Analysis
- max time kernel: 153s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 03:01
Static task: static1
Behavioral task: behavioral1
- Sample: 18cb1838712cca78768c5381ec120642f5c66b370291b258dc90cf372ad0caf1.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 18cb1838712cca78768c5381ec120642f5c66b370291b258dc90cf372ad0caf1.exe
- Resource: win10v2004-en-20220112
General
- Target: 18cb1838712cca78768c5381ec120642f5c66b370291b258dc90cf372ad0caf1.exe
- Size: 36KB
- MD5: a8706e1e2905b556a927049b716c4e85
- SHA1: 0729083d60cd6fd0ac3e5d0f00ac5781daeec951
- SHA256: 18cb1838712cca78768c5381ec120642f5c66b370291b258dc90cf372ad0caf1
- SHA512: b88050f01d73b8dd3074815275ea3ea7aa065dc1ddd4d7e2d5a96bfd5882a3bfc9e728f6994a07e67f668ed884217b12c19239b5c156c0105a677470f84212f5
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe (PID 2472)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation by 18cb1838712cca78768c5381ec120642f5c66b370291b258dc90cf372ad0caf1.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" by 18cb1838712cca78768c5381ec120642f5c66b370291b258dc90cf372ad0caf1.exe
- Drops file in Windows directory (2 IoCs)
  File opened for modification: C:\Windows\Logs\CBS\CBS.log by TiWorker.exe
  File opened for modification: C:\Windows\WinSxS\pending.xml by TiWorker.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by MusNotifyIcon.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz by MusNotifyIcon.exe
- Modifies data under HKEY_USERS (46 IoCs)
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4020 (18cb1838712cca78768c5381ec120642f5c66b370291b258dc90cf372ad0caf1.exe) wrote to memory of PID 2472 (MediaCenter.exe)
  PID 4020 (18cb1838712cca78768c5381ec120642f5c66b370291b258dc90cf372ad0caf1.exe) wrote to memory of PID 2472 (MediaCenter.exe)
  PID 4020 (18cb1838712cca78768c5381ec120642f5c66b370291b258dc90cf372ad0caf1.exe) wrote to memory of PID 2472 (MediaCenter.exe)
  PID 4020 (18cb1838712cca78768c5381ec120642f5c66b370291b258dc90cf372ad0caf1.exe) wrote to memory of PID 316 (cmd.exe)
  PID 4020 (18cb1838712cca78768c5381ec120642f5c66b370291b258dc90cf372ad0caf1.exe) wrote to memory of PID 316 (cmd.exe)
  PID 4020 (18cb1838712cca78768c5381ec120642f5c66b370291b258dc90cf372ad0caf1.exe) wrote to memory of PID 316 (cmd.exe)
  PID 316 (cmd.exe) wrote to memory of PID 2312 (PING.EXE)
  PID 316 (cmd.exe) wrote to memory of PID 2312 (PING.EXE)
  PID 316 (cmd.exe) wrote to memory of PID 2312 (PING.EXE)
Processes
- C:\Users\Admin\AppData\Local\Temp\18cb1838712cca78768c5381ec120642f5c66b370291b258dc90cf372ad0caf1.exe (PID 4020)
  Command line: "C:\Users\Admin\AppData\Local\Temp\18cb1838712cca78768c5381ec120642f5c66b370291b258dc90cf372ad0caf1.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 2472)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 316)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18cb1838712cca78768c5381ec120642f5c66b370291b258dc90cf372ad0caf1.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 2312)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\MusNotifyIcon.exe (PID 680)
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
- C:\Windows\System32\svchost.exe (PID 2940)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 1940)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: f269ade6b260c928c77fcd12fafdcb30
  SHA1: aeeb2735ad8c6c7d042e8b995c8dfbf3ead2513c
  SHA256: 311328542586022109cb0bc86d303a517df5dabb4e09522f595da0f575e63a4f
  SHA512: 34b1c8d902144a8d4cc041a33b7a444f652e4d733ec80d15c5fddc68893dd118b6c78c3cf912d16c2c2a4281192610addc5f614cdee227243b3f6f07e65611dc