Analysis
max time kernel: 150s
max time network: 177s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 04:26

Static task: static1
Behavioral task: behavioral1
Sample: 154cbfe8d94eeca39eeaaf94de6fdf0a7f5af1d77aa2df3cfcef6e0b8b5f4a57.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 154cbfe8d94eeca39eeaaf94de6fdf0a7f5af1d77aa2df3cfcef6e0b8b5f4a57.exe
Resource: win10v2004-en-20220112
General
Target: 154cbfe8d94eeca39eeaaf94de6fdf0a7f5af1d77aa2df3cfcef6e0b8b5f4a57.exe
Size: 58KB
MD5: d0924fccc9d672b68dfced05e98d367e
SHA1: 95bf3ce4937ca2c5b90f6aba9e0f135b46d00b38
SHA256: 154cbfe8d94eeca39eeaaf94de6fdf0a7f5af1d77aa2df3cfcef6e0b8b5f4a57
SHA512: 6b9911f1c6916c179d72a03e9053a81f29a9a01bbf629047a97092e97f7f0546fcb8e0a482e60a6da698debd82c2c0a384e38f196a8e7f46c65f0c60838b93e6
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
pid | process
2068 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 154cbfe8d94eeca39eeaaf94de6fdf0a7f5af1d77aa2df3cfcef6e0b8b5f4a57.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 154cbfe8d94eeca39eeaaf94de6fdf0a7f5af1d77aa2df3cfcef6e0b8b5f4a57.exe
Drops file in Windows directory (3 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
Modifies data under HKEY_USERS (45 IoCs)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132892901485822602" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.235294" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4096" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | svchost.exe
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 3664 | 154cbfe8d94eeca39eeaaf94de6fdf0a7f5af1d77aa2df3cfcef6e0b8b5f4a57.exe
Token: SeSecurityPrivilege | 4008 | TiWorker.exe
Token: SeRestorePrivilege | 4008 | TiWorker.exe
Token: SeBackupPrivilege | 4008 | TiWorker.exe
Token: SeBackupPrivilege | 4008 | TiWorker.exe
Token: SeRestorePrivilege | 4008 | TiWorker.exe
Token: SeSecurityPrivilege | 4008 | TiWorker.exe
Token: SeBackupPrivilege | 4008 | TiWorker.exe
Token: SeRestorePrivilege | 4008 | TiWorker.exe
Token: SeSecurityPrivilege | 4008 | TiWorker.exe
Token: SeBackupPrivilege | 4008 | TiWorker.exe
Token: SeRestorePrivilege | 4008 | TiWorker.exe
Token: SeSecurityPrivilege | 4008 | TiWorker.exe
Token: SeBackupPrivilege | 4008 | TiWorker.exe
Token: SeRestorePrivilege | 4008 | TiWorker.exe
Token: SeSecurityPrivilege | 4008 | TiWorker.exe
Token: SeBackupPrivilege | 4008 | TiWorker.exe
Token: SeRestorePrivilege | 4008 | TiWorker.exe
Token: SeSecurityPrivilege | 4008 | TiWorker.exe
Token: SeBackupPrivilege | 4008 | TiWorker.exe
Token: SeRestorePrivilege | 4008 | TiWorker.exe
Token: SeSecurityPrivilege | 4008 | TiWorker.exe
Token: SeBackupPrivilege | 4008 | TiWorker.exe
Token: SeRestorePrivilege | 4008 | TiWorker.exe
Token: SeSecurityPrivilege | 4008 | TiWorker.exe
Token: SeBackupPrivilege | 4008 | TiWorker.exe
Token: SeRestorePrivilege | 4008 | TiWorker.exe
Token: SeSecurityPrivilege | 4008 | TiWorker.exe
Token: SeBackupPrivilege | 4008 | TiWorker.exe
Token: SeRestorePrivilege | 4008 | TiWorker.exe
Token: SeSecurityPrivilege | 4008 | TiWorker.exe
Token: SeBackupPrivilege | 4008 | TiWorker.exe
Token: SeRestorePrivilege | 4008 | TiWorker.exe
Token: SeSecurityPrivilege | 4008 | TiWorker.exe
Token: SeBackupPrivilege | 4008 | TiWorker.exe
Token: SeRestorePrivilege | 4008 | TiWorker.exe
Token: SeSecurityPrivilege | 4008 | TiWorker.exe
Token: SeBackupPrivilege | 4008 | TiWorker.exe
Token: SeRestorePrivilege | 4008 | TiWorker.exe
Token: SeSecurityPrivilege | 4008 | TiWorker.exe
Token: SeBackupPrivilege | 4008 | TiWorker.exe
Token: SeRestorePrivilege | 4008 | TiWorker.exe
Token: SeSecurityPrivilege | 4008 | TiWorker.exe
Token: SeBackupPrivilege | 4008 | TiWorker.exe
Token: SeRestorePrivilege | 4008 | TiWorker.exe
Token: SeSecurityPrivilege | 4008 | TiWorker.exe
Token: SeBackupPrivilege | 4008 | TiWorker.exe
Token: SeRestorePrivilege | 4008 | TiWorker.exe
Token: SeSecurityPrivilege | 4008 | TiWorker.exe
Token: SeBackupPrivilege | 4008 | TiWorker.exe
Token: SeRestorePrivilege | 4008 | TiWorker.exe
Token: SeSecurityPrivilege | 4008 | TiWorker.exe
Token: SeBackupPrivilege | 4008 | TiWorker.exe
Token: SeRestorePrivilege | 4008 | TiWorker.exe
Token: SeSecurityPrivilege | 4008 | TiWorker.exe
Token: SeBackupPrivilege | 4008 | TiWorker.exe
Token: SeRestorePrivilege | 4008 | TiWorker.exe
Token: SeSecurityPrivilege | 4008 | TiWorker.exe
Token: SeBackupPrivilege | 4008 | TiWorker.exe
Token: SeRestorePrivilege | 4008 | TiWorker.exe
Token: SeSecurityPrivilege | 4008 | TiWorker.exe
Token: SeBackupPrivilege | 4008 | TiWorker.exe
Token: SeRestorePrivilege | 4008 | TiWorker.exe
Token: SeSecurityPrivilege | 4008 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 3664 wrote to memory of 2068 | 3664 | 154cbfe8d94eeca39eeaaf94de6fdf0a7f5af1d77aa2df3cfcef6e0b8b5f4a57.exe | MediaCenter.exe
PID 3664 wrote to memory of 2068 | 3664 | 154cbfe8d94eeca39eeaaf94de6fdf0a7f5af1d77aa2df3cfcef6e0b8b5f4a57.exe | MediaCenter.exe
PID 3664 wrote to memory of 2068 | 3664 | 154cbfe8d94eeca39eeaaf94de6fdf0a7f5af1d77aa2df3cfcef6e0b8b5f4a57.exe | MediaCenter.exe
PID 3664 wrote to memory of 2928 | 3664 | 154cbfe8d94eeca39eeaaf94de6fdf0a7f5af1d77aa2df3cfcef6e0b8b5f4a57.exe | cmd.exe
PID 3664 wrote to memory of 2928 | 3664 | 154cbfe8d94eeca39eeaaf94de6fdf0a7f5af1d77aa2df3cfcef6e0b8b5f4a57.exe | cmd.exe
PID 3664 wrote to memory of 2928 | 3664 | 154cbfe8d94eeca39eeaaf94de6fdf0a7f5af1d77aa2df3cfcef6e0b8b5f4a57.exe | cmd.exe
PID 2928 wrote to memory of 3176 | 2928 | cmd.exe | PING.EXE
PID 2928 wrote to memory of 3176 | 2928 | cmd.exe | PING.EXE
PID 2928 wrote to memory of 3176 | 2928 | cmd.exe | PING.EXE
Processes
Image: C:\Users\Admin\AppData\Local\Temp\154cbfe8d94eeca39eeaaf94de6fdf0a7f5af1d77aa2df3cfcef6e0b8b5f4a57.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\154cbfe8d94eeca39eeaaf94de6fdf0a7f5af1d77aa2df3cfcef6e0b8b5f4a57.exe"
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3664
    Image: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 2068
    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\154cbfe8d94eeca39eeaaf94de6fdf0a7f5af1d77aa2df3cfcef6e0b8b5f4a57.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2928
        Image: C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1
        - Runs ping.exe
        PID: 3176

Image: C:\Windows\system32\MusNotifyIcon.exe
Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
- Checks processor information in registry
PID: 1100

Image: C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID: 4000

Image: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 4008
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: c9635849dd794a517b953f5c6a3a1bf8
SHA1: a9b0996cd742173904ffad87aca940e2311eb66e
SHA256: 597f1d93a23b03b57d916269b00f7907a0640913fd6485ad7c40d7dfe35cecfe
SHA512: 933c2d7562659d2e62725ab6e62c8cba56b7d4914d4b4e300385a68054c2d91afd4460aa885d48d69e99540d181910fa967ad54b788b6562cf3edcb8cef54b3d

MD5: c9635849dd794a517b953f5c6a3a1bf8
SHA1: a9b0996cd742173904ffad87aca940e2311eb66e
SHA256: 597f1d93a23b03b57d916269b00f7907a0640913fd6485ad7c40d7dfe35cecfe
SHA512: 933c2d7562659d2e62725ab6e62c8cba56b7d4914d4b4e300385a68054c2d91afd4460aa885d48d69e99540d181910fa967ad54b788b6562cf3edcb8cef54b3d