Analysis
max time kernel: 162s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 04:44
Static task: static1
Behavioral task: behavioral1
  Sample: 14a22147f785b02355dcbae21f3f39f0fd787c584ea2083398f1dd7b80e322e9.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 14a22147f785b02355dcbae21f3f39f0fd787c584ea2083398f1dd7b80e322e9.exe
  Resource: win10v2004-en-20220112
General
Target: 14a22147f785b02355dcbae21f3f39f0fd787c584ea2083398f1dd7b80e322e9.exe
Size: 58KB
MD5: dea0ae6cf9c426301b9b927c22f60c7d
SHA1: e589c3d0383223b9e8f429f0f93d4885dcab073f
SHA256: 14a22147f785b02355dcbae21f3f39f0fd787c584ea2083398f1dd7b80e322e9
SHA512: 1a607217fadb464560edac6e4a25c71753e2ffadacd6b3a68c77baa4a0519111e119cdae71c673c8166bb5a0ec72d3439d918fdf1ca7497b84853b46209d3c2b
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes (pid, process):
  3164  MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 14a22147f785b02355dcbae21f3f39f0fd787c584ea2083398f1dd7b80e322e9.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description, ioc, process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 14a22147f785b02355dcbae21f3f39f0fd787c584ea2083398f1dd7b80e322e9.exe
Drops file in Windows directory (3 IoCs)
Processes (description, ioc, process):
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
Modifies data under HKEY_USERS (49 IoCs)
Processes (description, ioc, process):
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132892912245088841" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.094703" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4180" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.601002" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4084" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | svchost.exe
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (22 IoCs)
Processes (description, pid, process):
  Token: SeIncBasePriorityPrivilege | 2472 | 14a22147f785b02355dcbae21f3f39f0fd787c584ea2083398f1dd7b80e322e9.exe
  Token: SeSecurityPrivilege | 1716 | TiWorker.exe
  Token: SeRestorePrivilege | 1716 | TiWorker.exe
  Token: SeBackupPrivilege | 1716 | TiWorker.exe
  Token: SeBackupPrivilege | 1716 | TiWorker.exe
  Token: SeRestorePrivilege | 1716 | TiWorker.exe
  Token: SeSecurityPrivilege | 1716 | TiWorker.exe
  Token: SeBackupPrivilege | 1716 | TiWorker.exe
  Token: SeRestorePrivilege | 1716 | TiWorker.exe
  Token: SeSecurityPrivilege | 1716 | TiWorker.exe
  Token: SeBackupPrivilege | 1716 | TiWorker.exe
  Token: SeRestorePrivilege | 1716 | TiWorker.exe
  Token: SeSecurityPrivilege | 1716 | TiWorker.exe
  Token: SeBackupPrivilege | 1716 | TiWorker.exe
  Token: SeRestorePrivilege | 1716 | TiWorker.exe
  Token: SeSecurityPrivilege | 1716 | TiWorker.exe
  Token: SeBackupPrivilege | 1716 | TiWorker.exe
  Token: SeRestorePrivilege | 1716 | TiWorker.exe
  Token: SeSecurityPrivilege | 1716 | TiWorker.exe
  Token: SeBackupPrivilege | 1716 | TiWorker.exe
  Token: SeRestorePrivilege | 1716 | TiWorker.exe
  Token: SeSecurityPrivilege | 1716 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description, pid, process, target process):
  PID 2472 wrote to memory of 3164 | 2472 | 14a22147f785b02355dcbae21f3f39f0fd787c584ea2083398f1dd7b80e322e9.exe | MediaCenter.exe
  PID 2472 wrote to memory of 3164 | 2472 | 14a22147f785b02355dcbae21f3f39f0fd787c584ea2083398f1dd7b80e322e9.exe | MediaCenter.exe
  PID 2472 wrote to memory of 3164 | 2472 | 14a22147f785b02355dcbae21f3f39f0fd787c584ea2083398f1dd7b80e322e9.exe | MediaCenter.exe
  PID 2472 wrote to memory of 2020 | 2472 | 14a22147f785b02355dcbae21f3f39f0fd787c584ea2083398f1dd7b80e322e9.exe | cmd.exe
  PID 2472 wrote to memory of 2020 | 2472 | 14a22147f785b02355dcbae21f3f39f0fd787c584ea2083398f1dd7b80e322e9.exe | cmd.exe
  PID 2472 wrote to memory of 2020 | 2472 | 14a22147f785b02355dcbae21f3f39f0fd787c584ea2083398f1dd7b80e322e9.exe | cmd.exe
  PID 2020 wrote to memory of 1868 | 2020 | cmd.exe | PING.EXE
  PID 2020 wrote to memory of 1868 | 2020 | cmd.exe | PING.EXE
  PID 2020 wrote to memory of 1868 | 2020 | cmd.exe | PING.EXE
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\14a22147f785b02355dcbae21f3f39f0fd787c584ea2083398f1dd7b80e322e9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\14a22147f785b02355dcbae21f3f39f0fd787c584ea2083398f1dd7b80e322e9.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2472

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 3164

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14a22147f785b02355dcbae21f3f39f0fd787c584ea2083398f1dd7b80e322e9.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2020

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1868

C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
  PID: 2500

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 1004

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1716
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: c135824870b47ca7de1bd8fe2e467f61
SHA1: f303feb44de895293618f39885f45386e9964d4b
SHA256: ea25f3c749fad9e1f263f47d98cab7adf9ebe0df1381718507c0314751f95f39
SHA512: 2af3cdc7713593cb16a6ba52ba8b8c8e6fa4796468e26930b58ccfdeef7bc8e02c413034fc3b3d756e93a4122e6b9fd39ecff84e348e93076720a89751fcbfbb