Analysis
- max time kernel: 138s
- max time network: 170s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 08:07
Static task: static1
Behavioral task: behavioral1
- Sample: 0bab0d5af3b012cf3819353d5ce3a03d53a20c9ff4d18a18f7767a1bd1c3b8a0.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0bab0d5af3b012cf3819353d5ce3a03d53a20c9ff4d18a18f7767a1bd1c3b8a0.exe
- Resource: win10v2004-en-20220113
General
- Target: 0bab0d5af3b012cf3819353d5ce3a03d53a20c9ff4d18a18f7767a1bd1c3b8a0.exe
- Size: 36KB
- MD5: 5a62065234f3cc83f3a08ca135bf1398
- SHA1: ec5a11ecd13590a26584aae78b134aeba212cead
- SHA256: 0bab0d5af3b012cf3819353d5ce3a03d53a20c9ff4d18a18f7767a1bd1c3b8a0
- SHA512: d77bf5a3fc0ca96779e87055c9b8a41d2b91cb551fa48382586f58fc2e5c7092e0bfa45e2edb029a697329fc014508fe968e9fa6af3319688a9a13f24ea72157
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    - pid 1972, process MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    - Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (process: 0bab0d5af3b012cf3819353d5ce3a03d53a20c9ff4d18a18f7767a1bd1c3b8a0.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (process: 0bab0d5af3b012cf3819353d5ce3a03d53a20c9ff4d18a18f7767a1bd1c3b8a0.exe)
- Drops file in Windows directory (8 IoCs)
  Processes:
    - File opened for modification: C:\Windows\WinSxS\pending.xml (process: TiWorker.exe)
    - File opened for modification: C:\Windows\WindowsUpdate.log (process: svchost.exe)
    - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (process: svchost.exe)
    - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (process: svchost.exe)
    - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (process: svchost.exe)
    - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (process: svchost.exe)
    - File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (process: svchost.exe)
    - File opened for modification: C:\Windows\Logs\CBS\CBS.log (process: TiWorker.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (token adjustments grouped by privilege, pid and process, with the number of times each was recorded; 64 in total):
    - Token: SeShutdownPrivilege, pid 4780, svchost.exe (3 times)
    - Token: SeCreatePagefilePrivilege, pid 4780, svchost.exe (3 times)
    - Token: SeSecurityPrivilege, pid 3920, TiWorker.exe (19 times)
    - Token: SeRestorePrivilege, pid 3920, TiWorker.exe (19 times)
    - Token: SeBackupPrivilege, pid 3920, TiWorker.exe (19 times)
    - Token: SeIncBasePriorityPrivilege, pid 2104, 0bab0d5af3b012cf3819353d5ce3a03d53a20c9ff4d18a18f7767a1bd1c3b8a0.exe (1 time)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    - PID 2104 wrote to memory of 1972 (0bab0d5af3b012cf3819353d5ce3a03d53a20c9ff4d18a18f7767a1bd1c3b8a0.exe -> MediaCenter.exe), recorded 3 times
    - PID 2104 wrote to memory of 4600 (0bab0d5af3b012cf3819353d5ce3a03d53a20c9ff4d18a18f7767a1bd1c3b8a0.exe -> cmd.exe), recorded 3 times
    - PID 4600 wrote to memory of 3380 (cmd.exe -> PING.EXE), recorded 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\0bab0d5af3b012cf3819353d5ce3a03d53a20c9ff4d18a18f7767a1bd1c3b8a0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0bab0d5af3b012cf3819353d5ce3a03d53a20c9ff4d18a18f7767a1bd1c3b8a0.exe"
  PID: 2104
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1972
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0bab0d5af3b012cf3819353d5ce3a03d53a20c9ff4d18a18f7767a1bd1c3b8a0.exe"
    PID: 4600
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 3380
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4780
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3920
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 3e0be8642d955b1ac4467a3bab4b7b9c
  SHA1: 1b2758cfb3503fc76b48c0f24513db28434dfd62
  SHA256: c11fe4078b117b2f37b7d1d705ea05bd97e71b15e0adf8e3fb4150d98675d017
  SHA512: 51d010ee2c37066867ae88f1c7a0542b27c8b25623e880840b8f7b11454433ad93a9fd50503a9f4b142602ea9080728bba339fde2efa95367d7fbd05a46401f8