Analysis
max time kernel: 155s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 09:10
Static task: static1
Behavioral task: behavioral1
  Sample: 0ac95f2ca3b6b103fbe51811f4be47eeda7e2306da6f37f567c23fcb93549c89.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0ac95f2ca3b6b103fbe51811f4be47eeda7e2306da6f37f567c23fcb93549c89.exe
  Resource: win10v2004-en-20220113
General
Target: 0ac95f2ca3b6b103fbe51811f4be47eeda7e2306da6f37f567c23fcb93549c89.exe
Size: 58KB
MD5: 008ffc0c3dc07c1e3415de7fdb6e4bd0
SHA1: c9448c669a3a8f1b2043e0454fb3fb5a90c42fc8
SHA256: 0ac95f2ca3b6b103fbe51811f4be47eeda7e2306da6f37f567c23fcb93549c89
SHA512: aa61d9b0d1dc1bb6466e89b325be41ad63e6776b5a8cd71ee95ce2b8830517b6723e00aa95be15187b824911f47706b9ec9f2b7c776aa379382e9f40ab10cf3e
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
Processes:
  PID 1432  MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry; this is typically a geofence check that decides whether the sample continues on the current host.
Processes:
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  (0ac95f2ca3b6b103fbe51811f4be47eeda7e2306da6f37f567c23fcb93549c89.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  (0ac95f2ca3b6b103fbe51811f4be47eeda7e2306da6f37f567c23fcb93549c89.exe)
Notes: the value lands under WOW6432Node, the HKLM view a 32-bit process sees on 64-bit Windows, so the sample is a 32-bit image (the cmd.exe it launches as C:\Windows\System32\cmd.exe resolving to C:\Windows\SysWOW64\cmd.exe in the process list is the same WOW64 redirection). The persistence target is the dropped MediaCenter.exe in a user-writable Temp directory, and the write needs write access to HKLM, which the analysis VM's Admin session provides. On a live host, check both HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and the WOW6432Node view for a MicroMedia value.
Drops file in Windows directory (8 IoCs)
Processes:
  File opened for modification  C:\Windows\WinSxS\pending.xml  (TiWorker.exe)
  File opened for modification  C:\Windows\WindowsUpdate.log  (svchost.exe)
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  (svchost.exe)
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  (svchost.exe)
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  (svchost.exe)
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  (svchost.exe)
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log  (svchost.exe)
  File opened for modification  C:\Windows\Logs\CBS\CBS.log  (TiWorker.exe)
Notes: all eight writes come from svchost.exe (wuauserv, PID 3708) and TiWorker.exe (PID 1980), which appear in the process list as separate top-level trees with no parent relation to the sample. This is Windows Update and component servicing activity in the analysis VM, not behaviour of the sample.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but no IoC is listed under this signature, so the report does not attribute it to a specific process.
-
Runs ping.exe (1 TTP, 1 IoC)
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (token adjustments grouped by process):
  PID 3708  svchost.exe  SeShutdownPrivilege, SeCreatePagefilePrivilege (three times each, alternating)
  PID 5072  0ac95f2ca3b6b103fbe51811f4be47eeda7e2306da6f37f567c23fcb93549c89.exe  SeIncBasePriorityPrivilege (once)
  PID 1980  TiWorker.exe  repeated cycles of SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege (all remaining entries)
Notes: the only token adjustment by the sample itself is SeIncBasePriorityPrivilege on PID 5072; the svchost.exe and TiWorker.exe entries belong to the Windows Update and servicing processes, not to the sample's process tree.
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  PID 5072 (0ac95f2ca3b6b103fbe51811f4be47eeda7e2306da6f37f567c23fcb93549c89.exe) wrote to memory of PID 1432 (MediaCenter.exe)  x3
  PID 5072 (0ac95f2ca3b6b103fbe51811f4be47eeda7e2306da6f37f567c23fcb93549c89.exe) wrote to memory of PID 1424 (cmd.exe)  x3
  PID 1424 (cmd.exe) wrote to memory of PID 4944 (PING.EXE)  x3
Notes: every target is a child the writer itself spawned, and each child gets the same three writes at creation time; no write into an unrelated process is recorded. That pattern is consistent with ordinary process creation rather than injection into a foreign process.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ac95f2ca3b6b103fbe51811f4be47eeda7e2306da6f37f567c23fcb93549c89.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0ac95f2ca3b6b103fbe51811f4be47eeda7e2306da6f37f567c23fcb93549c89.exe"
  PID: 5072
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1432
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ac95f2ca3b6b103fbe51811f4be47eeda7e2306da6f37f567c23fcb93549c89.exe"
      PID: 1424
      - Suspicious use of WriteProcessMemory
      (a common self-deletion idiom: the ping against loopback is only a short delay so the parent has exited before del removes the sample's own image)
        C:\Windows\SysWOW64\PING.EXE
          command line: ping 127.0.0.1
          PID: 4944
          - Runs ping.exe
-
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 3708
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 1980
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
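The three sample-attributable behaviours above (a registry geo lookup followed by a Run-key write, a Run-key target in a user-writable Temp directory under the WOW6432Node view, and the "ping 127.0.0.1 & del" self-delete launch) can be turned into triage rules. The following is an added example, not the sandbox's own signature logic: it runs the rules over an event stream constructed to mirror this report's IoCs. The event format, the field names and the assumed order of events (geo lookup before the Run-key write) are assumptions of the example, as is the benign wuauserv control event.

```python
"""Triage rules for the behaviours in this report, run over constructed
events that mirror its IoCs. The event format is an assumption of this
example, not sandbox output; the rules are added here and are not the
sandbox's own signature logic."""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0ac95f2ca3b6b103fbe51811f4be47eeda7e2306da6f37f567c23fcb93549c89.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
USER_SID = "S-1-5-21-1346565761-3498240568-4147300184-1000"

# Constructed event stream (assumed order: geo lookup, then persistence,
# then child processes; the report lists the IoCs but not their order).
EVENTS = [
    {"pid": 5072, "image": SAMPLE, "op": "RegQueryValue",
     "path": rf"\REGISTRY\USER\{USER_SID}\Control Panel\International\Geo\Nation"},
    {"pid": 5072, "image": SAMPLE, "op": "RegSetValue",
     "path": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "data": DROPPED},
    {"pid": 5072, "image": SAMPLE, "op": "CreateProcess", "child_pid": 1432,
     "cmdline": DROPPED},
    {"pid": 5072, "image": SAMPLE, "op": "CreateProcess", "child_pid": 1424,
     "cmdline": rf'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"pid": 1424, "image": r"C:\Windows\SysWOW64\cmd.exe", "op": "CreateProcess",
     "child_pid": 4944, "cmdline": "ping 127.0.0.1"},
    # Benign control taken from the same report: wuauserv writing its own log.
    {"pid": 3708, "image": r"C:\Windows\system32\svchost.exe", "op": "FileWrite",
     "path": r"C:\Windows\WindowsUpdate.log"},
]

RUN_KEY = re.compile(r"\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\(?:AppData\\(?:Local\\Temp|Roaming)|Users\\Public|ProgramData)\\", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
PING_THEN_DEL = re.compile(
    r"\bping(?:\.exe)?\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost)\b[^&]*&+\s*del\b", re.I)
DEL_TARGET = re.compile(r'\bdel\s+(?:/\w+\s+)*"?([^"]+?)"?\s*$', re.I)


def run_key_to_user_writable(events):
    """Run/RunOnce values whose target lives in a user-writable directory.
    Returns (pid, value path, target, wow64_view); wow64_view is True when the
    write landed in the WOW6432Node view, i.e. the writer is a 32-bit process."""
    hits = []
    for e in events:
        if e["op"] == "RegSetValue" and RUN_KEY.search(e["path"]):
            target = e.get("data", "")
            if USER_WRITABLE.search(target):
                hits.append((e["pid"], e["path"], target, "WOW6432Node" in e["path"]))
    return hits


def geofence_then_persist(events):
    """PIDs that read Geo\\Nation and afterwards write a Run key: the
    check-location-then-install sequence this report shows."""
    looked_up, flagged = set(), set()
    for e in events:
        if e["op"] == "RegQueryValue" and GEO_NATION.search(e["path"]):
            looked_up.add(e["pid"])
        elif e["op"] == "RegSetValue" and RUN_KEY.search(e["path"]) and e["pid"] in looked_up:
            flagged.add(e["pid"])
    return flagged


def self_delete_chains(events):
    """cmd.exe launches of the form 'ping 127.0.0.1 & del <file>'. Returns
    (parent pid, cmd pid, deletes_own_image); the ping is only a delay so the
    parent has exited before its image is removed."""
    image_of = {e["pid"]: e["image"] for e in events}
    hits = []
    for e in events:
        cmd = e.get("cmdline", "")
        if e["op"] != "CreateProcess" or not PING_THEN_DEL.search(cmd):
            continue
        m = DEL_TARGET.search(cmd)
        target = m.group(1) if m else ""
        hits.append((e["pid"], e["child_pid"],
                     target.lower() == image_of.get(e["pid"], "").lower()))
    return hits


def triage(events):
    """Collect all findings keyed by rule name."""
    return {
        "run_key_user_writable": run_key_to_user_writable(events),
        "geofence_then_persist": sorted(geofence_then_persist(events)),
        "self_delete": self_delete_chains(events),
    }


if __name__ == "__main__":
    for rule, findings in triage(EVENTS).items():
        print(rule, findings)
```

The rules key on the sequence and the relationships (same PID for lookup and persistence; del target equal to the launching process's own image) rather than on the hashes or the MicroMedia name, so they still fire on a rebuilt sample that changes its file names; the wuauserv control event is there to show that plain writes under C:\Windows do not trigger any of them.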
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: c842b0d1a5d2a9a5ff43bfb3b9a03a3d
  SHA1: d89b5f8aa2d858a4d5df0c6676837fcd33d4b5d8
  SHA256: b55b7336c296c475cc7e70b18a0122053805984175aed552bddfed087755a1ae
  SHA512: 091fd5aa5af105ed52f4bb3500331566ff693b4ff1278b923819a0ab19bbe367e2f951e0fe541f64a8511803493d13fc861d7538b2500373c400decfe0d8461b
-
memory/3708-132-0x000001B547330000-0x000001B547340000-memory.dmp
  Filesize: 64KB
-
memory/3708-133-0x000001B547390000-0x000001B5473A0000-memory.dmp
  Filesize: 64KB
-
memory/3708-134-0x000001B54A080000-0x000001B54A084000-memory.dmp
  Filesize: 16KB
Notes: all three memory dumps are from PID 3708 (svchost.exe, wuauserv); no dump of the sample (PID 5072) or of the dropped MediaCenter.exe (PID 1432) is listed.