Analysis
max time kernel: 176s
max time network: 181s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 04:52
Static task: static1
Behavioral task: behavioral1
  Sample: 142e1092dddc61fd30b7be6873e87498f00bf4a50696dd395df2da6212d19081.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 142e1092dddc61fd30b7be6873e87498f00bf4a50696dd395df2da6212d19081.exe
  Resource: win10v2004-en-20220112
General
Target: 142e1092dddc61fd30b7be6873e87498f00bf4a50696dd395df2da6212d19081.exe
Size: 60KB
MD5: 9334bf311d2af849e84994cf85e78d8e
SHA1: f4868bccb8fbda4299da06a40bb55a2d904df00b
SHA256: 142e1092dddc61fd30b7be6873e87498f00bf4a50696dd395df2da6212d19081
SHA512: cf03ff7817970e5d306ca786c214b16c327b6fb36f268340a01b6555bcaeaf34fc263ab1bd5d2d0af1da106f347357b19f9ebff60310f9fe4149029eee2f978c
Signatures
Executes dropped EXE (1 IoC)
Processes: MediaCenter.exe (PID 1860)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 142e1092dddc61fd30b7be6873e87498f00bf4a50696dd395df2da6212d19081.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 142e1092dddc61fd30b7be6873e87498f00bf4a50696dd395df2da6212d19081.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
Drops file in Windows directory (3 IoCs)
Processes: svchost.exe, TiWorker.exe
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat (svchost.exe)
  File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: MusNotifyIcon.exe
  Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Modifies data under HKEY_USERS (50 IoCs)
Processes: svchost.exe
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: TiWorker.exe, 142e1092dddc61fd30b7be6873e87498f00bf4a50696dd395df2da6212d19081.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 142e1092dddc61fd30b7be6873e87498f00bf4a50696dd395df2da6212d19081.exe, cmd.exe
  PID 2072 wrote to memory of 1860: 142e1092dddc61fd30b7be6873e87498f00bf4a50696dd395df2da6212d19081.exe -> MediaCenter.exe
  PID 2072 wrote to memory of 1860: 142e1092dddc61fd30b7be6873e87498f00bf4a50696dd395df2da6212d19081.exe -> MediaCenter.exe
  PID 2072 wrote to memory of 1860: 142e1092dddc61fd30b7be6873e87498f00bf4a50696dd395df2da6212d19081.exe -> MediaCenter.exe
  PID 2072 wrote to memory of 2776: 142e1092dddc61fd30b7be6873e87498f00bf4a50696dd395df2da6212d19081.exe -> cmd.exe
  PID 2072 wrote to memory of 2776: 142e1092dddc61fd30b7be6873e87498f00bf4a50696dd395df2da6212d19081.exe -> cmd.exe
  PID 2072 wrote to memory of 2776: 142e1092dddc61fd30b7be6873e87498f00bf4a50696dd395df2da6212d19081.exe -> cmd.exe
  PID 2776 wrote to memory of 1964: cmd.exe -> PING.EXE
  PID 2776 wrote to memory of 1964: cmd.exe -> PING.EXE
  PID 2776 wrote to memory of 1964: cmd.exe -> PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\142e1092dddc61fd30b7be6873e87498f00bf4a50696dd395df2da6212d19081.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\142e1092dddc61fd30b7be6873e87498f00bf4a50696dd395df2da6212d19081.exe"
  PID: 2072
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1860
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\142e1092dddc61fd30b7be6873e87498f00bf4a50696dd395df2da6212d19081.exe"
    PID: 2776
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1964
      - Runs ping.exe
C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  PID: 3020
  - Checks processor information in registry
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  PID: 2844
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 1620
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v6
Downloads
MD5: b78723a9a9d83747b4fa1af836f6c525
SHA1: 08852d4ad8e13484c6040868fd851cb1defbeb20
SHA256: 1a87de0915fdaaf62babead8c416e29ae9ca5261e504697da81deae01d81485f
SHA512: 1f65a1b8277656bd67ab1824424a2d7fe0b243f24f2ed6a90951bd84138f4573c6bc187023f445555ffeddd836ca369a7cb23d0ab14fdf2a6beb093c9f19dc25