Analysis
- max time kernel: 149s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 08:08
Static task: static1
Behavioral task: behavioral1
- Sample: 0ba030eb38f1b4dafb7ed3b35501c76d8d29688ce72451b46460b0d831ea5415.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0ba030eb38f1b4dafb7ed3b35501c76d8d29688ce72451b46460b0d831ea5415.exe
- Resource: win10v2004-en-20220113
General
- Target: 0ba030eb38f1b4dafb7ed3b35501c76d8d29688ce72451b46460b0d831ea5415.exe
- Size: 35KB
- MD5: d2fde83fbe3ac5c848ccd16046492b0a
- SHA1: 5f8f9d67530d54cb6471f2815b54b9c5eb56394c
- SHA256: 0ba030eb38f1b4dafb7ed3b35501c76d8d29688ce72451b46460b0d831ea5415
- SHA512: 6c1b016819636c4ef3cd0df0319675f04e633097881cb44f3e87610d9f1051e5cce5e3517c6fafca2cd7c9aa12d6bbf0fdf07dd6e5ad316c96e004ca4bb06cbc
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    1844  MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  0ba030eb38f1b4dafb7ed3b35501c76d8d29688ce72451b46460b0d831ea5415.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0ba030eb38f1b4dafb7ed3b35501c76d8d29688ce72451b46460b0d831ea5415.exe
- Drops file in Windows directory (8 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\Windows\WindowsUpdate.log  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log  svchost.exe
    File opened for modification  C:\Windows\Logs\CBS\CBS.log  TiWorker.exe
    File opened for modification  C:\Windows\WinSxS\pending.xml  TiWorker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description, pid, process):
    Token: SeShutdownPrivilege  3156  svchost.exe
    Token: SeCreatePagefilePrivilege  3156  svchost.exe
    Token: SeShutdownPrivilege  3156  svchost.exe
    Token: SeCreatePagefilePrivilege  3156  svchost.exe
    Token: SeShutdownPrivilege  3156  svchost.exe
    Token: SeCreatePagefilePrivilege  3156  svchost.exe
    Token: SeIncBasePriorityPrivilege  1940  0ba030eb38f1b4dafb7ed3b35501c76d8d29688ce72451b46460b0d831ea5415.exe
    Token: SeSecurityPrivilege  4112  TiWorker.exe
    Token: SeRestorePrivilege  4112  TiWorker.exe
    Token: SeBackupPrivilege  4112  TiWorker.exe
    Token: SeBackupPrivilege  4112  TiWorker.exe
    Token: SeRestorePrivilege  4112  TiWorker.exe
    Token: SeSecurityPrivilege  4112  TiWorker.exe
    Token: SeBackupPrivilege  4112  TiWorker.exe
    Token: SeRestorePrivilege  4112  TiWorker.exe
    Token: SeSecurityPrivilege  4112  TiWorker.exe
    Token: SeBackupPrivilege  4112  TiWorker.exe
    Token: SeRestorePrivilege  4112  TiWorker.exe
    Token: SeSecurityPrivilege  4112  TiWorker.exe
    Token: SeBackupPrivilege  4112  TiWorker.exe
    Token: SeRestorePrivilege  4112  TiWorker.exe
    Token: SeSecurityPrivilege  4112  TiWorker.exe
    Token: SeBackupPrivilege  4112  TiWorker.exe
    Token: SeRestorePrivilege  4112  TiWorker.exe
    Token: SeSecurityPrivilege  4112  TiWorker.exe
    Token: SeBackupPrivilege  4112  TiWorker.exe
    Token: SeRestorePrivilege  4112  TiWorker.exe
    Token: SeSecurityPrivilege  4112  TiWorker.exe
    Token: SeBackupPrivilege  4112  TiWorker.exe
    Token: SeRestorePrivilege  4112  TiWorker.exe
    Token: SeSecurityPrivilege  4112  TiWorker.exe
    Token: SeBackupPrivilege  4112  TiWorker.exe
    Token: SeRestorePrivilege  4112  TiWorker.exe
    Token: SeSecurityPrivilege  4112  TiWorker.exe
    Token: SeBackupPrivilege  4112  TiWorker.exe
    Token: SeRestorePrivilege  4112  TiWorker.exe
    Token: SeSecurityPrivilege  4112  TiWorker.exe
    Token: SeBackupPrivilege  4112  TiWorker.exe
    Token: SeRestorePrivilege  4112  TiWorker.exe
    Token: SeSecurityPrivilege  4112  TiWorker.exe
    Token: SeBackupPrivilege  4112  TiWorker.exe
    Token: SeRestorePrivilege  4112  TiWorker.exe
    Token: SeSecurityPrivilege  4112  TiWorker.exe
    Token: SeBackupPrivilege  4112  TiWorker.exe
    Token: SeRestorePrivilege  4112  TiWorker.exe
    Token: SeSecurityPrivilege  4112  TiWorker.exe
    Token: SeBackupPrivilege  4112  TiWorker.exe
    Token: SeRestorePrivilege  4112  TiWorker.exe
    Token: SeSecurityPrivilege  4112  TiWorker.exe
    Token: SeBackupPrivilege  4112  TiWorker.exe
    Token: SeRestorePrivilege  4112  TiWorker.exe
    Token: SeSecurityPrivilege  4112  TiWorker.exe
    Token: SeBackupPrivilege  4112  TiWorker.exe
    Token: SeRestorePrivilege  4112  TiWorker.exe
    Token: SeSecurityPrivilege  4112  TiWorker.exe
    Token: SeBackupPrivilege  4112  TiWorker.exe
    Token: SeRestorePrivilege  4112  TiWorker.exe
    Token: SeSecurityPrivilege  4112  TiWorker.exe
    Token: SeBackupPrivilege  4112  TiWorker.exe
    Token: SeRestorePrivilege  4112  TiWorker.exe
    Token: SeSecurityPrivilege  4112  TiWorker.exe
    Token: SeBackupPrivilege  4112  TiWorker.exe
    Token: SeRestorePrivilege  4112  TiWorker.exe
    Token: SeSecurityPrivilege  4112  TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
    PID 1940 wrote to memory of 1844  1940  0ba030eb38f1b4dafb7ed3b35501c76d8d29688ce72451b46460b0d831ea5415.exe  MediaCenter.exe
    PID 1940 wrote to memory of 1844  1940  0ba030eb38f1b4dafb7ed3b35501c76d8d29688ce72451b46460b0d831ea5415.exe  MediaCenter.exe
    PID 1940 wrote to memory of 1844  1940  0ba030eb38f1b4dafb7ed3b35501c76d8d29688ce72451b46460b0d831ea5415.exe  MediaCenter.exe
    PID 1940 wrote to memory of 816  1940  0ba030eb38f1b4dafb7ed3b35501c76d8d29688ce72451b46460b0d831ea5415.exe  cmd.exe
    PID 1940 wrote to memory of 816  1940  0ba030eb38f1b4dafb7ed3b35501c76d8d29688ce72451b46460b0d831ea5415.exe  cmd.exe
    PID 1940 wrote to memory of 816  1940  0ba030eb38f1b4dafb7ed3b35501c76d8d29688ce72451b46460b0d831ea5415.exe  cmd.exe
    PID 816 wrote to memory of 4172  816  cmd.exe  PING.EXE
    PID 816 wrote to memory of 4172  816  cmd.exe  PING.EXE
    PID 816 wrote to memory of 4172  816  cmd.exe  PING.EXE
Processes (process tree; nesting shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\0ba030eb38f1b4dafb7ed3b35501c76d8d29688ce72451b46460b0d831ea5415.exe (PID 1940)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ba030eb38f1b4dafb7ed3b35501c76d8d29688ce72451b46460b0d831ea5415.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1844)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 816)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ba030eb38f1b4dafb7ed3b35501c76d8d29688ce72451b46460b0d831ea5415.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 4172)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 3156)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 4112)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 4a7c5d8f54e7fcec16cc56a9059bf2b4
  SHA1: feebf5f63baf7752cadd43232cd7e92d7a0ec310
  SHA256: 8c0407c32a2005dafcb2f4eabd061e0e99410dc54ebde4cae17f4a1d1d013e41
  SHA512: 96d03127521886d289c9e4dbae9055209e371f9f2a9da5a3f9b3fa7413d10b728d06b227b03b1026cfff6deb150a73f8b00c87ab9def4fa4704a46656e31e51e