801375ab0865f04927def
- SHA256: 54af283bc6c04c2580fc85afafcfa77b039b291cbbc0831f9bd6dc2821af3c83
- SHA512: 818c2dc0b55ceabca725369b0897e64ad9227cb3e628efa1c3972e032577486d5d1e4b3985a5aac7af1a8ebcb9d67a99f0e6747fa0702774045dd61fcadc0bbd