Analysis
- Max time kernel: 144s
- Max time network: 155s
- Platform: windows10-2004_x64
- Resource: win10v2004-en-20220113
- Submitted: 12-02-2022 08:32
- Static task: static1
- Behavioral task: behavioral1
  Sample: 0aeb9f9dc2406cfc6ad48ef574344339acadc9d57920a6c85459fe90307a0c28.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 0aeb9f9dc2406cfc6ad48ef574344339acadc9d57920a6c85459fe90307a0c28.exe
  Resource: win10v2004-en-20220113
General
- Target: 0aeb9f9dc2406cfc6ad48ef574344339acadc9d57920a6c85459fe90307a0c28.exe
- Size: 58KB
- MD5: ef571c00ef21d5357d1c47cba3149835
- SHA1: c53b7f0afcec3fefa7dff1296c685eae77032ac0
- SHA256: 0aeb9f9dc2406cfc6ad48ef574344339acadc9d57920a6c85459fe90307a0c28
- SHA512: a03ed80b229232a538206baa9fdbb1681fed0e1bc944412219520119dd3aac4e4afaa626d21e3068680f79803c44ad919370d66a2a6dbfa51f874a6c547ee5c5
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    PID 1804  MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  (0aeb9f9dc2406cfc6ad48ef574344339acadc9d57920a6c85459fe90307a0c28.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  (0aeb9f9dc2406cfc6ad48ef574344339acadc9d57920a6c85459fe90307a0c28.exe)
- Drops file in Windows directory (8 IoCs)
  Processes (all entries come from svchost.exe and TiWorker.exe, which are not children of the sample in the process tree below):
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  (svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  (svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  (svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log  (svchost.exe)
    File opened for modification: C:\Windows\Logs\CBS\CBS.log  (TiWorker.exe)
    File opened for modification: C:\Windows\WinSxS\pending.xml  (TiWorker.exe)
    File opened for modification: C:\Windows\WindowsUpdate.log  (svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  (svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (distinct token/process pairs; the report repeats these entries, 64 adjustments in total, and both processes are Windows Update/servicing components rather than children of the sample):
    Token: SeShutdownPrivilege  PID 2720  svchost.exe
    Token: SeCreatePagefilePrivilege  PID 2720  svchost.exe
    Token: SeSecurityPrivilege  PID 4712  TiWorker.exe
    Token: SeRestorePrivilege  PID 4712  TiWorker.exe
    Token: SeBackupPrivilege  PID 4712  TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    PID 4316 wrote to memory of 1804  (0aeb9f9dc2406cfc6ad48ef574344339acadc9d57920a6c85459fe90307a0c28.exe -> MediaCenter.exe)
    PID 4316 wrote to memory of 1804  (0aeb9f9dc2406cfc6ad48ef574344339acadc9d57920a6c85459fe90307a0c28.exe -> MediaCenter.exe)
    PID 4316 wrote to memory of 1804  (0aeb9f9dc2406cfc6ad48ef574344339acadc9d57920a6c85459fe90307a0c28.exe -> MediaCenter.exe)
    PID 4316 wrote to memory of 2016  (0aeb9f9dc2406cfc6ad48ef574344339acadc9d57920a6c85459fe90307a0c28.exe -> cmd.exe)
    PID 4316 wrote to memory of 2016  (0aeb9f9dc2406cfc6ad48ef574344339acadc9d57920a6c85459fe90307a0c28.exe -> cmd.exe)
    PID 4316 wrote to memory of 2016  (0aeb9f9dc2406cfc6ad48ef574344339acadc9d57920a6c85459fe90307a0c28.exe -> cmd.exe)
    PID 2016 wrote to memory of 2760  (cmd.exe -> PING.EXE)
    PID 2016 wrote to memory of 2760  (cmd.exe -> PING.EXE)
    PID 2016 wrote to memory of 2760  (cmd.exe -> PING.EXE)
Processes
- C:\Users\Admin\AppData\Local\Temp\0aeb9f9dc2406cfc6ad48ef574344339acadc9d57920a6c85459fe90307a0c28.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0aeb9f9dc2406cfc6ad48ef574344339acadc9d57920a6c85459fe90307a0c28.exe"
  PID: 4316
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1804
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0aeb9f9dc2406cfc6ad48ef574344339acadc9d57920a6c85459fe90307a0c28.exe"
    PID: 2016
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 2760
      Signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 2720
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 4712
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: b55e2caf5e25b23c60248d4faf414356
  SHA1: 61e4d0130935aac61b76d4cdb7761b07573b80b3
  SHA256: 3b06d353699a597909f6839090644dd52b6d4c304ca2e1744c8a999a80fe67db
  SHA512: eacfa46b7f5ef9fb72efe3fb5e04714986b8be771fa2c7ebfdddcd42675c1be446b838897aba2ba2c84c704df72bcffa29d7351ee2836ecdde765b833aceea33
- memory/2720-132-0x00000224D9590000-0x00000224D95A0000-memory.dmp  Filesize: 64KB
- memory/2720-133-0x00000224D9D60000-0x00000224D9D70000-memory.dmp  Filesize: 64KB
- memory/2720-134-0x00000224DC970000-0x00000224DC974000-memory.dmp  Filesize: 16KB