Analysis
- Max time kernel: 163s
- Max time network: 172s
- Platform: windows10-2004_x64
- Resource: win10v2004-en-20220112
- Submitted: 12-02-2022 04:12

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 15cd7a5481499f48ecdd6669b1d91f778a0c122ec9a6abdce347145f060e8c07.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 15cd7a5481499f48ecdd6669b1d91f778a0c122ec9a6abdce347145f060e8c07.exe
  Resource: win10v2004-en-20220112
General
- Target: 15cd7a5481499f48ecdd6669b1d91f778a0c122ec9a6abdce347145f060e8c07.exe
- Size: 36KB
- MD5: 2799d8c94d56a47f357d5994d0267a84
- SHA1: b41132aff85ebc5c7a3b2f9915deb5d7d216f4f3
- SHA256: 15cd7a5481499f48ecdd6669b1d91f778a0c122ec9a6abdce347145f060e8c07
- SHA512: 4e8cd7b9ed6cf96a6ae89c069598c5cc2b2a63df61712c1e60174d2ec7c1f2ba4b62a14875621e8d9d6b0952f2c4b4bd537d931c9e64346dd52462fc36b7d93e
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  pid 396, process MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: 15cd7a5481499f48ecdd6669b1d91f778a0c122ec9a6abdce347145f060e8c07.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation (15cd7a5481499f48ecdd6669b1d91f778a0c122ec9a6abdce347145f060e8c07.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 15cd7a5481499f48ecdd6669b1d91f778a0c122ec9a6abdce347145f060e8c07.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (15cd7a5481499f48ecdd6669b1d91f778a0c122ec9a6abdce347145f060e8c07.exe)
- Drops file in Windows directory (3 IoCs)
  Processes: svchost.exe, TiWorker.exe
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat (svchost.exe)
  File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: MusNotifyIcon.exe
  Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (MusNotifyIcon.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (MusNotifyIcon.exe)
- Modifies data under HKEY_USERS (53 IoCs)
  Processes: svchost.exe
  Delivery Optimization Usage and Config values under \REGISTRY\USER\S-1-5-20 written by svchost.exe (operating-system background activity, not attributable to the sample).
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: 15cd7a5481499f48ecdd6669b1d91f778a0c122ec9a6abdce347145f060e8c07.exe, TiWorker.exe
  Token: SeIncBasePriorityPrivilege, pid 3992, 15cd7a5481499f48ecdd6669b1d91f778a0c122ec9a6abdce347145f060e8c07.exe
  Token: SeSecurityPrivilege / SeRestorePrivilege / SeBackupPrivilege, pid 3968, TiWorker.exe (the remaining 63 entries, these three privileges enabled repeatedly in turn)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 15cd7a5481499f48ecdd6669b1d91f778a0c122ec9a6abdce347145f060e8c07.exe, cmd.exe
  PID 3992 (15cd7a5481499f48ecdd6669b1d91f778a0c122ec9a6abdce347145f060e8c07.exe) wrote to memory of PID 396 (MediaCenter.exe), 3 times
  PID 3992 (15cd7a5481499f48ecdd6669b1d91f778a0c122ec9a6abdce347145f060e8c07.exe) wrote to memory of PID 2760 (cmd.exe), 3 times
  PID 2760 (cmd.exe) wrote to memory of PID 1596 (PING.EXE), 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\15cd7a5481499f48ecdd6669b1d91f778a0c122ec9a6abdce347145f060e8c07.exe (PID 3992)
  Command line: "C:\Users\Admin\AppData\Local\Temp\15cd7a5481499f48ecdd6669b1d91f778a0c122ec9a6abdce347145f060e8c07.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 396, child of 3992)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 2760, child of 3992)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15cd7a5481499f48ecdd6669b1d91f778a0c122ec9a6abdce347145f060e8c07.exe"
    (the ping to 127.0.0.1 acts as a short delay before the original sample file is deleted)
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1596, child of 2760)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\MusNotifyIcon.exe (PID 1028)
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
- C:\Windows\System32\svchost.exe (PID 3964)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 3968)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: ffec2c29711a457edb047e4981b637df
  SHA1: 5aa19290d99c60384a5d379e1e8d9507158ff8fa
  SHA256: 00a4cd3eb4581febcad1a499db17005ea0d05446537f2c5e0d74f2b592a6b86e
  SHA512: 67ad3e9463857c74813c829477ba198e33690a581af68e26b0cd7d1dbbcfaa4dc2bc9812dbb926ee63a558fdc1c481f0bc09ed130c5d507aa1b210ead313ba5f