Analysis
max time kernel: 150s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 09:13
Static task: static1
Behavioral task: behavioral1
  Sample: 0aba897a586722cdad3dbafdf770885ec563fd5a9485dd483a7895d3360fbe49.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0aba897a586722cdad3dbafdf770885ec563fd5a9485dd483a7895d3360fbe49.exe
  Resource: win10v2004-en-20220113
General
Target: 0aba897a586722cdad3dbafdf770885ec563fd5a9485dd483a7895d3360fbe49.exe
Size: 58KB
MD5: 2f93b7cfacbf63f22cd16068713d2d4a
SHA1: 39a6fea52817db08d95745704f2b2df716dbb30a
SHA256: 0aba897a586722cdad3dbafdf770885ec563fd5a9485dd483a7895d3360fbe49
SHA512: e3f599c87cf9ac5fd57e9bfb52f33f57bfda35807a3b90f8e59d2bdc38affd496f05ff15671c7b7f882a16b4e2a91733033bf5d860918da14c85abd83b139a5f
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  4652 | MediaCenter.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0aba897a586722cdad3dbafdf770885ec563fd5a9485dd483a7895d3360fbe49.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0aba897a586722cdad3dbafdf770885ec563fd5a9485dd483a7895d3360fbe49.exe

Drops file in Windows directory (8 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (identical rows collapsed, with the number of times each was recorded):
  description | pid | process | count
  Token: SeShutdownPrivilege | 1604 | svchost.exe | 3
  Token: SeCreatePagefilePrivilege | 1604 | svchost.exe | 3
  Token: SeBackupPrivilege | 4672 | TiWorker.exe | 20
  Token: SeRestorePrivilege | 4672 | TiWorker.exe | 19
  Token: SeSecurityPrivilege | 4672 | TiWorker.exe | 19
In the order recorded, svchost.exe alternated SeShutdownPrivilege and SeCreatePagefilePrivilege; TiWorker.exe then cycled through SeBackupPrivilege, SeRestorePrivilege and SeSecurityPrivilege.

Suspicious use of WriteProcessMemory (9 IoCs)
Processes (each row recorded 3 times):
  description | pid | process | target process
  PID 4832 wrote to memory of 4652 | 4832 | 0aba897a586722cdad3dbafdf770885ec563fd5a9485dd483a7895d3360fbe49.exe | MediaCenter.exe
  PID 4832 wrote to memory of 4980 | 4832 | 0aba897a586722cdad3dbafdf770885ec563fd5a9485dd483a7895d3360fbe49.exe | cmd.exe
  PID 4980 wrote to memory of 4068 | 4980 | cmd.exe | PING.EXE
Processes

Path: C:\Users\Admin\AppData\Local\Temp\0aba897a586722cdad3dbafdf770885ec563fd5a9485dd483a7895d3360fbe49.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0aba897a586722cdad3dbafdf770885ec563fd5a9485dd483a7895d3360fbe49.exe"
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID: 4832

  Path: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - Executes dropped EXE
  PID: 4652

  Path: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0aba897a586722cdad3dbafdf770885ec563fd5a9485dd483a7895d3360fbe49.exe"
  - Suspicious use of WriteProcessMemory
  PID: 4980

    Path: C:\Windows\SysWOW64\PING.EXE
    Command line: ping 127.0.0.1
    - Runs ping.exe
    PID: 4068

Path: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 1604

Path: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 4672
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: ad467b776079adaf3be40bba47055a0d
  SHA1: 7aaf551b867e14064761a3a5e004586a12f969b9
  SHA256: ce89cc50d12c04dd18517897c1e5981ebeeb7f47ef3d469564ff3df851424b19
  SHA512: 0c0b34611590ba1fea46595f785cec72a20bbbb4b257f802cca2b85ab891b2663a36666d8b0acc5da2d38ff8a29f9fd39f48ae0f31a202de12340775ab5b2dc1
memory/1604-132-0x000002611DB30000-0x000002611DB40000-memory.dmp
  Filesize: 64KB

memory/1604-133-0x000002611DB90000-0x000002611DBA0000-memory.dmp
  Filesize: 64KB

memory/1604-134-0x0000026120880000-0x0000026120884000-memory.dmp
  Filesize: 16KB