Analysis
- max time kernel: 155s
- max time network: 171s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 07:25
Static task: static1
Behavioral task: behavioral1
  Sample: 0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702.exe
  Resource: win10v2004-en-20220113
General
- Target: 0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702.exe
- Size: 36KB
- MD5: 75c7d6904f37378e16f8b11a51919a0b
- SHA1: 60ab256e7c6e13812858ac55b4362d16cff82f5e
- SHA256: 0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702
- SHA512: 32540a86ccb5e84f669b3de3cdad83b1b3adeedc97622157c0194312ec457ca3cb90530d5951308f0ec9ade1d7d4124b9eba9dbd7dbff966189a4804f65fb6d5
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid    process
    4040   MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc:         \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
    process:     0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc:         \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process:     0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
    description                    ioc                                                         process
    File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.edb     svchost.exe
    File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm     svchost.exe
    File opened for modification   C:\Windows\SoftwareDistribution\ReportingEvents.log         svchost.exe
    File opened for modification   C:\Windows\Logs\CBS\CBS.log                                 TiWorker.exe
    File opened for modification   C:\Windows\WinSxS\pending.xml                               TiWorker.exe
    File opened for modification   C:\Windows\WindowsUpdate.log                                svchost.exe
    File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk      svchost.exe
    File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log      svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    description                         pid    process
    Token: SeShutdownPrivilege          3680   svchost.exe
    Token: SeCreatePagefilePrivilege    3680   svchost.exe
    Token: SeShutdownPrivilege          3680   svchost.exe
    Token: SeCreatePagefilePrivilege    3680   svchost.exe
    Token: SeShutdownPrivilege          3680   svchost.exe
    Token: SeCreatePagefilePrivilege    3680   svchost.exe
    Token: SeIncBasePriorityPrivilege   3616   0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702.exe
    Token: SeSecurityPrivilege          2412   TiWorker.exe
    Token: SeRestorePrivilege           2412   TiWorker.exe
    Token: SeBackupPrivilege            2412   TiWorker.exe
    Token: SeBackupPrivilege            2412   TiWorker.exe
    Token: SeRestorePrivilege           2412   TiWorker.exe
    Token: SeSecurityPrivilege          2412   TiWorker.exe
    Token: SeBackupPrivilege            2412   TiWorker.exe
    Token: SeRestorePrivilege           2412   TiWorker.exe
    Token: SeSecurityPrivilege          2412   TiWorker.exe
    Token: SeBackupPrivilege            2412   TiWorker.exe
    Token: SeRestorePrivilege           2412   TiWorker.exe
    Token: SeSecurityPrivilege          2412   TiWorker.exe
    Token: SeBackupPrivilege            2412   TiWorker.exe
    Token: SeRestorePrivilege           2412   TiWorker.exe
    Token: SeSecurityPrivilege          2412   TiWorker.exe
    Token: SeBackupPrivilege            2412   TiWorker.exe
    Token: SeRestorePrivilege           2412   TiWorker.exe
    Token: SeSecurityPrivilege          2412   TiWorker.exe
    Token: SeBackupPrivilege            2412   TiWorker.exe
    Token: SeRestorePrivilege           2412   TiWorker.exe
    Token: SeSecurityPrivilege          2412   TiWorker.exe
    Token: SeBackupPrivilege            2412   TiWorker.exe
    Token: SeRestorePrivilege           2412   TiWorker.exe
    Token: SeSecurityPrivilege          2412   TiWorker.exe
    Token: SeBackupPrivilege            2412   TiWorker.exe
    Token: SeRestorePrivilege           2412   TiWorker.exe
    Token: SeSecurityPrivilege          2412   TiWorker.exe
    Token: SeBackupPrivilege            2412   TiWorker.exe
    Token: SeRestorePrivilege           2412   TiWorker.exe
    Token: SeSecurityPrivilege          2412   TiWorker.exe
    Token: SeBackupPrivilege            2412   TiWorker.exe
    Token: SeRestorePrivilege           2412   TiWorker.exe
    Token: SeSecurityPrivilege          2412   TiWorker.exe
    Token: SeBackupPrivilege            2412   TiWorker.exe
    Token: SeRestorePrivilege           2412   TiWorker.exe
    Token: SeSecurityPrivilege          2412   TiWorker.exe
    Token: SeBackupPrivilege            2412   TiWorker.exe
    Token: SeRestorePrivilege           2412   TiWorker.exe
    Token: SeSecurityPrivilege          2412   TiWorker.exe
    Token: SeBackupPrivilege            2412   TiWorker.exe
    Token: SeRestorePrivilege           2412   TiWorker.exe
    Token: SeSecurityPrivilege          2412   TiWorker.exe
    Token: SeBackupPrivilege            2412   TiWorker.exe
    Token: SeRestorePrivilege           2412   TiWorker.exe
    Token: SeSecurityPrivilege          2412   TiWorker.exe
    Token: SeBackupPrivilege            2412   TiWorker.exe
    Token: SeRestorePrivilege           2412   TiWorker.exe
    Token: SeSecurityPrivilege          2412   TiWorker.exe
    Token: SeBackupPrivilege            2412   TiWorker.exe
    Token: SeRestorePrivilege           2412   TiWorker.exe
    Token: SeSecurityPrivilege          2412   TiWorker.exe
    Token: SeBackupPrivilege            2412   TiWorker.exe
    Token: SeRestorePrivilege           2412   TiWorker.exe
    Token: SeSecurityPrivilege          2412   TiWorker.exe
    Token: SeBackupPrivilege            2412   TiWorker.exe
    Token: SeRestorePrivilege           2412   TiWorker.exe
    Token: SeSecurityPrivilege          2412   TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                          pid    process                                                                 target process
    PID 3616 wrote to memory of 4040     3616   0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702.exe   MediaCenter.exe
    PID 3616 wrote to memory of 4040     3616   0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702.exe   MediaCenter.exe
    PID 3616 wrote to memory of 4040     3616   0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702.exe   MediaCenter.exe
    PID 3616 wrote to memory of 4608     3616   0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702.exe   cmd.exe
    PID 3616 wrote to memory of 4608     3616   0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702.exe   cmd.exe
    PID 3616 wrote to memory of 4608     3616   0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702.exe   cmd.exe
    PID 4608 wrote to memory of 704      4608   cmd.exe                                                                 PING.EXE
    PID 4608 wrote to memory of 704      4608   cmd.exe                                                                 PING.EXE
    PID 4608 wrote to memory of 704      4608   cmd.exe                                                                 PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702.exe"
  PID: 3616
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4040
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0da23a6c96120e84d0e5a08a9660ee962627c58aaecb64303213f79ca8af0702.exe"
    PID: 4608
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 704
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 3680
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 2412
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 508ba522e87a2df1cc90b325a35d00fe
  SHA1: 0e1319a7f6ee50a24a6d0750688a0b6962c6343a
  SHA256: f906053859251a55a8f6b6261a36bdfd68b7f85d4ae2971415f31716122ede09
  SHA512: 13ec69067ff8b38e1e2a39386da63d8aa1a553d8092eb7ebaa7a533e3e949bb8742c633f3d56d6bcc4cd7cb48b76cca1105d1ad1589717561b9ed4e0acefb2e2
- MD5: 508ba522e87a2df1cc90b325a35d00fe
  SHA1: 0e1319a7f6ee50a24a6d0750688a0b6962c6343a
  SHA256: f906053859251a55a8f6b6261a36bdfd68b7f85d4ae2971415f31716122ede09
  SHA512: 13ec69067ff8b38e1e2a39386da63d8aa1a553d8092eb7ebaa7a533e3e949bb8742c633f3d56d6bcc4cd7cb48b76cca1105d1ad1589717561b9ed4e0acefb2e2