Analysis
- max time kernel: 149s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 07:57
Static task: static1
Behavioral task: behavioral1
- Sample: 0c1efa5219ac2bf834f7d5cebbda1f8c883448b5b3eced923c51efe5a24d6eae.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2 (the run reported below; its resource matches the platform and resource listed under Analysis)
- Sample: 0c1efa5219ac2bf834f7d5cebbda1f8c883448b5b3eced923c51efe5a24d6eae.exe
- Resource: win10v2004-en-20220113
General
- Target: 0c1efa5219ac2bf834f7d5cebbda1f8c883448b5b3eced923c51efe5a24d6eae.exe
- Size: 60KB
- MD5: 02ce7e8adb68ece2211246987a98b0dd
- SHA1: 7fe62f45ed582ea273c0dd8b4f6a1e8327e23405
- SHA256: 0c1efa5219ac2bf834f7d5cebbda1f8c883448b5b3eced923c51efe5a24d6eae
- SHA512: ede5c3cd17fa26b60e575c7d11d64847a9f9063f171dee295ce28991ca78c2fc91ffe1bc3321ad06d4444fdb4de27b510baf7a71344b290fe27a968b3f0c8e39
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 2676: MediaCenter.exe, started from C:\Users\Admin\AppData\Local\Temp\MicroMedia\ by the sample (pid 1408); this is the file the Run key below points at.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation, by 0c1efa5219ac2bf834f7d5cebbda1f8c883448b5b3eced923c51efe5a24d6eae.exe (pid 1408)
  This is a read of the current user's Geo\Nation value (a GEOID); it shows intent to branch on locale, but the report does not record which value the sample compared against or whether the result changed its behaviour in this run.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe", by 0c1efa5219ac2bf834f7d5cebbda1f8c883448b5b3eced923c51efe5a24d6eae.exe (pid 1408)
  The WOW6432Node path means the sample runs as a 32-bit process on this x64 host (consistent with cmd.exe and PING.EXE launching from SysWOW64 below). The key is under HKLM, so the persistence is machine-wide and writing it requires an administrative token (the sandbox runs the sample as the Admin user). The value points at the dropped MediaCenter.exe rather than at the original sample, which deletes itself in the process tree below.
- Drops file in Windows directory (8 IoCs)
  Processes:
    File opened for modification: C:\Windows\WindowsUpdate.log, by svchost.exe
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk, by svchost.exe
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log, by svchost.exe
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb, by svchost.exe
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm, by svchost.exe
    File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log, by svchost.exe
    File opened for modification: C:\Windows\Logs\CBS\CBS.log, by TiWorker.exe
    File opened for modification: C:\Windows\WinSxS\pending.xml, by TiWorker.exe
  All eight writes come from the Windows Update service host (svchost.exe -s wuauserv, pid 4128) and the component servicing worker (TiWorker.exe, pid 1512). Neither process descends from the sample, so treat this signature as sandbox background activity, not sample behaviour.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but it is a generic heuristic: no IoC or process is attributed to it here, and the sample's own process tree shows only a dropped executable, a Run key and a self-delete, so do not read a ransomware verdict into this line on its own.
- Runs ping.exe (1 TTP, 1 IoC)
  PING.EXE (pid 4044), launched by cmd.exe (pid 3240) as the delay in the sample's self-delete command line (see Processes).
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    svchost.exe (pid 4128): SeShutdownPrivilege, SeCreatePagefilePrivilege (the pair enabled three times)
    0c1efa5219ac2bf834f7d5cebbda1f8c883448b5b3eced923c51efe5a24d6eae.exe (pid 1408): SeIncBasePriorityPrivilege
    TiWorker.exe (pid 1512): SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege, cycled repeatedly for the remainder of the list
  Only one of the 64 entries belongs to the sample: SeIncBasePriorityPrivilege, which is needed to raise a process's scheduling priority and is low-signal on its own. The backup/restore/security privileges that dominate the list are TiWorker.exe servicing the component store, the same background activity noted under "Drops file in Windows directory".
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    pid 1408 (0c1efa5219ac2bf834f7d5cebbda1f8c883448b5b3eced923c51efe5a24d6eae.exe) wrote to memory of pid 2676 (MediaCenter.exe), 3 times
    pid 1408 (0c1efa5219ac2bf834f7d5cebbda1f8c883448b5b3eced923c51efe5a24d6eae.exe) wrote to memory of pid 3240 (cmd.exe), 3 times
    pid 3240 (cmd.exe) wrote to memory of pid 4044 (PING.EXE), 3 times
  Each triplet is a parent writing into a child it has just created (the writes a parent makes while setting up a new process), so these are process-creation artefacts rather than injection into a pre-existing process. Nothing in this report shows the sample writing into a process it did not create.
Processes
- C:\Users\Admin\AppData\Local\Temp\0c1efa5219ac2bf834f7d5cebbda1f8c883448b5b3eced923c51efe5a24d6eae.exe (pid 1408, top level)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c1efa5219ac2bf834f7d5cebbda1f8c883448b5b3eced923c51efe5a24d6eae.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (pid 2676, child of 1408)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (pid 3240, child of 1408)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c1efa5219ac2bf834f7d5cebbda1f8c883448b5b3eced923c51efe5a24d6eae.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (pid 4044, child of 3240)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe (pid 4128, top level, not a descendant of the sample)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (pid 1512, top level, not a descendant of the sample)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

Two details of the sample's subtree are worth noting. The cmd.exe command line is the standard delayed self-delete: ping 127.0.0.1 sends four echo requests to loopback and takes about three seconds, long enough for the parent (pid 1408) to exit before del /q unlinks its file, and the single & runs del regardless of ping's exit status. The command line names C:\Windows\System32\cmd.exe but the image that actually ran is C:\Windows\SysWOW64\cmd.exe: file-system redirection for a 32-bit caller, which matches the WOW6432Node Run key above.
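The two behaviours this report attributes to the sample itself, the HKLM Run value pointing into %TEMP% and the "cmd /c ping 127.0.0.1 & del /q <own image>" self-delete, written as detection logic. This is an added example and not part of the sandbox report or its tooling: the Event shape is a simplified Sysmon-style process-creation / registry-set record, the decoy events and rule names are my own assumptions, and the events are constructed from the process tree above. The Geo\Nation lookup is deliberately not covered, since Sysmon records registry writes but not reads.

```python
"""Detection rules for the two sample-attributed behaviours in the report above,
run over constructed Sysmon-style events. Added example; the Event shape, the
decoy events and the rule names are assumptions, not the sandbox's own format."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "process" (like Sysmon EID 1) or "regset" (like EID 13)
    pid: int
    image: str
    ppid: int = 0
    cmdline: str = ""
    target: str = ""     # registry value path, for "regset" events
    details: str = ""    # registry value data, for "regset" events


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0c1efa5219ac2bf834f7d5cebbda1f8c883448b5b3eced923c51efe5a24d6eae.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events modelled on the report's process tree, plus two benign
# decoys (a Windows Update svchost and a vendor Run key under Program Files).
EVENTS = [
    Event("process", 1408, SAMPLE, ppid=880, cmdline=f'"{SAMPLE}"'),
    Event("regset", 1408, SAMPLE,
          target=r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
          details=DROPPED),
    Event("process", 2676, DROPPED, ppid=1408, cmdline=DROPPED),
    Event("process", 3240, r"C:\Windows\SysWOW64\cmd.exe", ppid=1408,
          cmdline=f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    Event("process", 4044, r"C:\Windows\SysWOW64\PING.EXE", ppid=3240, cmdline="ping 127.0.0.1"),
    Event("process", 4128, r"C:\Windows\system32\svchost.exe", ppid=700,
          cmdline=r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"),
    Event("regset", 555, r"C:\Program Files\Vendor\updater.exe",
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
          details=r"C:\Program Files\Vendor\updater.exe"),
]

# Any hive, with or without WOW6432Node: match on the CurrentVersion\Run(Once)\ tail.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Directories an unprivileged user can write to; a Run value pointing here is
# the classic "drop to %TEMP%/%APPDATA% and persist" pattern.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\appdata\\local\\",
                 "\\programdata\\", "\\users\\public\\")
# "ping <loopback> [...] & del [/switches] <file>": ping is only a delay so the
# caller can exit before its file is unlinked (four echo requests take about 3 s).
SELF_DELETE = re.compile(
    r"ping\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost)\b.*?&+\s*del\s+(?:/[a-z]\s+)*"
    r'"?([^"&]+?)"?\s*$', re.I)


def run_key_to_user_writable(ev):
    """Finding if a Run/RunOnce value is set to a path in a user-writable directory."""
    if ev.kind != "regset" or not RUN_KEY.search(ev.target):
        return None
    data = ev.details.strip().strip('"').lower()
    if any(marker in data for marker in USER_WRITABLE):
        return ("run_key_user_writable", ev.pid, ev.target)
    return None


def self_delete_via_ping(ev, image_by_pid):
    """Finding for the ping-then-del idiom; 'self_delete' when the target is the parent's image."""
    if ev.kind != "process" or not ev.image.lower().endswith("\\cmd.exe"):
        return None
    m = SELF_DELETE.search(ev.cmdline)
    if not m:
        return None
    deleted = m.group(1).strip()
    parent = image_by_pid.get(ev.ppid, "")
    label = "self_delete_via_ping" if deleted.lower() == parent.lower() else "delayed_delete_via_ping"
    return (label, ev.pid, deleted)


def run_rules(events):
    """Apply both rules; returns (rule, pid, detail) tuples in event order."""
    image_by_pid = {e.pid: e.image for e in events if e.kind == "process"}
    findings = []
    for e in events:
        for hit in (run_key_to_user_writable(e), self_delete_via_ping(e, image_by_pid)):
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for rule, pid, detail in run_rules(EVENTS):
        print(f"{rule:26} pid={pid} {detail}")
```

Run against the constructed events it flags exactly the two sample behaviours (the Run value written by pid 1408 and the self-delete issued by cmd.exe pid 3240) and ignores the wuauserv svchost and the Program Files Run key. The self-delete rule distinguishes "deletes its own parent's image" from a generic delayed delete by resolving the parent's image through the pid map, which is the check that separates this idiom from ordinary installer cleanup.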
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: f417d2e52818d01fee1a570da15c59d0
  SHA1: 25d8bf61a6a141c92d7ff2550dcc72577b7012dc
  SHA256: 4a6ef8a3e6908a3485c4d0d90360da5d597b3b4765f67bcf2fdde3180ab55d92
  SHA512: 0cfa9bf9e6574b5251a8a78ada0e10c65c3755f6bcdfd7c19a2ba03232ae318c5cb4d886fe88812d080e1534d87b58e37b9d6d3817a9474fa72d27a3b085fe1d
  A single downloadable artefact; the page does not name it. Its hashes differ from the submitted sample's, so it is a distinct file rather than a copy of the sample.