Analysis
- max time kernel: 145s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 09:26
Static task: static1
Behavioral task: behavioral1
- Sample: 0a167245bd777501109d9759379d9e547e5b6d2d8344dac033d98fc58f447a30.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0a167245bd777501109d9759379d9e547e5b6d2d8344dac033d98fc58f447a30.exe
- Resource: win10v2004-en-20220113
The signatures, process tree and dropped files below are from the Windows 10 run (behavioral2, resource win10v2004-en-20220113); the Windows 7 run (behavioral1) is not shown on this page.
General
- Target: 0a167245bd777501109d9759379d9e547e5b6d2d8344dac033d98fc58f447a30.exe
- Size: 58KB
- MD5: 779e5a9f40abfd611849509d8247c1cc
- SHA1: b6b9a159e6321301eecbcd1188dc8919bd389be3
- SHA256: 0a167245bd777501109d9759379d9e547e5b6d2d8344dac033d98fc58f447a30
- SHA512: 980340a940003213ab8af49fdbc85771c6ae2ccac08a7e88846c9579db1f44c8db3e01df5f5a9e047e65b2be7e4c619c0277792448f86984546bebee404bb892
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  2532  MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes (description, ioc, process):
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  0a167245bd777501109d9759379d9e547e5b6d2d8344dac033d98fc58f447a30.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0a167245bd777501109d9759379d9e547e5b6d2d8344dac033d98fc58f447a30.exe
  The value is written to the 32-bit (WOW6432Node) view of the machine-wide HKLM Run key, so the dropped MediaCenter.exe starts for every user at logon; writing there requires the sample to run with administrative rights, which the sandbox grants it.
- Drops file in Windows directory (8 IoCs)
  Processes (description, ioc, process):
  File opened for modification  C:\Windows\Logs\CBS\CBS.log  TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml  TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log  svchost.exe
  All eight writes come from the Windows Update service host (svchost.exe -k netsvcs -p -s wuauserv) and the servicing stack worker TiWorker.exe, not from the sample or its children.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  No process or IoC is attributed to this signature in the report.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (token, pid, process), grouped:
  SeShutdownPrivilege / SeCreatePagefilePrivilege  2312 svchost.exe  (3 of each, alternating)
  SeIncBasePriorityPrivilege  2516 0a167245bd777501109d9759379d9e547e5b6d2d8344dac033d98fc58f447a30.exe  (1)
  SeSecurityPrivilege / SeRestorePrivilege / SeBackupPrivilege  2124 TiWorker.exe  (the remaining 57 entries, cycling through the three)
  Only the single SeIncBasePriorityPrivilege adjustment belongs to the sample; the svchost.exe and TiWorker.exe entries are the Windows Update and servicing processes listed in the process tree.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (pid, process, target pid, target process):
  2516 0a167245bd777501109d9759379d9e547e5b6d2d8344dac033d98fc58f447a30.exe -> 2532 MediaCenter.exe  (3 writes)
  2516 0a167245bd777501109d9759379d9e547e5b6d2d8344dac033d98fc58f447a30.exe -> 64 cmd.exe  (3 writes)
  64 cmd.exe -> 3780 PING.EXE  (3 writes)
  Every target is the writer's own child as created in the process tree, which is consistent with ordinary process start-up rather than injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\0a167245bd777501109d9759379d9e547e5b6d2d8344dac033d98fc58f447a30.exe (PID 2516)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a167245bd777501109d9759379d9e547e5b6d2d8344dac033d98fc58f447a30.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 2532, child of 2516)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 64, child of 2516)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a167245bd777501109d9759379d9e547e5b6d2d8344dac033d98fc58f447a30.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 3780, child of 64)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 2312)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 2124)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
The sample's own tree is the first one: it starts the dropped MediaCenter.exe, then spawns cmd.exe to delete its original file. The ping 127.0.0.1 is only a delay so that del runs after the parent has exited and released its image; the original file is gone by the time an analyst looks, but the copy in MicroMedia\MediaCenter.exe and the Run key remain. The image path is SysWOW64 while the command line names System32 because the sample is a 32-bit process subject to WOW64 file system redirection. svchost.exe (wuauserv) and TiWorker.exe are top-level Windows Update and servicing stack processes that ran during the analysis window and were not spawned by the sample.
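The persistence, dropped-file and self-delete behaviours recorded in the Signatures section and the process tree above, expressed as detection logic. This is an added example, not code from the sandbox report or from the sample: it runs over constructed Sysmon-style events that mirror the process tree (not recorded telemetry), and the field names are assumed to follow Sysmon's process-create (event 1) and registry-set (event 13) events. It generalises past this one sample: any Run value pointing into AppData\Local\Temp and any ping-delayed `del` of the parent's own image fire, while a ping-and-delete of an unrelated file does not. Registry reads such as the Geo\Nation lookup are not logged by Sysmon and would need a different source.

```python
"""Hunt for the behaviours in this report over Sysmon-style events.

Added example: this is not code from the sandbox report or from the sample.
The events below are constructed to mirror the process tree above; field
names follow Sysmon's (Image, ParentImage, CommandLine, Hashes, TargetObject,
Details). Real telemetry would come from the Sysmon operational event log.
"""
import re
from typing import Iterable

# Indicators copied from the report.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\0a167245bd777501109d9759379d9e547e5b6d2d8344dac033d98fc58f447a30.exe")
DROPPED_EXE = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
DROPPED_SHA256 = "b8c818e8811866ccc40268ca0aa151d4386cfe7c6a0ce723312d719d2f3cbd68"
RUN_VALUE_NAME = "MicroMedia"

# Generic patterns that go beyond this one sample.
# Any value written under a Run key (HKLM or HKCU, including the WOW6432Node view).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.I)
# Autostart entries pointing into a user-writable temp directory are rarely legitimate.
TEMP_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# "ping <loopback> & del <exe>": ping is only a sleep so that del runs after the
# parent has exited and released its own image file.
SELF_DELETE_RE = re.compile(
    r"ping\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost|::1)\b.*?&+\s*del\s+"
    r"(?:/\w\s+)*\"?(?P<target>[^\"&]+?\.exe)\"?\s*$",
    re.I,
)


def parse_hashes(field: str) -> dict[str, str]:
    """Sysmon writes hashes as 'MD5=...,SHA256=...,IMPHASH=...'."""
    return {k.upper(): v.lower() for k, _, v in
            (part.partition("=") for part in field.split(",")) if k}


def detect(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (rule, detail) pairs for every event that matches a rule."""
    findings = []
    for ev in events:
        if ev["EventID"] == 13:  # registry value set
            m = RUN_KEY_RE.search(ev["TargetObject"])
            if m and (m.group("name").lower() == RUN_VALUE_NAME.lower()
                      or TEMP_PATH_RE.search(ev.get("Details", ""))):
                findings.append(("run_key_persistence", ev["TargetObject"]))
        elif ev["EventID"] == 1:  # process creation
            if parse_hashes(ev.get("Hashes", "")).get("SHA256") == DROPPED_SHA256:
                findings.append(("known_dropped_exe", ev["Image"]))
            m = SELF_DELETE_RE.search(ev.get("CommandLine", ""))
            # Only a self-delete if the file being removed is the parent's own image.
            if m and m.group("target").lower() == ev.get("ParentImage", "").lower():
                findings.append(("self_delete_via_ping", ev["ParentImage"]))
    return findings


# Constructed events modelled on the process tree in the report (not real telemetry).
EVENTS = [
    {"EventID": 13, "Image": SAMPLE_EXE,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": DROPPED_EXE},
    {"EventID": 1, "Image": DROPPED_EXE, "ParentImage": SAMPLE_EXE,
     "CommandLine": DROPPED_EXE, "Hashes": "SHA256=" + DROPPED_SHA256.upper()},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": SAMPLE_EXE,
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "%s"' % SAMPLE_EXE},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\PING.EXE",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe", "CommandLine": "ping 127.0.0.1"},
    # Benign control: an admin deleting some other file after a ping; must not fire.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'cmd.exe /c ping 127.0.0.1 & del /q "C:\\Temp\\installer.exe"'},
]

if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule}: {detail}")
```

The self-delete rule keys on the parent image rather than on the command line alone, because `ping & del` is also how administrators and installers clean up unrelated files; the Run-key rule fires on the value name from this report or on any target under AppData\Local\Temp, so it still catches a re-packed build that renames the value.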
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: f435b82e34db93f61e3ad7b9c02782f4
  SHA1: 4e2b728ce294092f1ada6d6d5437affea649adea
  SHA256: b8c818e8811866ccc40268ca0aa151d4386cfe7c6a0ce723312d719d2f3cbd68
  SHA512: 87148eab0e2f3611667276691e348a26175bd118d70cf5f163ff50d18232b70e7ca886df7f6cdcb492563803e457511908971f6d17de9feeae38abdcbd6d5942
-
memory/2312-132-0x000001F5FF530000-0x000001F5FF540000-memory.dmp
  Filesize: 64KB
-
memory/2312-133-0x000001F5FF590000-0x000001F5FF5A0000-memory.dmp
  Filesize: 64KB
-
memory/2312-134-0x000001F582410000-0x000001F582414000-memory.dmp
  Filesize: 16KB
All three memory dumps are from PID 2312 (svchost.exe, wuauserv); no dump of the sample (PID 2516) or of MediaCenter.exe (PID 2532) is listed.