Analysis
- max time kernel: 161s
- max time network: 173s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 04:08
Static task: static1
Behavioral task: behavioral1
  Sample: 15f259b8d2b170ff6e8e0a4d659e12ba23159577bef6683672c47f06cafb69c7.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 15f259b8d2b170ff6e8e0a4d659e12ba23159577bef6683672c47f06cafb69c7.exe
  Resource: win10v2004-en-20220112
General
- Target: 15f259b8d2b170ff6e8e0a4d659e12ba23159577bef6683672c47f06cafb69c7.exe
- Size: 58KB
- MD5: 9e7d727460945722d055d94f7a426abf
- SHA1: f44ca5dac56342f79bb9e0e1e35c3b6fd2862ed4
- SHA256: 15f259b8d2b170ff6e8e0a4d659e12ba23159577bef6683672c47f06cafb69c7
- SHA512: cfe0ffe0c0950c3141c624a5a27a087caa1777b592bcd4561407536007217060288013d6d3038003d70e49931a065ba3f7fc63574513c80455adcaf4127555c7
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
  pid | process
  3032 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 15f259b8d2b170ff6e8e0a4d659e12ba23159577bef6683672c47f06cafb69c7.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 15f259b8d2b170ff6e8e0a4d659e12ba23159577bef6683672c47f06cafb69c7.exe
Drops file in Windows directory (3 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
Modifies data under HKEY_USERS (49 IoCs)
Processes: svchost.exe
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: 15f259b8d2b170ff6e8e0a4d659e12ba23159577bef6683672c47f06cafb69c7.exe, TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description | pid | process | target process
  PID 1328 wrote to memory of 3032 | 1328 | 15f259b8d2b170ff6e8e0a4d659e12ba23159577bef6683672c47f06cafb69c7.exe | MediaCenter.exe
  PID 1328 wrote to memory of 3032 | 1328 | 15f259b8d2b170ff6e8e0a4d659e12ba23159577bef6683672c47f06cafb69c7.exe | MediaCenter.exe
  PID 1328 wrote to memory of 3032 | 1328 | 15f259b8d2b170ff6e8e0a4d659e12ba23159577bef6683672c47f06cafb69c7.exe | MediaCenter.exe
  PID 1328 wrote to memory of 3536 | 1328 | 15f259b8d2b170ff6e8e0a4d659e12ba23159577bef6683672c47f06cafb69c7.exe | cmd.exe
  PID 1328 wrote to memory of 3536 | 1328 | 15f259b8d2b170ff6e8e0a4d659e12ba23159577bef6683672c47f06cafb69c7.exe | cmd.exe
  PID 1328 wrote to memory of 3536 | 1328 | 15f259b8d2b170ff6e8e0a4d659e12ba23159577bef6683672c47f06cafb69c7.exe | cmd.exe
  PID 3536 wrote to memory of 2884 | 3536 | cmd.exe | PING.EXE
  PID 3536 wrote to memory of 2884 | 3536 | cmd.exe | PING.EXE
  PID 3536 wrote to memory of 2884 | 3536 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\15f259b8d2b170ff6e8e0a4d659e12ba23159577bef6683672c47f06cafb69c7.exe (PID 1328)
  Command line: "C:\Users\Admin\AppData\Local\Temp\15f259b8d2b170ff6e8e0a4d659e12ba23159577bef6683672c47f06cafb69c7.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 3032)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 3536)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15f259b8d2b170ff6e8e0a4d659e12ba23159577bef6683672c47f06cafb69c7.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 2884)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
- C:\Windows\system32\MusNotifyIcon.exe (PID 1504)
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  Signatures: Checks processor information in registry
- C:\Windows\System32\svchost.exe (PID 1860)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  Signatures: Drops file in Windows directory; Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 3216)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 81339ec9d65c14ca164f85d0276a846b
  SHA1: 5dc407a81b5261fd098d90dbd38f6297554b16d7
  SHA256: 7636815209a255cbfc92cf9d920694759a791bd2401f7bb948038d29acb33f52
  SHA512: c28609cead882fc7f1aed6a66e6c8078b2876daefdb627443f4dd59f8db70c0c313b261ed0ae47356a0b1e5a71a548d20e3a36e4f1af4bc8bd4d3c3fb4dc4f3b