Analysis
- max time kernel: 144s
- max time network: 173s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 10:08
Static task: static1
Behavioral task: behavioral1
- Sample: 0801b55ef0e87dafe962410122538d1133941949095c64839278be11e5150203.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0801b55ef0e87dafe962410122538d1133941949095c64839278be11e5150203.exe
- Resource: win10v2004-en-20220113
General
- Target: 0801b55ef0e87dafe962410122538d1133941949095c64839278be11e5150203.exe
- Size: 36KB
- MD5: 2ab62d4ee9cc0d442f9dc73a2471bc81
- SHA1: 19808d5626693f44f4bf049ecf1cf2cafdee3cc8
- SHA256: 0801b55ef0e87dafe962410122538d1133941949095c64839278be11e5150203
- SHA512: 11a37c052abecb741a253fc75e2006160307b388c8b15da1476615000c29de214a7845b72b7618d9abb63865163a4dccd403726b0b7ae03dcfdb4198ff3accce
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  PID 1880  MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  (0801b55ef0e87dafe962410122538d1133941949095c64839278be11e5150203.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  (0801b55ef0e87dafe962410122538d1133941949095c64839278be11e5150203.exe)
- Drops file in Windows directory (8 IoCs)
  Processes:
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log  (svchost.exe)
  File opened for modification: C:\Windows\Logs\CBS\CBS.log  (TiWorker.exe)
  File opened for modification: C:\Windows\WinSxS\pending.xml  (TiWorker.exe)
  File opened for modification: C:\Windows\WindowsUpdate.log  (svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (distinct token/PID/process combinations; the sandbox logged 64 entries in total, with the svchost.exe and TiWorker.exe privileges adjusted repeatedly):
  Token: SeIncBasePriorityPrivilege  PID 3332  0801b55ef0e87dafe962410122538d1133941949095c64839278be11e5150203.exe
  Token: SeShutdownPrivilege  PID 4476  svchost.exe
  Token: SeCreatePagefilePrivilege  PID 4476  svchost.exe
  Token: SeSecurityPrivilege  PID 3476  TiWorker.exe
  Token: SeRestorePrivilege  PID 3476  TiWorker.exe
  Token: SeBackupPrivilege  PID 3476  TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  PID 3332 (0801b55ef0e87dafe962410122538d1133941949095c64839278be11e5150203.exe) wrote to memory of PID 1880 (MediaCenter.exe)  x3
  PID 3332 (0801b55ef0e87dafe962410122538d1133941949095c64839278be11e5150203.exe) wrote to memory of PID 4224 (cmd.exe)  x3
  PID 4224 (cmd.exe) wrote to memory of PID 5052 (PING.EXE)  x3
Processes
- C:\Users\Admin\AppData\Local\Temp\0801b55ef0e87dafe962410122538d1133941949095c64839278be11e5150203.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0801b55ef0e87dafe962410122538d1133941949095c64839278be11e5150203.exe"
  PID: 3332
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1880
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0801b55ef0e87dafe962410122538d1133941949095c64839278be11e5150203.exe"
    PID: 4224
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 5052
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4476
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3476
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 23714f42520e4dd81228507e7c3c1919
  SHA1: 33545e3c66dbf18ec62ef10c4f141c29ff5fb854
  SHA256: a75a1d000c340a439320537afb4b3544585080e612aac9018b0f49b8d3bd7328
  SHA512: 8cbc73a1198946565745f9ce2adc6fd450d732fd5d1c6289fa8194bce709fbc460fc4083348e29f4da4713b48d4fb29b38b6ebb844fb8d9639b3756ade8d4316
- memory/4476-133-0x0000021039320000-0x0000021039330000-memory.dmp
  Filesize: 64KB
- memory/4476-132-0x0000021038D60000-0x0000021038D70000-memory.dmp
  Filesize: 64KB
- memory/4476-134-0x000002103B9D0000-0x000002103B9D4000-memory.dmp
  Filesize: 16KB