Analysis
- max time kernel: 161s
- max time network: 177s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 02:58
- Static task: static1
- Behavioral task: behavioral1, sample 18e723d7990c3e4db6e8376064f7bff494754ace03f104c58a0ca18f83ac252d.exe, resource win7-en-20211208
- Behavioral task: behavioral2, sample 18e723d7990c3e4db6e8376064f7bff494754ace03f104c58a0ca18f83ac252d.exe, resource win10v2004-en-20220112
The platform and resource listed above, and every result that follows, belong to behavioral2 (the Windows 10 2004 x64 run); the Windows 7 run is not included on this page.
General
- Target: 18e723d7990c3e4db6e8376064f7bff494754ace03f104c58a0ca18f83ac252d.exe
- Size: 58KB
- MD5: fd9dc5b8fa418f96c34d31639851ed29
- SHA1: 1375a117559a9e6c8db10555f77c43f0501d8837
- SHA256: 18e723d7990c3e4db6e8376064f7bff494754ace03f104c58a0ca18f83ac252d
- SHA512: 834331b80daaa3fea4a66eade9c020d754a1923cc8c8164422c44d7a77302a295b52dcd931ba19f76f9e73f92358e4c4f1f293e489bb8fd700f7f0db091142df
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 1648)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation (by 18e723d7990c3e4db6e8376064f7bff494754ace03f104c58a0ca18f83ac252d.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (by 18e723d7990c3e4db6e8376064f7bff494754ace03f104c58a0ca18f83ac252d.exe)
  The key lands under WOW6432Node because the sample is a 32-bit image running under WOW64 on this x64 VM (its cmd.exe child also executes from SysWOW64; see Processes). The value points at the dropped copy in the user's Temp directory, not at the original file, which the sample deletes after launching the copy. Setting a value under HKLM\SOFTWARE needs write access a standard-user token lacks; it succeeded in this run, where the sample executes as the sandbox's Admin user.
- Drops file in Windows directory (3 IoCs)
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat (svchost.exe)
  File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  All three writes come from Windows components (the Delivery Optimization service host and the Windows Modules Installer worker), not from the sample or its children; treat this signature as background servicing activity of the VM.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The signature text calls this likely ransomware behaviour, but the report records no process or IoC for it, so from this page it cannot be tied to the sample.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read to detect sandbox environments.
  Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (MusNotifyIcon.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (MusNotifyIcon.exe)
  Both reads come from MusNotifyIcon.exe, the Windows Update notification component (PID 1364 in Processes), not from the sample; they are not evidence of sandbox evasion by the sample.
- Modifies data under HKEY_USERS (52 IoCs)
  Every entry is written by svchost.exe (PID 1416, the NetworkService host) under \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\. S-1-5-20 is the NETWORK SERVICE account's own hive, so this is the Delivery Optimization service updating its state, not the sample touching another user's profile. Paths below are relative to that key.
  Set value (int) Usage\MonthID = "2"
  Set value (int) Usage\CacheSizeBytes = "0"
  Set value (int) Usage\MemoryUsageKB = "4156"
  Set value (str) Usage\CPUpct = "0.006606"
  Set value (int) Config\DODownloadMode = "1"
  Set value (int) Usage\DownloadMonthlyInternetBytes = "0"
  Set value (int) Usage\DownloadMonthlyGroupBytes = "0"
  Set value (int) Usage\DownloadMonthlyRateBkBps = "0"
  Set value (int) Usage\LANConnectionCount = "0"
  Set value (int) Usage\UplinkBps = "0"
  Set value (int) Usage\MonthlyUploadRestriction = "0"
  Set value (int) Usage\PriorityDownloadCount = "0"
  Key created Settings
  Set value (int) Usage\DownloadMonthlyCdnBytes = "0"
  Set value (int) Usage\NormalDownloadPendingCount = "0"
  Set value (str) Usage\CPUpct = "6.248968"
  Set value (str) Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
  Set value (int) Usage\DownlinkBps = "0"
  Set value (int) Usage\UploadRatePct = "100"
  Set value (int) Usage\PriorityDownloadPendingCount = "0"
  Set value (int) Usage\MemoryUsageKB = "4088"
  Key created (the DeliveryOptimization key itself)
  Set value (int) Config\KVFileExpirationTime = "132892847836273617"
  Set value (int) Usage\DownloadMonthlyLinkLocalBytes = "0"
  Set value (int) Usage\InternetConnectionCount = "0"
  Set value (int) Usage\NormalDownloadCount = "0"
  Set value (int) Usage\MemoryUsageKB = "4352"
  Set value (str) Usage\CPUpct = "0.000000"
  Set value (int) Usage\UploadMonthlyLanBytes = "0"
  Set value (int) Usage\DownloadMonthlyLanBytes = "0"
  Set value (int) Usage\SwarmCount = "1"
  Set value (int) Usage\PeerInfoCount = "0"
  Set value (int) Usage\GroupConnectionCount = "0"
  Set value (int) Usage\BkDownloadRatePct = "45"
  Set value (str) Usage\CPUpct = "3.465387"
  Set value (int) Usage\DownloadMonthlyRateBkCnt = "0"
  Set value (str) Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
  Set value (int) Usage\DownloadMonthlyRateFrBps = "0"
  Set value (int) Usage\LinkLocalConnectionCount = "0"
  Set value (int) Usage\SwarmCount = "0"
  Key created Config
  Set value (int) Config\DownloadMode_BackCompat = "1"
  Set value (int) Usage\CDNConnectionCount = "0"
  Set value (int) Usage\FrDownloadRatePct = "90"
  Set value (int) Usage\UploadMonthlyInternetBytes = "0"
  Set value (int) Usage\DownloadMonthlyCacheHostBytes = "0"
  Set value (int) Usage\DownlinkUsageBps = "0"
  Set value (int) Usage\UplinkUsageBps = "0"
  Set value (int) Usage\UploadCount = "0"
  Set value (int) Usage\MemoryUsageKB = "4368"
  Key created Usage
  Set value (int) Usage\DownloadMonthlyRateFrCnt = "0"
- Runs ping.exe (1 TTP, 1 IoC)
  PING.EXE (PID 3216) is launched by the sample's cmd.exe child as "ping 127.0.0.1". Pinging loopback is used here only as a short delay, so that the parent sample has exited before the following del command removes its file (see Processes).
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeIncBasePriorityPrivilege, PID 2556, 18e723d7990c3e4db6e8376064f7bff494754ace03f104c58a0ca18f83ac252d.exe (the only entry attributable to the sample)
  Token: SeSecurityPrivilege / SeRestorePrivilege / SeBackupPrivilege, PID 2196, TiWorker.exe (every other entry; the three privileges are enabled in a repeating cycle)
  TiWorker.exe is the Windows Modules Installer worker, and backup, restore and security privileges are what it needs to service the component store, so those entries are VM background activity. The sample itself enables only SeIncBasePriorityPrivilege, which is needed to raise another process's base priority and is a weak indicator on its own.
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2556 (18e723d7990c3e4db6e8376064f7bff494754ace03f104c58a0ca18f83ac252d.exe) wrote to memory of PID 1648 (MediaCenter.exe), 3 times
  PID 2556 (18e723d7990c3e4db6e8376064f7bff494754ace03f104c58a0ca18f83ac252d.exe) wrote to memory of PID 3640 (cmd.exe), 3 times
  PID 3640 (cmd.exe) wrote to memory of PID 3216 (PING.EXE), 3 times
  Each target is the writer's own freshly created child (see Processes), and every parent/child pair shows the same three writes, which is consistent with the writes a parent makes into a child it is starting. No write into an unrelated or pre-existing process is recorded, so this page gives no evidence of code injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\18e723d7990c3e4db6e8376064f7bff494754ace03f104c58a0ca18f83ac252d.exe (PID 2556)
  Command line: "C:\Users\Admin\AppData\Local\Temp\18e723d7990c3e4db6e8376064f7bff494754ace03f104c58a0ca18f83ac252d.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1648)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 3640)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18e723d7990c3e4db6e8376064f7bff494754ace03f104c58a0ca18f83ac252d.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 3216)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
- C:\Windows\system32\MusNotifyIcon.exe (PID 1364)
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  Signatures: Checks processor information in registry
- C:\Windows\System32\svchost.exe (PID 1416)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  Signatures: Drops file in Windows directory; Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 2196)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Only the first tree descends from the submitted sample; MusNotifyIcon.exe, svchost.exe and TiWorker.exe are Windows Update and servicing components that happened to run during the capture window. The cmd.exe command line names System32 while the image actually executed is the SysWOW64 copy: file-system redirection applies to 32-bit processes, which confirms the sample is 32-bit. The chain "ping 127.0.0.1 & del /q <sample path>" is the common self-deletion idiom: ping supplies a few seconds of delay so the parent has exited before del runs, leaving only the MediaCenter.exe copy that is registered in the Run key. Note that cmd.exe is launched by the sample (PID 2556), not by the dropped copy, so on a live host the sample's original path is gone within seconds of first execution and the Temp\MicroMedia copy plus the Run value are the artefacts to look for.
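The behaviours above that are attributable to the sample (a Run value pointing into the user's Temp directory, the cmd.exe ping-then-del self-deletion, and the Geo\Nation lookup) are easy to turn into host-telemetry detections. The following Python is an added example written for this page, not code from Hatching Triage or from the sample. The event records are constructed to mirror the report's process tree and registry IoCs; the field names are an assumed Sysmon-like shape rather than a real log format, and the parent of the sample's own process, which the page does not show, is left as None. The self-deletion rule is written generally: it also accepts timeout or choice as the delay command and unquoted paths, not only the exact command line above.

```python
import re
from dataclasses import dataclass

# Paths taken from the report.
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "18e723d7990c3e4db6e8376064f7bff494754ace03f104c58a0ca18f83ac252d.exe")
DROPPED = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"

# Constructed telemetry (assumed Sysmon-like field names, not a real log format)
# modelled on the report's process tree and registry IoCs. The sample's parent PID
# is not on the page, so it is None. The last record is the Delivery Optimization
# write by svchost.exe, kept as a benign control that the rules must ignore.
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 2556, "ppid": None, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"event": "process_create", "pid": 1648, "ppid": 2556, "image": DROPPED,
     "cmdline": DROPPED},
    {"event": "process_create", "pid": 3640, "ppid": 2556,
     "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"event": "process_create", "pid": 3216, "ppid": 3640,
     "image": "C:\\Windows\\SysWOW64\\PING.EXE", "cmdline": "ping 127.0.0.1"},
    {"event": "registry_set", "pid": 2556, "image": SAMPLE,
     "key": "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\MicroMedia",
     "value": DROPPED},
    {"event": "registry_query", "pid": 2556, "image": SAMPLE,
     "key": "\\REGISTRY\\USER\\S-1-5-21-790714498-1549421491-1643397139-1000\\Control Panel\\International\\Geo\\Nation"},
    {"event": "registry_set", "pid": 1416, "image": "C:\\Windows\\System32\\svchost.exe",
     "key": "\\REGISTRY\\USER\\S-1-5-20\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DeliveryOptimization\\Usage\\MonthID",
     "value": "2"},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str  # ATT&CK technique ID
    pid: int
    detail: str


# Matches HKLM/HKCU Run and RunOnce with or without the WOW6432Node prefix.
RUN_KEY_RE = re.compile(r"\\currentversion\\run(?:once)?\\", re.I)
# Directories a standard user can write to; a Run entry pointing here is far
# more suspicious than one pointing into Program Files.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\",
                 "c:\\users\\public\\", "c:\\programdata\\")
DELAY_RE = re.compile(r"\b(?:ping|timeout|choice)\b", re.I)
# "del", optional /x switches, then a quoted or unquoted path up to '&' or end.
DEL_RE = re.compile(r'\bdel\b(?:\s+/[a-z])*\s+"?([^"&]+?)"?\s*(?:&|$)', re.I)


def _norm(path: str) -> str:
    return path.replace("/", "\\").strip().strip('"').lower()


def detect(events):
    """Run the three rules over a list of event dicts; return Findings in event order."""
    procs = {e["pid"]: e for e in events if e["event"] == "process_create"}
    findings = []
    for e in events:
        kind = e["event"]
        if kind == "process_create" and _norm(e["image"]).endswith("\\cmd.exe"):
            # Self-deletion: a delay command followed by del of the parent's own image.
            cmd = e["cmdline"]
            m = DEL_RE.search(cmd)
            parent = procs.get(e.get("ppid"))
            if m and DELAY_RE.search(cmd) and parent and _norm(m.group(1)) == _norm(parent["image"]):
                findings.append(Finding("self_delete_via_shell_delay", "T1070.004", e["pid"],
                                        f"cmd.exe (PID {e['pid']}) deletes parent image {parent['image']}"))
        elif kind == "registry_set" and RUN_KEY_RE.search(e["key"]):
            # Persistence: Run/RunOnce value whose target lives in a user-writable directory.
            if any(d in _norm(e["value"]) for d in USER_WRITABLE):
                findings.append(Finding("run_key_to_user_writable_path", "T1547.001", e["pid"],
                                        f"{e['key']} = {e['value']}"))
        elif kind == "registry_query" and _norm(e["key"]).endswith("\\control panel\\international\\geo\\nation"):
            # Geofencing: a binary outside C:\Windows reading the configured country code.
            if not _norm(e["image"]).startswith("c:\\windows\\"):
                findings.append(Finding("geo_nation_lookup", "T1614", e["pid"],
                                        f"{e['image']} read {e['key']}"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.rule}: {f.detail}")
```

Run as a script it prints the three findings for PIDs 3640, 2556 and 2556; the svchost.exe Delivery Optimization write produces nothing. The run-key rule deliberately ignores the WOW6432Node prefix, since a 32-bit process's HKLM Run entry lands there and still autostarts, and the self-deletion rule resolves the del target against the parent's image path rather than matching on the literal "ping 127.0.0.1", so it is not defeated by a different delay command or an unquoted path.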
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: fee7e7ca29e6db9eaad30a229114b05a
- SHA1: 15fb92e29ac525f3fb08048d51153e437664512e
- SHA256: 40a8aba1fde5419f5d7e52d153456a8d162d81ca31db03f4769415d59d3ad093
- SHA512: 922a60b9bc3e8c22bb8c4c5f2737940df7af4feb4e1ee03483c66f802e83ddc35041cf91debf3863c2970ca8b689f21931d3c7a5764c9c260e6ef11629166eab
The report lists this single downloadable artefact twice. Its hashes differ from the submitted sample's (see General), so it is a separate file captured during the run, which the page does not name.