Analysis
max time kernel: 155s
max time network: 170s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 03:53
Static task: static1
Behavioral task: behavioral1
  Sample: 16974ddab31a3bb406061381042a75dd5ac1d2f6b7cf090f364f3c1994077c31.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 16974ddab31a3bb406061381042a75dd5ac1d2f6b7cf090f364f3c1994077c31.exe
  Resource: win10v2004-en-20220112
General
Target: 16974ddab31a3bb406061381042a75dd5ac1d2f6b7cf090f364f3c1994077c31.exe
Size: 35KB
MD5: d0e114190a0ab295eeb467dcb117ce37
SHA1: 0ec818023f8afbfee4d0bed7bf7a855fe553475f
SHA256: 16974ddab31a3bb406061381042a75dd5ac1d2f6b7cf090f364f3c1994077c31
SHA512: aa9a89d93d185393457b30f4b02e62e6e07893a48f928e9d92ffcb507978eab2c2ca2246f8296e4b1c23de4a43a8b5c1aacbca43e8e96e797db0f8f947ed1297
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
  pid 2396  MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation  16974ddab31a3bb406061381042a75dd5ac1d2f6b7cf090f364f3c1994077c31.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  16974ddab31a3bb406061381042a75dd5ac1d2f6b7cf090f364f3c1994077c31.exe
Drops file in Windows directory (3 IoCs)
Processes:
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat  svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log  TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml  TiWorker.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  MusNotifyIcon.exe
  Key opened  \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  MusNotifyIcon.exe
Modifies data under HKEY_USERS (51 IoCs, all svchost.exe writes under \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization)
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs: SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege by TiWorker.exe pid 4064; SeIncBasePriorityPrivilege by 16974ddab31a3bb406061381042a75dd5ac1d2f6b7cf090f364f3c1994077c31.exe pid 3900)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  PID 3900 wrote to memory of 2396  16974ddab31a3bb406061381042a75dd5ac1d2f6b7cf090f364f3c1994077c31.exe -> MediaCenter.exe
  PID 3900 wrote to memory of 2396  16974ddab31a3bb406061381042a75dd5ac1d2f6b7cf090f364f3c1994077c31.exe -> MediaCenter.exe
  PID 3900 wrote to memory of 2396  16974ddab31a3bb406061381042a75dd5ac1d2f6b7cf090f364f3c1994077c31.exe -> MediaCenter.exe
  PID 3900 wrote to memory of 948   16974ddab31a3bb406061381042a75dd5ac1d2f6b7cf090f364f3c1994077c31.exe -> cmd.exe
  PID 3900 wrote to memory of 948   16974ddab31a3bb406061381042a75dd5ac1d2f6b7cf090f364f3c1994077c31.exe -> cmd.exe
  PID 3900 wrote to memory of 948   16974ddab31a3bb406061381042a75dd5ac1d2f6b7cf090f364f3c1994077c31.exe -> cmd.exe
  PID 948 wrote to memory of 512    cmd.exe -> PING.EXE
  PID 948 wrote to memory of 512    cmd.exe -> PING.EXE
  PID 948 wrote to memory of 512    cmd.exe -> PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\16974ddab31a3bb406061381042a75dd5ac1d2f6b7cf090f364f3c1994077c31.exe (PID 3900)
  Command line: "C:\Users\Admin\AppData\Local\Temp\16974ddab31a3bb406061381042a75dd5ac1d2f6b7cf090f364f3c1994077c31.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 2396)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe (PID 948)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16974ddab31a3bb406061381042a75dd5ac1d2f6b7cf090f364f3c1994077c31.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (PID 512)
      Command line: ping 127.0.0.1
      - Runs ping.exe
C:\Windows\system32\MusNotifyIcon.exe (PID 1556)
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
C:\Windows\System32\svchost.exe (PID 2148)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 4064)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: a34474b65111e1fc626de15b12ec69fe
SHA1: 622958a111b128034610e7b9d36c372f47a07614
SHA256: 672328a4ea66d52657223343d4a0349660477f40118a06759f9bb9ff7c73b1ee
SHA512: e2ec531bdeb93d1908b89de183ab8022f7fc1cec9c559335e8cc29ff459b1c950e89a00860e22f4b26759f213eee5bdccc4788ad8f791cdc27dd0a37861f2635