Analysis
-
max time kernel
155s
-
max time network
175s
-
platform
windows10-2004_x64
-
resource
win10v2004-en-20220112
-
submitted
12-02-2022 04:49
Static task
static1
Behavioral task
behavioral1
Sample
144d2bda13e25394d581d8f19a58d1ad53efcdaf8191c0cd78fc8ce763e899c2.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
144d2bda13e25394d581d8f19a58d1ad53efcdaf8191c0cd78fc8ce763e899c2.exe
Resource
win10v2004-en-20220112
General
-
Target
144d2bda13e25394d581d8f19a58d1ad53efcdaf8191c0cd78fc8ce763e899c2.exe
-
Size
60KB
-
MD5
4dcb3af25939b63e79a07de206cbead7
-
SHA1
73bbbbd8ae95abe99da1eb69cd06fe6442a19c48
-
SHA256
144d2bda13e25394d581d8f19a58d1ad53efcdaf8191c0cd78fc8ce763e899c2
-
SHA512
bcf0508c78368b8d52bc74f2b391d7e740dcab895304c391d4f1645262a1fc1b7b6173b58ac0a4ccfa8525a62d465bb56ea484796e28d8e7bd71bcad36320e60
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes: MediaCenter.exe
pid | process
768 | MediaCenter.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 144d2bda13e25394d581d8f19a58d1ad53efcdaf8191c0cd78fc8ce763e899c2.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 144d2bda13e25394d581d8f19a58d1ad53efcdaf8191c0cd78fc8ce763e899c2.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 144d2bda13e25394d581d8f19a58d1ad53efcdaf8191c0cd78fc8ce763e899c2.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 144d2bda13e25394d581d8f19a58d1ad53efcdaf8191c0cd78fc8ce763e899c2.exe
-
Drops file in Windows directory 2 IoCs
Processes: TiWorker.exe
description | ioc | process
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: MusNotifyIcon.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
-
Modifies data under HKEY_USERS 46 IoCs
Processes: svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3676" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3740" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3744" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.127551" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" | svchost.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: 144d2bda13e25394d581d8f19a58d1ad53efcdaf8191c0cd78fc8ce763e899c2.exe, TiWorker.exe
description | pid | process
Token: SeIncBasePriorityPrivilege | 2244 | 144d2bda13e25394d581d8f19a58d1ad53efcdaf8191c0cd78fc8ce763e899c2.exe
Token: SeSecurityPrivilege | 3992 | TiWorker.exe
Token: SeRestorePrivilege | 3992 | TiWorker.exe
Token: SeBackupPrivilege | 3992 | TiWorker.exe
Token: SeBackupPrivilege | 3992 | TiWorker.exe
Token: SeRestorePrivilege | 3992 | TiWorker.exe
Token: SeSecurityPrivilege | 3992 | TiWorker.exe
Token: SeBackupPrivilege | 3992 | TiWorker.exe
Token: SeRestorePrivilege | 3992 | TiWorker.exe
Token: SeSecurityPrivilege | 3992 | TiWorker.exe
Token: SeBackupPrivilege | 3992 | TiWorker.exe
Token: SeRestorePrivilege | 3992 | TiWorker.exe
Token: SeSecurityPrivilege | 3992 | TiWorker.exe
Token: SeBackupPrivilege | 3992 | TiWorker.exe
Token: SeRestorePrivilege | 3992 | TiWorker.exe
Token: SeSecurityPrivilege | 3992 | TiWorker.exe
Token: SeBackupPrivilege | 3992 | TiWorker.exe
Token: SeRestorePrivilege | 3992 | TiWorker.exe
Token: SeSecurityPrivilege | 3992 | TiWorker.exe
Token: SeBackupPrivilege | 3992 | TiWorker.exe
Token: SeRestorePrivilege | 3992 | TiWorker.exe
Token: SeSecurityPrivilege | 3992 | TiWorker.exe
Token: SeBackupPrivilege | 3992 | TiWorker.exe
Token: SeRestorePrivilege | 3992 | TiWorker.exe
Token: SeSecurityPrivilege | 3992 | TiWorker.exe
Token: SeBackupPrivilege | 3992 | TiWorker.exe
Token: SeRestorePrivilege | 3992 | TiWorker.exe
Token: SeSecurityPrivilege | 3992 | TiWorker.exe
Token: SeBackupPrivilege | 3992 | TiWorker.exe
Token: SeRestorePrivilege | 3992 | TiWorker.exe
Token: SeSecurityPrivilege | 3992 | TiWorker.exe
Token: SeBackupPrivilege | 3992 | TiWorker.exe
Token: SeRestorePrivilege | 3992 | TiWorker.exe
Token: SeSecurityPrivilege | 3992 | TiWorker.exe
Token: SeBackupPrivilege | 3992 | TiWorker.exe
Token: SeRestorePrivilege | 3992 | TiWorker.exe
Token: SeSecurityPrivilege | 3992 | TiWorker.exe
Token: SeBackupPrivilege | 3992 | TiWorker.exe
Token: SeRestorePrivilege | 3992 | TiWorker.exe
Token: SeSecurityPrivilege | 3992 | TiWorker.exe
Token: SeBackupPrivilege | 3992 | TiWorker.exe
Token: SeRestorePrivilege | 3992 | TiWorker.exe
Token: SeSecurityPrivilege | 3992 | TiWorker.exe
Token: SeBackupPrivilege | 3992 | TiWorker.exe
Token: SeRestorePrivilege | 3992 | TiWorker.exe
Token: SeSecurityPrivilege | 3992 | TiWorker.exe
Token: SeBackupPrivilege | 3992 | TiWorker.exe
Token: SeRestorePrivilege | 3992 | TiWorker.exe
Token: SeSecurityPrivilege | 3992 | TiWorker.exe
Token: SeBackupPrivilege | 3992 | TiWorker.exe
Token: SeRestorePrivilege | 3992 | TiWorker.exe
Token: SeSecurityPrivilege | 3992 | TiWorker.exe
Token: SeBackupPrivilege | 3992 | TiWorker.exe
Token: SeRestorePrivilege | 3992 | TiWorker.exe
Token: SeSecurityPrivilege | 3992 | TiWorker.exe
Token: SeBackupPrivilege | 3992 | TiWorker.exe
Token: SeRestorePrivilege | 3992 | TiWorker.exe
Token: SeSecurityPrivilege | 3992 | TiWorker.exe
Token: SeBackupPrivilege | 3992 | TiWorker.exe
Token: SeRestorePrivilege | 3992 | TiWorker.exe
Token: SeSecurityPrivilege | 3992 | TiWorker.exe
Token: SeBackupPrivilege | 3992 | TiWorker.exe
Token: SeRestorePrivilege | 3992 | TiWorker.exe
Token: SeSecurityPrivilege | 3992 | TiWorker.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes: 144d2bda13e25394d581d8f19a58d1ad53efcdaf8191c0cd78fc8ce763e899c2.exe, cmd.exe
description | pid | process | target process
PID 2244 wrote to memory of 768 | 2244 | 144d2bda13e25394d581d8f19a58d1ad53efcdaf8191c0cd78fc8ce763e899c2.exe | MediaCenter.exe
PID 2244 wrote to memory of 768 | 2244 | 144d2bda13e25394d581d8f19a58d1ad53efcdaf8191c0cd78fc8ce763e899c2.exe | MediaCenter.exe
PID 2244 wrote to memory of 768 | 2244 | 144d2bda13e25394d581d8f19a58d1ad53efcdaf8191c0cd78fc8ce763e899c2.exe | MediaCenter.exe
PID 2244 wrote to memory of 1720 | 2244 | 144d2bda13e25394d581d8f19a58d1ad53efcdaf8191c0cd78fc8ce763e899c2.exe | cmd.exe
PID 2244 wrote to memory of 1720 | 2244 | 144d2bda13e25394d581d8f19a58d1ad53efcdaf8191c0cd78fc8ce763e899c2.exe | cmd.exe
PID 2244 wrote to memory of 1720 | 2244 | 144d2bda13e25394d581d8f19a58d1ad53efcdaf8191c0cd78fc8ce763e899c2.exe | cmd.exe
PID 1720 wrote to memory of 4064 | 1720 | cmd.exe | PING.EXE
PID 1720 wrote to memory of 4064 | 1720 | cmd.exe | PING.EXE
PID 1720 wrote to memory of 4064 | 1720 | cmd.exe | PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\144d2bda13e25394d581d8f19a58d1ad53efcdaf8191c0cd78fc8ce763e899c2.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\144d2bda13e25394d581d8f19a58d1ad53efcdaf8191c0cd78fc8ce763e899c2.exe"
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2244
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
  Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - Executes dropped EXE
  PID: 768
  C:\Windows\SysWOW64\cmd.exe (level 2)
  Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\144d2bda13e25394d581d8f19a58d1ad53efcdaf8191c0cd78fc8ce763e899c2.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1720
    C:\Windows\SysWOW64\PING.EXE (level 3)
    Command line: ping 127.0.0.1
    - Runs ping.exe
    PID: 4064
-
C:\Windows\system32\MusNotifyIcon.exe (level 1)
Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
- Checks processor information in registry
PID: 2900
-
C:\Windows\System32\svchost.exe (level 1)
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
- Modifies data under HKEY_USERS
PID: 2184
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (level 1)
Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 3992
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5
42aa4e3f2a0b274bf8be26d3467d4c25
SHA1
f8f486443c19614dc21e2b94b6ba3673b928524f
SHA256
4a284240a4f88c3abb54e6ad827b955597efcba43692faddabd97285a018cb37
SHA512
9bf43a7f7b3ae1917f9c978270fa13351d2c4f7f35ba9c306d3351d4cd6833de3651501d906cf3d24a2367225010bac562b3887c21c167452781da4bc5c9b262