Analysis
max time kernel: 132s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 07:46
Static task: static1
Behavioral task: behavioral1
  Sample: 0ca8c23ee5b7bd980233b98b04e23ff6a7d0379c8abafc320ff4af91586877e8.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0ca8c23ee5b7bd980233b98b04e23ff6a7d0379c8abafc320ff4af91586877e8.exe
  Resource: win10v2004-en-20220113
General
Target: 0ca8c23ee5b7bd980233b98b04e23ff6a7d0379c8abafc320ff4af91586877e8.exe
Size: 36KB
MD5: 33acc8d3730de483c8bfc4d5025131e6
SHA1: 115a7b632c0d6d236fd5313f5f3a4e32d6cfd1da
SHA256: 0ca8c23ee5b7bd980233b98b04e23ff6a7d0379c8abafc320ff4af91586877e8
SHA512: fefee9b6aa74e56cb5d120e7e76e05873eb16b0897b7b12be5e06cd00a75ea2da1a6d8b52ca64053c6b57582096cf3fbe461454220b988f977b18df4cb4537a2
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes: MediaCenter.exe
pid | process
2464 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes: 0ca8c23ee5b7bd980233b98b04e23ff6a7d0379c8abafc320ff4af91586877e8.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0ca8c23ee5b7bd980233b98b04e23ff6a7d0379c8abafc320ff4af91586877e8.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 0ca8c23ee5b7bd980233b98b04e23ff6a7d0379c8abafc320ff4af91586877e8.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0ca8c23ee5b7bd980233b98b04e23ff6a7d0379c8abafc320ff4af91586877e8.exe
Drops file in Windows directory (8 IoCs)
Processes: TiWorker.exe, svchost.exe
description | ioc | process
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: svchost.exe, TiWorker.exe, 0ca8c23ee5b7bd980233b98b04e23ff6a7d0379c8abafc320ff4af91586877e8.exe
Distinct token adjustments (each recorded repeatedly across the 64 events):
description | pid | process
Token: SeShutdownPrivilege | 2508 | svchost.exe
Token: SeCreatePagefilePrivilege | 2508 | svchost.exe
Token: SeSecurityPrivilege | 392 | TiWorker.exe
Token: SeRestorePrivilege | 392 | TiWorker.exe
Token: SeBackupPrivilege | 392 | TiWorker.exe
Token: SeIncBasePriorityPrivilege | 4328 | 0ca8c23ee5b7bd980233b98b04e23ff6a7d0379c8abafc320ff4af91586877e8.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 0ca8c23ee5b7bd980233b98b04e23ff6a7d0379c8abafc320ff4af91586877e8.exe, cmd.exe
description | pid | process | target process
PID 4328 wrote to memory of 2464 | 4328 | 0ca8c23ee5b7bd980233b98b04e23ff6a7d0379c8abafc320ff4af91586877e8.exe | MediaCenter.exe
PID 4328 wrote to memory of 2464 | 4328 | 0ca8c23ee5b7bd980233b98b04e23ff6a7d0379c8abafc320ff4af91586877e8.exe | MediaCenter.exe
PID 4328 wrote to memory of 2464 | 4328 | 0ca8c23ee5b7bd980233b98b04e23ff6a7d0379c8abafc320ff4af91586877e8.exe | MediaCenter.exe
PID 4328 wrote to memory of 2060 | 4328 | 0ca8c23ee5b7bd980233b98b04e23ff6a7d0379c8abafc320ff4af91586877e8.exe | cmd.exe
PID 4328 wrote to memory of 2060 | 4328 | 0ca8c23ee5b7bd980233b98b04e23ff6a7d0379c8abafc320ff4af91586877e8.exe | cmd.exe
PID 4328 wrote to memory of 2060 | 4328 | 0ca8c23ee5b7bd980233b98b04e23ff6a7d0379c8abafc320ff4af91586877e8.exe | cmd.exe
PID 2060 wrote to memory of 1708 | 2060 | cmd.exe | PING.EXE
PID 2060 wrote to memory of 1708 | 2060 | cmd.exe | PING.EXE
PID 2060 wrote to memory of 1708 | 2060 | cmd.exe | PING.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\0ca8c23ee5b7bd980233b98b04e23ff6a7d0379c8abafc320ff4af91586877e8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0ca8c23ee5b7bd980233b98b04e23ff6a7d0379c8abafc320ff4af91586877e8.exe"
   PID: 4328
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 2464
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ca8c23ee5b7bd980233b98b04e23ff6a7d0379c8abafc320ff4af91586877e8.exe"
      PID: 2060
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1708
         - Runs ping.exe

1. C:\Windows\system32\svchost.exe
   Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
   PID: 2508
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken

1. C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
   Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
   PID: 392
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 53524196e13ea8927bd7db5258d840c0
SHA1: 33f781466943360a27d1315d5097b15521d8e34f
SHA256: 0bd891862bd7bcc2a066a069ca8e1720d32af95253079b5734be2b962e4c2a7c
SHA512: 556d14868a277b030078295e247a3e23af83319ebffbe7208199d2b07db4be4107bd2bc7a5936befe50a75941de1c9e8cc9d4803b526b1286678a80e42a26350