Analysis
  max time kernel:  130s
  max time network: 151s
  platform:         windows10-2004_x64
  resource:         win10v2004-en-20220113
  submitted:        12-02-2022 09:12

Static task: static1
Behavioral task: behavioral1
  Sample:   0abcb7beab9201ec7f5a3d1284ec8bb9ddea3508b4492eef5a4ad4d3d7b6c91a.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample:   0abcb7beab9201ec7f5a3d1284ec8bb9ddea3508b4492eef5a4ad4d3d7b6c91a.exe
  Resource: win10v2004-en-20220113
General
  Target: 0abcb7beab9201ec7f5a3d1284ec8bb9ddea3508b4492eef5a4ad4d3d7b6c91a.exe
  Size:   58KB
  MD5:    46f85d5d90fef1f1cb61f09c21cb1114
  SHA1:   b250af1a1048abd46b97b255c7c492223e8b42fe
  SHA256: 0abcb7beab9201ec7f5a3d1284ec8bb9ddea3508b4492eef5a4ad4d3d7b6c91a
  SHA512: 92a23641d45519281ee92f1fa4c972e4bc2354de6c3eb31b6e50b60106ad8ceb06990f57a6112109f85b80ef3539795c2efa3acb0ea3e4640df9b31a0a8fdaa1
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
  PID 376   MediaCenter.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  0abcb7beab9201ec7f5a3d1284ec8bb9ddea3508b4492eef5a4ad4d3d7b6c91a.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  0abcb7beab9201ec7f5a3d1284ec8bb9ddea3508b4492eef5a4ad4d3d7b6c91a.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
The value lands under WOW6432Node because the sample is a 32-bit process and registry redirection rewrites its HKLM\SOFTWARE\...\Run write; a host check that only reads the native 64-bit Run key will miss it. The persisted path is the dropped MediaCenter.exe in the user's Temp directory.
-
Drops file in Windows directory 8 IoCs
Processes:
  svchost.exe
    File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log
    File opened for modification C:\Windows\WindowsUpdate.log
    File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
    File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
    File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
    File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm
  TiWorker.exe
    File opened for modification C:\Windows\Logs\CBS\CBS.log
    File opened for modification C:\Windows\WinSxS\pending.xml
All eight writes come from the Windows Update service host (svchost.exe -k netsvcs -s wuauserv) and the servicing-stack worker TiWorker.exe, both of which run outside the sample's process tree; this is background update activity in the sandbox, not sample behaviour.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
No IoC is attached to this signature, and nothing else in the report (no mass file modification outside C:\Windows, no ransom note, no encrypted files) supports the ransomware reading; treat it as an unconfirmed heuristic and weight the signatures that carry IoCs instead.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  svchost.exe (PID 1852):  SeShutdownPrivilege, SeCreatePagefilePrivilege (the pair enabled three times)
  0abcb7beab9201ec7f5a3d1284ec8bb9ddea3508b4492eef5a4ad4d3d7b6c91a.exe (PID 4400):  SeIncBasePriorityPrivilege
  TiWorker.exe (PID 64):  SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege, cycled repeatedly for the remainder of the list
Only the single SeIncBasePriorityPrivilege adjustment belongs to the sample. The svchost.exe (wuauserv) and TiWorker.exe entries are Windows Update and servicing-stack activity outside the sample's process tree, and the backup/restore/security privileges they enable are the ones the servicing stack needs to replace system files.
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  source PID  source process                                                           target PID  target process
  4400        0abcb7beab9201ec7f5a3d1284ec8bb9ddea3508b4492eef5a4ad4d3d7b6c91a.exe    376         MediaCenter.exe   (3 writes)
  4400        0abcb7beab9201ec7f5a3d1284ec8bb9ddea3508b4492eef5a4ad4d3d7b6c91a.exe    4580        cmd.exe           (3 writes)
  4580        cmd.exe                                                                  1408        PING.EXE          (3 writes)
Each write targets a child the source has just spawned, mirroring the process tree exactly, and no process outside the tree is written to; these are the writes a parent makes into a new child during start-up, not injection into an unrelated process.
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\0abcb7beab9201ec7f5a3d1284ec8bb9ddea3508b4492eef5a4ad4d3d7b6c91a.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\0abcb7beab9201ec7f5a3d1284ec8bb9ddea3508b4492eef5a4ad4d3d7b6c91a.exe"
      PID 4400
      - Checks computer location settings
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
          command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
          PID 376
          - Executes dropped EXE
      [2] C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0abcb7beab9201ec7f5a3d1284ec8bb9ddea3508b4492eef5a4ad4d3d7b6c91a.exe"
          PID 4580
          - Suspicious use of WriteProcessMemory
          [3] C:\Windows\SysWOW64\PING.EXE
              command line: ping 127.0.0.1
              PID 1408
              - Runs ping.exe
  [1] C:\Windows\system32\svchost.exe
      command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
      PID 1852
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
  [1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
      command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
      PID 64
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
The chain under PID 4400 is the whole sample-attributable story: drop and start MediaCenter.exe, register it under Run, then hand off to cmd.exe, which uses ping 127.0.0.1 as a short delay before deleting the original sample file (a running image cannot unlink itself, so the deletion is delegated to a child shell that outlives it). The sample asked for C:\Windows\System32\cmd.exe but got the SysWOW64 copy, which is file-system redirection for a 32-bit caller. The two root-level svchost.exe (wuauserv) and TiWorker.exe entries are Windows Update and servicing activity unrelated to the sample.
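The process tree and the registry IoCs above describe the behaviours that are actually attributable to the sample: the Geo\Nation lookup, the Run value written under WOW6432Node pointing into the user's Temp directory, the dropped executable started from that directory, and the ping-then-del self-deletion delegated to cmd.exe. The script below is an added example, not part of the Triage report or of the sample's own code: it encodes those four behaviours as detection rules and runs them over a small set of Sysmon-style events constructed from this report's IoCs. The Event schema, the rule names, the SAMPLE_EVENTS list and the two benign lookalike events are all assumptions made for the example. It generalises slightly beyond the page: the self-delete rule also accepts an unquoted path and any del switches, and the Run rule covers both the native and the WOW6432Node view by ignoring the hive prefix.

```python
"""Detection rules for the sample-attributable behaviours in this report, run over
constructed Sysmon-style events. Added example; the event schema is an assumption."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    kind: str                           # "process" (creation) or "registry"
    pid: int
    image: str                          # image path of the acting process
    cmdline: str = ""                   # process events only
    parent_pid: Optional[int] = None
    parent_image: Optional[str] = None
    op: str = ""                        # registry events: "query" or "set"
    key: str = ""                       # registry path; value name appended for "set"
    data: str = ""                      # data written by a "set"


USER_WRITABLE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# "ping <host>" used as a sleep, then "del [/switches] <path>" as the final command
PING_THEN_DEL_RE = re.compile(
    r"\bping\b[^&]*&+\s*del\b(?:\s+/[a-z])*\s+\"?([^\"&]+?)\"?\s*$", re.I)


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def rule_run_key_persistence(ev: Event) -> Optional[str]:
    """Run/RunOnce value whose data points into a user-writable AppData path. The
    regex ignores the hive prefix, so a 32-bit writer redirected to WOW6432Node is
    caught alongside the native key."""
    if ev.kind != "registry" or ev.op != "set" or not RUN_KEY_RE.search(ev.key):
        return None
    if USER_WRITABLE_RE.match(_norm(ev.data)):
        return f"Run value {ev.key.rsplit(chr(92), 1)[-1]} -> {ev.data}"
    return None


def rule_self_delete(ev: Event) -> Optional[str]:
    """cmd.exe whose command line deletes its parent's own image after a ping delay:
    a running executable cannot unlink itself, so it delegates to a child shell."""
    if ev.kind != "process" or not ev.image.lower().endswith("\\cmd.exe"):
        return None
    m = PING_THEN_DEL_RE.search(ev.cmdline)
    if m and ev.parent_image and _norm(m.group(1)) == _norm(ev.parent_image):
        return f"deletes parent image (pid {ev.parent_pid}): {m.group(1)}"
    return None


def rule_geofence_lookup(ev: Event) -> Optional[str]:
    """Geo\\Nation read by a process running from a user-writable path. Weak alone:
    plenty of legitimate software reads the locale. Score it with the other hits."""
    if ev.kind != "registry" or ev.op != "query" or not GEO_NATION_RE.search(ev.key):
        return None
    return f"country lookup by {ev.image}" if USER_WRITABLE_RE.match(ev.image) else None


def rule_exec_from_user_path(ev: Event) -> Optional[str]:
    """Executable launched from a user-writable path by a parent that also runs from
    one (the dropped MediaCenter.exe pattern). Installers trip this too: weak alone."""
    if ev.kind != "process" or not ev.parent_image:
        return None
    if USER_WRITABLE_RE.match(ev.image) and USER_WRITABLE_RE.match(ev.parent_image):
        return f"{ev.image} started by {ev.parent_image}"
    return None


RULES = (rule_run_key_persistence, rule_self_delete,
         rule_geofence_lookup, rule_exec_from_user_path)


def analyze(events):
    """Map pid -> [(rule name, detail)] for every event that trips a rule."""
    hits = {}
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                hits.setdefault(ev.pid, []).append((rule.__name__, detail))
    return hits


# Constructed from the IoCs in this report; not sandbox output.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0abcb7beab9201ec7f5a3d1284ec8bb9ddea3508b4492eef5a4ad4d3d7b6c91a.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
SID = "S-1-5-21-1346565761-3498240568-4147300184-1000"
SAMPLE_EVENTS = [
    Event("registry", 4400, SAMPLE, op="query",
          key="HKU\\" + SID + r"\Control Panel\International\Geo\Nation"),
    Event("registry", 4400, SAMPLE, op="set",
          key=r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
          data=DROPPED),
    Event("process", 376, DROPPED, cmdline=DROPPED, parent_pid=4400, parent_image=SAMPLE),
    Event("process", 4580, r"C:\Windows\SysWOW64\cmd.exe",
          cmdline=f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"',
          parent_pid=4400, parent_image=SAMPLE),
    # Benign lookalikes (constructed): a system process reading the locale, and an
    # installer under Program Files registering its own Run value.
    Event("registry", 1852, r"C:\Windows\System32\svchost.exe", op="query",
          key=r"HKU\S-1-5-18\Control Panel\International\Geo\Nation"),
    Event("registry", 7001, r"C:\Program Files\Vendor\setup.exe", op="set",
          key=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
          data=r"C:\Program Files\Vendor\tray.exe"),
]

if __name__ == "__main__":
    for pid, findings in sorted(analyze(SAMPLE_EVENTS).items()):
        for name, detail in findings:
            print(f"pid {pid:5d}  {name:26s} {detail}")
```

Run stand-alone it prints one line per hit: two for PID 4400 (the lookup and the Run value), one for PID 376 (started from Temp by a Temp-resident parent) and one for PID 4580 (the self-delete), while the svchost.exe locale read and the Program Files installer produce nothing. The two weak rules are kept separate rather than folded into a score so that an analyst can see which signal fired; in practice the Run value into Temp and the self-delete are the two that justify escalation on their own.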
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5:    6b330ff651ad0dbf883c56c931340729
  SHA1:   0e8ac2dccbd762d31c2fffcf0602abeac8af8468
  SHA256: d4e8127bc30e7ba0cccf6407676960df12f18ffb28060ad132f8ad8c98226181
  SHA512: d44dd7183854a69f337353a19b3541d6ac27d8d5bf172eb343f8774e0754b2d280f22f85ea4706bf27bec3a09fab198a5ea049272694b2991a2d7fbfcde36df9
memory/1852-132-0x0000019614560000-0x0000019614570000-memory.dmp   Filesize 64KB
memory/1852-133-0x0000019614B20000-0x0000019614B30000-memory.dmp   Filesize 64KB
memory/1852-134-0x00000196171D0000-0x00000196171D4000-memory.dmp   Filesize 16KB
All three dumps were taken from svchost.exe (PID 1852, the Windows Update service host); the report contains no memory dump of the sample (PID 4400) or of the dropped MediaCenter.exe (PID 376), so the dropped file's hashes above are the only artefact of the payload available here.