Analysis
- max time kernel: 156s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 09:25

Static task: static1
Behavioral task: behavioral1
- Sample: 0a1ccae7a9acde4fa56a706e555b8c8c64b5b28ce1e8c74d59b494800ae9c11e.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0a1ccae7a9acde4fa56a706e555b8c8c64b5b28ce1e8c74d59b494800ae9c11e.exe
- Resource: win10v2004-en-20220113

The platform and resource above match behavioral2, so the signatures, process tree and downloads on this page are from the Windows 10 2004 x64 run; the Windows 7 run (behavioral1) is not shown here.

General
- Target: 0a1ccae7a9acde4fa56a706e555b8c8c64b5b28ce1e8c74d59b494800ae9c11e.exe
- Size: 36KB
- MD5: 771cd073c4cefde5e8941c5465798f90
- SHA1: c87cd7de4228958b56a8aef630868cf91f562bc2
- SHA256: 0a1ccae7a9acde4fa56a706e555b8c8c64b5b28ce1e8c74d59b494800ae9c11e
- SHA512: 96b36ccdf76432e3a41187b4510ca6006463979df2b09cdee7c6ec9edaddd2edad823b1bf368bd7d1ca4c3a59a9139e1b86c670d55a44bac820918ff0fd1a90e
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 4180)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried by 0a1ccae7a9acde4fa56a706e555b8c8c64b5b28ce1e8c74d59b494800ae9c11e.exe:
  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  This is a registry read, so it will not show up in Sysmon registry events (IDs 12, 13 and 14 cover key create/delete, value set and rename); it is only visible in API-level tracing such as this sandbox. The report does not record which country code was returned or what the sample did with it, so the geofence itself is an inference.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by 0a1ccae7a9acde4fa56a706e555b8c8c64b5b28ce1e8c74d59b494800ae9c11e.exe:
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The WOW6432Node path means the write was redirected: a 32-bit process on x64 writing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lands in the 32-bit view. When checking a live host, inspect both views (the 64-bit Run key and its WOW6432Node counterpart), and note the autostart target sits in the user's Temp directory, a location no legitimate installer registers from.
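The Run-key write above is the sample's persistence mechanism. As an added example (not part of this report and not the sandbox's own detection logic), the Python below applies the same check to Sysmon Event ID 13 (registry value set) records: it matches Run/RunOnce values under HKLM or a user hive, including the WOW6432Node view and the raw \REGISTRY\... form printed above, and flags those whose autostart target lives in a user-writable directory. The event records are constructed to mirror the report's IoC plus two benign decoys; field names follow Sysmon, while the regexes and function names are this example's own choices.

```python
"""Hunt Run/RunOnce persistence that points into user-writable paths.

Added example, not part of the sandbox report. Records are shaped like
Sysmon Event ID 13 (RegistryEvent, value set); the ones below are
constructed to mirror the report's IoC plus two benign decoys.
"""
import re
from typing import Dict, List, Optional

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0a1ccae7a9acde4fa56a706e555b8c8c64b5b28ce1e8c74d59b494800ae9c11e.exe")

# Constructed events, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # mirrors the report: 32-bit sample writes the WOW6432Node view of HKLM\...\Run
        "EventID": "13", "Image": SAMPLE,
        "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
        "Details": r'"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"',
    },
    {   # benign decoy: installer registers an updater under Program Files
        "EventID": "13", "Image": r"C:\Program Files\Vendor\setup.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
        "Details": r"C:\Program Files\Vendor\updater.exe /quiet",
    },
    {   # benign decoy: value set outside any Run key
        "EventID": "13", "Image": r"C:\Windows\explorer.exe",
        "TargetObject": r"HKU\S-1-5-21-1-2-3-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
        "Details": "DWORD (0x00000001)",
    },
]

# Accepts Sysmon's HKLM/HKU/HKCU prefixes and the raw \REGISTRY\... form the sandbox prints.
RUN_KEY_RE = re.compile(
    r"^(?:\\REGISTRY\\MACHINE|HKLM|\\REGISTRY\\USER\\[^\\]+|HKU\\[^\\]+|HKCU)"
    r"\\SOFTWARE\\(?P<wow>WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion"
    r"\\(?P<key>RunOnce|Run)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# Locations a standard user can write to; an autostart target here is the hunt signal.
USER_WRITABLE_RE = re.compile(
    r"^[A-Z]:\\(?:Users\\[^\\]+\\(?:AppData|Downloads)|Users\\Public|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE,
)


def image_from_value(value: str) -> str:
    """Extract the executable path from a Run value (quoted or bare, with arguments)."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", value, re.IGNORECASE)
    return m.group(1) if m else value.split(" ")[0]


def check_event(ev: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for a Run-key write whose target lives in a user-writable path."""
    if ev.get("EventID") != "13":
        return None
    m = RUN_KEY_RE.match(ev.get("TargetObject", ""))
    if not m:
        return None
    target = image_from_value(ev.get("Details", ""))
    if not USER_WRITABLE_RE.match(target):
        return None
    return {
        "writer": ev["Image"],
        "key": m.group("key"),
        "value_name": m.group("name"),
        "autostart_target": target,
        # WOW6432Node in the key path means the writer was a 32-bit process on x64.
        "wow64_redirected": m.group("wow") is not None,
        "writer_in_user_path": USER_WRITABLE_RE.match(ev["Image"]) is not None,
    }


def hunt_run_keys(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run check_event over a batch of records and keep the hits."""
    return [f for f in (check_event(ev) for ev in events) if f is not None]


if __name__ == "__main__":
    for finding in hunt_run_keys(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed batch, only the MicroMedia write is returned, with wow64_redirected set and the writer itself sitting in a user path. In production the same logic runs over Sysmon 13 records from a SIEM; the user-writable list is deliberately short and should be tuned to the estate, since installers that legitimately register from ProgramData are common.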
- Drops file in Windows directory (8 IoCs)
  Files opened for modification by svchost.exe (PID 2104):
  C:\Windows\WindowsUpdate.log
  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm
  C:\Windows\SoftwareDistribution\ReportingEvents.log
  Files opened for modification by TiWorker.exe (PID 1360):
  C:\Windows\Logs\CBS\CBS.log
  C:\Windows\WinSxS\pending.xml
  None of these come from the sample or its children: svchost.exe here hosts wuauserv and TiWorker.exe is the servicing stack, so this is Windows Update activity in the analysis VM and should be discounted.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  The sandbox attaches no IoC to this signature, and nothing else in the report (no file encryption, no ransom note, no mass file writes) supports the ransomware reading; treat it as a low-confidence generic hit.
- Runs ping.exe (1 TTP, 1 IoC)
  ping 127.0.0.1 from PING.EXE (PID 4072), launched via cmd.exe as a delay before the sample deletes its own file (see Processes).
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  svchost.exe (PID 2104): SeShutdownPrivilege x3, SeCreatePagefilePrivilege x3
  0a1ccae7a9acde4fa56a706e555b8c8c64b5b28ce1e8c74d59b494800ae9c11e.exe (PID 4872): SeIncBasePriorityPrivilege x1
  TiWorker.exe (PID 1360): SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege enabled in repeated cycles (57 entries, 19 of each)
  Only the single SeIncBasePriorityPrivilege adjustment belongs to the sample; the svchost.exe and TiWorker.exe entries are Windows Update and servicing-stack behaviour in the VM.
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4872 (0a1ccae7a9acde4fa56a706e555b8c8c64b5b28ce1e8c74d59b494800ae9c11e.exe) wrote to memory of PID 4180 (MediaCenter.exe) x3
  PID 4872 (0a1ccae7a9acde4fa56a706e555b8c8c64b5b28ce1e8c74d59b494800ae9c11e.exe) wrote to memory of PID 4472 (cmd.exe) x3
  PID 4472 (cmd.exe) wrote to memory of PID 4072 (PING.EXE) x3
  Each writer/target pair is a parent and the child it has just spawned, with the same three writes per child, which is the pattern of ordinary process creation rather than injection into an unrelated running process.
Processes
- C:\Users\Admin\AppData\Local\Temp\0a1ccae7a9acde4fa56a706e555b8c8c64b5b28ce1e8c74d59b494800ae9c11e.exe (PID 4872, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a1ccae7a9acde4fa56a706e555b8c8c64b5b28ce1e8c74d59b494800ae9c11e.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 4180, level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 4472, level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a1ccae7a9acde4fa56a706e555b8c8c64b5b28ce1e8c74d59b494800ae9c11e.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 4072, level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe

The cmd.exe branch is the sample removing itself: ping 127.0.0.1 (four echo requests by default) delays the del /q long enough for the parent to exit, since a running image cannot be deleted, and the copy dropped to MicroMedia\MediaCenter.exe survives via the Run value. The command line names C:\Windows\System32\cmd.exe but the image that ran is C:\Windows\SysWOW64\cmd.exe, the file-system redirection applied to 32-bit processes on x64, which confirms the sample is a 32-bit binary and matches the WOW6432Node registry write.

- C:\Windows\system32\svchost.exe (PID 2104, level 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 1360, level 1)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

svchost.exe (wuauserv) and TiWorker.exe are top-level processes with no link to the sample; they are Windows Update and servicing activity in the analysis VM that happened to fall inside the capture window.
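The cmd.exe branch above is a common self-removal idiom and is worth hunting for on its own. As an added example (not from the report, the sandbox or the sample), the Python below runs over process-creation records shaped like Sysmon Event ID 1 and flags a cmd.exe whose /c or /k payload both pings a loopback address and deletes its parent's own image path; it also records the System32-to-SysWOW64 redirection seen here, which marks the parent as 32-bit on x64. The records are constructed to mirror the process tree above plus a benign decoy; field names follow Sysmon, and the tokenizer, helper names and return fields are this example's own choices.

```python
"""Detect the cmd.exe "/c ping <loopback> & del <parent image>" self-removal pattern.

Added example, not from the sandbox report or the sample. Records are
shaped like Sysmon Event ID 1 (ProcessCreate); the ones below are
constructed to mirror the process tree in the report plus a benign decoy.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
                r"\0a1ccae7a9acde4fa56a706e555b8c8c64b5b28ce1e8c74d59b494800ae9c11e.exe")
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed records, not real telemetry.
SAMPLE_PROCESS_EVENTS: List[Dict[str, object]] = [
    {"ProcessId": 1000, "ParentProcessId": 1, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\explorer.exe"},
    {"ProcessId": 4872, "ParentProcessId": 1000, "Image": SAMPLE_IMAGE,
     "CommandLine": '"' + SAMPLE_IMAGE + '"'},
    {"ProcessId": 4180, "ParentProcessId": 4872,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    # As in the report: the command line names System32 but the 32-bit child resolved to SysWOW64.
    {"ProcessId": 4472, "ParentProcessId": 4872, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE_IMAGE + '"'},
    {"ProcessId": 4072, "ParentProcessId": 4472, "Image": r"C:\Windows\SysWOW64\PING.EXE",
     "CommandLine": "ping 127.0.0.1"},
    # Benign decoy: pings a real host and deletes an unrelated file.
    {"ProcessId": 5000, "ParentProcessId": 1000, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c ping 10.0.0.1 -n 4 & del /q C:\Users\Admin\tmp.txt'},
]


def win_tokens(segment: str) -> List[str]:
    """Split one cmd.exe command into arguments, honouring double quotes."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', segment)]


def norm_path(p: str) -> str:
    """Case-insensitive, quote-stripped comparison form for Windows paths."""
    return p.strip().strip('"').replace("/", "\\").lower()


def parse_ping(toks: List[str]) -> Tuple[List[str], int]:
    """Return (hosts, echo count) for a ping invocation; Windows ping defaults to 4 echoes."""
    hosts, count, i = [], 4, 1
    while i < len(toks):
        t = toks[i].lower()
        if t in ("-n", "-w", "-l", "-i") and i + 1 < len(toks):
            if t == "-n" and toks[i + 1].isdigit():
                count = int(toks[i + 1])
            i += 2
            continue
        if not t.startswith("-"):
            hosts.append(t)
        i += 1
    return hosts, count


def check_cmd(ev: Dict[str, object], parent_image: str) -> Optional[Dict[str, object]]:
    """Flag cmd.exe whose /c or /k payload pings loopback and deletes the parent's image."""
    cmdline = str(ev["CommandLine"])
    m = re.search(r"\s/[ck]\s+(.*)$", cmdline, re.IGNORECASE)
    if not m:
        return None
    ping_target = ping_count = deleted = None
    for seg in re.split(r"\s*(?:&&?|\|\|?)\s*", m.group(1)):
        toks = win_tokens(seg)
        if not toks:
            continue
        verb = toks[0].lower()
        if verb in ("ping", "ping.exe"):
            hosts, count = parse_ping(toks)
            if any(h in LOOPBACK or h.startswith("127.") for h in hosts):
                ping_target, ping_count = hosts[0], count
        elif verb in ("del", "erase"):
            for t in toks[1:]:
                if not t.startswith("/") and norm_path(t) == norm_path(parent_image):
                    deleted = t
    if ping_target is None or deleted is None:
        return None
    return {
        "cmd_pid": ev["ProcessId"],
        "parent_pid": ev["ParentProcessId"],
        "deleted_path": deleted,
        "ping_target": ping_target,
        "ping_count": ping_count,   # delay before the delete, in echo requests
        # System32 named on the command line but SysWOW64 on disk: parent is 32-bit on x64.
        "wow64_redirected": "\\system32\\cmd.exe" in cmdline.lower()
                            and "\\syswow64\\" in str(ev["Image"]).lower(),
    }


def hunt_self_delete(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Pair each cmd.exe record with its parent and keep the self-delete hits."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    findings = []
    for ev in events:
        if not str(ev["Image"]).lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(ev["ParentProcessId"])
        if parent is not None:
            f = check_cmd(ev, str(parent["Image"]))
            if f is not None:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in hunt_self_delete(SAMPLE_PROCESS_EVENTS):
        print(finding)
```

On the constructed batch only PID 4472 is returned: loopback target, four-echo delay, the parent's own path as the del argument, and the SysWOW64 redirection. The decoy is rejected on both counts (a routable ping target and an unrelated file). Requiring the del target to equal the parent image, rather than any ping-then-del, is what keeps this rule quiet on admin scripts.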
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 20f0f685f0571c0c3919c589bba47986
  SHA1: 49042b591e38dd47820c2ab0d3c00ee277ad04c4
  SHA256: 752a6ea746fc9864e15300b018ac58e5cb46bf26219f732bcc2d90b3af1ea589
  SHA512: 2a6fab43141ee424e7fadbba5bda40429b9991a227b9f43f814b0eaffed7ad2c25f3098581de8cd13587b290c15bb7dbd96b9ad5e64a664a503fd072b7e547be
  These hashes differ from the submitted sample's, so MediaCenter.exe is a distinct payload written by the 36KB dropper rather than a copy of it; it is the file the Run value points at and the one to pivot on.
- memory/2104-135-0x000002683D720000-0x000002683D730000-memory.dmp (64KB)
- memory/2104-136-0x000002683D780000-0x000002683D790000-memory.dmp (64KB)
- memory/2104-137-0x000002683FE40000-0x000002683FE44000-memory.dmp (16KB)
  PID 2104 is the wuauserv svchost.exe, so these dumps capture background Windows Update activity; no memory region of the sample (PID 4872) or MediaCenter.exe (PID 4180) is listed.