Analysis
max time kernel: 141s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 09:27
Static task: static1
Behavioral task: behavioral1
  Sample: 0a07ef5e2d80a34e0d89285bfc05ce179a24f0df1db25cc9fa70b3e2aeeea55a.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0a07ef5e2d80a34e0d89285bfc05ce179a24f0df1db25cc9fa70b3e2aeeea55a.exe
  Resource: win10v2004-en-20220113
General
Target: 0a07ef5e2d80a34e0d89285bfc05ce179a24f0df1db25cc9fa70b3e2aeeea55a.exe
Size: 58KB
MD5: afdc559d0f89548298be15d76ff79e1f
SHA1: 288376c8af963519c4271bb20b186736a1efba9f
SHA256: 0a07ef5e2d80a34e0d89285bfc05ce179a24f0df1db25cc9fa70b3e2aeeea55a
SHA512: 601ab9249c72d1c5f062f3d1c69a7ce5fd4930ca9a42b8bf014e840beaa681dfe26678a8d03d360e331a8fb8adaf4e69513c01f83637e6ed8764deec7bb889a2
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
Processes:
  pid: 4220
  process: MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  process: 0a07ef5e2d80a34e0d89285bfc05ce179a24f0df1db25cc9fa70b3e2aeeea55a.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 0a07ef5e2d80a34e0d89285bfc05ce179a24f0df1db25cc9fa70b3e2aeeea55a.exe
Drops file in Windows directory (8 IoCs)
Processes (description / ioc / process):
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb   svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm   svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log       svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log                               TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml                             TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log                              svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk    svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log    svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe (1 TTP, 1 IoC)
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description / pid / process):
  Token: SeShutdownPrivilege         3284  svchost.exe
  Token: SeCreatePagefilePrivilege   3284  svchost.exe
  Token: SeShutdownPrivilege         3284  svchost.exe
  Token: SeCreatePagefilePrivilege   3284  svchost.exe
  Token: SeShutdownPrivilege         3284  svchost.exe
  Token: SeCreatePagefilePrivilege   3284  svchost.exe
  Token: SeSecurityPrivilege         2360  TiWorker.exe
  Token: SeRestorePrivilege          2360  TiWorker.exe
  Token: SeBackupPrivilege           2360  TiWorker.exe
  Token: SeIncBasePriorityPrivilege  4488  0a07ef5e2d80a34e0d89285bfc05ce179a24f0df1db25cc9fa70b3e2aeeea55a.exe
  Token: SeBackupPrivilege           2360  TiWorker.exe
  Token: SeRestorePrivilege          2360  TiWorker.exe
  Token: SeSecurityPrivilege         2360  TiWorker.exe
  Token: SeBackupPrivilege           2360  TiWorker.exe
  Token: SeRestorePrivilege          2360  TiWorker.exe
  Token: SeSecurityPrivilege         2360  TiWorker.exe
  Token: SeBackupPrivilege           2360  TiWorker.exe
  Token: SeRestorePrivilege          2360  TiWorker.exe
  Token: SeSecurityPrivilege         2360  TiWorker.exe
  Token: SeBackupPrivilege           2360  TiWorker.exe
  Token: SeRestorePrivilege          2360  TiWorker.exe
  Token: SeSecurityPrivilege         2360  TiWorker.exe
  Token: SeBackupPrivilege           2360  TiWorker.exe
  Token: SeRestorePrivilege          2360  TiWorker.exe
  Token: SeSecurityPrivilege         2360  TiWorker.exe
  Token: SeBackupPrivilege           2360  TiWorker.exe
  Token: SeRestorePrivilege          2360  TiWorker.exe
  Token: SeSecurityPrivilege         2360  TiWorker.exe
  Token: SeBackupPrivilege           2360  TiWorker.exe
  Token: SeRestorePrivilege          2360  TiWorker.exe
  Token: SeSecurityPrivilege         2360  TiWorker.exe
  Token: SeBackupPrivilege           2360  TiWorker.exe
  Token: SeRestorePrivilege          2360  TiWorker.exe
  Token: SeSecurityPrivilege         2360  TiWorker.exe
  Token: SeBackupPrivilege           2360  TiWorker.exe
  Token: SeRestorePrivilege          2360  TiWorker.exe
  Token: SeSecurityPrivilege         2360  TiWorker.exe
  Token: SeBackupPrivilege           2360  TiWorker.exe
  Token: SeRestorePrivilege          2360  TiWorker.exe
  Token: SeSecurityPrivilege         2360  TiWorker.exe
  Token: SeBackupPrivilege           2360  TiWorker.exe
  Token: SeRestorePrivilege          2360  TiWorker.exe
  Token: SeSecurityPrivilege         2360  TiWorker.exe
  Token: SeBackupPrivilege           2360  TiWorker.exe
  Token: SeRestorePrivilege          2360  TiWorker.exe
  Token: SeSecurityPrivilege         2360  TiWorker.exe
  Token: SeBackupPrivilege           2360  TiWorker.exe
  Token: SeRestorePrivilege          2360  TiWorker.exe
  Token: SeSecurityPrivilege         2360  TiWorker.exe
  Token: SeBackupPrivilege           2360  TiWorker.exe
  Token: SeRestorePrivilege          2360  TiWorker.exe
  Token: SeSecurityPrivilege         2360  TiWorker.exe
  Token: SeBackupPrivilege           2360  TiWorker.exe
  Token: SeRestorePrivilege          2360  TiWorker.exe
  Token: SeSecurityPrivilege         2360  TiWorker.exe
  Token: SeBackupPrivilege           2360  TiWorker.exe
  Token: SeRestorePrivilege          2360  TiWorker.exe
  Token: SeSecurityPrivilege         2360  TiWorker.exe
  Token: SeBackupPrivilege           2360  TiWorker.exe
  Token: SeRestorePrivilege          2360  TiWorker.exe
  Token: SeSecurityPrivilege         2360  TiWorker.exe
  Token: SeBackupPrivilege           2360  TiWorker.exe
  Token: SeRestorePrivilege          2360  TiWorker.exe
  Token: SeSecurityPrivilege         2360  TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description / pid / process / target process):
  PID 4488 wrote to memory of 4220  4488  0a07ef5e2d80a34e0d89285bfc05ce179a24f0df1db25cc9fa70b3e2aeeea55a.exe  MediaCenter.exe
  PID 4488 wrote to memory of 4220  4488  0a07ef5e2d80a34e0d89285bfc05ce179a24f0df1db25cc9fa70b3e2aeeea55a.exe  MediaCenter.exe
  PID 4488 wrote to memory of 4220  4488  0a07ef5e2d80a34e0d89285bfc05ce179a24f0df1db25cc9fa70b3e2aeeea55a.exe  MediaCenter.exe
  PID 4488 wrote to memory of 2192  4488  0a07ef5e2d80a34e0d89285bfc05ce179a24f0df1db25cc9fa70b3e2aeeea55a.exe  cmd.exe
  PID 4488 wrote to memory of 2192  4488  0a07ef5e2d80a34e0d89285bfc05ce179a24f0df1db25cc9fa70b3e2aeeea55a.exe  cmd.exe
  PID 4488 wrote to memory of 2192  4488  0a07ef5e2d80a34e0d89285bfc05ce179a24f0df1db25cc9fa70b3e2aeeea55a.exe  cmd.exe
  PID 2192 wrote to memory of 424   2192  cmd.exe  PING.EXE
  PID 2192 wrote to memory of 424   2192  cmd.exe  PING.EXE
  PID 2192 wrote to memory of 424   2192  cmd.exe  PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\0a07ef5e2d80a34e0d89285bfc05ce179a24f0df1db25cc9fa70b3e2aeeea55a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0a07ef5e2d80a34e0d89285bfc05ce179a24f0df1db25cc9fa70b3e2aeeea55a.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 4488
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 4220
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a07ef5e2d80a34e0d89285bfc05ce179a24f0df1db25cc9fa70b3e2aeeea55a.exe"
      - Suspicious use of WriteProcessMemory
      PID: 2192
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 424
1. C:\Windows\system32\svchost.exe
   Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   PID: 3284
1. C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
   Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   PID: 2360
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 96f31eed45bd3d1cb8a258920b243972
  SHA1: 4408d8ce9d92d3776aaa28fbb487447606c493bb
  SHA256: 1c3b2d7d198a7f3f59fcb93503f78729ba56408b0039675da549a0d2f5d58581
  SHA512: b3ab3e1e5f0aecbae4b32661bde53bd0b514d367ddbf379799d440e7438bc9ae002ea03d15e6d8feb85d727e305cf43b0b8f20e4ecdaae43dd8ce8770309b8c5
memory/3284-132-0x000001C516970000-0x000001C516980000-memory.dmp
  Filesize: 64KB
memory/3284-133-0x000001C516F20000-0x000001C516F30000-memory.dmp
  Filesize: 64KB
memory/3284-134-0x000001C5195F0000-0x000001C5195F4000-memory.dmp
  Filesize: 16KB