Analysis
- max time kernel: 151s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 03:01

Static task: static1

Behavioral task: behavioral1
- Sample: 18c6310f399c5835efcecaca77ac49749bfe7e1c3535bb3eb9cc3b0496b169d6.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 18c6310f399c5835efcecaca77ac49749bfe7e1c3535bb3eb9cc3b0496b169d6.exe
- Resource: win10v2004-en-20220112
General
- Target: 18c6310f399c5835efcecaca77ac49749bfe7e1c3535bb3eb9cc3b0496b169d6.exe
- Size: 58KB
- MD5: b6282f0a881e6c9eb3fdb0b9521536b1
- SHA1: 857c90acdf687847a8c5c90798f38fac88cd28c7
- SHA256: 18c6310f399c5835efcecaca77ac49749bfe7e1c3535bb3eb9cc3b0496b169d6
- SHA512: 0405d417524b5938cccb71f2163c38685c45325baeff52ce6c0b50847d99a155d5f98d0a09d9e1f8f21d2e018636d9ae83e7d86d09cf84573bf03ca3459b641c
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes: MediaCenter.exe
  PID 3548: MediaCenter.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 18c6310f399c5835efcecaca77ac49749bfe7e1c3535bb3eb9cc3b0496b169d6.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation (18c6310f399c5835efcecaca77ac49749bfe7e1c3535bb3eb9cc3b0496b169d6.exe)
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 18c6310f399c5835efcecaca77ac49749bfe7e1c3535bb3eb9cc3b0496b169d6.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (18c6310f399c5835efcecaca77ac49749bfe7e1c3535bb3eb9cc3b0496b169d6.exe)
-
Drops file in Windows directory 3 IoCs
Processes: svchost.exe, TiWorker.exe
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat (svchost.exe)
  File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: MusNotifyIcon.exe, MusNotifyIcon.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (MusNotifyIcon.exe)
  Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (MusNotifyIcon.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (MusNotifyIcon.exe)
  Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (MusNotifyIcon.exe)
-
Modifies data under HKEY_USERS 49 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes: 18c6310f399c5835efcecaca77ac49749bfe7e1c3535bb3eb9cc3b0496b169d6.exe, cmd.exe
  PID 2236 wrote to memory of 3548: 18c6310f399c5835efcecaca77ac49749bfe7e1c3535bb3eb9cc3b0496b169d6.exe -> MediaCenter.exe
  PID 2236 wrote to memory of 3548: 18c6310f399c5835efcecaca77ac49749bfe7e1c3535bb3eb9cc3b0496b169d6.exe -> MediaCenter.exe
  PID 2236 wrote to memory of 3548: 18c6310f399c5835efcecaca77ac49749bfe7e1c3535bb3eb9cc3b0496b169d6.exe -> MediaCenter.exe
  PID 2236 wrote to memory of 2996: 18c6310f399c5835efcecaca77ac49749bfe7e1c3535bb3eb9cc3b0496b169d6.exe -> cmd.exe
  PID 2236 wrote to memory of 2996: 18c6310f399c5835efcecaca77ac49749bfe7e1c3535bb3eb9cc3b0496b169d6.exe -> cmd.exe
  PID 2236 wrote to memory of 2996: 18c6310f399c5835efcecaca77ac49749bfe7e1c3535bb3eb9cc3b0496b169d6.exe -> cmd.exe
  PID 2996 wrote to memory of 3268: cmd.exe -> PING.EXE
  PID 2996 wrote to memory of 3268: cmd.exe -> PING.EXE
  PID 2996 wrote to memory of 3268: cmd.exe -> PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\18c6310f399c5835efcecaca77ac49749bfe7e1c3535bb3eb9cc3b0496b169d6.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\18c6310f399c5835efcecaca77ac49749bfe7e1c3535bb3eb9cc3b0496b169d6.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2236
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 3548
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18c6310f399c5835efcecaca77ac49749bfe7e1c3535bb3eb9cc3b0496b169d6.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2996
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3268
- C:\Windows\system32\MusNotifyIcon.exe (level 1)
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
  PID: 644
- C:\Windows\system32\MusNotifyIcon.exe (level 1)
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
  PID: 744
- C:\Windows\System32\svchost.exe (level 1)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 3384
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (level 1)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3532
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: ee54ab0d7edb78323767b11786ca9264
  SHA1: 7f08a776b8d9aa034d73c3d2417a7c791a78e641
  SHA256: 21d2b7b2c3112609a9b15da09e1d540efbc1fc94e57fd65938563a8e3af6c90f
  SHA512: 1250da5d2834fbeef60dcfaac8ba592d51fac888da9a1772dececa447790abf2d9b01064cb6f7909f1e65f5a3e6b74a708623f4c7f8c32aab8c024c839046d43