Analysis

max time kernel: 140s
max time network: 165s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 07:58

Static task: static1

Behavioral task: behavioral1
Sample: 0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22.exe
Resource: win10v2004-en-20220113
General

Target: 0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22.exe
Size: 35KB
MD5: 177c1fe091d873b91d104d973de8ed99
SHA1: 7b009545d6cd0851fde4495ed8e2df60325379ac
SHA256: 0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22
SHA512: 8037fe64d2ea24c6514041c1e714bb7ce79b432643507223de4157f7995708515f7c1913a5261a12bedfc0644b18dcaf22aa3b8a5b0425dd4b51587a80db48c1
Malware Config
Signatures
Executes dropped EXE 1 IoCs
Processes:
  pid   process
  1992  MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  process: 0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22.exe
Drops file in Windows directory 8 IoCs
Processes:
  description                   ioc                                                        process
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk     svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log     svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb    svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm    svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log        svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log                                TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml                              TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log                               svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description                         pid   process
  Token: SeShutdownPrivilege          3404  svchost.exe
  Token: SeCreatePagefilePrivilege    3404  svchost.exe
  Token: SeShutdownPrivilege          3404  svchost.exe
  Token: SeCreatePagefilePrivilege    3404  svchost.exe
  Token: SeShutdownPrivilege          3404  svchost.exe
  Token: SeCreatePagefilePrivilege    3404  svchost.exe
  Token: SeIncBasePriorityPrivilege   3840  0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22.exe
  Token: SeSecurityPrivilege          1776  TiWorker.exe
  Token: SeRestorePrivilege           1776  TiWorker.exe
  Token: SeBackupPrivilege            1776  TiWorker.exe
  Token: SeBackupPrivilege            1776  TiWorker.exe
  Token: SeRestorePrivilege           1776  TiWorker.exe
  Token: SeSecurityPrivilege          1776  TiWorker.exe
  Token: SeBackupPrivilege            1776  TiWorker.exe
  Token: SeRestorePrivilege           1776  TiWorker.exe
  Token: SeSecurityPrivilege          1776  TiWorker.exe
  Token: SeBackupPrivilege            1776  TiWorker.exe
  Token: SeRestorePrivilege           1776  TiWorker.exe
  Token: SeSecurityPrivilege          1776  TiWorker.exe
  Token: SeBackupPrivilege            1776  TiWorker.exe
  Token: SeRestorePrivilege           1776  TiWorker.exe
  Token: SeSecurityPrivilege          1776  TiWorker.exe
  Token: SeBackupPrivilege            1776  TiWorker.exe
  Token: SeRestorePrivilege           1776  TiWorker.exe
  Token: SeSecurityPrivilege          1776  TiWorker.exe
  Token: SeBackupPrivilege            1776  TiWorker.exe
  Token: SeRestorePrivilege           1776  TiWorker.exe
  Token: SeSecurityPrivilege          1776  TiWorker.exe
  Token: SeBackupPrivilege            1776  TiWorker.exe
  Token: SeRestorePrivilege           1776  TiWorker.exe
  Token: SeSecurityPrivilege          1776  TiWorker.exe
  Token: SeBackupPrivilege            1776  TiWorker.exe
  Token: SeRestorePrivilege           1776  TiWorker.exe
  Token: SeSecurityPrivilege          1776  TiWorker.exe
  Token: SeBackupPrivilege            1776  TiWorker.exe
  Token: SeRestorePrivilege           1776  TiWorker.exe
  Token: SeSecurityPrivilege          1776  TiWorker.exe
  Token: SeBackupPrivilege            1776  TiWorker.exe
  Token: SeRestorePrivilege           1776  TiWorker.exe
  Token: SeSecurityPrivilege          1776  TiWorker.exe
  Token: SeBackupPrivilege            1776  TiWorker.exe
  Token: SeRestorePrivilege           1776  TiWorker.exe
  Token: SeSecurityPrivilege          1776  TiWorker.exe
  Token: SeBackupPrivilege            1776  TiWorker.exe
  Token: SeRestorePrivilege           1776  TiWorker.exe
  Token: SeSecurityPrivilege          1776  TiWorker.exe
  Token: SeBackupPrivilege            1776  TiWorker.exe
  Token: SeRestorePrivilege           1776  TiWorker.exe
  Token: SeSecurityPrivilege          1776  TiWorker.exe
  Token: SeBackupPrivilege            1776  TiWorker.exe
  Token: SeRestorePrivilege           1776  TiWorker.exe
  Token: SeSecurityPrivilege          1776  TiWorker.exe
  Token: SeBackupPrivilege            1776  TiWorker.exe
  Token: SeRestorePrivilege           1776  TiWorker.exe
  Token: SeSecurityPrivilege          1776  TiWorker.exe
  Token: SeBackupPrivilege            1776  TiWorker.exe
  Token: SeRestorePrivilege           1776  TiWorker.exe
  Token: SeSecurityPrivilege          1776  TiWorker.exe
  Token: SeBackupPrivilege            1776  TiWorker.exe
  Token: SeRestorePrivilege           1776  TiWorker.exe
  Token: SeSecurityPrivilege          1776  TiWorker.exe
  Token: SeBackupPrivilege            1776  TiWorker.exe
  Token: SeRestorePrivilege           1776  TiWorker.exe
  Token: SeSecurityPrivilege          1776  TiWorker.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  description                        pid   process                                                                  target process
  PID 3840 wrote to memory of 1992   3840  0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22.exe  MediaCenter.exe
  PID 3840 wrote to memory of 1992   3840  0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22.exe  MediaCenter.exe
  PID 3840 wrote to memory of 1992   3840  0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22.exe  MediaCenter.exe
  PID 3840 wrote to memory of 4988   3840  0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22.exe  cmd.exe
  PID 3840 wrote to memory of 4988   3840  0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22.exe  cmd.exe
  PID 3840 wrote to memory of 4988   3840  0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22.exe  cmd.exe
  PID 4988 wrote to memory of 3508   4988  cmd.exe                                                                  PING.EXE
  PID 4988 wrote to memory of 3508   4988  cmd.exe                                                                  PING.EXE
  PID 4988 wrote to memory of 3508   4988  cmd.exe                                                                  PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22.exe"
  PID: 3840
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1992
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c104e13c4f9b290951d0f189e7e8767523e09b29cee59165326af25d64d2c22.exe"
    PID: 4988
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 3508
      - Runs ping.exe

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 3404
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 1776
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 7d075786b4df5a1028484ba211cea1e7
SHA1: 9adc4550555c7b55af60bb40bd58acfd4588f84d
SHA256: 39519e383b37128694191896f9a0999e69dd7d0c4e4f71c2675e00c385cc04e8
SHA512: e0ffe857293627af8d56d12fc6ecaddc1a7f3c1519b788a19966d08dfd5c1357b1f245038456e69c29005f3304d2d583e556f1b8be873b9ae3006c93b143deeb