Analysis
max time kernel: 151s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 07:49
Static task: static1
Behavioral task: behavioral1
  Sample: 0c941f11cb87d89766749165d3d844cc424bcbe1b284676de5739872d4aaa44b.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0c941f11cb87d89766749165d3d844cc424bcbe1b284676de5739872d4aaa44b.exe
  Resource: win10v2004-en-20220113
General
Target: 0c941f11cb87d89766749165d3d844cc424bcbe1b284676de5739872d4aaa44b.exe
Size: 58KB
MD5: 76daee38b9f61a5c8568ae15708fa721
SHA1: eba8d04bcde93059c1f4ef80ad0673f21cd7cd82
SHA256: 0c941f11cb87d89766749165d3d844cc424bcbe1b284676de5739872d4aaa44b
SHA512: c9f528e66f5f702b3e7b75abc605560ca07798ea9a531a4a0bd00ad4e6f9fae0f07455aa057022815f9f3a1a3a2eda9b3f6c1347b01a96868759b6a6cfeafda2
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid | process
  832 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0c941f11cb87d89766749165d3d844cc424bcbe1b284676de5739872d4aaa44b.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0c941f11cb87d89766749165d3d844cc424bcbe1b284676de5739872d4aaa44b.exe
Drops file in Windows directory (8 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 1200 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1200 | svchost.exe
  Token: SeShutdownPrivilege | 1200 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1200 | svchost.exe
  Token: SeShutdownPrivilege | 1200 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1200 | svchost.exe
  Token: SeSecurityPrivilege | 3924 | TiWorker.exe
  Token: SeRestorePrivilege | 3924 | TiWorker.exe
  Token: SeBackupPrivilege | 3924 | TiWorker.exe
  Token: SeBackupPrivilege | 3924 | TiWorker.exe
  Token: SeRestorePrivilege | 3924 | TiWorker.exe
  Token: SeSecurityPrivilege | 3924 | TiWorker.exe
  Token: SeBackupPrivilege | 3924 | TiWorker.exe
  Token: SeRestorePrivilege | 3924 | TiWorker.exe
  Token: SeSecurityPrivilege | 3924 | TiWorker.exe
  Token: SeBackupPrivilege | 3924 | TiWorker.exe
  Token: SeRestorePrivilege | 3924 | TiWorker.exe
  Token: SeSecurityPrivilege | 3924 | TiWorker.exe
  Token: SeBackupPrivilege | 3924 | TiWorker.exe
  Token: SeRestorePrivilege | 3924 | TiWorker.exe
  Token: SeSecurityPrivilege | 3924 | TiWorker.exe
  Token: SeBackupPrivilege | 3924 | TiWorker.exe
  Token: SeRestorePrivilege | 3924 | TiWorker.exe
  Token: SeSecurityPrivilege | 3924 | TiWorker.exe
  Token: SeBackupPrivilege | 3924 | TiWorker.exe
  Token: SeRestorePrivilege | 3924 | TiWorker.exe
  Token: SeSecurityPrivilege | 3924 | TiWorker.exe
  Token: SeBackupPrivilege | 3924 | TiWorker.exe
  Token: SeRestorePrivilege | 3924 | TiWorker.exe
  Token: SeSecurityPrivilege | 3924 | TiWorker.exe
  Token: SeBackupPrivilege | 3924 | TiWorker.exe
  Token: SeRestorePrivilege | 3924 | TiWorker.exe
  Token: SeSecurityPrivilege | 3924 | TiWorker.exe
  Token: SeBackupPrivilege | 3924 | TiWorker.exe
  Token: SeRestorePrivilege | 3924 | TiWorker.exe
  Token: SeSecurityPrivilege | 3924 | TiWorker.exe
  Token: SeBackupPrivilege | 3924 | TiWorker.exe
  Token: SeRestorePrivilege | 3924 | TiWorker.exe
  Token: SeSecurityPrivilege | 3924 | TiWorker.exe
  Token: SeBackupPrivilege | 3924 | TiWorker.exe
  Token: SeRestorePrivilege | 3924 | TiWorker.exe
  Token: SeSecurityPrivilege | 3924 | TiWorker.exe
  Token: SeBackupPrivilege | 3924 | TiWorker.exe
  Token: SeRestorePrivilege | 3924 | TiWorker.exe
  Token: SeSecurityPrivilege | 3924 | TiWorker.exe
  Token: SeBackupPrivilege | 3924 | TiWorker.exe
  Token: SeRestorePrivilege | 3924 | TiWorker.exe
  Token: SeSecurityPrivilege | 3924 | TiWorker.exe
  Token: SeBackupPrivilege | 3924 | TiWorker.exe
  Token: SeRestorePrivilege | 3924 | TiWorker.exe
  Token: SeSecurityPrivilege | 3924 | TiWorker.exe
  Token: SeBackupPrivilege | 3924 | TiWorker.exe
  Token: SeRestorePrivilege | 3924 | TiWorker.exe
  Token: SeSecurityPrivilege | 3924 | TiWorker.exe
  Token: SeBackupPrivilege | 3924 | TiWorker.exe
  Token: SeRestorePrivilege | 3924 | TiWorker.exe
  Token: SeSecurityPrivilege | 3924 | TiWorker.exe
  Token: SeBackupPrivilege | 3924 | TiWorker.exe
  Token: SeRestorePrivilege | 3924 | TiWorker.exe
  Token: SeSecurityPrivilege | 3924 | TiWorker.exe
  Token: SeBackupPrivilege | 3924 | TiWorker.exe
  Token: SeRestorePrivilege | 3924 | TiWorker.exe
  Token: SeSecurityPrivilege | 3924 | TiWorker.exe
  Token: SeBackupPrivilege | 3924 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description | pid | process | target process
  PID 1500 wrote to memory of 832 | 1500 | 0c941f11cb87d89766749165d3d844cc424bcbe1b284676de5739872d4aaa44b.exe | MediaCenter.exe
  PID 1500 wrote to memory of 832 | 1500 | 0c941f11cb87d89766749165d3d844cc424bcbe1b284676de5739872d4aaa44b.exe | MediaCenter.exe
  PID 1500 wrote to memory of 832 | 1500 | 0c941f11cb87d89766749165d3d844cc424bcbe1b284676de5739872d4aaa44b.exe | MediaCenter.exe
  PID 1500 wrote to memory of 4356 | 1500 | 0c941f11cb87d89766749165d3d844cc424bcbe1b284676de5739872d4aaa44b.exe | cmd.exe
  PID 1500 wrote to memory of 4356 | 1500 | 0c941f11cb87d89766749165d3d844cc424bcbe1b284676de5739872d4aaa44b.exe | cmd.exe
  PID 1500 wrote to memory of 4356 | 1500 | 0c941f11cb87d89766749165d3d844cc424bcbe1b284676de5739872d4aaa44b.exe | cmd.exe
  PID 4356 wrote to memory of 4412 | 4356 | cmd.exe | PING.EXE
  PID 4356 wrote to memory of 4412 | 4356 | cmd.exe | PING.EXE
  PID 4356 wrote to memory of 4412 | 4356 | cmd.exe | PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\0c941f11cb87d89766749165d3d844cc424bcbe1b284676de5739872d4aaa44b.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c941f11cb87d89766749165d3d844cc424bcbe1b284676de5739872d4aaa44b.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 1500

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 832

  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c941f11cb87d89766749165d3d844cc424bcbe1b284676de5739872d4aaa44b.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4356

    C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 4412

C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1200

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (depth 1)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3924
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 073e5389b4c36b74d69f20bb33f66674
SHA1: 4398f06e5073d0869881baec6902139dc06bb506
SHA256: e23be48a7c3d01ac6f52f36f9ba6ef156a4e3baebc11772886d2861ffad75607
SHA512: 90b6e939127af99b2d1a969cef23e4169296b1a74b30d01beb5a0c58645d000bde6c52ef6dc53f26c6fd0a31248bc4dd3253f7cd1e9dfb216b7c45635ce38984