Analysis
- max time kernel: 152s
- max time network: 173s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 04:07
Static task: static1
Behavioral task: behavioral1
  Sample: 15ffba13bfa69def699d25c7ec4b44b0675f148d30b2ffdfb688bdf341c5b118.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 15ffba13bfa69def699d25c7ec4b44b0675f148d30b2ffdfb688bdf341c5b118.exe
  Resource: win10v2004-en-20220112
General
- Target: 15ffba13bfa69def699d25c7ec4b44b0675f148d30b2ffdfb688bdf341c5b118.exe
- Size: 60KB
- MD5: c24eeeb38d5c279b011cf4e475be7c63
- SHA1: 3ceedd2ce52df26ef7ce069e46d257e61f45b0c8
- SHA256: 15ffba13bfa69def699d25c7ec4b44b0675f148d30b2ffdfb688bdf341c5b118
- SHA512: 80a46172f5ab3ab3b9c44023ec003f56e169e2d7a8a05261f522e80a8008e6e6395cde9789725df9b05efdb724d83c48b4ddb02ff61aa08ad32b9eab2a101b95
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    2208  MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description        ioc                                                                                                   process
    Key value queried  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation  15ffba13bfa69def699d25c7ec4b44b0675f148d30b2ffdfb688bdf341c5b118.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description      ioc                                                                                                                                                            process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  15ffba13bfa69def699d25c7ec4b44b0675f148d30b2ffdfb688bdf341c5b118.exe
- Drops file in Windows directory (3 IoCs)
  Processes:
    description                   ioc                                                                                                         process
    File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat  svchost.exe
    File opened for modification  C:\Windows\Logs\CBS\CBS.log                                                                                 TiWorker.exe
    File opened for modification  C:\Windows\WinSxS\pending.xml                                                                               TiWorker.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                                    process
    Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0       MusNotifyIcon.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  MusNotifyIcon.exe
- Modifies data under HKEY_USERS (49 IoCs)
  Processes:
    All 49 entries are by svchost.exe. Paths below are relative to
    \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization
    description      ioc
    Set value (int)  Usage\LANConnectionCount = "0"
    Set value (int)  Usage\MonthlyUploadRestriction = "0"
    Set value (str)  Usage\CPUpct = "1.470502"
    Set value (int)  Usage\DownlinkBps = "0"
    Set value (str)  Usage\CPUpct = "0.786518"
    Set value (int)  Config\KVFileExpirationTime = "132892889573471171"
    Set value (int)  Usage\CacheSizeBytes = "0"
    Set value (int)  Usage\PeerInfoCount = "0"
    Set value (int)  Usage\LinkLocalConnectionCount = "0"
    Set value (int)  Usage\DownloadMonthlyRateBkBps = "0"
    Set value (int)  Usage\SwarmCount = "1"
    Set value (int)  Usage\UplinkUsageBps = "0"
    Set value (int)  Usage\FrDownloadRatePct = "90"
    Key created      \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization (the base key itself)
    Set value (int)  Config\DODownloadMode = "1"
    Key created      Usage
    Set value (int)  Usage\DownloadMonthlyGroupBytes = "0"
    Set value (int)  Usage\PriorityDownloadPendingCount = "0"
    Set value (int)  Usage\MemoryUsageKB = "4232"
    Set value (int)  Usage\SwarmCount = "0"
    Set value (str)  Usage\CPUpct = "0.000000"
    Key created      Settings
    Set value (int)  Usage\UploadMonthlyLanBytes = "0"
    Set value (str)  Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
    Set value (int)  Usage\PriorityDownloadCount = "0"
    Set value (int)  Usage\DownloadMonthlyCacheHostBytes = "0"
    Set value (int)  Usage\InternetConnectionCount = "0"
    Set value (int)  Usage\BkDownloadRatePct = "45"
    Set value (int)  Usage\NormalDownloadCount = "0"
    Set value (int)  Usage\UplinkBps = "0"
    Set value (int)  Usage\UploadCount = "0"
    Key created      Config
    Set value (int)  Usage\DownloadMonthlyLinkLocalBytes = "0"
    Set value (int)  Usage\GroupConnectionCount = "0"
    Set value (int)  Usage\DownlinkUsageBps = "0"
    Set value (int)  Usage\DownloadMonthlyRateFrBps = "0"
    Set value (int)  Usage\UploadRatePct = "100"
    Set value (int)  Usage\MemoryUsageKB = "4128"
    Set value (int)  Usage\UploadMonthlyInternetBytes = "0"
    Set value (int)  Usage\DownloadMonthlyInternetBytes = "0"
    Set value (int)  Usage\DownloadMonthlyLanBytes = "0"
    Set value (int)  Usage\DownloadMonthlyCdnBytes = "0"
    Set value (str)  Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
    Set value (int)  Usage\CDNConnectionCount = "0"
    Set value (int)  Usage\NormalDownloadPendingCount = "0"
    Set value (int)  Config\DownloadMode_BackCompat = "1"
    Set value (int)  Usage\DownloadMonthlyRateFrCnt = "0"
    Set value (int)  Usage\DownloadMonthlyRateBkCnt = "0"
    Set value (int)  Usage\MonthID = "2"
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    description                        pid   process
    Token: SeIncBasePriorityPrivilege  1556  15ffba13bfa69def699d25c7ec4b44b0675f148d30b2ffdfb688bdf341c5b118.exe
    Token: SeSecurityPrivilege         2616  TiWorker.exe
    Token: SeRestorePrivilege          2616  TiWorker.exe
    Token: SeBackupPrivilege           2616  TiWorker.exe
    Token: SeBackupPrivilege           2616  TiWorker.exe
    Token: SeRestorePrivilege          2616  TiWorker.exe
    Token: SeSecurityPrivilege         2616  TiWorker.exe
    The remaining entries are the same three tokens for pid 2616 TiWorker.exe, repeated in the order
    SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege until the listed total of 64 IoCs is reached.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                         pid   process                                                                process target
    PID 1556 wrote to memory of 2208    1556  15ffba13bfa69def699d25c7ec4b44b0675f148d30b2ffdfb688bdf341c5b118.exe  MediaCenter.exe
    PID 1556 wrote to memory of 2208    1556  15ffba13bfa69def699d25c7ec4b44b0675f148d30b2ffdfb688bdf341c5b118.exe  MediaCenter.exe
    PID 1556 wrote to memory of 2208    1556  15ffba13bfa69def699d25c7ec4b44b0675f148d30b2ffdfb688bdf341c5b118.exe  MediaCenter.exe
    PID 1556 wrote to memory of 3656    1556  15ffba13bfa69def699d25c7ec4b44b0675f148d30b2ffdfb688bdf341c5b118.exe  cmd.exe
    PID 1556 wrote to memory of 3656    1556  15ffba13bfa69def699d25c7ec4b44b0675f148d30b2ffdfb688bdf341c5b118.exe  cmd.exe
    PID 1556 wrote to memory of 3656    1556  15ffba13bfa69def699d25c7ec4b44b0675f148d30b2ffdfb688bdf341c5b118.exe  cmd.exe
    PID 3656 wrote to memory of 4072    3656  cmd.exe                                                                PING.EXE
    PID 3656 wrote to memory of 4072    3656  cmd.exe                                                                PING.EXE
    PID 3656 wrote to memory of 4072    3656  cmd.exe                                                                PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\15ffba13bfa69def699d25c7ec4b44b0675f148d30b2ffdfb688bdf341c5b118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\15ffba13bfa69def699d25c7ec4b44b0675f148d30b2ffdfb688bdf341c5b118.exe"
  PID: 1556
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 2208
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15ffba13bfa69def699d25c7ec4b44b0675f148d30b2ffdfb688bdf341c5b118.exe"
    PID: 3656
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 4072
      - Runs ping.exe
- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  PID: 3880
  - Checks processor information in registry
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  PID: 2168
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 2616
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 20df6dc6bf3e3c43abf3386a771069b6
  SHA1: c8ead668c3a2c8b8978aa26db77bdc386b4ffde9
  SHA256: f65bb5671d0a8143880062a66d78de744857c87cf30d0fabb69d1e91e1e9a143
  SHA512: fb89fe045ecba4620e5f29612eb73855d467f106d64da6b2a9218678a351a5c8c1e8fabd9cae04e718d1078b26be7fd188cdbfea6163da4b9f4a40b4ba53685a