Analysis
- max time kernel: 145s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 09:16
Static task: static1

Behavioral task: behavioral1
- Sample: 0a8cbd0f1ea43fce67c368c5a7b5553b0df349af14ac859e249116d57d5f3c9d.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0a8cbd0f1ea43fce67c368c5a7b5553b0df349af14ac859e249116d57d5f3c9d.exe
- Resource: win10v2004-en-20220113
General
- Target: 0a8cbd0f1ea43fce67c368c5a7b5553b0df349af14ac859e249116d57d5f3c9d.exe
- Size: 58KB
- MD5: d9530c2cb7834456efde6bb8b67a7fb6
- SHA1: c162f37633ba06bedf2925eb584fa5f35b8cb905
- SHA256: 0a8cbd0f1ea43fce67c368c5a7b5553b0df349af14ac859e249116d57d5f3c9d
- SHA512: 424532ee1b662d6b84c0666cb7b280981b006041e3526065d2605716cce982be2644d0b4b2510971f387419198680aff1e069a07c6a1b8cef2ca51dfecc78dac
Malware Config
Signatures

- Executes dropped EXE (IoCs: 1)
  Processes: MediaCenter.exe
  pid | process
  4472 | MediaCenter.exe
- Checks computer location settings (TTPs: 2, IoCs: 1)
  Looks up country code configured in the registry, likely geofence.
  Processes: 0a8cbd0f1ea43fce67c368c5a7b5553b0df349af14ac859e249116d57d5f3c9d.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0a8cbd0f1ea43fce67c368c5a7b5553b0df349af14ac859e249116d57d5f3c9d.exe
- Adds Run key to start application (TTPs: 2, IoCs: 1)
  Processes: 0a8cbd0f1ea43fce67c368c5a7b5553b0df349af14ac859e249116d57d5f3c9d.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0a8cbd0f1ea43fce67c368c5a7b5553b0df349af14ac859e249116d57d5f3c9d.exe
- Drops file in Windows directory (IoCs: 8)
  Processes: svchost.exe, TiWorker.exe
  description | ioc | process
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
- Enumerates physical storage devices (TTPs: 1)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (TTPs: 1, IoCs: 1)
- Suspicious use of AdjustPrivilegeToken (IoCs: 64)
  Processes: svchost.exe, TiWorker.exe
  description | pid | process
  Token: SeShutdownPrivilege | 1272 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1272 | svchost.exe
  Token: SeShutdownPrivilege | 1272 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1272 | svchost.exe
  Token: SeShutdownPrivilege | 1272 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1272 | svchost.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
- Suspicious use of WriteProcessMemory (IoCs: 9)
  Processes: 0a8cbd0f1ea43fce67c368c5a7b5553b0df349af14ac859e249116d57d5f3c9d.exe, cmd.exe
  description | pid | process | target process
  PID 2760 wrote to memory of 4472 | 2760 | 0a8cbd0f1ea43fce67c368c5a7b5553b0df349af14ac859e249116d57d5f3c9d.exe | MediaCenter.exe
  PID 2760 wrote to memory of 4472 | 2760 | 0a8cbd0f1ea43fce67c368c5a7b5553b0df349af14ac859e249116d57d5f3c9d.exe | MediaCenter.exe
  PID 2760 wrote to memory of 4472 | 2760 | 0a8cbd0f1ea43fce67c368c5a7b5553b0df349af14ac859e249116d57d5f3c9d.exe | MediaCenter.exe
  PID 2760 wrote to memory of 648 | 2760 | 0a8cbd0f1ea43fce67c368c5a7b5553b0df349af14ac859e249116d57d5f3c9d.exe | cmd.exe
  PID 2760 wrote to memory of 648 | 2760 | 0a8cbd0f1ea43fce67c368c5a7b5553b0df349af14ac859e249116d57d5f3c9d.exe | cmd.exe
  PID 2760 wrote to memory of 648 | 2760 | 0a8cbd0f1ea43fce67c368c5a7b5553b0df349af14ac859e249116d57d5f3c9d.exe | cmd.exe
  PID 648 wrote to memory of 1208 | 648 | cmd.exe | PING.EXE
  PID 648 wrote to memory of 1208 | 648 | cmd.exe | PING.EXE
  PID 648 wrote to memory of 1208 | 648 | cmd.exe | PING.EXE
Processes

- C:\Users\Admin\AppData\Local\Temp\0a8cbd0f1ea43fce67c368c5a7b5553b0df349af14ac859e249116d57d5f3c9d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a8cbd0f1ea43fce67c368c5a7b5553b0df349af14ac859e249116d57d5f3c9d.exe"
  PID: 2760
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4472
    - Executes dropped EXE

  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a8cbd0f1ea43fce67c368c5a7b5553b0df349af14ac859e249116d57d5f3c9d.exe"
    PID: 648
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1208
      - Runs ping.exe

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 1272
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 2092
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 4868b8d3501a4815ec7b178073d31854
  SHA1: 4c7c700577f90dd9d3f52b6eeb32a3e1b61cfb3c
  SHA256: 77a1263e567a04babe18e3b292e24e37c8e0e7699b989e938fd8d8a30b412512
  SHA512: ee7fa89ce98515171eb31f737f4a96d5b8bfefe5f31b936eb9121580a4854027420bb555a5b6c9c581eda0373c18687ba29561c6f1a2bceda1be77ba02e4736d
- memory/1272-132-0x0000024899790000-0x00000248997A0000-memory.dmp
  Filesize: 64KB

- memory/1272-133-0x0000024899E20000-0x0000024899E30000-memory.dmp
  Filesize: 64KB

- memory/1272-134-0x000002489C510000-0x000002489C514000-memory.dmp
  Filesize: 16KB