Analysis
- max time kernel: 145s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 09:09
Static task: static1
Behavioral task: behavioral1
- Sample: 0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe
- Resource: win10v2004-en-20220113
General
- Target: 0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe
- Size: 58KB
- MD5: f83736426c098b434998d717bb2ff9a1
- SHA1: e71e33ffdc1887c3c4bf658d0fe5792b82dcda9c
- SHA256: 0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc
- SHA512: 9e1ffdb1b9bc1a09b82c2c265c0b2c538ad0c3687922a93dedb4f278384e60e4bf0641b18b61226006ee3aaa21098741515598998187abd1651897709342c816
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  PID 4084: MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry (Geo\Nation), a lookup commonly used as a geofence check before the payload runs.
  Processes: 0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (by 0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (by 0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe)
  The WOW6432Node path shows a 32-bit process writing the machine-wide Run key through WOW64 registry redirection; the autorun target is the dropped MediaCenter.exe in the user's Temp directory, not a location an installer would normally use.
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
  File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  File opened for modification: C:\Windows\WindowsUpdate.log (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
  All eight writes come from the Windows Update service host (svchost.exe -k netsvcs -s wuauserv) and the servicing worker (TiWorker.exe), which run as separate top-level processes in the tree below; none of them is a child of the sample, so this signature is sandbox background activity rather than sample behaviour.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The report's stock description calls this likely ransomware behaviour, but no IoC row is attached to the signature and no file encryption or mass file modification appears anywhere in this report, so treat it as a weak heuristic here.
- Runs ping.exe (1 TTP, 1 IoC)
  PID 1700: ping 127.0.0.1, spawned by cmd.exe (PID 4648). The ping to localhost is used as a delay so that the following `del /q` removes the original sample file once it has exited, leaving only the dropped MediaCenter.exe copy on disk.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, TiWorker.exe
  svchost.exe (PID 4448), 6 entries: SeShutdownPrivilege and SeCreatePagefilePrivilege, each adjusted three times
  TiWorker.exe (PID 320), the remaining 58 entries: SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, adjusted repeatedly in rotation
  These are the privileges the update service and the servicing worker need for their own work (backup/restore/security for servicing, shutdown and pagefile for the update host); none of the entries belongs to the sample or to MediaCenter.exe.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe, cmd.exe
  PID 1264 (0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe) wrote to memory of PID 4084 (MediaCenter.exe), 3 times
  PID 1264 (0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe) wrote to memory of PID 4648 (cmd.exe), 3 times
  PID 4648 (cmd.exe) wrote to memory of PID 1700 (PING.EXE), 3 times
  Every target is a direct child of the writing process, which is consistent with the writes a parent makes into a newly created child at process start rather than with injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe (PID 1264, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 4084, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 4648, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe"
    (The command line names System32 but the image resolved to SysWOW64: the 32-bit parent's System32 reference is redirected by WOW64 file-system redirection.)
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1700, depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 4448, depth 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 320, depth 1)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
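Detection logic for the three behaviours in this report that are attributable to the sample itself (the Run value pointing into the user's Temp directory, the Geo\Nation registry read, and the `cmd /c ping 127.0.0.1 & del /q` delayed self-deletion), run over event rows shaped like the report's IoC tables. This is an added example and not part of the sandbox report or the sample: the EVENTS rows are constructed from the IoCs above, the `installer.exe`/`ExampleUpdater` row is a made-up benign control, the `parent_image` field is an assumed enrichment (the report's tree shows the sample as cmd.exe's parent), and the regular expressions are the author's own, not a sandbox rule set.

```python
r"""Added example (not from the sandbox report): flag the sample-specific
behaviours the report records from event rows shaped like its IoC tables.

Behaviours checked:
  1. A Run/RunOnce value whose target lives in a user-writable directory.
  2. A registry read of Control Panel\International\Geo\Nation (geofence).
  3. The "cmd /c ping <host> & del /q <file>" delayed-delete idiom, flagged
     as self-deletion when the deleted file is the parent's own image.
"""
import json
import re

# Constructed events shaped like the report's "Set value" / "Key value queried"
# rows and the process tree's command lines. The installer.exe/ExampleUpdater
# row and the parent_image field are made up for the demonstration.
EVENTS = [
    {"type": "registry",
     "process": "0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe",
     "detail": r"Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation"},
    {"type": "registry",
     "process": "0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe",
     "detail": r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"'},
    {"type": "registry",
     "process": "installer.exe",  # constructed benign control, not in the report
     "detail": r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater = "C:\\Program Files\\Example Vendor\\updater.exe"'},
    {"type": "process",
     "process": "cmd.exe",
     # assumed enrichment: the image of the process that spawned cmd.exe
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe",
     "detail": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe"'},
]

# Run/RunOnce value under the native or WOW6432Node view of HKLM/HKCU.
RUN_KEY_RE = re.compile(
    r'\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\'
    r'(?P<name>[^\s=\\]+)\s*=\s*"(?P<target>[^"]*)"',
    re.IGNORECASE)
# Locations an unprivileged user can write to; an autorun pointing here is a
# stronger signal than one under Program Files or Windows.
USER_WRITABLE_RE = re.compile(
    r'\\(?:AppData\\(?:Local|Roaming)|ProgramData|Users\\Public)\\', re.IGNORECASE)
# "ping <host>" used as a sleep, chained into del/erase of a quoted or bare path.
DELAYED_DELETE_RE = re.compile(
    r'/c\s+ping\b[^&|]*[&|]+\s*(?:del|erase)\b(?:\s+/[a-z]+)*\s+"?(?P<target>[^"]+?)"?\s*$',
    re.IGNORECASE)
GEO_NATION = r"\control panel\international\geo\nation"


def unescape(path):
    """Collapse the doubled backslashes the report uses inside string values."""
    return path.replace("\\\\", "\\")


def find_autorun_in_user_paths(events):
    """Run-key values whose target sits in a user-writable directory."""
    hits = []
    for ev in events:
        if ev["type"] != "registry":
            continue
        m = RUN_KEY_RE.search(ev["detail"])
        if m is None:
            continue
        target = unescape(m.group("target"))
        if USER_WRITABLE_RE.search(target):
            hits.append({"process": ev["process"], "value": m.group("name"),
                         "target": target})
    return hits


def find_delayed_delete(events):
    """ping-then-del command lines; self_delete when the file is the parent image."""
    hits = []
    for ev in events:
        if ev["type"] != "process":
            continue
        m = DELAYED_DELETE_RE.search(ev["detail"])
        if m is None:
            continue
        target = unescape(m.group("target"))
        parent = ev.get("parent_image", "")
        hits.append({"process": ev["process"], "deleted": target,
                     "self_delete": target.lower() == parent.lower()})
    return hits


def find_geofence_lookup(events):
    """Processes that read the configured country code from the registry."""
    return [ev["process"] for ev in events
            if ev["type"] == "registry" and GEO_NATION in ev["detail"].lower()]


def summarize(events):
    return {"autorun_from_user_path": find_autorun_in_user_paths(events),
            "delayed_delete": find_delayed_delete(events),
            "geofence_lookup": find_geofence_lookup(events)}


if __name__ == "__main__":
    print(json.dumps(summarize(EVENTS), indent=2))
```

Run against the constructed rows, the benign ExampleUpdater entry is ignored because its target is under Program Files, the MicroMedia value is flagged because it points into AppData\Local\Temp, and the cmd.exe line is reported as self-deletion because the deleted path equals the parent image. The svchost.exe and TiWorker.exe activity in the report would produce no hits, which is the point: these checks key on what the sample did, not on sandbox background noise.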
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 40d3aa709dde6a7235125a689881b736
  SHA1: cc8b87b790d425160edfd310f553daadc56675eb
  SHA256: 9cc8824b6cb2989e04e8d7fbf69de927a841048ba0437d69478ec4da2c6679da
  SHA512: e12e6055a3edb93729215e3933a8352e4f793dc1d9b0fb38230d0ae56335805e25ba5c89e584d6e60f3b884542b07bf204d15674b24f777beda157f6556a8cdc
  These hashes differ from the submitted sample's, so MediaCenter.exe is a distinct payload written by the dropper rather than a copy of it; it is the file the Run key persists.
- memory/4448-132-0x00000241A6790000-0x00000241A67A0000-memory.dmp (64KB)
- memory/4448-133-0x00000241A6E20000-0x00000241A6E30000-memory.dmp (64KB)
- memory/4448-134-0x00000241A9510000-0x00000241A9514000-memory.dmp (16KB)
  All three dumps were taken from PID 4448 (svchost.exe, wuauserv), not from the sample (PID 1264) or MediaCenter.exe (PID 4084), so they are of no use for analysing the payload.