Analysis
max time kernel: 166s
max time network: 178s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 06:19
Static task: static1
Behavioral task: behavioral1
  Sample: 1048a0974f87b6801905be2b25b700345c0b2f3c14c47762ea64a66506a9f6e7.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1048a0974f87b6801905be2b25b700345c0b2f3c14c47762ea64a66506a9f6e7.exe
  Resource: win10v2004-en-20220112
General
Target: 1048a0974f87b6801905be2b25b700345c0b2f3c14c47762ea64a66506a9f6e7.exe
Size: 60KB
MD5: 04f5f791aa6a7c7d14ed92f4a08fc6b9
SHA1: daeb8bf97356afa1760000e6f2700a9c20d1985e
SHA256: 1048a0974f87b6801905be2b25b700345c0b2f3c14c47762ea64a66506a9f6e7
SHA512: cd6ffbf18cc011c5064ec9e0c023b986b8687e8d7996a6cb1ae6c8786d086e184119d51b995f51e4b534feec0cdb1ed9d2211c6b4412242053da0c5c904a5fa1
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes: MediaCenter.exe
  pid 3660  process MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 1048a0974f87b6801905be2b25b700345c0b2f3c14c47762ea64a66506a9f6e7.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation  1048a0974f87b6801905be2b25b700345c0b2f3c14c47762ea64a66506a9f6e7.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 1048a0974f87b6801905be2b25b700345c0b2f3c14c47762ea64a66506a9f6e7.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  1048a0974f87b6801905be2b25b700345c0b2f3c14c47762ea64a66506a9f6e7.exe
Drops file in Windows directory (3 IoCs)
Processes: svchost.exe, TiWorker.exe
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat  svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log  TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml  TiWorker.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: MusNotifyIcon.exe
  Key opened  \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  MusNotifyIcon.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  MusNotifyIcon.exe
Modifies data under HKEY_USERS (49 IoCs)
Processes: svchost.exe
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (34 IoCs)
Processes: 1048a0974f87b6801905be2b25b700345c0b2f3c14c47762ea64a66506a9f6e7.exe, TiWorker.exe
  Token: SeIncBasePriorityPrivilege  pid 1712  1048a0974f87b6801905be2b25b700345c0b2f3c14c47762ea64a66506a9f6e7.exe
  Token: SeSecurityPrivilege  pid 996  TiWorker.exe
  Token: SeRestorePrivilege  pid 996  TiWorker.exe
  Token: SeBackupPrivilege  pid 996  TiWorker.exe
  (TiWorker.exe repeats the SeSecurityPrivilege/SeRestorePrivilege/SeBackupPrivilege cycle; 33 TiWorker.exe entries in total)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 1048a0974f87b6801905be2b25b700345c0b2f3c14c47762ea64a66506a9f6e7.exe, cmd.exe
  PID 1712 wrote to memory of 3660  1048a0974f87b6801905be2b25b700345c0b2f3c14c47762ea64a66506a9f6e7.exe -> MediaCenter.exe  (3 entries)
  PID 1712 wrote to memory of 1872  1048a0974f87b6801905be2b25b700345c0b2f3c14c47762ea64a66506a9f6e7.exe -> cmd.exe  (3 entries)
  PID 1872 wrote to memory of 2956  cmd.exe -> PING.EXE  (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\1048a0974f87b6801905be2b25b700345c0b2f3c14c47762ea64a66506a9f6e7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1048a0974f87b6801905be2b25b700345c0b2f3c14c47762ea64a66506a9f6e7.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1712
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 3660
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1048a0974f87b6801905be2b25b700345c0b2f3c14c47762ea64a66506a9f6e7.exe"
      - Suspicious use of WriteProcessMemory
      PID: 1872
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          - Runs ping.exe
          PID: 2956
C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
  PID: 632
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 1688
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 996
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: f87cf7af637812147d5a97ce60e52f2f
SHA1: 80eba08f46a5777e599cf13a7159125df4c798b9
SHA256: 2781e9d40414fd32be77bcef0b8e7027f1b3bca830feb8231cdc888b223a2a71
SHA512: 2f504b6ffdbc40532c0133aa741a9c3e4e1476a436606b9705c9999110242faca658b98aa902be22fe597a19161b57088ff9b0394a014b4292dd2ad6840d39d3