Analysis
- max time kernel: 151s
- max time network: 169s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 09:25
Static task: static1
Behavioral task: behavioral1
- Sample: 0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1.exe
- Resource: win10v2004-en-20220113
General
- Target: 0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1.exe
- Size: 36KB
- MD5: dc7f4d7a276fde3aecb0c3995f694a73
- SHA1: aeee2439fc0ca222378074fd475d670c9c507c95
- SHA256: 0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1
- SHA512: 275cd3183613410cf2dc28571cce1561169729a9007b02e3fb29e7ac06d1621d60fab7d2141edd60361094b4f3ff275592a6cc22212388442f86bb71125fe920
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  pid  | process
  4752 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description       | ioc                                                                                              | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description     | ioc                                                                                                                                                                        | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
  description                  | ioc                                                        | process
  File opened for modification | C:\Windows\WindowsUpdate.log                               | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk     | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log     | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb    | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm    | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log        | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log                                | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml                              | TiWorker.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  description                       | pid  | process
  Token: SeIncBasePriorityPrivilege | 5044 | 0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1.exe
  Token: SeShutdownPrivilege        | 3524 | svchost.exe
  Token: SeCreatePagefilePrivilege  | 3524 | svchost.exe
  Token: SeShutdownPrivilege        | 3524 | svchost.exe
  Token: SeCreatePagefilePrivilege  | 3524 | svchost.exe
  Token: SeShutdownPrivilege        | 3524 | svchost.exe
  Token: SeCreatePagefilePrivilege  | 3524 | svchost.exe
  Token: SeSecurityPrivilege        | 3068 | TiWorker.exe
  Token: SeRestorePrivilege         | 3068 | TiWorker.exe
  Token: SeBackupPrivilege          | 3068 | TiWorker.exe
  Token: SeBackupPrivilege          | 3068 | TiWorker.exe
  Token: SeRestorePrivilege         | 3068 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3068 | TiWorker.exe
  Token: SeBackupPrivilege          | 3068 | TiWorker.exe
  Token: SeRestorePrivilege         | 3068 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3068 | TiWorker.exe
  Token: SeBackupPrivilege          | 3068 | TiWorker.exe
  Token: SeRestorePrivilege         | 3068 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3068 | TiWorker.exe
  Token: SeBackupPrivilege          | 3068 | TiWorker.exe
  Token: SeRestorePrivilege         | 3068 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3068 | TiWorker.exe
  Token: SeBackupPrivilege          | 3068 | TiWorker.exe
  Token: SeRestorePrivilege         | 3068 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3068 | TiWorker.exe
  Token: SeBackupPrivilege          | 3068 | TiWorker.exe
  Token: SeRestorePrivilege         | 3068 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3068 | TiWorker.exe
  Token: SeBackupPrivilege          | 3068 | TiWorker.exe
  Token: SeRestorePrivilege         | 3068 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3068 | TiWorker.exe
  Token: SeBackupPrivilege          | 3068 | TiWorker.exe
  Token: SeRestorePrivilege         | 3068 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3068 | TiWorker.exe
  Token: SeBackupPrivilege          | 3068 | TiWorker.exe
  Token: SeRestorePrivilege         | 3068 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3068 | TiWorker.exe
  Token: SeBackupPrivilege          | 3068 | TiWorker.exe
  Token: SeRestorePrivilege         | 3068 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3068 | TiWorker.exe
  Token: SeBackupPrivilege          | 3068 | TiWorker.exe
  Token: SeRestorePrivilege         | 3068 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3068 | TiWorker.exe
  Token: SeBackupPrivilege          | 3068 | TiWorker.exe
  Token: SeRestorePrivilege         | 3068 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3068 | TiWorker.exe
  Token: SeBackupPrivilege          | 3068 | TiWorker.exe
  Token: SeRestorePrivilege         | 3068 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3068 | TiWorker.exe
  Token: SeBackupPrivilege          | 3068 | TiWorker.exe
  Token: SeRestorePrivilege         | 3068 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3068 | TiWorker.exe
  Token: SeBackupPrivilege          | 3068 | TiWorker.exe
  Token: SeRestorePrivilege         | 3068 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3068 | TiWorker.exe
  Token: SeBackupPrivilege          | 3068 | TiWorker.exe
  Token: SeRestorePrivilege         | 3068 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3068 | TiWorker.exe
  Token: SeBackupPrivilege          | 3068 | TiWorker.exe
  Token: SeRestorePrivilege         | 3068 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3068 | TiWorker.exe
  Token: SeBackupPrivilege          | 3068 | TiWorker.exe
  Token: SeRestorePrivilege         | 3068 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3068 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description                      | pid  | process                                                              | target process
  PID 5044 wrote to memory of 4752 | 5044 | 0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1.exe | MediaCenter.exe
  PID 5044 wrote to memory of 4752 | 5044 | 0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1.exe | MediaCenter.exe
  PID 5044 wrote to memory of 4752 | 5044 | 0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1.exe | MediaCenter.exe
  PID 5044 wrote to memory of 2844 | 5044 | 0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1.exe | cmd.exe
  PID 5044 wrote to memory of 2844 | 5044 | 0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1.exe | cmd.exe
  PID 5044 wrote to memory of 2844 | 5044 | 0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1.exe | cmd.exe
  PID 2844 wrote to memory of 3556 | 2844 | cmd.exe                                                              | PING.EXE
  PID 2844 wrote to memory of 3556 | 2844 | cmd.exe                                                              | PING.EXE
  PID 2844 wrote to memory of 3556 | 2844 | cmd.exe                                                              | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1.exe"
  PID: 5044
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4752
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1.exe"
    PID: 2844
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 3556
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 3524
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3068
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: f901ae970fc4016a0abaf23d68b30829
  SHA1: abee2ea842f04359da7171bcfc0d77cc3bd7f018
  SHA256: 748f6bfb32eea5f545462344de7f83d0f6e48d77732bf6cf741546b4c7de2ad9
  SHA512: 0319683c02145ab283e83ae073249da35ee024070a7dd70c829f552e82f0878ed9974c4fe3d3962ad3c6256eaf2158e65699ae00d512d0ddf2ab1b14cd9fa22b
- memory/3524-132-0x000002C54CDA0000-0x000002C54CDB0000-memory.dmp
  Filesize: 64KB
- memory/3524-133-0x000002C54D420000-0x000002C54D430000-memory.dmp
  Filesize: 64KB
- memory/3524-134-0x000002C54FB20000-0x000002C54FB24000-memory.dmp
  Filesize: 16KB