Analysis
- max time kernel: 142s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 09:07
Static task: static1
Behavioral task: behavioral1
- Sample: 0ad72df95e504b19920a38b964f10a715ed9e5bc5d9179b7f2a0040a5baf9d34.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0ad72df95e504b19920a38b964f10a715ed9e5bc5d9179b7f2a0040a5baf9d34.exe
- Resource: win10v2004-en-20220113
General
- Target: 0ad72df95e504b19920a38b964f10a715ed9e5bc5d9179b7f2a0040a5baf9d34.exe
- Size: 35KB
- MD5: 733a3ce23eda3b281c986b9d6cb92f25
- SHA1: 755526034886b1c99431b169c71298131130fb02
- SHA256: 0ad72df95e504b19920a38b964f10a715ed9e5bc5d9179b7f2a0040a5baf9d34
- SHA512: 23d7da5ba150321bb14ca7ce48a5679d5a1993ccb49661c1b74e7c21fe5f7edfc80e522488c460606f0c3d5a2f696a2aa3074bc94875ca5fe3ff805583f501c9
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
Processes:
- PID 2356 MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- 0ad72df95e504b19920a38b964f10a715ed9e5bc5d9179b7f2a0040a5baf9d34.exe: Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- 0ad72df95e504b19920a38b964f10a715ed9e5bc5d9179b7f2a0040a5baf9d34.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Drops file in Windows directory (8 IoCs)
Processes: svchost.exe, TiWorker.exe
- File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
- File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
- File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
- File opened for modification C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
- File opened for modification C:\Windows\WinSxS\pending.xml (TiWorker.exe)
- File opened for modification C:\Windows\WindowsUpdate.log (svchost.exe)
- File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
- File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: svchost.exe, TiWorker.exe
- svchost.exe (PID 364): Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, adjusted alternately and repeatedly
- TiWorker.exe (PID 4496): Token: SeSecurityPrivilege, Token: SeRestorePrivilege and Token: SeBackupPrivilege, adjusted in a repeating cycle
- Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 0ad72df95e504b19920a38b964f10a715ed9e5bc5d9179b7f2a0040a5baf9d34.exe, cmd.exe
- PID 1176 (0ad72df95e504b19920a38b964f10a715ed9e5bc5d9179b7f2a0040a5baf9d34.exe) wrote to memory of PID 2356 (MediaCenter.exe), 3 times
- PID 1176 (0ad72df95e504b19920a38b964f10a715ed9e5bc5d9179b7f2a0040a5baf9d34.exe) wrote to memory of PID 3788 (cmd.exe), 3 times
- PID 3788 (cmd.exe) wrote to memory of PID 3740 (PING.EXE), 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\0ad72df95e504b19920a38b964f10a715ed9e5bc5d9179b7f2a0040a5baf9d34.exe (PID 1176)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ad72df95e504b19920a38b964f10a715ed9e5bc5d9179b7f2a0040a5baf9d34.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 2356)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 3788)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ad72df95e504b19920a38b964f10a715ed9e5bc5d9179b7f2a0040a5baf9d34.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 3740)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 364)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 4496)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: be15a3ce56a14c5176f4317fb597dc29
  SHA1: 109bbea35ddf3b4fd8c0c479a160477f253dd3f3
  SHA256: 6dd34b2f5607e266643129f100144493772aef9f1f72b18cad0ef434f282c137
  SHA512: 40eb024acf3dda229f5e7ee151209535069f3e8e8fd2107926c43ab997e374ee9ad853ff0886f4a4029fd7bd129f6866cc0b6075837f010f3fc41120b3a70b55
- memory/364-132-0x000002068FB60000-0x000002068FB70000-memory.dmp (filesize 64KB)
- memory/364-133-0x0000020690120000-0x0000020690130000-memory.dmp (filesize 64KB)
- memory/364-134-0x00000206927A0000-0x00000206927A4000-memory.dmp (filesize 16KB)