Analysis
- max time kernel: 155s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 07:43
Static task: static1
Behavioral task: behavioral1
  Sample: 0cc4d2b45f3c13bdd0d67073d091c271c75b30eae48f6c0126eaff1969f8fc98.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0cc4d2b45f3c13bdd0d67073d091c271c75b30eae48f6c0126eaff1969f8fc98.exe
  Resource: win10v2004-en-20220113
General
- Target: 0cc4d2b45f3c13bdd0d67073d091c271c75b30eae48f6c0126eaff1969f8fc98.exe
- Size: 35KB
- MD5: 328460113e0191847980c8aaf058df67
- SHA1: 33f24c491a523e18d3fb28848b0483e4b19cc17a
- SHA256: 0cc4d2b45f3c13bdd0d67073d091c271c75b30eae48f6c0126eaff1969f8fc98
- SHA512: 311680b9fbb2712db0b405253912af9bb431b4eab927aa2bcedfe8098f054a1c2164c1a29463778ee108ea200c4a9f257bbf0833dfe90fe840e49d8a85a72303
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
    pid 2672, process MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely used as a geofence.
  Processes: 0cc4d2b45f3c13bdd0d67073d091c271c75b30eae48f6c0126eaff1969f8fc98.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
    process: 0cc4d2b45f3c13bdd0d67073d091c271c75b30eae48f6c0126eaff1969f8fc98.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 0cc4d2b45f3c13bdd0d67073d091c271c75b30eae48f6c0126eaff1969f8fc98.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 0cc4d2b45f3c13bdd0d67073d091c271c75b30eae48f6c0126eaff1969f8fc98.exe
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
    File opened for modification: C:\Windows\WindowsUpdate.log (svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
    File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
    File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 0cc4d2b45f3c13bdd0d67073d091c271c75b30eae48f6c0126eaff1969f8fc98.exe, cmd.exe
    PID 2684 wrote to memory of 2672: 0cc4d2b45f3c13bdd0d67073d091c271c75b30eae48f6c0126eaff1969f8fc98.exe -> MediaCenter.exe
    PID 2684 wrote to memory of 2672: 0cc4d2b45f3c13bdd0d67073d091c271c75b30eae48f6c0126eaff1969f8fc98.exe -> MediaCenter.exe
    PID 2684 wrote to memory of 2672: 0cc4d2b45f3c13bdd0d67073d091c271c75b30eae48f6c0126eaff1969f8fc98.exe -> MediaCenter.exe
    PID 2684 wrote to memory of 3628: 0cc4d2b45f3c13bdd0d67073d091c271c75b30eae48f6c0126eaff1969f8fc98.exe -> cmd.exe
    PID 2684 wrote to memory of 3628: 0cc4d2b45f3c13bdd0d67073d091c271c75b30eae48f6c0126eaff1969f8fc98.exe -> cmd.exe
    PID 2684 wrote to memory of 3628: 0cc4d2b45f3c13bdd0d67073d091c271c75b30eae48f6c0126eaff1969f8fc98.exe -> cmd.exe
    PID 3628 wrote to memory of 3332: cmd.exe -> PING.EXE
    PID 3628 wrote to memory of 3332: cmd.exe -> PING.EXE
    PID 3628 wrote to memory of 3332: cmd.exe -> PING.EXE
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\0cc4d2b45f3c13bdd0d67073d091c271c75b30eae48f6c0126eaff1969f8fc98.exe (PID 2684)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0cc4d2b45f3c13bdd0d67073d091c271c75b30eae48f6c0126eaff1969f8fc98.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 2672)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - [depth 2] C:\Windows\SysWOW64\cmd.exe (PID 3628)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0cc4d2b45f3c13bdd0d67073d091c271c75b30eae48f6c0126eaff1969f8fc98.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\PING.EXE (PID 3332)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
- [depth 1] C:\Windows\system32\svchost.exe (PID 4608)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- [depth 1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 4856)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: fa28ec408d49c510ccd5cb8223d720b4
  SHA1: 2fa47ad7fab74bcfa49cd6884cd4019dfb5526ad
  SHA256: ba3270ea13bc619b36241ef1a3001865f99aa42165a1c780c70e2f9e32d42750
  SHA512: 8f5dd60e6338e9b35cd88a3e806491f7e22e57ec9d7685f2b26e23f89592b0f2d09870c2d518d66da68685bc5772359113cabb0066ce931ecee71539de89ea11