Analysis
max time kernel: 142s
max time network: 177s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 08:02
Static task: static1
Behavioral task: behavioral1
  Sample: 0be278ca113ef3c1a4a0e2d55fae91c7b5e4522412c5153d14a6eb153bcf0363.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0be278ca113ef3c1a4a0e2d55fae91c7b5e4522412c5153d14a6eb153bcf0363.exe
  Resource: win10v2004-en-20220113
General
Target: 0be278ca113ef3c1a4a0e2d55fae91c7b5e4522412c5153d14a6eb153bcf0363.exe
Size: 58KB
MD5: cdb8306cfa96bdcab9f2f784f3d2cb66
SHA1: bd7ec885b65c0f94e51b98b0863b8e189b620382
SHA256: 0be278ca113ef3c1a4a0e2d55fae91c7b5e4522412c5153d14a6eb153bcf0363
SHA512: 5998d25c0acfcc164f0c1cc63a4d08405550bd90b48566e3923c4936e99a3b9acd0d3728cef5588f22dc62ff69db06562e5abca42b1d64cf149c3e0192fee9a7
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes: MediaCenter.exe
  pid | process
  3744 | MediaCenter.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 0be278ca113ef3c1a4a0e2d55fae91c7b5e4522412c5153d14a6eb153bcf0363.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0be278ca113ef3c1a4a0e2d55fae91c7b5e4522412c5153d14a6eb153bcf0363.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 0be278ca113ef3c1a4a0e2d55fae91c7b5e4522412c5153d14a6eb153bcf0363.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0be278ca113ef3c1a4a0e2d55fae91c7b5e4522412c5153d14a6eb153bcf0363.exe

Drops file in Windows directory (8 IoCs)
Processes: svchost.exe, TiWorker.exe
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: svchost.exe, TiWorker.exe, 0be278ca113ef3c1a4a0e2d55fae91c7b5e4522412c5153d14a6eb153bcf0363.exe
  description | pid | process
  Token: SeShutdownPrivilege | 4712 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4712 | svchost.exe
  Token: SeShutdownPrivilege | 4712 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4712 | svchost.exe
  Token: SeShutdownPrivilege | 4712 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4712 | svchost.exe
  Token: SeSecurityPrivilege | 2204 | TiWorker.exe
  Token: SeRestorePrivilege | 2204 | TiWorker.exe
  Token: SeBackupPrivilege | 2204 | TiWorker.exe
  Token: SeBackupPrivilege | 2204 | TiWorker.exe
  Token: SeRestorePrivilege | 2204 | TiWorker.exe
  Token: SeSecurityPrivilege | 2204 | TiWorker.exe
  Token: SeBackupPrivilege | 2204 | TiWorker.exe
  Token: SeRestorePrivilege | 2204 | TiWorker.exe
  Token: SeSecurityPrivilege | 2204 | TiWorker.exe
  Token: SeBackupPrivilege | 2204 | TiWorker.exe
  Token: SeRestorePrivilege | 2204 | TiWorker.exe
  Token: SeSecurityPrivilege | 2204 | TiWorker.exe
  Token: SeBackupPrivilege | 2204 | TiWorker.exe
  Token: SeRestorePrivilege | 2204 | TiWorker.exe
  Token: SeSecurityPrivilege | 2204 | TiWorker.exe
  Token: SeIncBasePriorityPrivilege | 4528 | 0be278ca113ef3c1a4a0e2d55fae91c7b5e4522412c5153d14a6eb153bcf0363.exe
  Token: SeBackupPrivilege | 2204 | TiWorker.exe
  Token: SeRestorePrivilege | 2204 | TiWorker.exe
  Token: SeSecurityPrivilege | 2204 | TiWorker.exe
  Token: SeBackupPrivilege | 2204 | TiWorker.exe
  Token: SeRestorePrivilege | 2204 | TiWorker.exe
  Token: SeSecurityPrivilege | 2204 | TiWorker.exe
  Token: SeBackupPrivilege | 2204 | TiWorker.exe
  Token: SeRestorePrivilege | 2204 | TiWorker.exe
  Token: SeSecurityPrivilege | 2204 | TiWorker.exe
  Token: SeBackupPrivilege | 2204 | TiWorker.exe
  Token: SeRestorePrivilege | 2204 | TiWorker.exe
  Token: SeSecurityPrivilege | 2204 | TiWorker.exe
  Token: SeBackupPrivilege | 2204 | TiWorker.exe
  Token: SeRestorePrivilege | 2204 | TiWorker.exe
  Token: SeSecurityPrivilege | 2204 | TiWorker.exe
  Token: SeBackupPrivilege | 2204 | TiWorker.exe
  Token: SeRestorePrivilege | 2204 | TiWorker.exe
  Token: SeSecurityPrivilege | 2204 | TiWorker.exe
  Token: SeBackupPrivilege | 2204 | TiWorker.exe
  Token: SeRestorePrivilege | 2204 | TiWorker.exe
  Token: SeSecurityPrivilege | 2204 | TiWorker.exe
  Token: SeBackupPrivilege | 2204 | TiWorker.exe
  Token: SeRestorePrivilege | 2204 | TiWorker.exe
  Token: SeSecurityPrivilege | 2204 | TiWorker.exe
  Token: SeBackupPrivilege | 2204 | TiWorker.exe
  Token: SeRestorePrivilege | 2204 | TiWorker.exe
  Token: SeSecurityPrivilege | 2204 | TiWorker.exe
  Token: SeBackupPrivilege | 2204 | TiWorker.exe
  Token: SeRestorePrivilege | 2204 | TiWorker.exe
  Token: SeSecurityPrivilege | 2204 | TiWorker.exe
  Token: SeBackupPrivilege | 2204 | TiWorker.exe
  Token: SeRestorePrivilege | 2204 | TiWorker.exe
  Token: SeSecurityPrivilege | 2204 | TiWorker.exe
  Token: SeBackupPrivilege | 2204 | TiWorker.exe
  Token: SeRestorePrivilege | 2204 | TiWorker.exe
  Token: SeSecurityPrivilege | 2204 | TiWorker.exe
  Token: SeBackupPrivilege | 2204 | TiWorker.exe
  Token: SeRestorePrivilege | 2204 | TiWorker.exe
  Token: SeSecurityPrivilege | 2204 | TiWorker.exe
  Token: SeBackupPrivilege | 2204 | TiWorker.exe
  Token: SeRestorePrivilege | 2204 | TiWorker.exe
  Token: SeSecurityPrivilege | 2204 | TiWorker.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 0be278ca113ef3c1a4a0e2d55fae91c7b5e4522412c5153d14a6eb153bcf0363.exe, cmd.exe
  description | pid | process | target process
  PID 4528 wrote to memory of 3744 | 4528 | 0be278ca113ef3c1a4a0e2d55fae91c7b5e4522412c5153d14a6eb153bcf0363.exe | MediaCenter.exe
  PID 4528 wrote to memory of 3744 | 4528 | 0be278ca113ef3c1a4a0e2d55fae91c7b5e4522412c5153d14a6eb153bcf0363.exe | MediaCenter.exe
  PID 4528 wrote to memory of 3744 | 4528 | 0be278ca113ef3c1a4a0e2d55fae91c7b5e4522412c5153d14a6eb153bcf0363.exe | MediaCenter.exe
  PID 4528 wrote to memory of 2228 | 4528 | 0be278ca113ef3c1a4a0e2d55fae91c7b5e4522412c5153d14a6eb153bcf0363.exe | cmd.exe
  PID 4528 wrote to memory of 2228 | 4528 | 0be278ca113ef3c1a4a0e2d55fae91c7b5e4522412c5153d14a6eb153bcf0363.exe | cmd.exe
  PID 4528 wrote to memory of 2228 | 4528 | 0be278ca113ef3c1a4a0e2d55fae91c7b5e4522412c5153d14a6eb153bcf0363.exe | cmd.exe
  PID 2228 wrote to memory of 3260 | 2228 | cmd.exe | PING.EXE
  PID 2228 wrote to memory of 3260 | 2228 | cmd.exe | PING.EXE
  PID 2228 wrote to memory of 3260 | 2228 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0be278ca113ef3c1a4a0e2d55fae91c7b5e4522412c5153d14a6eb153bcf0363.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0be278ca113ef3c1a4a0e2d55fae91c7b5e4522412c5153d14a6eb153bcf0363.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4528
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 3744
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0be278ca113ef3c1a4a0e2d55fae91c7b5e4522412c5153d14a6eb153bcf0363.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2228
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3260
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4712
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2204
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 0b52366891c5e53a37eb745d8c0e29eb
SHA1: 6d2f213fe2c8e074ed0acb56993414e2db6e22ab
SHA256: 7c397b5b1b39dd56eb3699e12db2e0f58ba31abf37301e95d71cc516938d5dda
SHA512: 743c6f755b6c72b37bb59135f9dfc0a266450aef8c0de27936c9c2ea778eee2afa492d0478ee3d2a737df4f6d0328908ec03d57b5cc3cdc06cf02cdb5d5d23a0