Analysis
- max time kernel: 147s
- max time network: 166s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 03:36

Static task: static1

Behavioral task: behavioral1
- Sample: 173870c436ec833d06af153e9ad054fbaed6b2a7c096972e9b992de09b826950.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 173870c436ec833d06af153e9ad054fbaed6b2a7c096972e9b992de09b826950.exe
- Resource: win10v2004-en-20220112

The signatures and process tree reproduced on this page come from the windows10-2004_x64 run (behavioral2, resource win10v2004-en-20220112); the win7 run is not shown here.
General
- Target: 173870c436ec833d06af153e9ad054fbaed6b2a7c096972e9b992de09b826950.exe
- Size: 60KB
- MD5: 99ec4574c74cf455f584bf0ea6f81c78
- SHA1: b8e894d3818ce77e6707a4859b07947ee4bbe72a
- SHA256: 173870c436ec833d06af153e9ad054fbaed6b2a7c096972e9b992de09b826950
- SHA512: 66d044c48545379be71795da7c4f10da6c1c4be61de9941379b4f61166316013b8d512e897aff1cfe02f359c7d40f2d633a83f9459047fb15d71f25e1433593b
Malware Config
Signatures

Executes dropped EXE (1 IoC)
- Process: MediaCenter.exe (PID 3892)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation
  Process: 173870c436ec833d06af153e9ad054fbaed6b2a7c096972e9b992de09b826950.exe

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  Process: 173870c436ec833d06af153e9ad054fbaed6b2a7c096972e9b992de09b826950.exe
This is a machine-wide (HKLM) Run value, so the sample had administrative rights in the sandbox (it ran as the Admin user). The value landed under WOW6432Node because a 32-bit process writing HKLM\SOFTWARE is redirected there by the registry redirector; on the host, look for it at HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia, not under the native Run key. The registered binary lives in the user's Temp directory, which is itself a useful hunting criterion.
Drops file in Windows directory (3 IoCs)
- File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat (svchost.exe)
- File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
- File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
All three writes come from Windows servicing (TiWorker.exe) and Delivery Optimization (svchost.exe), not from the sample or its child processes.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
No process or IoC is recorded for this signature in this run, so the page does not attribute it to a specific process; treat the "ransomware" wording as the signature's generic description rather than a finding about this sample.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (MusNotifyIcon.exe)
- Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (MusNotifyIcon.exe)
Both reads are by MusNotifyIcon.exe, the Windows Update tray-notification component, not by the sample.
Modifies data under HKEY_USERS (51 IoCs)
All 51 entries are written by svchost.exe (PID 3800, the "-k NetworkService -p" service host running Delivery Optimization) under the NETWORK SERVICE hive \REGISTRY\USER\S-1-5-20; none are by the sample. Every path below is relative to \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization, listed in the order the report gives them.
- Set value (int) Usage\NormalDownloadCount = "0"
- Set value (int) Usage\MemoryUsageKB = "3952"
- Set value (int) Usage\CDNConnectionCount = "0"
- Set value (int) Usage\LANConnectionCount = "0"
- Set value (int) Usage\InternetConnectionCount = "0"
- Set value (int) Config\DownloadMode_BackCompat = "1"
- Set value (int) Usage\DownloadMonthlyLanBytes = "0"
- Set value (int) Usage\DownloadMonthlyRateFrBps = "0"
- Set value (int) Usage\DownloadMonthlyRateFrCnt = "0"
- Set value (str) Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
- Set value (int) Usage\PriorityDownloadPendingCount = "0"
- Set value (int) Usage\NormalDownloadPendingCount = "0"
- Key created: Settings
- Set value (int) Usage\DownloadMonthlyInternetBytes = "0"
- Set value (int) Usage\LinkLocalConnectionCount = "0"
- Set value (int) Usage\SwarmCount = "0"
- Set value (int) Usage\FrDownloadRatePct = "90"
- Set value (int) Usage\BkDownloadRatePct = "45"
- Set value (str) Usage\CPUpct = "0.006736"
- Set value (int) Usage\DownloadMonthlyGroupBytes = "0"
- Set value (int) Usage\DownloadMonthlyRateBkBps = "0"
- Set value (int) Config\KVFileExpirationTime = "132892869982243773"
- Set value (int) Usage\PeerInfoCount = "0"
- Set value (int) Usage\DownlinkBps = "0"
- Key created: (DeliveryOptimization root key)
- Set value (int) Usage\DownloadMonthlyLinkLocalBytes = "0"
- Set value (int) Usage\UplinkBps = "0"
- Set value (int) Usage\CacheSizeBytes = "0"
- Set value (int) Usage\DownlinkUsageBps = "0"
- Set value (int) Usage\PriorityDownloadCount = "0"
- Key created: Config
- Set value (int) Config\DODownloadMode = "1"
- Key created: Usage
- Set value (int) Usage\UploadMonthlyLanBytes = "0"
- Set value (str) Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
- Set value (str) Usage\CPUpct = "1.948055"
- Set value (str) Usage\CPUpct = "7.812228"
- Set value (str) Usage\CPUpct = "0.000000"
- Set value (int) Usage\DownloadMonthlyCdnBytes = "0"
- Set value (int) Usage\DownloadMonthlyRateBkCnt = "0"
- Set value (int) Usage\UplinkUsageBps = "0"
- Set value (int) Usage\UploadRatePct = "100"
- Set value (int) Usage\MonthlyUploadRestriction = "0"
- Set value (int) Usage\UploadCount = "0"
- Set value (int) Usage\MemoryUsageKB = "4192"
- Set value (int) Usage\MemoryUsageKB = "4408"
- Set value (int) Usage\UploadMonthlyInternetBytes = "0"
- Set value (int) Usage\DownloadMonthlyCacheHostBytes = "0"
- Set value (int) Usage\MonthID = "2"
- Set value (int) Usage\SwarmCount = "1"
- Set value (int) Usage\GroupConnectionCount = "0"
Runs ping.exe (1 TTP, 1 IoC)
No IoC row is rendered for this signature, but the process tree records the matching process: PING.EXE (PID 2792), started by cmd.exe (PID 3344) with the argument "ping 127.0.0.1". The loopback ping is not network reconnaissance; it is a one-second-or-so delay before the "del /q" in the same command line removes the original sample file once the parent has exited and released its lock.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- 173870c436ec833d06af153e9ad054fbaed6b2a7c096972e9b992de09b826950.exe (PID 3796): SeIncBasePriorityPrivilege (1 entry)
- TiWorker.exe (PID 1832): SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, enabled repeatedly in rotation (the remaining 63 entries)
Only the single SeIncBasePriorityPrivilege adjustment belongs to the sample. TiWorker.exe is the Windows Modules Installer worker, and its backup/restore/security privilege use is normal servicing activity that happened to overlap with the run.
Suspicious use of WriteProcessMemory (9 IoCs)
- PID 3796 (173870c436ec833d06af153e9ad054fbaed6b2a7c096972e9b992de09b826950.exe) wrote to memory of PID 3892 (MediaCenter.exe): 3 entries
- PID 3796 (173870c436ec833d06af153e9ad054fbaed6b2a7c096972e9b992de09b826950.exe) wrote to memory of PID 3344 (cmd.exe): 3 entries
- PID 3344 (cmd.exe) wrote to memory of PID 2792 (PING.EXE): 3 entries
Every target is a child the writer itself created, and each group of three coincides with that child's creation in the process tree. That is the pattern a parent produces when it spawns a process (CreateProcess writes into the new address space); there is no write into an unrelated, already-running process here, so this signature is not evidence of injection on its own.
Processes

1. C:\Users\Admin\AppData\Local\Temp\173870c436ec833d06af153e9ad054fbaed6b2a7c096972e9b992de09b826950.exe (PID 3796)
   Command line: "C:\Users\Admin\AppData\Local\Temp\173870c436ec833d06af153e9ad054fbaed6b2a7c096972e9b992de09b826950.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 3892)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe (PID 3344)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\173870c436ec833d06af153e9ad054fbaed6b2a7c096972e9b992de09b826950.exe"
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE (PID 2792)
         Command line: ping 127.0.0.1
         - Runs ping.exe

1. C:\Windows\System32\svchost.exe (PID 3800)
   Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
   - Drops file in Windows directory
   - Modifies data under HKEY_USERS

1. C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 1832)
   Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken

1. C:\Windows\system32\MusNotifyIcon.exe (PID 3436)
   Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
   - Checks processor information in registry

Reading the tree: only the first root (PID 3796 and its descendants) is the sample's activity. It is a 32-bit executable, which is why the cmd.exe it asks for as C:\Windows\System32\cmd.exe resolves to C:\Windows\SysWOW64\cmd.exe under file-system redirection and why its Run value lands under WOW6432Node. The chain is dropper (3796) -> payload in Temp (MediaCenter.exe, 3892, also registered in the Run key) -> cmd.exe (3344) -> ping (2792), with the cmd.exe step deleting the original dropper after the loopback ping delay. The svchost.exe, TiWorker.exe and MusNotifyIcon.exe roots are background Windows Update and servicing activity that the sandbox captured in the same window.
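The chain above (Run value pointing into the user's Temp directory, the dropper launching that same file, then cmd.exe deleting the dropper after a loopback ping) is what a detection should key on. The following is an added example, not code from the sandbox, from this report, or from the sample's author: it encodes those three checks and runs them over event records constructed from this page's process tree and Run-key IoC. The field names (type, pid, ppid, image, command_line, key, value) are an assumed Sysmon-like schema rather than any real log format, and the parent PIDs of the root processes are placeholders because the page does not give them.

```python
"""Detection checks for the dropper / persistence / self-delete chain.

Added example, not code from the sandbox or the sample.  Event records are
constructed from the report's process tree and Run-key IoC; the schema is an
assumption (Sysmon-like), not a real log format.
"""
import ntpath
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\173870c436ec833d06af153e9ad054fbaed6b2a7c096972e9b992de09b826950.exe")
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events mirroring the report. ppid 1000 / 700 are placeholders:
# the page does not name the parents of the root processes.
EVENTS = [
    {"type": "process", "pid": 3796, "ppid": 1000, "image": SAMPLE,
     "command_line": '"' + SAMPLE + '"'},
    {"type": "registry_set", "pid": 3796, "image": SAMPLE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
            r"\CurrentVersion\Run\MicroMedia",
     "value": PAYLOAD},
    {"type": "process", "pid": 3892, "ppid": 3796, "image": PAYLOAD,
     "command_line": PAYLOAD},
    {"type": "process", "pid": 3344, "ppid": 3796,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "'
                     + SAMPLE + '"'},
    {"type": "process", "pid": 2792, "ppid": 3344,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "command_line": "ping 127.0.0.1"},
    # Background noise from the same run; must not trigger anything.
    {"type": "process", "pid": 3800, "ppid": 700,
     "image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"C:\Windows\System32\svchost.exe -k NetworkService -p"},
]

# "ping <loopback> & del [/switches] <path>": the loopback ping is only a delay
# so that the file being deleted is no longer locked by the exiting parent.
SELF_DELETE_RE = re.compile(
    r'ping\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost)\b.*?&+\s*del\s+'
    r'(?:/\w+\s+)*"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)


def norm(path: str) -> str:
    """Case-fold and normalise a Windows path (ntpath works on any host OS)."""
    return ntpath.normcase(path.strip().strip('"'))


def under_user_temp(path: str) -> bool:
    """True for anything under <profile>\\AppData\\Local\\Temp\\."""
    return "\\appdata\\local\\temp\\" in norm(path)


def analyse(events):
    """Return (rule, pid) findings for the dropper/persistence/self-delete chain."""
    findings = []
    procs = {e["pid"]: e for e in events if e["type"] == "process"}

    # Pass 1: Run-key registrations, keyed by the registered image path.
    run_targets = {}
    for e in events:
        if e["type"] == "registry_set" and RUN_KEY_RE.search(e["key"]):
            target = norm(e["value"])
            run_targets[target] = e["pid"]
            if under_user_temp(target):
                findings.append(("run_key_points_into_user_temp", e["pid"]))

    # Pass 2: process creations (order-independent thanks to pass 1).
    for e in events:
        if e["type"] != "process":
            continue
        image = norm(e["image"])
        parent = procs.get(e["ppid"])

        # The process that registered the Run value also launched that file.
        if run_targets.get(image) == e["ppid"]:
            findings.append(("dropper_launched_its_own_run_key_target", e["pid"]))

        # cmd.exe deleting exactly its parent's image after a loopback ping:
        # the finding is attributed to the parent, i.e. the self-deleting dropper.
        m = SELF_DELETE_RE.search(e["command_line"])
        if m and ntpath.basename(image) == "cmd.exe" and parent is not None:
            if norm(m["target"]) == norm(parent["image"]):
                findings.append(("self_delete_via_ping_and_del", e["ppid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in analyse(EVENTS):
        print(f"{rule}: pid {pid}")
```

The self-delete rule compares the deleted path against the parent's image rather than just matching "ping & del", which is what keeps it quiet on legitimate uninstallers and scripts that delete other files; the Run-key rule fires only when the registered binary lives under the user's Temp directory, and the third rule ties persistence to execution by requiring that the process which wrote the Run value is also the parent of the process running that file.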
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 7011b507f0ecde4c79fac5ceea13473f
- SHA1: aa6bfcf72e0d484380e1ce12592cc34dcb8122f1
- SHA256: a4092357a168ad556e2dcaad3089a355f46de67a52560f85c692022b0aae4b1b
- SHA512: 5ef0f06f072d154f11f374a49209c8dacaadf17a7ad214e4ecfbdb9184a4d53f1bb82142a20976884049a22751cc9729b9c12b202fa72399f9ce45ca1dab15b1
One downloadable artefact is listed; its hashes differ from the submitted sample's, and its filename is not recorded on this page.