Analysis

max time kernel: 135s
max time network: 171s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 07:59
Static task: static1

Behavioral task: behavioral1
Sample: 0c0fda3a53f4b3bea98f794aecc9039af3e19b78e36a1364bb20b8cfe8e9cc06.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 0c0fda3a53f4b3bea98f794aecc9039af3e19b78e36a1364bb20b8cfe8e9cc06.exe
Resource: win10v2004-en-20220113
General

Target: 0c0fda3a53f4b3bea98f794aecc9039af3e19b78e36a1364bb20b8cfe8e9cc06.exe
Size: 60KB
MD5: 3185e30ac7682e59881d4e5cd113dfd6
SHA1: 4d641bf997e88258704caec4293e897ce2edff32
SHA256: 0c0fda3a53f4b3bea98f794aecc9039af3e19b78e36a1364bb20b8cfe8e9cc06
SHA512: e31dc247d990cd6332901f1b9f818d6c1dba4bbb67065f4ced4969ce5a7c019ee52f77e148981a09fd26f45d0bda28ca534fc59dd06bb80a26301c7d76f1eef9
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  PID 4708  MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  (0c0fda3a53f4b3bea98f794aecc9039af3e19b78e36a1364bb20b8cfe8e9cc06.exe)
  The queried value is the per-user GeoID; a single read of it before dropping the payload is the usual shape of a region check, although the report records only the query, not what the sample did with the result.
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"  (0c0fda3a53f4b3bea98f794aecc9039af3e19b78e36a1364bb20b8cfe8e9cc06.exe)
  The WOW6432Node path shows a 32-bit process writing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run through the registry redirector; the write to HKLM succeeds because the sandbox runs the sample as Admin. The value name "MicroMedia" and the target in %LOCALAPPDATA%\Temp\MicroMedia\ are the persistence artefacts to hunt for.
Drops file in Windows directory (8 IoCs)
  File opened for modification: C:\Windows\Logs\CBS\CBS.log  (TiWorker.exe)
  File opened for modification: C:\Windows\WinSxS\pending.xml  (TiWorker.exe)
  File opened for modification: C:\Windows\WindowsUpdate.log  (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log  (svchost.exe)
  All eight writes come from the Windows Update client (svchost.exe -k netsvcs -s wuauserv) and the servicing stack worker (TiWorker.exe), both top-level processes in the tree below; none is attributable to the sample.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  No IoC is listed for this signature and nothing else in the report shows file encryption, so the ransomware wording should be read as the sandbox's generic description of the signature rather than a finding about this sample.

Runs ping.exe (1 TTP, 1 IoC)
  PID 4984  PING.EXE (ping 127.0.0.1, spawned by cmd.exe; see the process tree)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeShutdownPrivilege / SeCreatePagefilePrivilege, alternating  PID 2780  svchost.exe  (3 each, 6 total)
  Token: SeIncBasePriorityPrivilege  PID 4524  0c0fda3a53f4b3bea98f794aecc9039af3e19b78e36a1364bb20b8cfe8e9cc06.exe  (1)
  Token: SeSecurityPrivilege / SeRestorePrivilege / SeBackupPrivilege, cycling  PID 4616  TiWorker.exe  (19 each, 57 total)
  The 63 adjustments by svchost.exe and TiWorker.exe are ordinary Windows Update and servicing stack activity. The only token adjustment by the sample itself is a single SeIncBasePriorityPrivilege enable (PID 4524), which is what SetPriorityClass/SetThreadPriority need and is not by itself evidence of privilege escalation.
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4524 (0c0fda3a53f4b3bea98f794aecc9039af3e19b78e36a1364bb20b8cfe8e9cc06.exe) wrote to memory of PID 4708 (MediaCenter.exe)  x3
  PID 4524 (0c0fda3a53f4b3bea98f794aecc9039af3e19b78e36a1364bb20b8cfe8e9cc06.exe) wrote to memory of PID 3056 (cmd.exe)  x3
  PID 3056 (cmd.exe) wrote to memory of PID 4984 (PING.EXE)  x3
  Every target is the writer's own direct child in the process tree below, and the writes occur in the three-per-child pattern seen when a parent creates a child, so this signature reflects normal process creation rather than injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\0c0fda3a53f4b3bea98f794aecc9039af3e19b78e36a1364bb20b8cfe8e9cc06.exe  (PID 4524)
  command line: "C:\Users\Admin\AppData\Local\Temp\0c0fda3a53f4b3bea98f794aecc9039af3e19b78e36a1364bb20b8cfe8e9cc06.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 4708)
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe  (PID 3056)
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c0fda3a53f4b3bea98f794aecc9039af3e19b78e36a1364bb20b8cfe8e9cc06.exe"
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE  (PID 4984)
          command line: ping 127.0.0.1
          - Runs ping.exe

C:\Windows\system32\svchost.exe  (PID 2780)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  (PID 4616)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample drops MediaCenter.exe into %LOCALAPPDATA%\Temp\MicroMedia\, starts it, registers it in the Run key, then hands a "ping 127.0.0.1 & del /q <own path>" chain to cmd.exe. The loopback ping is only a delay so the original image is unlocked by the time del runs; the dropped copy and the Run key remain, so the persisted payload survives the removal of the submitted file. The sample asks for C:\Windows\System32\cmd.exe but gets C:\Windows\SysWOW64\cmd.exe, which is the file-system redirector at work and matches the WOW6432Node registry path: the sample is a 32-bit executable on 64-bit Windows. svchost.exe (wuauserv) and TiWorker.exe are independent top-level processes and are Windows Update noise in this run.
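The three behaviours the report attributes to the sample itself (the Geo\Nation lookup, the Run entry pointing into %LOCALAPPDATA%\Temp, and the ping-then-del self-deletion) reduce to three detection rules that can run over registry and process-creation telemetry. The script below is an added example, not part of the sandbox report or of any tooling it uses; its event records are constructed from the IoCs above, plus two benign look-alikes (a Run entry pointing into Program Files and a bare loopback ping) that the rules must ignore. The field names (type, pid, key, data, cmdline, parent_image) are an assumed, simplified schema, not the sandbox's own.

```python
"""Detection rules for the sample-attributable behaviours in the report above.

Added example: the event records are constructed from the report's IoCs
(plus two benign records) and are not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0c0fda3a53f4b3bea98f794aecc9039af3e19b78e36a1364bb20b8cfe8e9cc06.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events. The first three mirror the report; the last two are
# benign look-alikes that the rules must not flag.
EVENTS = [
    {"type": "reg_query", "pid": 4524, "image": SAMPLE,
     "key": r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"type": "reg_set", "pid": 4524, "image": SAMPLE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
            r"\CurrentVersion\Run\MicroMedia",
     "data": DROPPED},
    {"type": "proc_create", "pid": 3056, "ppid": 4524, "parent_image": SAMPLE,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'},
    # constructed benign: installer registering a Run entry under Program Files
    {"type": "reg_set", "pid": 7000, "image": r"C:\Program Files\Example\setup.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Example",
     "data": r"C:\Program Files\Example\example.exe"},
    # constructed benign: an interactive loopback ping with no delete chained
    {"type": "proc_create", "pid": 7001, "ppid": 6999,
     "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1'},
]

GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.I)
# Locations an unprivileged user can write to; a Run entry pointing here is far
# more suspicious than one pointing into Program Files.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:Users\\[^\\]+\\AppData\\|Users\\Public\\|ProgramData\\|Windows\\Temp\\)", re.I)
# "ping <loopback> ... & del <path>": the ping is only a delay so the parent can
# exit and unlock its image before del runs.
SELF_DELETE = re.compile(
    r'ping(?:\.exe)?\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost)\b'
    r'.*?&+\s*del\s+(?:/[a-z]\s+)*"?(?P<target>[^"&]+?)"?\s*$', re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def parse_self_delete(cmdline: str) -> Optional[str]:
    """Return the path a 'ping loopback & del' chain deletes, or None."""
    m = SELF_DELETE.search(cmdline)
    return m.group("target").strip() if m else None


def triage(events) -> list:
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "reg_query" and GEO_KEY.search(ev["key"]):
            findings.append(Finding("geofence_lookup", ev["pid"], ev["key"]))
        elif kind == "reg_set" and RUN_KEY.search(ev["key"]):
            data = ev["data"].strip('"')
            if USER_WRITABLE.match(data):
                # WOW6432Node means a 32-bit process wrote HKLM\...\Run through the
                # registry redirector; the native 64-bit Run key is untouched.
                arch = " (32-bit writer, WOW6432Node)" if "wow6432node" in ev["key"].lower() else ""
                findings.append(Finding("run_key_user_writable", ev["pid"],
                                        f"{ev['key']} -> {data}{arch}"))
        elif kind == "proc_create" and ev["image"].lower().endswith("\\cmd.exe"):
            target = parse_self_delete(ev["cmdline"])
            if target:
                parent = ev.get("parent_image", "")
                # Deleting the parent's own image is the self-delete case; deleting
                # anything else is still worth a lower-severity "delayed delete".
                rule = "self_delete_parent" if target.lower() == parent.lower() else "delayed_delete"
                findings.append(Finding(rule, ev["pid"], target))
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f.rule:24} pid={f.pid:<5} {f.detail}")
```

The self-delete rule keys on the parent's image path rather than on ping alone, which is what separates this chain from the ordinary loopback pings that administrators and scripts generate. The Run-key rule deliberately stays quiet for targets under Program Files; tuning the USER_WRITABLE list to the environment is where most of the false-positive work lives.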
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: bd22e48f5b4f90a6613e7fba21277b87
SHA1: 1922f8b81b808999d0c91347f518399d2c06378b
SHA256: ce9e42b1abb5696a026ebd43af72143ceab88ac466c38bef7eb2f87e22839291
SHA512: ddfab721ac726b54706c2a0c3e439936b928ae476340cabf5fce6d99039b937d61dbfe8d3cbc412ac4a2980dd1f1b2a4daf44076a8c04b0462a5729269bb9311