Analysis

max time kernel: 148s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 07:47
Static task: static1

Behavioral task: behavioral1
  Sample: 0ca1fae95a727150c16146f3f82e808d2a9e94e5ca55d8b0a2b2c269e86fbf8b.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 0ca1fae95a727150c16146f3f82e808d2a9e94e5ca55d8b0a2b2c269e86fbf8b.exe
  Resource: win10v2004-en-20220113
General

Target: 0ca1fae95a727150c16146f3f82e808d2a9e94e5ca55d8b0a2b2c269e86fbf8b.exe
Size: 60KB
MD5: cc9e4097f1ae44d9319d975ae6f14781
SHA1: 100ee70c558afa90f8dd4e4b05d76d12fcfad6e8
SHA256: 0ca1fae95a727150c16146f3f82e808d2a9e94e5ca55d8b0a2b2c269e86fbf8b
SHA512: 55dd1ef0477b440583ff9bb0fcdcff9573fb446c948dbd4d05be6eb6eb4c74b4c4707e8fbcf04f077bc8ac927de901b85e88fdd62465f4fee4ba98a0ec47b77d
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  1340  MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check (the value is HKCU\Control Panel\International\Geo\Nation, i.e. the user's configured location, not a network-derived one).
Processes:
  description        ioc                                                                                                       process
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation      0ca1fae95a727150c16146f3f82e808d2a9e94e5ca55d8b0a2b2c269e86fbf8b.exe
Adds Run key to start application (2 TTPs, 1 IoC)
The value is written under WOW6432Node, i.e. the 32-bit view of HKLM\Software\Microsoft\Windows\CurrentVersion\Run, so the sample is a 32-bit process on x64 (consistent with cmd.exe and PING.EXE running from SysWOW64 below). A check that only reads the 64-bit Run key will miss it; the target is a dropped file in the user's Temp directory.
Processes:
  description      ioc                                                                                                                                                        process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0ca1fae95a727150c16146f3f82e808d2a9e94e5ca55d8b0a2b2c269e86fbf8b.exe
Drops file in Windows directory (8 IoCs)
All eight events come from svchost.exe (wuauserv) and TiWorker.exe, neither of which is in the sample's process tree; the paths are Windows Update and CBS servicing logs and the update datastore. This is sandbox background activity, not sample behaviour.
Processes:
  description                   ioc                                                        process
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log        svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log                                TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml                              TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log                               svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk     svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log     svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb    svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm    svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour, but no IoC rows are listed for this sample, so treat it as weak evidence on its own.

Runs ping.exe (1 TTP, 1 IoC)
The IoC is PING.EXE (PID 4016) spawned by cmd.exe in the process tree below; here ping 127.0.0.1 serves as a delay before the sample deletes its own file.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
All 64 token adjustments belong to svchost.exe (wuauserv) and TiWorker.exe, not to the sample or its children; these are the privileges the Windows Update and servicing stack normally enable.
Processes:
  description                                    pid   process
  Token: SeShutdownPrivilege (3 times)           3452  svchost.exe
  Token: SeCreatePagefilePrivilege (3 times)     3452  svchost.exe
  Token: SeSecurityPrivilege / SeRestorePrivilege / SeBackupPrivilege, repeated (58 entries)  1088  TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                        pid   process                                                                 target process
  PID 4856 wrote to memory of 1340   4856  0ca1fae95a727150c16146f3f82e808d2a9e94e5ca55d8b0a2b2c269e86fbf8b.exe  MediaCenter.exe  (3 times)
  PID 4856 wrote to memory of 3460   4856  0ca1fae95a727150c16146f3f82e808d2a9e94e5ca55d8b0a2b2c269e86fbf8b.exe  cmd.exe          (3 times)
  PID 3460 wrote to memory of 4016   3460  cmd.exe                                                                 PING.EXE         (3 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\0ca1fae95a727150c16146f3f82e808d2a9e94e5ca55d8b0a2b2c269e86fbf8b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0ca1fae95a727150c16146f3f82e808d2a9e94e5ca55d8b0a2b2c269e86fbf8b.exe"
   PID: 4856
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1340
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ca1fae95a727150c16146f3f82e808d2a9e94e5ca55d8b0a2b2c269e86fbf8b.exe"
      PID: 3460
      - Suspicious use of WriteProcessMemory
      (The command line names System32 but the image runs from SysWOW64: file-system redirection for a 32-bit parent. The "ping 127.0.0.1 & del /q <own path>" chain is the common self-delete pattern, with ping used as a sleep until the parent has exited.)

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 4016
         - Runs ping.exe

1. C:\Windows\system32\svchost.exe
   Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
   PID: 3452
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken

1. C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
   Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
   PID: 1088
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
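The three sample-attributed behaviours in this report (Run-key persistence into a user-writable directory, the Geo\Nation lookup, and the cmd.exe/ping/del self-delete chain) are easy to state as detection logic. The script below is an added example, not part of the sandbox report or the sample: it runs over constructed process and registry events modelled on the tables above, separates the sample's process tree from the unrelated svchost.exe/TiWorker.exe noise, and returns one finding per behaviour. The event tuples, function names and the finding dictionaries are this example's own conventions, not a sandbox or SIEM schema.

```python
"""Detection logic for the behaviours in this report, run over constructed
events (modelled on the signature tables above; not sandbox output)."""
import re
from typing import Dict, List, Optional, Set, Tuple

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0ca1fae95a727150c16146f3f82e808d2a9e94e5ca55d8b0a2b2c269e86fbf8b.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
TIWORKER = (r"C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35"
            r"_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe")

# Constructed events: (pid, ppid, image path, command line); ppid None = no parent in trace
PROCESSES: List[Tuple[int, Optional[int], str, str]] = [
    (4856, None, SAMPLE, f'"{SAMPLE}"'),
    (1340, 4856, DROPPED, DROPPED),
    (3460, 4856, r"C:\Windows\SysWOW64\cmd.exe",
     f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    (4016, 3460, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    (3452, None, r"C:\Windows\system32\svchost.exe",
     r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"),
    (1088, None, TIWORKER, f"{TIWORKER} -Embedding"),
]

# Constructed registry events: (pid, operation, key\value path, data)
REGISTRY: List[Tuple[int, str, str, Optional[str]]] = [
    (4856, "QueryValue",
     r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000"
     r"\Control Panel\International\Geo\Nation", None),
    (4856, "SetValue",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     DROPPED),
]

# Run key in either the native or the WOW6432Node (32-bit) view of the hive
RUN_KEY = re.compile(
    r"\\(?P<wow>WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# "del [/switches] <path>", path optionally quoted, terminated by & or end of line
DEL_TARGET = re.compile(r'\bdel\b(?:\s+/\w+)*\s+"?([^"&]+?)"?\s*(?:&|$)', re.I)


def sample_descendants(processes, root: int) -> Set[int]:
    """PIDs that descend from the sample; anything else in the trace is background noise."""
    children: Dict[int, List[int]] = {}
    for pid, ppid, _, _ in processes:
        if ppid is not None:
            children.setdefault(ppid, []).append(pid)
    seen, stack = set(), [root]
    while stack:
        pid = stack.pop()
        if pid not in seen:
            seen.add(pid)
            stack.extend(children.get(pid, []))
    return seen


def find_run_key_persistence(registry) -> List[dict]:
    """Run-key values whose target lives under a user's AppData (user-writable) path."""
    hits = []
    for pid, op, path, data in registry:
        m = RUN_KEY.search(path)
        if op == "SetValue" and m and data and USER_WRITABLE.search(data):
            hits.append({"pid": pid, "name": m.group("name"),
                         "wow64_view": bool(m.group("wow")), "target": data})
    return hits


def find_geofence_lookup(registry) -> List[int]:
    """PIDs that read the configured country code (HKCU\\Control Panel\\International\\Geo\\Nation)."""
    return [pid for pid, op, path, _ in registry
            if op == "QueryValue" and GEO_NATION.search(path)]


def find_self_delete(processes) -> List[dict]:
    """cmd.exe children whose 'del' target is their parent's own image, usually after a ping delay."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in processes}
    hits = []
    for pid, (ppid, image, cmd) in by_pid.items():
        if not image.lower().endswith("\\cmd.exe") or ppid not in by_pid:
            continue
        m = DEL_TARGET.search(cmd)
        if m and m.group(1).strip().lower() == by_pid[ppid][1].lower():
            hits.append({"pid": pid, "parent": ppid, "target": by_pid[ppid][1],
                         "ping_delay": bool(re.search(r"\bping\b", cmd, re.I))})
    return hits


def triage(processes, registry, sample_pid: int) -> dict:
    """Sample-attributed findings, with PIDs outside the sample's tree listed as unrelated."""
    tree = sample_descendants(processes, sample_pid)
    return {
        "persistence": find_run_key_persistence(registry),
        "geofence_pids": find_geofence_lookup(registry),
        "self_delete": find_self_delete(processes),
        "sample_tree": sorted(tree),
        "unrelated_pids": sorted(pid for pid, *_ in processes if pid not in tree),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(PROCESSES, REGISTRY, 4856), indent=2))
```

Run against the constructed events, the triage reports PIDs 4856, 1340, 3460 and 4016 as the sample's tree and 3452/1088 as unrelated, one Run-key hit named MicroMedia in the WOW64 view, the geofence lookup by 4856, and cmd.exe 3460 deleting its parent's image behind a ping delay. The self-delete check compares the `del` target against the parent's recorded image path rather than pattern-matching on "ping" alone, which keeps ordinary `ping & del` cleanup scripts out of the results.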
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: 69dcdf2bbfca85491c02788abe77b6c9
SHA1: 955a9e80d381025f81a88944669e64719f1e11c6
SHA256: a6f2725558e3e834ab21fe6b281649db758005c41bdf41006410843d2fc0c44d
SHA512: d523b796faed733c402b1305ad130c9939972090ebdbe186af52564e1076fe657530535edca7b7b27dd5f5d09008b2fcfb066ccfe7248b7b001900e71de8dd17