Analysis
- max time kernel: 148s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 03:00
Static task: static1
Behavioral task: behavioral1
- Sample: 18d00f31780680c6e04601ab004172d938e9f4017fa4f29fcfe6101e05ac334b.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 18d00f31780680c6e04601ab004172d938e9f4017fa4f29fcfe6101e05ac334b.exe
- Resource: win10v2004-en-20220112
General
- Target: 18d00f31780680c6e04601ab004172d938e9f4017fa4f29fcfe6101e05ac334b.exe
- Size: 58KB
- MD5: 2111837035b997e7bcb417a242fc3b16
- SHA1: 606d764a52da53475732a7d7189b0594162a10b1
- SHA256: 18d00f31780680c6e04601ab004172d938e9f4017fa4f29fcfe6101e05ac334b
- SHA512: 7f784c64ac97cd86c997348a1e93db48cc44934e1543d1b78aa4a539509e628790f390b5651d9157ea7c7e006498b221976f5342263013e6a407c555cdcc78aa
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
    pid 1016  MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 18d00f31780680c6e04601ab004172d938e9f4017fa4f29fcfe6101e05ac334b.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation (18d00f31780680c6e04601ab004172d938e9f4017fa4f29fcfe6101e05ac334b.exe)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 18d00f31780680c6e04601ab004172d938e9f4017fa4f29fcfe6101e05ac334b.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (18d00f31780680c6e04601ab004172d938e9f4017fa4f29fcfe6101e05ac334b.exe)
- Drops file in Windows directory (3 IoCs)
  Processes: svchost.exe, TiWorker.exe
    File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat (svchost.exe)
    File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
    File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: MusNotifyIcon.exe
    Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (MusNotifyIcon.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (MusNotifyIcon.exe)
- Modifies data under HKEY_USERS (49 IoCs)
  Processes: svchost.exe (all entries below are by svchost.exe)
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4344"
    Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4140"
    Set value (str): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"
    Set value (str): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.877197"
    Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"
    Set value (str): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"
    Set value (str): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"
    Set value (str): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "6.250221"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132892849030166935"
    Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"
    Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"
    Set value (int): \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: 18d00f31780680c6e04601ab004172d938e9f4017fa4f29fcfe6101e05ac334b.exe, TiWorker.exe
    Token: SeIncBasePriorityPrivilege (pid 2244, 18d00f31780680c6e04601ab004172d938e9f4017fa4f29fcfe6101e05ac334b.exe)
    Token: SeSecurityPrivilege (pid 3308, TiWorker.exe)
    Token: SeRestorePrivilege (pid 3308, TiWorker.exe)
    Token: SeBackupPrivilege (pid 3308, TiWorker.exe)
    Token: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege (pid 3308, TiWorker.exe); this sequence of three is repeated 20 times (60 entries)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 18d00f31780680c6e04601ab004172d938e9f4017fa4f29fcfe6101e05ac334b.exe, cmd.exe
    PID 2244 wrote to memory of 1016 (18d00f31780680c6e04601ab004172d938e9f4017fa4f29fcfe6101e05ac334b.exe -> MediaCenter.exe), 3 entries
    PID 2244 wrote to memory of 3572 (18d00f31780680c6e04601ab004172d938e9f4017fa4f29fcfe6101e05ac334b.exe -> cmd.exe), 3 entries
    PID 3572 wrote to memory of 3424 (cmd.exe -> PING.EXE), 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\18d00f31780680c6e04601ab004172d938e9f4017fa4f29fcfe6101e05ac334b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\18d00f31780680c6e04601ab004172d938e9f4017fa4f29fcfe6101e05ac334b.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2244
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1016
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18d00f31780680c6e04601ab004172d938e9f4017fa4f29fcfe6101e05ac334b.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3572
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3424
- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
  PID: 3572
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 408
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3308
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: be2076c454fa7eb2c86a477fcb83c602
  SHA1: f8504a3de0efbadcc884e6d57da77e5710ca4925
  SHA256: 54113a782e1322f76508c92e0a743e9be6a2dd8b81c0cc6b453a954ca2d408a8
  SHA512: b3f1cb0559c8c6fd0fcde6cf4c63ebd5fd4df3f6ea4371a5263a476ee38ae6bd94b2c375b00e878314311cb3aefaf03917f16d84e41605936b7f59300cf513bc
- MD5: be2076c454fa7eb2c86a477fcb83c602
  SHA1: f8504a3de0efbadcc884e6d57da77e5710ca4925
  SHA256: 54113a782e1322f76508c92e0a743e9be6a2dd8b81c0cc6b453a954ca2d408a8
  SHA512: b3f1cb0559c8c6fd0fcde6cf4c63ebd5fd4df3f6ea4371a5263a476ee38ae6bd94b2c375b00e878314311cb3aefaf03917f16d84e41605936b7f59300cf513bc