Analysis
- max time kernel: 144s
- max time network: 171s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 07:59

Static task: static1

Behavioral task: behavioral1
- Sample: 0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exe
- Resource: win10v2004-en-20220113
General
- Target: 0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exe
- Size: 36KB
- MD5: b0b85b1dc59aa8d3e8185b2e53b438d3
- SHA1: 0dde149d9940268fc58ec89c445db67f23a1a2d9
- SHA256: 0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2
- SHA512: a3ad963bbc50f8e43dcbaac78cc5541655d105c9321103fe9874c4959df042387ff365ed2a00f093a2a3fc312e95ae86cadf0bfdfdd9f2b0ef3621b09ced11f6
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes:
| pid  | process         |
|------|-----------------|
| 4228 | MediaCenter.exe |
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
| description       | ioc                                                                                                 | process                                                                  |
|-------------------|-----------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------|
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exe |
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
| description     | ioc                                                                                                                                                                   | process                                                                  |
|-----------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exe |
Drops file in Windows directory (8 IoCs)
Processes:
| description                  | ioc                                                         | process      |
|------------------------------|-------------------------------------------------------------|--------------|
| File opened for modification | C:\Windows\WinSxS\pending.xml                               | TiWorker.exe |
| File opened for modification | C:\Windows\WindowsUpdate.log                                | svchost.exe  |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk      | svchost.exe  |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log      | svchost.exe  |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb     | svchost.exe  |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm     | svchost.exe  |
| File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log         | svchost.exe  |
| File opened for modification | C:\Windows\Logs\CBS\CBS.log                                 | TiWorker.exe |
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
| description                       | pid  | process                                                                  |
|-----------------------------------|------|--------------------------------------------------------------------------|
| Token: SeShutdownPrivilege        | 3220 | svchost.exe                                                              |
| Token: SeCreatePagefilePrivilege  | 3220 | svchost.exe                                                              |
| Token: SeShutdownPrivilege        | 3220 | svchost.exe                                                              |
| Token: SeCreatePagefilePrivilege  | 3220 | svchost.exe                                                              |
| Token: SeShutdownPrivilege        | 3220 | svchost.exe                                                              |
| Token: SeCreatePagefilePrivilege  | 3220 | svchost.exe                                                              |
| Token: SeIncBasePriorityPrivilege | 396  | 0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exe |
| Token: SeSecurityPrivilege        | 3744 | TiWorker.exe                                                             |
| Token: SeRestorePrivilege         | 3744 | TiWorker.exe                                                             |
| Token: SeBackupPrivilege          | 3744 | TiWorker.exe                                                             |
| Token: SeBackupPrivilege          | 3744 | TiWorker.exe                                                             |
| Token: SeRestorePrivilege         | 3744 | TiWorker.exe                                                             |
| Token: SeSecurityPrivilege        | 3744 | TiWorker.exe                                                             |
| Token: SeBackupPrivilege          | 3744 | TiWorker.exe                                                             |
| Token: SeRestorePrivilege         | 3744 | TiWorker.exe                                                             |
| Token: SeSecurityPrivilege        | 3744 | TiWorker.exe                                                             |
| Token: SeBackupPrivilege          | 3744 | TiWorker.exe                                                             |
| Token: SeRestorePrivilege         | 3744 | TiWorker.exe                                                             |
| Token: SeSecurityPrivilege        | 3744 | TiWorker.exe                                                             |
| Token: SeBackupPrivilege          | 3744 | TiWorker.exe                                                             |
| Token: SeRestorePrivilege         | 3744 | TiWorker.exe                                                             |
| Token: SeSecurityPrivilege        | 3744 | TiWorker.exe                                                             |
| Token: SeBackupPrivilege          | 3744 | TiWorker.exe                                                             |
| Token: SeRestorePrivilege         | 3744 | TiWorker.exe                                                             |
| Token: SeSecurityPrivilege        | 3744 | TiWorker.exe                                                             |
| Token: SeBackupPrivilege          | 3744 | TiWorker.exe                                                             |
| Token: SeRestorePrivilege         | 3744 | TiWorker.exe                                                             |
| Token: SeSecurityPrivilege        | 3744 | TiWorker.exe                                                             |
| Token: SeBackupPrivilege          | 3744 | TiWorker.exe                                                             |
| Token: SeRestorePrivilege         | 3744 | TiWorker.exe                                                             |
| Token: SeSecurityPrivilege        | 3744 | TiWorker.exe                                                             |
| Token: SeBackupPrivilege          | 3744 | TiWorker.exe                                                             |
| Token: SeRestorePrivilege         | 3744 | TiWorker.exe                                                             |
| Token: SeSecurityPrivilege        | 3744 | TiWorker.exe                                                             |
| Token: SeBackupPrivilege          | 3744 | TiWorker.exe                                                             |
| Token: SeRestorePrivilege         | 3744 | TiWorker.exe                                                             |
| Token: SeSecurityPrivilege        | 3744 | TiWorker.exe                                                             |
| Token: SeBackupPrivilege          | 3744 | TiWorker.exe                                                             |
| Token: SeRestorePrivilege         | 3744 | TiWorker.exe                                                             |
| Token: SeSecurityPrivilege        | 3744 | TiWorker.exe                                                             |
| Token: SeBackupPrivilege          | 3744 | TiWorker.exe                                                             |
| Token: SeRestorePrivilege         | 3744 | TiWorker.exe                                                             |
| Token: SeSecurityPrivilege        | 3744 | TiWorker.exe                                                             |
| Token: SeBackupPrivilege          | 3744 | TiWorker.exe                                                             |
| Token: SeRestorePrivilege         | 3744 | TiWorker.exe                                                             |
| Token: SeSecurityPrivilege        | 3744 | TiWorker.exe                                                             |
| Token: SeBackupPrivilege          | 3744 | TiWorker.exe                                                             |
| Token: SeRestorePrivilege         | 3744 | TiWorker.exe                                                             |
| Token: SeSecurityPrivilege        | 3744 | TiWorker.exe                                                             |
| Token: SeBackupPrivilege          | 3744 | TiWorker.exe                                                             |
| Token: SeRestorePrivilege         | 3744 | TiWorker.exe                                                             |
| Token: SeSecurityPrivilege        | 3744 | TiWorker.exe                                                             |
| Token: SeBackupPrivilege          | 3744 | TiWorker.exe                                                             |
| Token: SeRestorePrivilege         | 3744 | TiWorker.exe                                                             |
| Token: SeSecurityPrivilege        | 3744 | TiWorker.exe                                                             |
| Token: SeBackupPrivilege          | 3744 | TiWorker.exe                                                             |
| Token: SeRestorePrivilege         | 3744 | TiWorker.exe                                                             |
| Token: SeSecurityPrivilege        | 3744 | TiWorker.exe                                                             |
| Token: SeBackupPrivilege          | 3744 | TiWorker.exe                                                             |
| Token: SeRestorePrivilege         | 3744 | TiWorker.exe                                                             |
| Token: SeSecurityPrivilege        | 3744 | TiWorker.exe                                                             |
| Token: SeBackupPrivilege          | 3744 | TiWorker.exe                                                             |
| Token: SeRestorePrivilege         | 3744 | TiWorker.exe                                                             |
| Token: SeSecurityPrivilege        | 3744 | TiWorker.exe                                                             |
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
| description                      | pid  | process                                                                  | target process  |
|----------------------------------|------|--------------------------------------------------------------------------|-----------------|
| PID 396 wrote to memory of 4228  | 396  | 0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exe | MediaCenter.exe |
| PID 396 wrote to memory of 4228  | 396  | 0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exe | MediaCenter.exe |
| PID 396 wrote to memory of 4228  | 396  | 0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exe | MediaCenter.exe |
| PID 396 wrote to memory of 2804  | 396  | 0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exe | cmd.exe         |
| PID 396 wrote to memory of 2804  | 396  | 0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exe | cmd.exe         |
| PID 396 wrote to memory of 2804  | 396  | 0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exe | cmd.exe         |
| PID 2804 wrote to memory of 3112 | 2804 | cmd.exe                                                                  | PING.EXE        |
| PID 2804 wrote to memory of 3112 | 2804 | cmd.exe                                                                  | PING.EXE        |
| PID 2804 wrote to memory of 3112 | 2804 | cmd.exe                                                                  | PING.EXE        |
Processes
- C:\Users\Admin\AppData\Local\Temp\0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 396
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 4228
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c0f54df5c7e6c8c0efd2c4aa63cdd204ae4b1953fbbcb7c822819c3526febc2.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2804
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3112
- C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3220
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (level 1)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3744
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: e26d760c3a52ff643563e6bcf84875f5
- SHA1: ef799809a8f3113967e7b0daf68552f9b97cc8d0
- SHA256: 67be109ae7a9b813b9ddcaea48265c4c8620c72c6990a93028e738cda8d5fa07
- SHA512: c5a8b2cf21bb975ffdbe568f3b0f429476ebb6518ce613b0a3ec3b9f76ee27b21d03bd5f797641d0537ef6dc993e49e8a3fcb7f58406b5fc7ecc3fd50e04caf7