Analysis
- max time kernel: 162s
- max time network: 170s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 03:47
Static task: static1
Behavioral task: behavioral1
- Sample: 16cf079cfd81b78fb4fe50979439f4edbc583539bf3e08e0a118c9092eb69636.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 16cf079cfd81b78fb4fe50979439f4edbc583539bf3e08e0a118c9092eb69636.exe
- Resource: win10v2004-en-20220112
General
- Target: 16cf079cfd81b78fb4fe50979439f4edbc583539bf3e08e0a118c9092eb69636.exe
- Size: 60KB
- MD5: d8af75b722f107ff61b90e3b6f760ab9
- SHA1: 2a0d3b5afa6c8286909810df31b73ada346f3ad5
- SHA256: 16cf079cfd81b78fb4fe50979439f4edbc583539bf3e08e0a118c9092eb69636
- SHA512: fa75eb68743db7b38c16a8b76843cd75eaebeb8a2a03a7f2459e7d6fe3bcac5bd14b3e2bdcacc41dae3053370896fb30ff2529923add85a23d56612faa6cba8e
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes (pid | process):
- 3512 | MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 16cf079cfd81b78fb4fe50979439f4edbc583539bf3e08e0a118c9092eb69636.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 16cf079cfd81b78fb4fe50979439f4edbc583539bf3e08e0a118c9092eb69636.exe
The value sits under HKLM, so it starts the dropped MediaCenter.exe for every user at logon and could only be written because the sandbox runs the sample as Admin. The WOW6432Node path is the registry-redirected view a 32-bit process gets when it writes HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; Windows processes entries from that key at logon just like the native one.
Drops file in Windows directory 3 IoCs
All three entries come from Windows components (Delivery Optimization in svchost.exe and the servicing worker TiWorker.exe), not from the sample or its child processes.
Processes (description | ioc | process):
- File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
- File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
- File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The report lists no process or IoC for this signature, and nothing else in it (no mass file writes, no ransom note, no encryption of user files) supports the ransomware hint; read it as the generic description attached to this signature rather than a finding about this sample.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Here the reads are made by MusNotifyIcon.exe, the Windows Update notification component, not by the sample, so they are background activity rather than evasion by the malware.
Processes (description | ioc | process):
- Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
Modifies data under HKEY_USERS 49 IoCs
All 49 entries are written by svchost.exe (PID 3320, the NetworkService host running Delivery Optimization) under the NetworkService hive (S-1-5-20). This is Windows background activity, not the sample. Every key below is under \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization, abbreviated DO.
Processes (description | ioc | process):
- Set value (int) | DO\Usage\UploadCount = "0" | svchost.exe
- Set value (str) | DO\Usage\CPUpct = "0.019810" | svchost.exe
- Set value (int) | DO\Config\DownloadMode_BackCompat = "1" | svchost.exe
- Key created | DO\Usage | svchost.exe
- Set value (int) | DO\Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
- Set value (int) | DO\Usage\MonthID = "2" | svchost.exe
- Set value (str) | DO\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | svchost.exe
- Set value (int) | DO\Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
- Set value (str) | DO\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | svchost.exe
- Set value (int) | DO\Usage\LinkLocalConnectionCount = "0" | svchost.exe
- Set value (int) | DO\Usage\DownlinkUsageBps = "0" | svchost.exe
- Set value (int) | DO\Usage\UplinkUsageBps = "0" | svchost.exe
- Set value (int) | DO\Usage\LANConnectionCount = "0" | svchost.exe
- Set value (int) | DO\Usage\PriorityDownloadCount = "0" | svchost.exe
- Set value (str) | DO\Usage\CPUpct = "2.877713" | svchost.exe
- Key created | DO | svchost.exe
- Set value (int) | DO\Config\DODownloadMode = "1" | svchost.exe
- Set value (int) | DO\Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
- Set value (int) | DO\Usage\DownloadMonthlyRateFrCnt = "0" | svchost.exe
- Set value (int) | DO\Config\KVFileExpirationTime = "132892877214290190" | svchost.exe
- Set value (int) | DO\Usage\NormalDownloadCount = "0" | svchost.exe
- Set value (str) | DO\Usage\CPUpct = "0.000000" | svchost.exe
- Set value (int) | DO\Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
- Set value (int) | DO\Usage\CacheSizeBytes = "0" | svchost.exe
- Set value (int) | DO\Usage\PeerInfoCount = "0" | svchost.exe
- Set value (int) | DO\Usage\GroupConnectionCount = "0" | svchost.exe
- Set value (int) | DO\Usage\InternetConnectionCount = "0" | svchost.exe
- Set value (int) | DO\Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
- Set value (int) | DO\Usage\FrDownloadRatePct = "90" | svchost.exe
- Set value (int) | DO\Usage\SwarmCount = "0" | svchost.exe
- Set value (int) | DO\Usage\MemoryUsageKB = "4164" | svchost.exe
- Set value (int) | DO\Usage\UploadMonthlyInternetBytes = "0" | svchost.exe
- Set value (int) | DO\Usage\DownloadMonthlyLinkLocalBytes = "0" | svchost.exe
- Set value (int) | DO\Usage\SwarmCount = "1" | svchost.exe
- Set value (int) | DO\Usage\DownlinkBps = "0" | svchost.exe
- Set value (int) | DO\Usage\MemoryUsageKB = "4088" | svchost.exe
- Set value (int) | DO\Usage\CDNConnectionCount = "0" | svchost.exe
- Set value (int) | DO\Usage\UploadRatePct = "100" | svchost.exe
- Set value (int) | DO\Usage\PriorityDownloadPendingCount = "0" | svchost.exe
- Key created | DO\Config | svchost.exe
- Key created | DO\Settings | svchost.exe
- Set value (int) | DO\Usage\UploadMonthlyLanBytes = "0" | svchost.exe
- Set value (int) | DO\Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
- Set value (int) | DO\Usage\DownloadMonthlyRateBkCnt = "0" | svchost.exe
- Set value (int) | DO\Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe
- Set value (int) | DO\Usage\UplinkBps = "0" | svchost.exe
- Set value (int) | DO\Usage\BkDownloadRatePct = "45" | svchost.exe
- Set value (int) | DO\Usage\MonthlyUploadRestriction = "0" | svchost.exe
- Set value (int) | DO\Usage\NormalDownloadPendingCount = "0" | svchost.exe
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (description | pid | process):
- Token: SeIncBasePriorityPrivilege | 1760 | 16cf079cfd81b78fb4fe50979439f4edbc583539bf3e08e0a118c9092eb69636.exe
- Token: SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege | 3360 | TiWorker.exe
The single entry attributable to the sample is SeIncBasePriorityPrivilege in PID 1760. The remaining 63 entries are TiWorker.exe (the Windows servicing worker) enabling the same three privileges over and over in a Security/Restore/Backup cycle, which is normal for component servicing and unrelated to the sample.
Suspicious use of WriteProcessMemory 9 IoCs
Processes (description | pid | process | target process):
- PID 1760 wrote to memory of 3512 | 1760 | 16cf079cfd81b78fb4fe50979439f4edbc583539bf3e08e0a118c9092eb69636.exe | MediaCenter.exe (3 entries)
- PID 1760 wrote to memory of 3176 | 1760 | 16cf079cfd81b78fb4fe50979439f4edbc583539bf3e08e0a118c9092eb69636.exe | cmd.exe (3 entries)
- PID 3176 wrote to memory of 3016 | 3176 | cmd.exe | PING.EXE (3 entries)
Each of the three relationships matches a child-process creation in the process tree below, which is the pattern CreateProcess produces when a parent writes the startup parameters into its new child. Nothing here shows writes into an unrelated, already-running process, so this signature does not by itself indicate code injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\16cf079cfd81b78fb4fe50979439f4edbc583539bf3e08e0a118c9092eb69636.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\16cf079cfd81b78fb4fe50979439f4edbc583539bf3e08e0a118c9092eb69636.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1760
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2, child of 1760)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 3512
  - C:\Windows\SysWOW64\cmd.exe (level 2, child of 1760)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16cf079cfd81b78fb4fe50979439f4edbc583539bf3e08e0a118c9092eb69636.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3176
    - C:\Windows\SysWOW64\PING.EXE (level 3, child of 3176)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3016
- C:\Windows\system32\MusNotifyIcon.exe (level 1, Windows Update notification component; not spawned by the sample)
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
  PID: 636
- C:\Windows\System32\svchost.exe (level 1, NetworkService host running Delivery Optimization; not spawned by the sample)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 3320
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (level 1, Windows servicing worker; not spawned by the sample)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3360
The sample's own chain is the first tree: it drops MediaCenter.exe into %LOCALAPPDATA%\Temp\MicroMedia, launches it, registers it in the Run key, and then removes its original image with the common "ping 127.0.0.1 & del" idiom, where the ping is a delay so the parent has exited before cmd.exe deletes the file. Note that cmd.exe requested as C:\Windows\System32\cmd.exe actually ran from C:\Windows\SysWOW64: together with the WOW6432Node Run key, this shows the sample is a 32-bit executable subject to file-system and registry redirection on the x64 host. The other three level-1 trees are Windows background processes that happened to run during the analysis.
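To turn the behaviours in the Signatures and Processes sections into repeatable triage checks, the following script is an added example (not part of the sandbox report or its tooling). It runs over constructed event tuples that reproduce the report's registry writes and process tree, and flags four things a practitioner would want from this report: a Run value pointing at a user-writable directory, the Geo\Nation geofence lookup, the "cmd /c ping ... & del" self-delete chain, and a process under %TEMP% launching another executable under %TEMP%. The user-writable directory list and the regular expressions are assumptions chosen for this example, not rules taken from the report.

```python
"""Triage checks for a sandbox report: run-key persistence, geofence lookup,
self-delete chain and dropped-EXE execution. Added example, not report code."""
import re

SAMPLE = "16cf079cfd81b78fb4fe50979439f4edbc583539bf3e08e0a118c9092eb69636.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed events mirroring the report's values (not a real log feed).
# Registry events: (process, pid, action, key path, data)
REGISTRY_EVENTS = [
    (SAMPLE, 1760, "Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     TEMP + r"\MicroMedia\MediaCenter.exe"),
    (SAMPLE, 1760, "Key value queried",
     r"\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation",
     None),
    ("svchost.exe", 3320, "Set value (int)",
     r"\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount",
     "0"),
]
# Process events: (pid, parent pid, image path, command line)
PROCESS_EVENTS = [
    (1760, 0, TEMP + "\\" + SAMPLE, f'"{TEMP}\\{SAMPLE}"'),
    (3512, 1760, TEMP + r"\MicroMedia\MediaCenter.exe", TEMP + r"\MicroMedia\MediaCenter.exe"),
    (3176, 1760, r"C:\Windows\SysWOW64\cmd.exe",
     f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{TEMP}\\{SAMPLE}"'),
    (3016, 3176, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    (3320, 0, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k NetworkService -p"),
]

# Assumed list of directories an unprivileged user can write to. A Run value
# pointing here is the "persist from the drop location" pattern, not an installer.
USER_WRITABLE = (r"\appdata\local", r"\appdata\roaming", r"c:\programdata",
                 r"c:\users\public", r"c:\windows\temp")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.IGNORECASE)
# "del [/switches] <path>" up to the next "&" or end of line; quotes optional.
DEL_RE = re.compile(r'\bdel\b(?:\s+/\w)*\s+"?([^"&]+?)"?\s*(?:&|$)', re.IGNORECASE)


def _in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in USER_WRITABLE)


def run_key_persistence(events=REGISTRY_EVENTS):
    """Run/RunOnce values whose target lives in a user-writable directory."""
    hits = []
    for proc, pid, action, key, data in events:
        m = RUN_KEY_RE.search(key)
        if m and action.startswith("Set value") and data and _in_user_writable(data):
            hits.append({"process": proc, "pid": pid, "value": m.group(2),
                         "target": data, "wow64": "\\WOW6432Node\\" in key})
    return hits


def geofence_lookups(events=REGISTRY_EVENTS):
    """Processes that read the configured country (Geo\\Nation), a common geofence check."""
    return sorted({proc for proc, _, action, key, _ in events
                   if key.lower().endswith(r"\control panel\international\geo\nation")
                   and "queried" in action.lower()})


def self_delete_chains(events=PROCESS_EVENTS):
    """cmd.exe spawned by X whose command line deletes X's own image file."""
    by_pid = {pid: img for pid, _, img, _ in events}
    hits = []
    for pid, ppid, img, cmd in events:
        if not img.lower().endswith(r"\cmd.exe") or ppid not in by_pid:
            continue
        parent_img = by_pid[ppid]
        for target in DEL_RE.findall(cmd):
            if target.strip().lower() == parent_img.lower():
                # ping/timeout in the same line is the delay that lets the parent exit first
                delay = bool(re.search(r"\b(ping|timeout)\b", cmd, re.IGNORECASE))
                hits.append({"cmd_pid": pid, "parent_pid": ppid,
                             "deleted": parent_img, "delay": delay})
    return hits


def dropped_exe_executions(events=PROCESS_EVENTS):
    """Parent and child both running from user-writable paths: a dropper launching its payload."""
    by_pid = {pid: img for pid, _, img, _ in events}
    return [(ppid, pid, img) for pid, ppid, img, _ in events
            if ppid in by_pid and _in_user_writable(img) and _in_user_writable(by_pid[ppid])]


if __name__ == "__main__":
    for name, fn in [("run-key persistence", run_key_persistence),
                     ("geofence lookups", geofence_lookups),
                     ("self-delete chains", self_delete_chains),
                     ("dropped EXE executions", dropped_exe_executions)]:
        print(f"{name}: {fn()}")
```

The checks deliberately key on relationships rather than on this sample's hashes or the name "MicroMedia": the self-delete check compares the deleted path against the parent's image, and the persistence check looks at where the Run value points, so the same logic fires on the next dropper that uses a different name under %TEMP%. Feeding it the svchost.exe entry shows the Delivery Optimization noise from the report is ignored.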
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: d2e1aab457d22716eaa50a5bab58e0e0
  SHA1: b67fd586e85c103a68f0dddb1a640a06f398eb04
  SHA256: 75252fc29abd619e7b07650dea29a3eb7e777d12cdf4dbb4d3796489a838d00b
  SHA512: 3fdd097517e47d9ac94a7aa483453b4afc879a21a95ca15187f016e681147c97767186b9b2da739c30130208a4285c45a09f0525adb7b2cff60d5582af99f419