Analysis
-
max time kernel
160s -
max time network
172s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
12-02-2022 05:27
Static task
static1
Behavioral task
behavioral1
Sample
12b0190a9052289553de89622ad5d9aba3ee5b4a9844117a98993ec267e772c3.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
12b0190a9052289553de89622ad5d9aba3ee5b4a9844117a98993ec267e772c3.exe
Resource
win10v2004-en-20220112
General
-
Target
12b0190a9052289553de89622ad5d9aba3ee5b4a9844117a98993ec267e772c3.exe
-
Size
58KB
-
MD5
68514d6a607c29e2e30a18b2ddb898cf
-
SHA1
1f4402163162fae48967f558328ceb13cd92f5ac
-
SHA256
12b0190a9052289553de89622ad5d9aba3ee5b4a9844117a98993ec267e772c3
-
SHA512
2e99cdfae273eb3e08d56a10e6e8fba8950727d9c5ad2fb84d3832a35d18b75648e39bd659209770774f0867f2b198259057861cdf875a535db2c9c388e2905b
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 3648 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
12b0190a9052289553de89622ad5d9aba3ee5b4a9844117a98993ec267e772c3.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation 12b0190a9052289553de89622ad5d9aba3ee5b4a9844117a98993ec267e772c3.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
12b0190a9052289553de89622ad5d9aba3ee5b4a9844117a98993ec267e772c3.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 12b0190a9052289553de89622ad5d9aba3ee5b4a9844117a98993ec267e772c3.exe -
Drops file in Windows directory 3 IoCs
Processes:
TiWorker.exesvchost.exedescription ioc process File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
MusNotifyIcon.exedescription ioc process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MusNotifyIcon.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MusNotifyIcon.exe -
Modifies data under HKEY_USERS 49 IoCs
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4096" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132892937426514536" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.667939" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4312" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "3.333463" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" svchost.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
TiWorker.exe12b0190a9052289553de89622ad5d9aba3ee5b4a9844117a98993ec267e772c3.exedescription pid process Token: SeSecurityPrivilege 724 TiWorker.exe Token: SeRestorePrivilege 724 TiWorker.exe Token: SeBackupPrivilege 724 TiWorker.exe Token: SeBackupPrivilege 724 TiWorker.exe Token: SeRestorePrivilege 724 TiWorker.exe Token: SeSecurityPrivilege 724 TiWorker.exe Token: SeBackupPrivilege 724 TiWorker.exe Token: SeRestorePrivilege 724 TiWorker.exe Token: SeSecurityPrivilege 724 TiWorker.exe Token: SeBackupPrivilege 724 TiWorker.exe Token: SeRestorePrivilege 724 TiWorker.exe Token: SeSecurityPrivilege 724 TiWorker.exe Token: SeBackupPrivilege 724 TiWorker.exe Token: SeRestorePrivilege 724 TiWorker.exe Token: SeSecurityPrivilege 724 TiWorker.exe Token: SeBackupPrivilege 724 TiWorker.exe Token: SeRestorePrivilege 724 TiWorker.exe Token: SeSecurityPrivilege 724 TiWorker.exe Token: SeBackupPrivilege 724 TiWorker.exe Token: SeRestorePrivilege 724 TiWorker.exe Token: SeSecurityPrivilege 724 TiWorker.exe Token: SeBackupPrivilege 724 TiWorker.exe Token: SeRestorePrivilege 724 TiWorker.exe Token: SeSecurityPrivilege 724 TiWorker.exe Token: SeBackupPrivilege 724 TiWorker.exe Token: SeRestorePrivilege 724 TiWorker.exe Token: SeSecurityPrivilege 724 TiWorker.exe Token: SeBackupPrivilege 724 TiWorker.exe Token: SeRestorePrivilege 724 TiWorker.exe Token: SeSecurityPrivilege 724 TiWorker.exe Token: SeBackupPrivilege 724 TiWorker.exe Token: SeRestorePrivilege 724 TiWorker.exe Token: SeSecurityPrivilege 724 TiWorker.exe Token: SeBackupPrivilege 724 TiWorker.exe Token: SeRestorePrivilege 724 TiWorker.exe Token: SeSecurityPrivilege 724 TiWorker.exe Token: SeIncBasePriorityPrivilege 1668 12b0190a9052289553de89622ad5d9aba3ee5b4a9844117a98993ec267e772c3.exe Token: SeBackupPrivilege 724 TiWorker.exe Token: SeRestorePrivilege 724 TiWorker.exe Token: SeSecurityPrivilege 724 TiWorker.exe Token: SeBackupPrivilege 724 TiWorker.exe Token: SeRestorePrivilege 724 TiWorker.exe Token: SeSecurityPrivilege 724 TiWorker.exe Token: SeBackupPrivilege 724 TiWorker.exe Token: SeRestorePrivilege 724 TiWorker.exe Token: SeSecurityPrivilege 724 TiWorker.exe Token: SeBackupPrivilege 724 TiWorker.exe Token: SeRestorePrivilege 724 TiWorker.exe Token: SeSecurityPrivilege 724 TiWorker.exe Token: SeBackupPrivilege 724 TiWorker.exe Token: SeRestorePrivilege 724 TiWorker.exe Token: SeSecurityPrivilege 724 TiWorker.exe Token: SeBackupPrivilege 724 TiWorker.exe Token: SeRestorePrivilege 724 TiWorker.exe Token: SeSecurityPrivilege 724 TiWorker.exe Token: SeBackupPrivilege 724 TiWorker.exe Token: SeRestorePrivilege 724 TiWorker.exe Token: SeSecurityPrivilege 724 TiWorker.exe Token: SeBackupPrivilege 724 TiWorker.exe Token: SeRestorePrivilege 724 TiWorker.exe Token: SeSecurityPrivilege 724 TiWorker.exe Token: SeBackupPrivilege 724 TiWorker.exe Token: SeRestorePrivilege 724 TiWorker.exe Token: SeSecurityPrivilege 724 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
12b0190a9052289553de89622ad5d9aba3ee5b4a9844117a98993ec267e772c3.execmd.exedescription pid process target process PID 1668 wrote to memory of 3648 1668 12b0190a9052289553de89622ad5d9aba3ee5b4a9844117a98993ec267e772c3.exe MediaCenter.exe PID 1668 wrote to memory of 3648 1668 12b0190a9052289553de89622ad5d9aba3ee5b4a9844117a98993ec267e772c3.exe MediaCenter.exe PID 1668 wrote to memory of 3648 1668 12b0190a9052289553de89622ad5d9aba3ee5b4a9844117a98993ec267e772c3.exe MediaCenter.exe PID 1668 wrote to memory of 1244 1668 12b0190a9052289553de89622ad5d9aba3ee5b4a9844117a98993ec267e772c3.exe cmd.exe PID 1668 wrote to memory of 1244 1668 12b0190a9052289553de89622ad5d9aba3ee5b4a9844117a98993ec267e772c3.exe cmd.exe PID 1668 wrote to memory of 1244 1668 12b0190a9052289553de89622ad5d9aba3ee5b4a9844117a98993ec267e772c3.exe cmd.exe PID 1244 wrote to memory of 376 1244 cmd.exe PING.EXE PID 1244 wrote to memory of 376 1244 cmd.exe PING.EXE PID 1244 wrote to memory of 376 1244 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\12b0190a9052289553de89622ad5d9aba3ee5b4a9844117a98993ec267e772c3.exe"C:\Users\Admin\AppData\Local\Temp\12b0190a9052289553de89622ad5d9aba3ee5b4a9844117a98993ec267e772c3.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:3648 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\12b0190a9052289553de89622ad5d9aba3ee5b4a9844117a98993ec267e772c3.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:376
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
PID:2468
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3784
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:724
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
b2b9dbab849e032f1e5d0f3e2ff18616
SHA1dec09e89aab0d09a55fb1481cd2fa3f3f9951581
SHA256b3f43ec328f3faf29ac598fb1aada7c730aae7820591b3bd223b5affd7c515a9
SHA512110c0abe0098e1f3d1dd84dd34c7b7f1d3002fc26a1d49c4d7ced9a7af65d241d68fb3083e8410d2d6283875c2960bfd97aef2d641543983de6aa69cdc0c170e
-
MD5
b2b9dbab849e032f1e5d0f3e2ff18616
SHA1dec09e89aab0d09a55fb1481cd2fa3f3f9951581
SHA256b3f43ec328f3faf29ac598fb1aada7c730aae7820591b3bd223b5affd7c515a9
SHA512110c0abe0098e1f3d1dd84dd34c7b7f1d3002fc26a1d49c4d7ced9a7af65d241d68fb3083e8410d2d6283875c2960bfd97aef2d641543983de6aa69cdc0c170e