Analysis
  max time kernel:  145s
  max time network: 152s
  platform:         windows10-2004_x64
  resource:         win10v2004-en-20220113
  submitted:        12-02-2022 09:17

Static task: static1

Behavioral task: behavioral1
  Sample:   0a89369964a57668452c296ba89eacca95f3f629bf766cc1bf077536e138790e.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample:   0a89369964a57668452c296ba89eacca95f3f629bf766cc1bf077536e138790e.exe
  Resource: win10v2004-en-20220113
General
  Target: 0a89369964a57668452c296ba89eacca95f3f629bf766cc1bf077536e138790e.exe
  Size:   36KB
  MD5:    08817fc7b360a66e5365bf1bbbf6cc6b
  SHA1:   31b79a0f148e4742b7cfadd81b54d0e3619b857d
  SHA256: 0a89369964a57668452c296ba89eacca95f3f629bf766cc1bf077536e138790e
  SHA512: 0a8c8beceb88ba590789f92ec3d33892e2a10841adb06c85782a3c2fb6be295f3a54e4e8172af721811a2dab001dbf7a3a924e3c42f2c2aacb9f152177027409
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
Processes: MediaCenter.exe
  pid   process
  2468  MediaCenter.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 0a89369964a57668452c296ba89eacca95f3f629bf766cc1bf077536e138790e.exe
  description        ioc                                                                                                     process
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation    0a89369964a57668452c296ba89eacca95f3f629bf766cc1bf077536e138790e.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: 0a89369964a57668452c296ba89eacca95f3f629bf766cc1bf077536e138790e.exe
  description      ioc                                                                                                                                                                        process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"    0a89369964a57668452c296ba89eacca95f3f629bf766cc1bf077536e138790e.exe

Drops file in Windows directory (8 IoCs)
Processes: svchost.exe, TiWorker.exe
  description                    ioc                                                          process
  File opened for modification   C:\Windows\SoftwareDistribution\ReportingEvents.log          svchost.exe
  File opened for modification   C:\Windows\Logs\CBS\CBS.log                                  TiWorker.exe
  File opened for modification   C:\Windows\WinSxS\pending.xml                                TiWorker.exe
  File opened for modification   C:\Windows\WindowsUpdate.log                                 svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk       svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log       svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.edb      svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm      svchost.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: svchost.exe, TiWorker.exe
  description                        pid   process
  Token: SeShutdownPrivilege         1948  svchost.exe
  Token: SeCreatePagefilePrivilege   1948  svchost.exe
  Token: SeShutdownPrivilege         1948  svchost.exe
  Token: SeCreatePagefilePrivilege   1948  svchost.exe
  Token: SeShutdownPrivilege         1948  svchost.exe
  Token: SeCreatePagefilePrivilege   1948  svchost.exe
  Token: SeSecurityPrivilege         3176  TiWorker.exe
  Token: SeRestorePrivilege          3176  TiWorker.exe
  Token: SeBackupPrivilege           3176  TiWorker.exe
  Token: SeBackupPrivilege           3176  TiWorker.exe
  Token: SeRestorePrivilege          3176  TiWorker.exe
  Token: SeSecurityPrivilege         3176  TiWorker.exe
  Token: SeBackupPrivilege           3176  TiWorker.exe
  Token: SeRestorePrivilege          3176  TiWorker.exe
  Token: SeSecurityPrivilege         3176  TiWorker.exe
  Token: SeBackupPrivilege           3176  TiWorker.exe
  Token: SeRestorePrivilege          3176  TiWorker.exe
  Token: SeSecurityPrivilege         3176  TiWorker.exe
  Token: SeBackupPrivilege           3176  TiWorker.exe
  Token: SeRestorePrivilege          3176  TiWorker.exe
  Token: SeSecurityPrivilege         3176  TiWorker.exe
  Token: SeBackupPrivilege           3176  TiWorker.exe
  Token: SeRestorePrivilege          3176  TiWorker.exe
  Token: SeSecurityPrivilege         3176  TiWorker.exe
  Token: SeBackupPrivilege           3176  TiWorker.exe
  Token: SeRestorePrivilege          3176  TiWorker.exe
  Token: SeSecurityPrivilege         3176  TiWorker.exe
  Token: SeBackupPrivilege           3176  TiWorker.exe
  Token: SeRestorePrivilege          3176  TiWorker.exe
  Token: SeSecurityPrivilege         3176  TiWorker.exe
  Token: SeBackupPrivilege           3176  TiWorker.exe
  Token: SeRestorePrivilege          3176  TiWorker.exe
  Token: SeSecurityPrivilege         3176  TiWorker.exe
  Token: SeBackupPrivilege           3176  TiWorker.exe
  Token: SeRestorePrivilege          3176  TiWorker.exe
  Token: SeSecurityPrivilege         3176  TiWorker.exe
  Token: SeBackupPrivilege           3176  TiWorker.exe
  Token: SeRestorePrivilege          3176  TiWorker.exe
  Token: SeSecurityPrivilege         3176  TiWorker.exe
  Token: SeBackupPrivilege           3176  TiWorker.exe
  Token: SeRestorePrivilege          3176  TiWorker.exe
  Token: SeSecurityPrivilege         3176  TiWorker.exe
  Token: SeBackupPrivilege           3176  TiWorker.exe
  Token: SeRestorePrivilege          3176  TiWorker.exe
  Token: SeSecurityPrivilege         3176  TiWorker.exe
  Token: SeBackupPrivilege           3176  TiWorker.exe
  Token: SeRestorePrivilege          3176  TiWorker.exe
  Token: SeSecurityPrivilege         3176  TiWorker.exe
  Token: SeBackupPrivilege           3176  TiWorker.exe
  Token: SeRestorePrivilege          3176  TiWorker.exe
  Token: SeSecurityPrivilege         3176  TiWorker.exe
  Token: SeBackupPrivilege           3176  TiWorker.exe
  Token: SeRestorePrivilege          3176  TiWorker.exe
  Token: SeSecurityPrivilege         3176  TiWorker.exe
  Token: SeBackupPrivilege           3176  TiWorker.exe
  Token: SeRestorePrivilege          3176  TiWorker.exe
  Token: SeSecurityPrivilege         3176  TiWorker.exe
  Token: SeBackupPrivilege           3176  TiWorker.exe
  Token: SeRestorePrivilege          3176  TiWorker.exe
  Token: SeSecurityPrivilege         3176  TiWorker.exe
  Token: SeBackupPrivilege           3176  TiWorker.exe
  Token: SeRestorePrivilege          3176  TiWorker.exe
  Token: SeSecurityPrivilege         3176  TiWorker.exe
  Token: SeBackupPrivilege           3176  TiWorker.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 0a89369964a57668452c296ba89eacca95f3f629bf766cc1bf077536e138790e.exe, cmd.exe
  description                      pid   process                                                                 target process
  PID 3208 wrote to memory of 2468 3208  0a89369964a57668452c296ba89eacca95f3f629bf766cc1bf077536e138790e.exe   MediaCenter.exe
  PID 3208 wrote to memory of 2468 3208  0a89369964a57668452c296ba89eacca95f3f629bf766cc1bf077536e138790e.exe   MediaCenter.exe
  PID 3208 wrote to memory of 2468 3208  0a89369964a57668452c296ba89eacca95f3f629bf766cc1bf077536e138790e.exe   MediaCenter.exe
  PID 3208 wrote to memory of 1356 3208  0a89369964a57668452c296ba89eacca95f3f629bf766cc1bf077536e138790e.exe   cmd.exe
  PID 3208 wrote to memory of 1356 3208  0a89369964a57668452c296ba89eacca95f3f629bf766cc1bf077536e138790e.exe   cmd.exe
  PID 3208 wrote to memory of 1356 3208  0a89369964a57668452c296ba89eacca95f3f629bf766cc1bf077536e138790e.exe   cmd.exe
  PID 1356 wrote to memory of 1984 1356  cmd.exe                                                                 PING.EXE
  PID 1356 wrote to memory of 1984 1356  cmd.exe                                                                 PING.EXE
  PID 1356 wrote to memory of 1984 1356  cmd.exe                                                                 PING.EXE
Processes

[1] C:\Users\Admin\AppData\Local\Temp\0a89369964a57668452c296ba89eacca95f3f629bf766cc1bf077536e138790e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0a89369964a57668452c296ba89eacca95f3f629bf766cc1bf077536e138790e.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 3208

    [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        - Executes dropped EXE
        PID: 2468

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a89369964a57668452c296ba89eacca95f3f629bf766cc1bf077536e138790e.exe"
        - Suspicious use of WriteProcessMemory
        PID: 1356

        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            - Runs ping.exe
            PID: 1984

[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID: 1948

[1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID: 3176
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5:    ee04d19619e684eaaf24132a5c61b69a
  SHA1:   86103ba36a57da2c866ce74fd9a9ffa9c1db88a7
  SHA256: d6e8f30cab954c2788bdc69ea42c83154e4ff6a3d0b9724c3e64f73c325307d6
  SHA512: 4459cb66437dd2380ad2b2983e8a1839c91996c2d0a993e88caf65b3f211c56a121627b5c773763573fc622532371a1693689ccf2844e72f7812a4d8f70d85e3

memory/1948-132-0x00000193E0DA0000-0x00000193E0DB0000-memory.dmp
  Filesize: 64KB

memory/1948-133-0x00000193E1420000-0x00000193E1430000-memory.dmp
  Filesize: 64KB

memory/1948-134-0x00000193E3B20000-0x00000193E3B24000-memory.dmp
  Filesize: 16KB