Analysis
- max time kernel: 157s
- max time network: 174s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 07:59
Static task: static1
Behavioral task: behavioral1
- Sample: 0c0d6931210776cae8c3b428e81c7f9b54034750c5d2552341f4a82a3484ab5a.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0c0d6931210776cae8c3b428e81c7f9b54034750c5d2552341f4a82a3484ab5a.exe
- Resource: win10v2004-en-20220113
General
- Target: 0c0d6931210776cae8c3b428e81c7f9b54034750c5d2552341f4a82a3484ab5a.exe
- Size: 60KB
- MD5: 601cd69fe8641d28f847ea638e0e2523
- SHA1: 8b52f880097f48d899c202cd73d9dea76be99d57
- SHA256: 0c0d6931210776cae8c3b428e81c7f9b54034750c5d2552341f4a82a3484ab5a
- SHA512: 3bd037b294c5610c6a6ab99f90f780f0edf3e9f620410c60badb97262944810f5413bbd684f79c1fc46e0663c35697b7549209881063f580efcc48dabfc67ccc
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
  pid | process
  4652 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 0c0d6931210776cae8c3b428e81c7f9b54034750c5d2552341f4a82a3484ab5a.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0c0d6931210776cae8c3b428e81c7f9b54034750c5d2552341f4a82a3484ab5a.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 0c0d6931210776cae8c3b428e81c7f9b54034750c5d2552341f4a82a3484ab5a.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0c0d6931210776cae8c3b428e81c7f9b54034750c5d2552341f4a82a3484ab5a.exe
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, 0c0d6931210776cae8c3b428e81c7f9b54034750c5d2552341f4a82a3484ab5a.exe, TiWorker.exe
  description | pid | process
  Token: SeShutdownPrivilege | 4580 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4580 | svchost.exe
  Token: SeShutdownPrivilege | 4580 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4580 | svchost.exe
  Token: SeShutdownPrivilege | 4580 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4580 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 4608 | 0c0d6931210776cae8c3b428e81c7f9b54034750c5d2552341f4a82a3484ab5a.exe
  Token: SeSecurityPrivilege | 1952 | TiWorker.exe
  Token: SeRestorePrivilege | 1952 | TiWorker.exe
  Token: SeBackupPrivilege | 1952 | TiWorker.exe
  Token: SeBackupPrivilege | 1952 | TiWorker.exe
  Token: SeRestorePrivilege | 1952 | TiWorker.exe
  Token: SeSecurityPrivilege | 1952 | TiWorker.exe
  Token: SeBackupPrivilege | 1952 | TiWorker.exe
  Token: SeRestorePrivilege | 1952 | TiWorker.exe
  Token: SeSecurityPrivilege | 1952 | TiWorker.exe
  Token: SeBackupPrivilege | 1952 | TiWorker.exe
  Token: SeRestorePrivilege | 1952 | TiWorker.exe
  Token: SeSecurityPrivilege | 1952 | TiWorker.exe
  Token: SeBackupPrivilege | 1952 | TiWorker.exe
  Token: SeRestorePrivilege | 1952 | TiWorker.exe
  Token: SeSecurityPrivilege | 1952 | TiWorker.exe
  Token: SeBackupPrivilege | 1952 | TiWorker.exe
  Token: SeRestorePrivilege | 1952 | TiWorker.exe
  Token: SeSecurityPrivilege | 1952 | TiWorker.exe
  Token: SeBackupPrivilege | 1952 | TiWorker.exe
  Token: SeRestorePrivilege | 1952 | TiWorker.exe
  Token: SeSecurityPrivilege | 1952 | TiWorker.exe
  Token: SeBackupPrivilege | 1952 | TiWorker.exe
  Token: SeRestorePrivilege | 1952 | TiWorker.exe
  Token: SeSecurityPrivilege | 1952 | TiWorker.exe
  Token: SeBackupPrivilege | 1952 | TiWorker.exe
  Token: SeRestorePrivilege | 1952 | TiWorker.exe
  Token: SeSecurityPrivilege | 1952 | TiWorker.exe
  Token: SeBackupPrivilege | 1952 | TiWorker.exe
  Token: SeRestorePrivilege | 1952 | TiWorker.exe
  Token: SeSecurityPrivilege | 1952 | TiWorker.exe
  Token: SeBackupPrivilege | 1952 | TiWorker.exe
  Token: SeRestorePrivilege | 1952 | TiWorker.exe
  Token: SeSecurityPrivilege | 1952 | TiWorker.exe
  Token: SeBackupPrivilege | 1952 | TiWorker.exe
  Token: SeRestorePrivilege | 1952 | TiWorker.exe
  Token: SeSecurityPrivilege | 1952 | TiWorker.exe
  Token: SeBackupPrivilege | 1952 | TiWorker.exe
  Token: SeRestorePrivilege | 1952 | TiWorker.exe
  Token: SeSecurityPrivilege | 1952 | TiWorker.exe
  Token: SeBackupPrivilege | 1952 | TiWorker.exe
  Token: SeRestorePrivilege | 1952 | TiWorker.exe
  Token: SeSecurityPrivilege | 1952 | TiWorker.exe
  Token: SeBackupPrivilege | 1952 | TiWorker.exe
  Token: SeRestorePrivilege | 1952 | TiWorker.exe
  Token: SeSecurityPrivilege | 1952 | TiWorker.exe
  Token: SeBackupPrivilege | 1952 | TiWorker.exe
  Token: SeRestorePrivilege | 1952 | TiWorker.exe
  Token: SeSecurityPrivilege | 1952 | TiWorker.exe
  Token: SeBackupPrivilege | 1952 | TiWorker.exe
  Token: SeRestorePrivilege | 1952 | TiWorker.exe
  Token: SeSecurityPrivilege | 1952 | TiWorker.exe
  Token: SeBackupPrivilege | 1952 | TiWorker.exe
  Token: SeRestorePrivilege | 1952 | TiWorker.exe
  Token: SeSecurityPrivilege | 1952 | TiWorker.exe
  Token: SeBackupPrivilege | 1952 | TiWorker.exe
  Token: SeRestorePrivilege | 1952 | TiWorker.exe
  Token: SeSecurityPrivilege | 1952 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 0c0d6931210776cae8c3b428e81c7f9b54034750c5d2552341f4a82a3484ab5a.exe, cmd.exe
  description | pid | process | target process
  PID 4608 wrote to memory of 4652 | 4608 | 0c0d6931210776cae8c3b428e81c7f9b54034750c5d2552341f4a82a3484ab5a.exe | MediaCenter.exe
  PID 4608 wrote to memory of 4652 | 4608 | 0c0d6931210776cae8c3b428e81c7f9b54034750c5d2552341f4a82a3484ab5a.exe | MediaCenter.exe
  PID 4608 wrote to memory of 4652 | 4608 | 0c0d6931210776cae8c3b428e81c7f9b54034750c5d2552341f4a82a3484ab5a.exe | MediaCenter.exe
  PID 4608 wrote to memory of 5024 | 4608 | 0c0d6931210776cae8c3b428e81c7f9b54034750c5d2552341f4a82a3484ab5a.exe | cmd.exe
  PID 4608 wrote to memory of 5024 | 4608 | 0c0d6931210776cae8c3b428e81c7f9b54034750c5d2552341f4a82a3484ab5a.exe | cmd.exe
  PID 4608 wrote to memory of 5024 | 4608 | 0c0d6931210776cae8c3b428e81c7f9b54034750c5d2552341f4a82a3484ab5a.exe | cmd.exe
  PID 5024 wrote to memory of 1968 | 5024 | cmd.exe | PING.EXE
  PID 5024 wrote to memory of 1968 | 5024 | cmd.exe | PING.EXE
  PID 5024 wrote to memory of 1968 | 5024 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0c0d6931210776cae8c3b428e81c7f9b54034750c5d2552341f4a82a3484ab5a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c0d6931210776cae8c3b428e81c7f9b54034750c5d2552341f4a82a3484ab5a.exe"
  PID: 4608
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4652
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c0d6931210776cae8c3b428e81c7f9b54034750c5d2552341f4a82a3484ab5a.exe"
    PID: 5024
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1968
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4580
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 1952
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 1c0979b18603f4080d2c0c0d73b802e8
- SHA1: fc4baa9e7611cc796a6e82f358c99e7c6edc607f
- SHA256: c2fa95ce7bc5d4958732109763fc12daa59c1bb0123696b71fb37c5a64495d29
- SHA512: faaee6f04963b5d5a9a5062a20d6aa7bbf0a53fb16480d15cb6b5234f298803ba51e348eb30d19a586958701a37d7e6bdbbace68307b0dd499596d09fde27fd8