Analysis
- max time kernel: 135s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 07:56
Static task: static1
Behavioral task: behavioral1
  Sample: 0c2e6ec7d04cdf9f847744727953dd80f9640fcda999875ff3a417e71af21134.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0c2e6ec7d04cdf9f847744727953dd80f9640fcda999875ff3a417e71af21134.exe
  Resource: win10v2004-en-20220113
General
- Target: 0c2e6ec7d04cdf9f847744727953dd80f9640fcda999875ff3a417e71af21134.exe
- Size: 58KB
- MD5: 4661d18fd397591b163c12b37d282dd0
- SHA1: 7f8d51a8d11075704a6e82db37e86da0f2e83606
- SHA256: 0c2e6ec7d04cdf9f847744727953dd80f9640fcda999875ff3a417e71af21134
- SHA512: f5de2009ee0fa99765e9683b083c6fcd14d1f4e9d18d97a231b8487ac36c54848a02acd9c1e24c41eb3b9b72feffaa6a4503c7bf51e02891b5b3f97988a6b10a
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid   process
  4700  MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  by 0c2e6ec7d04cdf9f847744727953dd80f9640fcda999875ff3a417e71af21134.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  by 0c2e6ec7d04cdf9f847744727953dd80f9640fcda999875ff3a417e71af21134.exe
  The persisted binary lives in the user's Temp directory, and the key landed under WOW6432Node, which means the writer is a 32-bit process whose HKLM\SOFTWARE write was redirected by WoW64 (the same redirection puts cmd.exe and PING.EXE under SysWOW64 in the process tree below).
- Drops file in Windows directory (8 IoCs)
  Processes:
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  by svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log  by svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log  by TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml  by TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log  by svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  by svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  by svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  by svchost.exe
  None of these writes come from the sample: svchost.exe here is the Windows Update service host (wuauserv) and TiWorker.exe is the servicing-stack worker, both top-level processes in the tree below, so this signature is background update activity in the sandbox, not sample behaviour.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  No IoC is recorded for this signature and nothing else in the report shows the sample encrypting or modifying user files, so the ransomware label is the sandbox's generic heuristic rather than an observed outcome.
- Runs ping.exe (1 TTP, 1 IoC)
  PING.EXE (PID 4884), spawned by cmd.exe (PID 3532); see the process tree below.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  pid   process                                                                   tokens requested
  4152  svchost.exe                                                               SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating (3 of each, 6 entries)
  3904  0c2e6ec7d04cdf9f847744727953dd80f9640fcda999875ff3a417e71af21134.exe     SeIncBasePriorityPrivilege (1 entry)
  3556  TiWorker.exe                                                              SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege, cycled repeatedly (57 entries)
  Only one of the 64 entries belongs to the sample, and SeIncBasePriorityPrivilege (raising its own scheduling priority) is a low-value privilege. The backup/restore/security cycling is TiWorker.exe's normal servicing work and the shutdown/pagefile pair is the update service; both are noise in this run.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  source pid  source process                                                            target pid  target process   count
  3904        0c2e6ec7d04cdf9f847744727953dd80f9640fcda999875ff3a417e71af21134.exe     4700        MediaCenter.exe  3
  3904        0c2e6ec7d04cdf9f847744727953dd80f9640fcda999875ff3a417e71af21134.exe     3532        cmd.exe          3
  3532        cmd.exe                                                                   4884        PING.EXE         3
  Every write goes from a parent to a child it spawned (matching the process tree below), three writes per child. That is the pattern of ordinary process creation, where the parent sets up the new process's memory, not injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\0c2e6ec7d04cdf9f847744727953dd80f9640fcda999875ff3a417e71af21134.exe (PID 3904)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c2e6ec7d04cdf9f847744727953dd80f9640fcda999875ff3a417e71af21134.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 4700)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 3532)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c2e6ec7d04cdf9f847744727953dd80f9640fcda999875ff3a417e71af21134.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 4884)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 4152)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 3556)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

The sample's own tree is short: it writes MediaCenter.exe to %LOCALAPPDATA%\Temp\MicroMedia, runs it, registers it under the Run key, then removes itself through cmd.exe. The ping to 127.0.0.1 is only a delay so that the deleting cmd.exe outlives the parent process whose image file is being deleted. cmd.exe was requested as System32\cmd.exe but runs from SysWOW64 because the 32-bit parent is subject to WoW64 file-system redirection. The svchost.exe (wuauserv) and TiWorker.exe trees are Windows Update servicing that happened to run during the session and are unrelated to the sample.
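As an added example, not part of the sandbox report, the following detection logic runs over a few constructed Sysmon-style event records that mirror the IoCs above: the Geo\Nation country lookup, a Run key whose value points into a user-writable directory, and a cmd.exe command line that delays with ping and then deletes its parent's own image. The event field names, the sample's parent PID 1000 and the benign "Vendor" control entry are assumptions made for the example.

```python
"""Detection logic for the behaviours in the report above, run over constructed
Sysmon-style event records (an assumption for this example; these are not the
sandbox's own records)."""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0c2e6ec7d04cdf9f847744727953dd80f9640fcda999875ff3a417e71af21134.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events mirroring the report's IoCs. PID 1000 (the sample's parent)
# and the PID 1234 "Vendor" control entry are made up for the example.
EVENTS = [
    {"type": "ProcessCreate", "pid": 3904, "ppid": 1000, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"type": "RegistryQuery", "pid": 3904, "image": SAMPLE,
     "key": r"HKU\S-1-5-21-1346565761-3498240568-4147300184-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"type": "RegistrySet", "pid": 3904, "image": SAMPLE,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
    {"type": "ProcessCreate", "pid": 4700, "ppid": 3904, "image": DROPPED,
     "cmdline": DROPPED},
    {"type": "ProcessCreate", "pid": 3532, "ppid": 3904,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "ProcessCreate", "pid": 4884, "ppid": 3532,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    # Benign control: a Run entry pointing into Program Files must not fire.
    {"type": "RegistrySet", "pid": 1234, "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "value": r"C:\Program Files\Vendor\app.exe"},
]

# Run and RunOnce, under either the native or the WOW6432Node hive path.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# Directories an unprivileged user can write to; a persisted binary living
# there is the interesting case, one under Program Files usually is not.
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|Downloads|Public)\\", re.I)
# "ping 127.0.0.1 & del ..." and variants such as "ping -n 3 localhost & del ...".
PING_DEL_RE = re.compile(
    r"\bping\b[^&]*\b(?:127\.0\.0\.1|localhost)\b[^&]*&\s*del\b", re.I)
# Path argument of the del command, with or without quotes and /q-style switches.
DEL_TARGET_RE = re.compile(r'\bdel\b\s+(?:/\w\s+)*"?([^"]+?)"?\s*$', re.I)
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)


def detect(events):
    """Return (finding, pid) tuples; pid is the process the finding is about."""
    findings = []
    procs = {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}
    for e in events:
        if e["type"] == "RegistryQuery" and GEO_KEY_RE.search(e["key"]):
            findings.append(("geo_nation_lookup", e["pid"]))
        elif (e["type"] == "RegistrySet" and RUN_KEY_RE.search(e["key"])
              and USER_WRITABLE_RE.search(e.get("value", ""))):
            findings.append(("run_key_user_writable", e["pid"]))
        elif e["type"] == "ProcessCreate" and PING_DEL_RE.search(e.get("cmdline", "")):
            m = DEL_TARGET_RE.search(e["cmdline"])
            target = m.group(1).lower() if m else ""
            parent = procs.get(e.get("ppid"))
            if parent and target == parent["image"].lower():
                # The delete target is the parent's own executable: self-deletion,
                # attributed to the parent rather than to cmd.exe.
                findings.append(("self_delete_via_ping", e["ppid"]))
            else:
                findings.append(("ping_then_delete", e["pid"]))
    return findings


if __name__ == "__main__":
    for name, pid in detect(EVENTS):
        print(f"{name:<24} pid={pid}")
```

The Run-key rule deliberately keys on where the persisted binary lives rather than on the key alone, since installers write Run entries constantly; the self-delete rule resolves the del target against the parent's image so that an ordinary "ping & del" cleanup of some other file is reported separately and with lower weight.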
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 6083b006e56c45b68516fe6f4fa8087d
  SHA1: 07a56226bb12fce24f7b5592e1b4afaf35c172fa
  SHA256: 47dc53a71efa099ca32b66777aa1cab6fd68471512683d75691e8e114baccdb8
  SHA512: 8f9654e5dcfe42825b1c18abf6ff7f53ae07e09a0052e61ab3fecf1d73650f5160c8cc0c43f0ca0f3a266ac0e115a187ab6857c1565fe4dc0f5b8fab3c8c7725
  These hashes differ from the submitted sample's, so this is a separate file from the run; the report does not name it.