Analysis
max time kernel: 184s
max time network: 199s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 03:06

Static task: static1
Behavioral task: behavioral1
  Sample: 188ebb3388b4aacfcbe7eaa25f6b0f909b1ace31577cb2a28557405c487f2beb.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 188ebb3388b4aacfcbe7eaa25f6b0f909b1ace31577cb2a28557405c487f2beb.exe
  Resource: win10v2004-en-20220112
The platform and resource fields above match behavioral2, so the signatures and process tree on this page come from the Windows 10 run; results of the win7 task are not shown here.
General
Target: 188ebb3388b4aacfcbe7eaa25f6b0f909b1ace31577cb2a28557405c487f2beb.exe
Size: 35KB
MD5: 7062ce05a6f47a1782683533f4609dc5
SHA1: 25fcf52f4af9e37baf4c7d5d5cba817a9bf8b3fd
SHA256: 188ebb3388b4aacfcbe7eaa25f6b0f909b1ace31577cb2a28557405c487f2beb
SHA512: d15fe5fc98ab9bb9730c116f06eb1da3e22d227b8bcfef241d21fb6c27ac80ce0a8c6f5fe35a92e24c0945d0521bb39f1bb9823ed02fd64bbebee46ff0822be3
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes:
  MediaCenter.exe (PID 2076)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation by 188ebb3388b4aacfcbe7eaa25f6b0f909b1ace31577cb2a28557405c487f2beb.exe
The query is made by the sample itself (PID 2900 in the process tree), not by a system process. Geo\Nation is the user's configured country code, which is what a geofence check that skips execution in certain countries would read.
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe" by 188ebb3388b4aacfcbe7eaa25f6b0f909b1ace31577cb2a28557405c487f2beb.exe
Two details matter for hunting. The key lands under WOW6432Node because the sample is 32-bit and its view of HKLM\SOFTWARE is redirected (consistent with cmd.exe resolving to SysWOW64 in the process tree), so any check for this persistence must cover both the native and the WOW6432Node Run keys. And although the key is machine-wide (HKLM), its data points into the per-user Temp directory, a combination legitimate installers rarely produce.
Drops file in Windows directory (3 IoCs)
Processes:
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat by svchost.exe
  File opened for modification: C:\Windows\Logs\CBS\CBS.log by TiWorker.exe
  File opened for modification: C:\Windows\WinSxS\pending.xml by TiWorker.exe
None of these writes is attributed to the sample: svchost.exe (Delivery Optimization, NetworkService) and TiWorker.exe (Windows servicing) appear in the process tree as top-level processes, not as children of the sample, so this signature reflects background OS activity in the sandbox.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's stock description calls this likely ransomware behaviour, but no IoC or process is listed for it on this page and nothing else in the report shows file encryption; the observed activity (drop a second executable, add a Run key, self-delete) is that of a dropper, so treat this signature as low-confidence on its own.
Modifies data under HKEY_USERS (49 IoCs)
Processes: svchost.exe (PID 4092, -k NetworkService). All 49 entries sit under \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization, the Delivery Optimization state kept by the NetworkService account; this svchost.exe is a top-level process in the tree, not a child of the sample, so these are background OS writes rather than sample behaviour. Paths below are relative to that key.
Keys created: (root), Settings, Usage, Config
Set value (str):
  Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
  Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
  Usage\CPUpct = "0.018349", later "0.000000", later "1.415090"
Set value (int):
  Config\DownloadMode_BackCompat = 1
  Config\DODownloadMode = 1
  Config\KVFileExpirationTime = 132892853008600798
  Usage\BkDownloadRatePct = 45
  Usage\FrDownloadRatePct = 90
  Usage\UploadRatePct = 100
  Usage\MonthID = 2
  Usage\SwarmCount = 0, later 1
  Usage\MemoryUsageKB = 4160, later 4356
  Usage\DownloadMonthlyInternetBytes, DownloadMonthlyLinkLocalBytes, DownloadMonthlyLanBytes, DownloadMonthlyCdnBytes, DownloadMonthlyCacheHostBytes, DownloadMonthlyGroupBytes, UploadMonthlyInternetBytes, UploadMonthlyLanBytes = 0
  Usage\DownloadMonthlyRateBkBps, DownloadMonthlyRateBkCnt, DownloadMonthlyRateFrBps, DownloadMonthlyRateFrCnt = 0
  Usage\GroupConnectionCount, InternetConnectionCount, LinkLocalConnectionCount, CDNConnectionCount, LANConnectionCount = 0
  Usage\UplinkBps, UplinkUsageBps, DownlinkBps, DownlinkUsageBps = 0
  Usage\NormalDownloadCount, NormalDownloadPendingCount, PriorityDownloadCount, PriorityDownloadPendingCount, UploadCount = 0
  Usage\MonthlyUploadRestriction, CacheSizeBytes, PeerInfoCount = 0
Runs ping.exe (1 TTP, 1 IoC)
Processes:
  PING.EXE (PID 3484), started by cmd.exe (PID 228) with "ping 127.0.0.1"; see the process tree below.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  Token: SeIncBasePriorityPrivilege, PID 2900, 188ebb3388b4aacfcbe7eaa25f6b0f909b1ace31577cb2a28557405c487f2beb.exe
  Token: SeSecurityPrivilege / SeRestorePrivilege / SeBackupPrivilege, PID 4072, TiWorker.exe (the remaining 63 entries, these three privileges enabled repeatedly in rotation)
The only privilege the sample adjusts is SeIncBasePriorityPrivilege. The backup, restore and security privileges all belong to TiWorker.exe, the Windows servicing worker, which runs as a top-level process unrelated to the sample; the high IoC count here is OS noise, not sample activity.
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  PID 2900 (188ebb3388b4aacfcbe7eaa25f6b0f909b1ace31577cb2a28557405c487f2beb.exe) wrote to memory of PID 2076 (MediaCenter.exe), 3 entries
  PID 2900 (188ebb3388b4aacfcbe7eaa25f6b0f909b1ace31577cb2a28557405c487f2beb.exe) wrote to memory of PID 228 (cmd.exe), 3 entries
  PID 228 (cmd.exe) wrote to memory of PID 3484 (PING.EXE), 3 entries
Each write targets the writer's own direct child (compare the process tree), which is consistent with process creation rather than injection into an existing, unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\188ebb3388b4aacfcbe7eaa25f6b0f909b1ace31577cb2a28557405c487f2beb.exe (PID 2900, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\188ebb3388b4aacfcbe7eaa25f6b0f909b1ace31577cb2a28557405c487f2beb.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 2076, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe (PID 228, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\188ebb3388b4aacfcbe7eaa25f6b0f909b1ace31577cb2a28557405c487f2beb.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (PID 3484, depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe

C:\Windows\System32\svchost.exe (PID 4092, depth 1)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 4072, depth 1)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample's whole observable lifecycle is drop MediaCenter.exe into %LOCALAPPDATA%\Temp\MicroMedia, register it in the Run key, launch it, then remove itself. The cmd.exe line is the standard self-deletion idiom: "ping 127.0.0.1" exists only to stall for a few seconds so that the parent (PID 2900) has exited and its image is no longer locked before "del /q" runs. The sample asked for System32\cmd.exe but the process launched from SysWOW64, which is file-system redirection for a 32-bit process and matches the WOW6432Node Run key above. The svchost.exe and TiWorker.exe trees have no parent link to the sample and account for all of the Windows-directory writes, the HKEY_USERS changes and 63 of the 64 privilege adjustments.
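Detection logic for the two behaviours the report attributes to the sample, the Run-key persistence and the cmd.exe ping-then-delete self-removal, run over constructed Sysmon-style events. This is an added example and not part of the sandbox report or of the sample; the event field names, the event IDs (1 for process create, 13 for registry set-value) and the sample's parent PID (1000) are assumptions, while paths, PIDs and registry values are copied from the tree and IoCs above. The rules generalise a little beyond this report: they also match RunOnce, the native (non-WOW6432Node) view of the key, and Roaming or ProgramData targets.

```python
"""Added example: flag Run-key persistence to a user-writable path and the
"ping & del" self-deletion idiom in Sysmon-style telemetry. Not from the report."""
import re
from typing import Dict, List, Tuple

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\188ebb3388b4aacfcbe7eaa25f6b0f909b1ace31577cb2a28557405c487f2beb.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events (not raw sandbox data). eid 1 = process create,
# eid 13 = registry set-value, mirroring Sysmon's field names.
# The sample's parent PID (1000) is assumed; the report does not show it.
EVENTS: List[Dict] = [
    {"eid": 1, "pid": 2900, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"eid": 13, "pid": 2900, "image": SAMPLE,
     "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
               r"\CurrentVersion\Run\MicroMedia",
     "details": DROPPED},
    {"eid": 1, "pid": 2076, "ppid": 2900, "image": DROPPED, "cmdline": DROPPED},
    {"eid": 1, "pid": 228, "ppid": 2900, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"eid": 1, "pid": 3484, "ppid": 228, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Benign control taken from the report: Delivery Optimization state written by
    # the NetworkService svchost.exe. It must not trigger the Run-key rule.
    {"eid": 13, "pid": 4092, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion"
               r"\DeliveryOptimization\Config\DODownloadMode",
     "details": "1"},
]

# Run / RunOnce in either registry view (native or WOW6432Node), any hive prefix.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Locations an unprivileged user can write to; an autostart entry pointing there
# deserves a look even when the key itself lives under HKLM.
USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming)\\|\\Temp\\|\\ProgramData\\", re.I)
# cmd /c ping <host> ... & del [/switches] "<path>.exe": the delay-then-delete idiom.
SELF_DELETE = re.compile(
    r'/c\s+ping\s+\S+.*?&\s*del\s+(?:/[a-z]+\s+)*"?(?P<path>[^"&]+?\.exe)"?', re.I)

Finding = Tuple[str, int, str]  # (rule name, pid of the offending process, artefact)


def detect(events: List[Dict]) -> List[Finding]:
    """Return findings in event order. Process-create events are remembered so a
    later cmd.exe can be tied back to the image of its parent."""
    image_of: Dict[int, str] = {}
    findings: List[Finding] = []
    for ev in events:
        if ev["eid"] == 1:
            image_of[ev["pid"]] = ev["image"]
            if not ev["image"].lower().endswith("\\cmd.exe"):
                continue
            m = SELF_DELETE.search(ev["cmdline"])
            if not m:
                continue
            target = m.group("path").strip()
            # Only a hit when the file being deleted is the parent's own image:
            # that is what makes it self-deletion rather than ordinary cleanup.
            parent = image_of.get(ev["ppid"], "")
            if parent and target.lower() == parent.lower():
                findings.append(("self_delete_via_ping", ev["pid"], parent))
        elif ev["eid"] == 13:
            if RUN_KEY.search(ev["target"]) and USER_WRITABLE.search(ev["details"]):
                findings.append(("run_key_to_user_writable_path", ev["pid"], ev["details"]))
    return findings


if __name__ == "__main__":
    for rule, pid, artefact in detect(EVENTS):
        print(f"{rule}: pid {pid} -> {artefact}")
```

Run against the constructed events it reports the Run-key write by PID 2900 and the self-delete by cmd.exe PID 228, and stays silent on the svchost.exe Delivery Optimization write. The parent-image comparison is the part worth keeping in a real rule: "cmd /c ping & del" on its own also appears in uninstallers and update scripts, and it is the deleted path being the parent's own executable that separates the sample's behaviour from that noise.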
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: adce976204ad668aee7809e53f414413
SHA1: b33eb69dc4785ae20f4b139fb11e785b7592a692
SHA256: f51817e2ace2c7ae861c229d7e8a80c89eb3f4311a205700a699d3b3747a9f29
SHA512: d66a04a93f905513d01df77632ae0cf9e60a475201907aab7f92e607770f49b30821cc278f3244d8ac20f93b792f3e13433fd1c3876fc4f8bab7df2f342ce6b2
This entry is listed twice in the report with identical hashes. The hashes differ from the submitted sample's, so it is a separate artefact from the run; the page does not name the file.