Analysis
-
max time kernel
163s -
max time network
170s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
12-02-2022 04:17
Static task
static1
Behavioral task
behavioral1
Sample
1591561d3896de7a821fdc18715334d6bbdfaaffb53e9bcd141484cbf9f25b06.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
1591561d3896de7a821fdc18715334d6bbdfaaffb53e9bcd141484cbf9f25b06.exe
Resource
win10v2004-en-20220112
General
-
Target
1591561d3896de7a821fdc18715334d6bbdfaaffb53e9bcd141484cbf9f25b06.exe
-
Size
60KB
-
MD5
21647921c9d30dcdc96c4d81dd6b49cb
-
SHA1
de052a18f528b75f33f4ccf804302cf616c2bc0d
-
SHA256
1591561d3896de7a821fdc18715334d6bbdfaaffb53e9bcd141484cbf9f25b06
-
SHA512
a128fed5d634daec1f74f07cf40ed7175c93f993bb5c209b8006f58197df861b7302eba415ed7eaf39f662f34bb743e274c2db586f19aba1d64980f3aeb2a0d8
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 2720 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
1591561d3896de7a821fdc18715334d6bbdfaaffb53e9bcd141484cbf9f25b06.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation 1591561d3896de7a821fdc18715334d6bbdfaaffb53e9bcd141484cbf9f25b06.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
1591561d3896de7a821fdc18715334d6bbdfaaffb53e9bcd141484cbf9f25b06.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 1591561d3896de7a821fdc18715334d6bbdfaaffb53e9bcd141484cbf9f25b06.exe -
Drops file in Windows directory 3 IoCs
Processes:
TiWorker.exesvchost.exedescription ioc process File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
MusNotifyIcon.exeMusNotifyIcon.exedescription ioc process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MusNotifyIcon.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MusNotifyIcon.exe Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MusNotifyIcon.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MusNotifyIcon.exe -
Modifies data under HKEY_USERS 50 IoCs
Processes:
svchost.exedescription ioc process Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4312" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132892896528496103" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "1.648402" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4104" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4120" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.197628" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.025075" svchost.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
1591561d3896de7a821fdc18715334d6bbdfaaffb53e9bcd141484cbf9f25b06.exeTiWorker.exedescription pid process Token: SeIncBasePriorityPrivilege 3776 1591561d3896de7a821fdc18715334d6bbdfaaffb53e9bcd141484cbf9f25b06.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
1591561d3896de7a821fdc18715334d6bbdfaaffb53e9bcd141484cbf9f25b06.execmd.exedescription pid process target process PID 3776 wrote to memory of 2720 3776 1591561d3896de7a821fdc18715334d6bbdfaaffb53e9bcd141484cbf9f25b06.exe MediaCenter.exe PID 3776 wrote to memory of 2720 3776 1591561d3896de7a821fdc18715334d6bbdfaaffb53e9bcd141484cbf9f25b06.exe MediaCenter.exe PID 3776 wrote to memory of 2720 3776 1591561d3896de7a821fdc18715334d6bbdfaaffb53e9bcd141484cbf9f25b06.exe MediaCenter.exe PID 3776 wrote to memory of 4128 3776 1591561d3896de7a821fdc18715334d6bbdfaaffb53e9bcd141484cbf9f25b06.exe cmd.exe PID 3776 wrote to memory of 4128 3776 1591561d3896de7a821fdc18715334d6bbdfaaffb53e9bcd141484cbf9f25b06.exe cmd.exe PID 3776 wrote to memory of 4128 3776 1591561d3896de7a821fdc18715334d6bbdfaaffb53e9bcd141484cbf9f25b06.exe cmd.exe PID 4128 wrote to memory of 4184 4128 cmd.exe PING.EXE PID 4128 wrote to memory of 4184 4128 cmd.exe PING.EXE PID 4128 wrote to memory of 4184 4128 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\1591561d3896de7a821fdc18715334d6bbdfaaffb53e9bcd141484cbf9f25b06.exe"C:\Users\Admin\AppData\Local\Temp\1591561d3896de7a821fdc18715334d6bbdfaaffb53e9bcd141484cbf9f25b06.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3776 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1591561d3896de7a821fdc18715334d6bbdfaaffb53e9bcd141484cbf9f25b06.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:4184
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
PID:3028
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:4216
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
PID:4240
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4464
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
f61f3fc16e4d83e26e0dd650febd9564
SHA1b7e79ec1b210e972c587b930381879cf543ab40f
SHA256985df66a1cf0ce04e755f07e4a2fda56a78e03216a545b43d85dd9a94cfd34eb
SHA512eb5ecd643cbb792a72c078e1c6f2f1decafcfac4a2ad949fc3aebd0f53eb6ad7b84d76dd2fe3c72bc59767ab24caa8a2f036916e3732db387312df4034c5b468
-
MD5
f61f3fc16e4d83e26e0dd650febd9564
SHA1b7e79ec1b210e972c587b930381879cf543ab40f
SHA256985df66a1cf0ce04e755f07e4a2fda56a78e03216a545b43d85dd9a94cfd34eb
SHA512eb5ecd643cbb792a72c078e1c6f2f1decafcfac4a2ad949fc3aebd0f53eb6ad7b84d76dd2fe3c72bc59767ab24caa8a2f036916e3732db387312df4034c5b468