Analysis
- max time kernel: 152s
- max time network: 183s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 04:04
Static task: static1
Behavioral task: behavioral1
- Sample: 161b1c3a9f35bddf59477806dec48b175c1b9025cb0663d3de40a004bce4787e.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 161b1c3a9f35bddf59477806dec48b175c1b9025cb0663d3de40a004bce4787e.exe
- Resource: win10v2004-en-20220112
General
- Target: 161b1c3a9f35bddf59477806dec48b175c1b9025cb0663d3de40a004bce4787e.exe
- Size: 35KB
- MD5: 754df238e8899bf1902e0d46af034c69
- SHA1: 5f3268b478c885d5c3eaa5d2246c9a2e02b1c576
- SHA256: 161b1c3a9f35bddf59477806dec48b175c1b9025cb0663d3de40a004bce4787e
- SHA512: 6fde867c33edf90c5d1178d19dd8004f2239f81ff49062daeb3816ef72ea0f03e12bcb116390f162b5a693e72c20b5d036c41f36d76b01659b0463ad2ccc5cce
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
  - 2880 MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation (161b1c3a9f35bddf59477806dec48b175c1b9025cb0663d3de40a004bce4787e.exe)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (161b1c3a9f35bddf59477806dec48b175c1b9025cb0663d3de40a004bce4787e.exe)
- Drops file in Windows directory (3 IoCs)
  Processes (description, ioc, process):
  - File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat (svchost.exe)
  - File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  - File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  - Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (MusNotifyIcon.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (MusNotifyIcon.exe)
- Modifies data under HKEY_USERS (49 IoCs)
  Processes (description, ioc, process). All 49 entries were produced by svchost.exe, and every path below is relative to \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization:
  - Set value (int): Usage\SwarmCount = "0"
  - Set value (int): Config\DownloadMode_BackCompat = "1"
  - Set value (int): Usage\UploadMonthlyLanBytes = "0"
  - Set value (int): Usage\DownloadMonthlyGroupBytes = "0"
  - Set value (int): Config\KVFileExpirationTime = "132892887157643662"
  - Set value (int): Usage\DownlinkBps = "0"
  - Set value (int): Usage\PriorityDownloadPendingCount = "0"
  - Key created: (DeliveryOptimization root key)
  - Key created: Config
  - Set value (int): Usage\DownloadMonthlyRateFrBps = "0"
  - Set value (int): Usage\SwarmCount = "1"
  - Set value (int): Usage\InternetConnectionCount = "0"
  - Set value (int): Usage\UploadRatePct = "100"
  - Key created: Usage
  - Set value (int): Usage\DownloadMonthlyRateFrCnt = "0"
  - Set value (int): Usage\UplinkBps = "0"
  - Set value (int): Usage\NormalDownloadCount = "0"
  - Set value (int): Usage\NormalDownloadPendingCount = "0"
  - Set value (int): Usage\FrDownloadRatePct = "90"
  - Set value (int): Usage\MemoryUsageKB = "4300"
  - Set value (int): Usage\GroupConnectionCount = "0"
  - Set value (int): Usage\MonthlyUploadRestriction = "0"
  - Set value (int): Config\DODownloadMode = "1"
  - Set value (int): Usage\UploadMonthlyInternetBytes = "0"
  - Set value (int): Usage\DownloadMonthlyInternetBytes = "0"
  - Set value (int): Usage\DownloadMonthlyCdnBytes = "0"
  - Set value (str): Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
  - Set value (int): Usage\PeerInfoCount = "0"
  - Set value (int): Usage\DownloadMonthlyLinkLocalBytes = "0"
  - Set value (int): Usage\DownloadMonthlyCacheHostBytes = "0"
  - Set value (str): Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
  - Set value (int): Usage\DownlinkUsageBps = "0"
  - Set value (int): Usage\UplinkUsageBps = "0"
  - Set value (str): Usage\CPUpct = "4.614972"
  - Set value (str): Usage\CPUpct = "0.000000"
  - Key created: Settings
  - Set value (int): Usage\DownloadMonthlyRateBkBps = "0"
  - Set value (int): Usage\MonthID = "2"
  - Set value (int): Usage\LANConnectionCount = "0"
  - Set value (int): Usage\BkDownloadRatePct = "45"
  - Set value (int): Usage\PriorityDownloadCount = "0"
  - Set value (int): Usage\MemoryUsageKB = "4072"
  - Set value (str): Usage\CPUpct = "11.113577"
  - Set value (int): Usage\DownloadMonthlyLanBytes = "0"
  - Set value (int): Usage\DownloadMonthlyRateBkCnt = "0"
  - Set value (int): Usage\CacheSizeBytes = "0"
  - Set value (int): Usage\CDNConnectionCount = "0"
  - Set value (int): Usage\LinkLocalConnectionCount = "0"
  - Set value (int): Usage\UploadCount = "0"
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description, pid, process):
  - Token: SeSecurityPrivilege, 3096, TiWorker.exe
  - Token: SeRestorePrivilege, 3096, TiWorker.exe
  - Token: SeBackupPrivilege, 3096, TiWorker.exe
  - Token: SeIncBasePriorityPrivilege, 3856, 161b1c3a9f35bddf59477806dec48b175c1b9025cb0663d3de40a004bce4787e.exe
  - The following sequence then repeats 20 times, all for pid 3096 TiWorker.exe (60 entries, 64 in total):
    - Token: SeBackupPrivilege
    - Token: SeRestorePrivilege
    - Token: SeSecurityPrivilege
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
  - PID 3856 wrote to memory of 2880: 161b1c3a9f35bddf59477806dec48b175c1b9025cb0663d3de40a004bce4787e.exe -> MediaCenter.exe
  - PID 3856 wrote to memory of 2880: 161b1c3a9f35bddf59477806dec48b175c1b9025cb0663d3de40a004bce4787e.exe -> MediaCenter.exe
  - PID 3856 wrote to memory of 2880: 161b1c3a9f35bddf59477806dec48b175c1b9025cb0663d3de40a004bce4787e.exe -> MediaCenter.exe
  - PID 3856 wrote to memory of 1856: 161b1c3a9f35bddf59477806dec48b175c1b9025cb0663d3de40a004bce4787e.exe -> cmd.exe
  - PID 3856 wrote to memory of 1856: 161b1c3a9f35bddf59477806dec48b175c1b9025cb0663d3de40a004bce4787e.exe -> cmd.exe
  - PID 3856 wrote to memory of 1856: 161b1c3a9f35bddf59477806dec48b175c1b9025cb0663d3de40a004bce4787e.exe -> cmd.exe
  - PID 1856 wrote to memory of 3144: cmd.exe -> PING.EXE
  - PID 1856 wrote to memory of 3144: cmd.exe -> PING.EXE
  - PID 1856 wrote to memory of 3144: cmd.exe -> PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\161b1c3a9f35bddf59477806dec48b175c1b9025cb0663d3de40a004bce4787e.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\161b1c3a9f35bddf59477806dec48b175c1b9025cb0663d3de40a004bce4787e.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3856
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 2880
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\161b1c3a9f35bddf59477806dec48b175c1b9025cb0663d3de40a004bce4787e.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1856
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3144
- C:\Windows\system32\MusNotifyIcon.exe (depth 1)
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
  PID: 1800
- C:\Windows\System32\svchost.exe (depth 1)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 3864
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (depth 1)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3096
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 5b3c921078f5a812996f644335c8effa
- SHA1: 80dd372c9968fa30f8f214fe03715001774257e0
- SHA256: 60838645614de8e5c3b73bbe2ba495e7480f2a5b42076d4a01453c8f88e0a3ad
- SHA512: 9328e7b79344f44f6b1a57a0f7c91ed259ed5012f9d98669ae94765f2671f0de96d0d8699e5088c7ad3e1655e265b8129bff3a4416a305cb5555328654c5d3b7