Analysis
max time kernel: 148s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 09:23
Static task: static1
Behavioral task: behavioral1
  Sample: 0a3eebf764bea9844c9eda82135c4de1c454ac6a8bea628661bf8e70d7f92436.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0a3eebf764bea9844c9eda82135c4de1c454ac6a8bea628661bf8e70d7f92436.exe
  Resource: win10v2004-en-20220113
General
Target: 0a3eebf764bea9844c9eda82135c4de1c454ac6a8bea628661bf8e70d7f92436.exe
Size: 35KB
MD5: 7847001149caf7233e7c17fcdc0be46e
SHA1: 14722e852cbe2296e74bf97225a20aa92514b21a
SHA256: 0a3eebf764bea9844c9eda82135c4de1c454ac6a8bea628661bf8e70d7f92436
SHA512: b1ee93b863203b7345a4db29ef033285403a6e725d2c1d7cbd91f221284cb82f4df8a0aaf9b3c80b023ce88a3fa3eaa3d6e8c0e0d12d94e8b5475544bb8511d4
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 408)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  Process: 0a3eebf764bea9844c9eda82135c4de1c454ac6a8bea628661bf8e70d7f92436.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Process: 0a3eebf764bea9844c9eda82135c4de1c454ac6a8bea628661bf8e70d7f92436.exe
The autorun target is the dropped copy in the user's Temp directory, and the value is machine-wide (HKLM). It lands under WOW6432Node because the sample is a 32-bit process on 64-bit Windows, which also explains the SysWOW64 paths of its children in the process tree below.
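The two registry IoCs above (the Geo\Nation query and the Run-key write) are the kind of lines an analyst pulls out of many such reports. The script below is an added example, not part of the sandbox report: it parses both IoC lines exactly as the report prints them, tags the geofence lookup, and for the autorun value extracts the target executable, the hive scope, the WOW64 redirection and whether the target sits in a user-writable directory. The lists of autorun keys and user-writable directories are the author's own heuristics, not something the report states.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed copies of the two registry IoC lines from the report's Signatures section.
# String data keeps the doubled backslashes the sandbox emits.
SAMPLE = "0a3eebf764bea9844c9eda82135c4de1c454ac6a8bea628661bf8e70d7f92436.exe"
REPORT_LINES = [
    r"Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000"
    r"\Control Panel\International\Geo\Nation " + SAMPLE,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia'
    r' = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" ' + SAMPLE,
]

# Heuristic lists (assumptions of this example, not from the report).
AUTORUN_KEYS = ("\\microsoft\\windows\\currentversion\\run",
                "\\microsoft\\windows\\currentversion\\runonce")
GEO_KEY = "\\control panel\\international\\geo\\nation"
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")

QUERY_RE = re.compile(r"^Key value queried (\\REGISTRY\\.+?) (\S+)$")
SET_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')


@dataclass
class RegistryIoc:
    op: str                    # "query" or "set"
    key: str                   # native key path; for "set" the value name is the last component
    data: Optional[str]        # written data for "set", None for "query"
    process: str               # process that performed the access
    exe: Optional[str] = None  # executable an autorun value points at, filled by classify()
    tags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[RegistryIoc]:
    m = QUERY_RE.match(line)
    if m:
        return RegistryIoc("query", m.group(1), None, m.group(2))
    m = SET_RE.match(line)
    if m:
        # The sandbox escapes backslashes inside string data; undo that.
        return RegistryIoc("set", m.group(2), m.group(3).replace("\\\\", "\\"), m.group(4))
    return None


def _exe_from_command(cmd: str) -> str:
    """Extract the executable path from an autorun command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.(?:exe|dll|scr|bat|cmd|vbs|js|ps1))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def classify(ioc: RegistryIoc) -> RegistryIoc:
    key = ioc.key.lower()
    if ioc.op == "query" and key.endswith(GEO_KEY):
        ioc.tags.append("geofence: reads the configured country (Geo\\Nation)")
    if ioc.op == "set":
        parent, _, name = ioc.key.rpartition("\\")
        parent_l = parent.lower()
        if any(parent_l.endswith(k) for k in AUTORUN_KEYS):
            scope = "HKLM (all users)" if key.startswith("\\registry\\machine") else "HKU (one user)"
            ioc.tags.append(f"persistence: autorun value '{name}' under {scope}")
            if "\\wow6432node\\" in parent_l:
                ioc.tags.append("WOW64-redirected write (32-bit process on 64-bit Windows)")
            ioc.exe = _exe_from_command(ioc.data or "")
            if any(w in ioc.exe.lower() for w in USER_WRITABLE):
                ioc.tags.append("autorun target is in a user-writable directory")
    return ioc


def triage(lines) -> List[RegistryIoc]:
    """Parse and classify every recognised registry IoC line; unknown lines are skipped."""
    return [classify(ioc) for ioc in map(parse_line, lines) if ioc]


if __name__ == "__main__":
    for ioc in triage(REPORT_LINES):
        print(ioc.op, ioc.key, ioc.exe or "", "; ".join(ioc.tags))
```

On a live host the same checks translate to reading HKLM\SOFTWARE\WOW6432Node\...\Run and hashing whatever the MicroMedia value points at; here the point is that the report line alone already tells you the scope (HKLM), the bitness (WOW6432Node) and that the persistence target is user-writable.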
Drops file in Windows directory (8 IoCs)
All eight entries belong to TiWorker.exe (PID 5076) and svchost.exe (PID 400, the wuauserv host), i.e. Windows Update servicing that was running in the sandbox, not to the sample or its children.
  File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  File opened for modification: C:\Windows\WindowsUpdate.log (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
  File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. This is the signature's generic description; the report records no IoCs for it, so it should not be read as evidence of encryption activity on its own.

Runs ping.exe (1 TTP, 1 IoC)
  Process: PING.EXE (PID 760), spawned by cmd.exe (PID 5036) as a delay before the sample deletes itself (see the process tree).
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  svchost.exe (PID 400): SeShutdownPrivilege x3, SeCreatePagefilePrivilege x3
  TiWorker.exe (PID 5076): SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, cycled repeatedly (57 entries)
  0a3eebf764bea9844c9eda82135c4de1c454ac6a8bea628661bf8e70d7f92436.exe (PID 832): SeIncBasePriorityPrivilege x1
The only token adjustment made by the sample is SeIncBasePriorityPrivilege; everything else comes from the Windows Update servicing processes (svchost.exe wuauserv and TiWorker.exe) and is background activity of the analysis VM.
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 832 (0a3eebf764bea9844c9eda82135c4de1c454ac6a8bea628661bf8e70d7f92436.exe) wrote to memory of PID 408 (MediaCenter.exe) x3
  PID 832 (0a3eebf764bea9844c9eda82135c4de1c454ac6a8bea628661bf8e70d7f92436.exe) wrote to memory of PID 5036 (cmd.exe) x3
  PID 5036 (cmd.exe) wrote to memory of PID 760 (PING.EXE) x3
Every target is a child the writing process itself spawned (see the process tree), which is consistent with ordinary process creation rather than injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\0a3eebf764bea9844c9eda82135c4de1c454ac6a8bea628661bf8e70d7f92436.exe (PID 832)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a3eebf764bea9844c9eda82135c4de1c454ac6a8bea628661bf8e70d7f92436.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 408)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 5036)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a3eebf764bea9844c9eda82135c4de1c454ac6a8bea628661bf8e70d7f92436.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 760)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 400)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 5076)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

The cmd.exe child is the sample's self-deletion: ping 127.0.0.1 burns a few seconds so the parent can exit and release its image, then del /q removes the original executable. The persistent copy, MediaCenter.exe in the user's Temp directory, survives and is what the Run key launches. Note that the command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe: WOW64 file-system redirection for a 32-bit parent, matching the WOW6432Node Run key. The svchost.exe (wuauserv) and TiWorker.exe roots are Windows Update processes of the analysis VM, not children of the sample.
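The process tree above shows the classic "ping loopback, then del the parent" self-removal. As an added example (not part of the sandbox report), the script below rebuilds the tree from process-creation events reconstructed from this report and flags any cmd.exe child whose /c payload deletes its own parent's image, recording the delay primitive used. The events are constructed from the PIDs, images and command lines shown on the page; parent PIDs of the three top-level processes are not in the report and are left unset.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0a3eebf764bea9844c9eda82135c4de1c454ac6a8bea628661bf8e70d7f92436.exe"
TIWORKER = (r"C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35"
            r"_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe")


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None where the report does not show a parent
    image: str            # image path that actually ran
    cmdline: str          # command line as recorded


# Constructed from the report's process tree.
EVENTS = [
    Proc(832, None, SAMPLE, f'"{SAMPLE}"'),
    Proc(408, 832, r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
         r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"),
    Proc(5036, 832, r"C:\Windows\SysWOW64\cmd.exe",
         f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    Proc(760, 5036, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    Proc(400, None, r"C:\Windows\system32\svchost.exe",
         r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"),
    Proc(5076, None, TIWORKER, TIWORKER + " -Embedding"),
]

DELAY_CMDS = {"ping", "timeout", "choice", "sleep"}   # common cmd.exe delay primitives
DELETE_CMDS = {"del", "erase"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _split_segments(cmdline: str) -> List[str]:
    """Return the commands of a cmd.exe /c or /k payload, split on &, &&, | and || outside quotes."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s+/[ck]\s+(.*)$', cmdline, re.I | re.S)
    if not m:
        return []
    payload, segs, cur, in_quote, i = m.group(1), [], [], False, 0
    while i < len(payload):
        ch = payload[i]
        if ch == '"':
            in_quote = not in_quote
        if not in_quote and ch in "&|":
            segs.append("".join(cur).strip())
            cur = []
            i += 2 if payload[i:i + 2] in ("&&", "||") else 1
            continue
        cur.append(ch)
        i += 1
    segs.append("".join(cur).strip())
    return [s for s in segs if s]


def _tokens(segment: str) -> List[str]:
    """Tokenise one command; a quoted string becomes a single token without its quotes."""
    return [t[1:-1] if t.startswith('"') else t for t in re.findall(r'"[^"]*"|\S+', segment)]


def find_self_deletes(events: List[Proc]) -> List[Dict]:
    """Flag cmd.exe children whose payload deletes the image of their own parent."""
    by_pid = {p.pid: p for p in events}
    findings = []
    for p in events:
        if _basename(p.image) != "cmd.exe" or p.ppid not in by_pid:
            continue
        parent = by_pid[p.ppid]
        delays, targets = [], []
        for seg in _split_segments(p.cmdline):
            toks = _tokens(seg)
            if not toks:
                continue
            verb = toks[0].lower()
            if verb in DELAY_CMDS:
                delays.append(seg)
            elif verb in DELETE_CMDS:
                targets += [t for t in toks[1:] if not t.startswith("/")]  # skip switches like /q
        for t in targets:
            if t.lower() == parent.image.lower():
                findings.append({"cmd_pid": p.pid, "parent_pid": parent.pid,
                                 "target": t, "delay": delays[0] if delays else None})
    return findings


def render_tree(events: List[Proc]) -> List[str]:
    """Indented one-line-per-process view, roots first; orphans are treated as roots."""
    known = {p.pid for p in events}
    children = defaultdict(list)
    for p in events:
        children[p.ppid if p.ppid in known else None].append(p)
    lines: List[str] = []

    def walk(pid, depth):
        for c in sorted(children[pid], key=lambda q: q.pid):
            lines.append("  " * depth + f"[{c.pid}] {c.cmdline}")
            walk(c.pid, depth + 1)

    walk(None, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS)))
    for f in find_self_deletes(EVENTS):
        print(f"self-delete: cmd PID {f['cmd_pid']} removes parent PID {f['parent_pid']} "
              f"image after '{f['delay']}'")
```

The match is on the full image path of the parent, so a cmd.exe that deletes some other file is not flagged; the delay segment is reported separately because ping, timeout and choice are all used for the same purpose and a rule keyed only on "ping 127.0.0.1" would miss the variants.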
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: f1141f743ee514d864115d1070d95e50
  SHA1: a456208c2e57505ad5b45ac95cba6508c1b85415
  SHA256: 8c50879cdc1064a9321d79375f897c572bcc2c0eb5a2e9e723f545b40fea7bcd
  SHA512: b3c32e177c87b4b8df4559c8a3ca5abe790295d575e24af027a2acb97867bf0ed1fe26f75fb37aed71773c263adfaff817f03e0026f5cd1aa527b2b5babfbb5d
The dropped file's hashes differ from the submitted sample's, so MediaCenter.exe is not a byte-for-byte copy of the parent; both hashes belong on any blocklist derived from this report.
memory/400-132-0x0000024C2C390000-0x0000024C2C3A0000-memory.dmp  Filesize: 64KB
memory/400-133-0x0000024C2CA20000-0x0000024C2CA30000-memory.dmp  Filesize: 64KB
memory/400-134-0x0000024C2F110000-0x0000024C2F114000-memory.dmp  Filesize: 16KB
All three dumps are regions of PID 400 (svchost.exe, wuauserv); no memory dumps of the sample (PID 832) or of MediaCenter.exe (PID 408) are listed.