Analysis
Max time kernel: 155s
Max time network: 167s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220112
Submitted: 12-02-2022 07:17

Static task: static1
Behavioral task: behavioral1
  Sample: 0dfcfceecaf882853277f1b91e9f23161801309d049234d970bac18aec4efcc6.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0dfcfceecaf882853277f1b91e9f23161801309d049234d970bac18aec4efcc6.exe
  Resource: win10v2004-en-20220112
General
Target: 0dfcfceecaf882853277f1b91e9f23161801309d049234d970bac18aec4efcc6.exe
Size: 58KB
MD5: 9ba9327d1caebc25bcd9f8d4449a2b60
SHA1: 88c03435714fd613fdbf0f5ac6bcba645a145c5b
SHA256: 0dfcfceecaf882853277f1b91e9f23161801309d049234d970bac18aec4efcc6
SHA512: f3ba5264f9e2d67236fd5277e46f0270c512e92bc49b4e74933a6ac760b770e917fe89f4746f077e93aa6fafb7840f1dcfc713b90b4d683467ec9c870ab115d2
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 2972)
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, a common geofence check used to skip execution in unwanted regions.
  Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation  by 0dfcfceecaf882853277f1b91e9f23161801309d049234d970bac18aec4efcc6.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"  by 0dfcfceecaf882853277f1b91e9f23161801309d049234d970bac18aec4efcc6.exe
  Note: the value lands under WOW6432Node because the 32-bit sample's write to HKLM\...\Run is redirected by the registry reflector on x64. The persisted binary is the dropped MediaCenter.exe in a user-writable Temp directory, which is the artefact to check for on a host.
Drops file in Windows directory (3 IoCs)
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat  by svchost.exe
  File opened for modification: C:\Windows\Logs\CBS\CBS.log  by TiWorker.exe
  File opened for modification: C:\Windows\WinSxS\pending.xml  by TiWorker.exe
  Note: all three are written by Windows servicing components (Delivery Optimization in svchost.exe, the Modules Installer worker TiWorker.exe), not by the sample or its children.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: the report attributes no process or IoC to this signature, so it cannot be tied to the sample from this page alone.
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  by MusNotifyIcon.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  by MusNotifyIcon.exe
  Note: both reads come from MusNotifyIcon.exe, the Windows Update notification icon, not from the sample; this is sandbox background activity.
Modifies data under HKEY_USERS (47 IoCs)
  Process: svchost.exe (PID 3560, -k NetworkService). All 47 entries sit under \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization (S-1-5-20 is NT AUTHORITY\NETWORK SERVICE), i.e. Delivery Optimization bookkeeping by the service itself rather than activity of the sample. Paths below are relative to that key.
  Key created: (root), Config, Usage, Settings
  Set value (str): Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
  Set value (str): Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
  Set value (int): Config\KVFileExpirationTime = "132893003817566243", Config\DownloadMode_BackCompat = "1", Config\DODownloadMode = "1"
  Set value (str): Usage\CPUpct = "0.024456", later "2.238783"
  Set value (int): Usage\MemoryUsageKB = "4080", later "4108"
  Set value (int): Usage\SwarmCount = "1", Usage\MonthID = "2", Usage\FrDownloadRatePct = "90", Usage\BkDownloadRatePct = "45", Usage\UploadRatePct = "100"
  Set value (int) = "0" for each of: Usage\CDNConnectionCount, LinkLocalConnectionCount, DownlinkUsageBps, UploadMonthlyInternetBytes, UploadCount, PriorityDownloadPendingCount, PriorityDownloadCount, DownloadMonthlyInternetBytes, DownloadMonthlyLinkLocalBytes, CacheSizeBytes, DownloadMonthlyRateBkBps, DownloadMonthlyRateBkCnt, PeerInfoCount, UplinkBps, DownloadMonthlyGroupBytes, DownloadMonthlyRateFrCnt, NormalDownloadCount, UploadMonthlyLanBytes, DownloadMonthlyRateFrBps, DownloadMonthlyLanBytes, DownloadMonthlyCdnBytes, LANConnectionCount, InternetConnectionCount, MonthlyUploadRestriction, NormalDownloadPendingCount, DownloadMonthlyCacheHostBytes, GroupConnectionCount, DownlinkBps, UplinkUsageBps
Runs ping.exe (1 TTP, 1 IoC)
  Process: PING.EXE (PID 1676), launched by the sample's cmd.exe child; see the process tree below.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeIncBasePriorityPrivilege  PID 228  0dfcfceecaf882853277f1b91e9f23161801309d049234d970bac18aec4efcc6.exe  (1 entry, the only one attributed to the sample)
  Token: SeSecurityPrivilege / SeRestorePrivilege / SeBackupPrivilege  PID 4052  TiWorker.exe  (63 entries cycling through these three privileges)
  Note: TiWorker.exe is the Windows Modules Installer worker; enabling backup, restore and security privileges is routine for servicing and has no link to the sample. The only sample-attributed entry, SeIncBasePriorityPrivilege on PID 228, is what remains to assess.
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 228 (0dfcfceecaf882853277f1b91e9f23161801309d049234d970bac18aec4efcc6.exe) wrote to memory of PID 2972 (MediaCenter.exe)  (3 entries)
  PID 228 (0dfcfceecaf882853277f1b91e9f23161801309d049234d970bac18aec4efcc6.exe) wrote to memory of PID 3548 (cmd.exe)  (3 entries)
  PID 3548 (cmd.exe) wrote to memory of PID 1676 (PING.EXE)  (3 entries)
  Note: every target is a direct child of the writing process in the tree below, so these writes are consistent with ordinary process start-up by the parent rather than injection into an unrelated process.
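The registry signatures above mix one real persistence write and one geofence lookup by the sample with dozens of Delivery Optimization writes by svchost.exe. The following is an added example, not code from the report or from the sample's author: it parses lines in the report's own "operation key = value process" layout, discards the service's own DeliveryOptimization bookkeeping, and flags a Run key whose target lives in a user-writable directory and a Geo\Nation query. The input lines are constructed from the IoCs on this page; the rule names, the user-writable path list and the idea of treating svchost.exe DeliveryOptimization writes as noise are my assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input (not part of the report): five registry IoC lines in the
# report's own "<operation> <key> [= "<value>"] <process>" layout, copied from the
# signatures above (geofence lookup, Run key, two Delivery Optimization writes by
# svchost.exe, one CPU-speed query by MusNotifyIcon.exe).
SAMPLE = "0dfcfceecaf882853277f1b91e9f23161801309d049234d970bac18aec4efcc6.exe"
REPORT_LINES = [
    r"Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000"
    r"\Control Panel\International\Geo\Nation " + SAMPLE,
    r"Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion"
    r'\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" ' + SAMPLE,
    r"Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization svchost.exe",
    r"Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization"
    r'\Usage\SwarmCount = "1" svchost.exe',
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MusNotifyIcon.exe",
]

# One report line: operation, key, optional quoted value, then the acting process as
# the last whitespace-free token. Keys may contain spaces ("Control Panel"), so the
# key is matched lazily and the process is anchored at end of line.
LINE_RE = re.compile(
    r"^(?P<op>Set value \((?:str|int)\)|Key value queried|Key created|Key opened)\s+"
    r"(?P<key>\\REGISTRY\\.+?)"
    r'(?:\s+=\s+"(?P<val>.*)")?'
    r"\s+(?P<proc>\S+)$"
)
# Autostart values under any hive, with or without the WOW6432Node redirect.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.I)
# Assumed list of directories a standard user can write to.
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\(?:Local|Roaming)|ProgramData|Users\\Public|Windows\\Temp)\\", re.I)
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
DO_RE = re.compile(r"\\DeliveryOptimization(?:\\|$)", re.I)


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return {op, key, val, proc} for one report line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    if ev["val"] is not None:
        ev["val"] = ev["val"].replace("\\\\", "\\")  # the report escapes backslashes in values
    return ev


def classify(ev: Dict[str, Optional[str]]) -> Optional[Dict[str, str]]:
    """Map one parsed event to a finding, or None for events we treat as noise."""
    key, val, proc = ev["key"], ev["val"] or "", ev["proc"]
    if proc.lower() == "svchost.exe" and DO_RE.search(key):
        return None  # Delivery Optimization bookkeeping by the service itself
    if ev["op"].startswith("Set value") and RUN_KEY_RE.search(key):
        rule = "run-key-to-user-writable-path" if USER_WRITABLE_RE.search(val) else "run-key-added"
        return {"rule": rule, "process": proc, "key": key, "target": val}
    if ev["op"] == "Key value queried" and GEO_KEY_RE.search(key):
        return {"rule": "geofence-lookup", "process": proc, "key": key, "target": ""}
    return None


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Parse every line and keep only the findings, in input order."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            f = classify(ev)
            if f is not None:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(REPORT_LINES):
        print(f["rule"], f["process"], f["key"], f["target"])
```

Run against the constructed lines this yields exactly two findings, both attributed to the sample: the Geo\Nation lookup and the Run value pointing into AppData\Local\Temp. The MusNotifyIcon.exe CPU query parses but matches no rule, and the svchost.exe entries are dropped before rule evaluation, which is the filtering step that keeps the 47 HKEY_USERS IoCs from drowning the two that matter.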
Processes
1. C:\Users\Admin\AppData\Local\Temp\0dfcfceecaf882853277f1b91e9f23161801309d049234d970bac18aec4efcc6.exe  (PID 228)
   Command line: "C:\Users\Admin\AppData\Local\Temp\0dfcfceecaf882853277f1b91e9f23161801309d049234d970bac18aec4efcc6.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 2972)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe  (PID 3548)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0dfcfceecaf882853277f1b91e9f23161801309d049234d970bac18aec4efcc6.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE  (PID 1676)
         Command line: ping 127.0.0.1
         - Runs ping.exe
1. C:\Windows\system32\MusNotifyIcon.exe  (PID 3076)
   Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
   - Checks processor information in registry
1. C:\Windows\System32\svchost.exe  (PID 3560)
   Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
   - Drops file in Windows directory
   - Modifies data under HKEY_USERS
1. C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  (PID 4052)
   Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample (PID 228) drops and starts MediaCenter.exe, registers it in the Run key, then spawns cmd.exe to delete itself. The "ping 127.0.0.1" is a delay so the parent can exit and release its file lock before "del /q" removes the original executable; the dropped copy and its Run key survive, so on a live host the original path will be gone while MediaCenter.exe persists. The command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe, which shows that the creating process is 32-bit and subject to WOW64 file-system redirection, consistent with the Run key landing under WOW6432Node. The other three top-level processes (MusNotifyIcon.exe, svchost.exe -k NetworkService, TiWorker.exe) are Windows Update and servicing components with no parent link to the sample; their signature hits are sandbox background activity.
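The self-deletion chain in the tree above (sample -> cmd.exe /c ping & del -> PING.EXE) is the pattern a detection engineer would hunt for in process-creation telemetry. The following is an added example, not code from the report or from the sample's author: it rebuilds process lineage from records constructed from the tree above, flags a cmd.exe child whose command line deletes its own parent's image, notes whether a delay command precedes the delete, and reports the SysWOW64 redirection that reveals a 32-bit parent. The record fields (pid, ppid, image, cmdline), the ppid 0 convention for unrecorded parents and the list of delay commands are my assumptions, not a real log schema.

```python
import re
from typing import Dict, List

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0dfcfceecaf882853277f1b91e9f23161801309d049234d970bac18aec4efcc6.exe"

# Constructed sample input (not part of the report): process-creation records
# rebuilt from the process tree above. ppid 0 marks processes whose parent the
# report does not record.
EVENTS = [
    {"pid": 228, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2972, "ppid": 228,
     "image": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"pid": 3548, "ppid": 228, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"pid": 1676, "ppid": 3548, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    {"pid": 3076, "ppid": 0, "image": r"C:\Windows\system32\MusNotifyIcon.exe",
     "cmdline": r"%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13"},
    {"pid": 3560, "ppid": 0, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k NetworkService -p"},
]

CMD_BODY_RE = re.compile(r"\s/[ck]\s+(.*)$", re.I | re.S)   # text after cmd.exe /c or /k
DELAY_RE = re.compile(r"^(?:ping|timeout|choice)\b", re.I)  # assumed "wait for parent to exit" commands
DEL_RE = re.compile(r'^(?:del|erase)\b\s*(?:/\w\s+)*"?(?P<path>[^"]+?)"?\s*$', re.I)


def cmd_segments(cmdline: str) -> List[str]:
    """Split the body of a cmd.exe command line on & or && into trimmed commands."""
    m = CMD_BODY_RE.search(cmdline)
    body = m.group(1) if m else cmdline
    return [s.strip() for s in re.split(r"\s*&&?\s*", body) if s.strip()]


def self_delete_chains(events: List[Dict]) -> List[Dict]:
    """Find cmd.exe children whose command line deletes their own parent's image."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        segs = cmd_segments(e["cmdline"])
        delayed = any(DELAY_RE.match(s) for s in segs)
        for s in segs:
            m = DEL_RE.match(s)
            if m and m.group("path").lower() == parent["image"].lower():
                hits.append({"parent_pid": parent["pid"], "cmd_pid": e["pid"],
                             "deleted": m.group("path"), "delayed": delayed})
    return hits


def lineage(events: List[Dict], pid: int) -> List[str]:
    """Image paths from the outermost recorded ancestor down to pid."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def wow64_redirected(event: Dict) -> bool:
    """True when a SysWOW64 image ran for a command line naming System32: the
    creating process is 32-bit and file-system redirection applied."""
    return "\\syswow64\\" in event["image"].lower() and "\\system32\\" in event["cmdline"].lower()


if __name__ == "__main__":
    for hit in self_delete_chains(EVENTS):
        print("self-delete:", hit, "lineage:", lineage(EVENTS, hit["cmd_pid"]))
    for e in EVENTS:
        if wow64_redirected(e):
            print("32-bit parent detected via WOW64 redirection:", e["pid"], e["image"])
```

On the constructed records this reports one self-delete chain (parent PID 228, cmd.exe PID 3548, delayed by ping) and flags PID 3548 as WOW64-redirected. Matching the deleted path against the parent's own image, rather than just looking for "ping & del", keeps installers and updaters that clean up other files from triggering the rule.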
Network
MITRE ATT&CK Enterprise v6
Downloads
Entry 1
  MD5: 2b430cc144a54e93c8b6ffb9db6994c3
  SHA1: c1d0a772af5f2bf19c471f50d6f67da2f5fb58e4
  SHA256: a697ae384ad620d62f40ecb0567046d561e50a40ac39497ed8c6c5a70b92e424
  SHA512: b02a22ec51d85b809293414e48d1372e784d789d1d6e0af72b199cc9b6f9c9b5949f09a8876563dc8bd801e3e024f180db9bce37a46ec0245d46226f8e1d3720
Entry 2 (identical hashes to entry 1)
  MD5: 2b430cc144a54e93c8b6ffb9db6994c3
  SHA1: c1d0a772af5f2bf19c471f50d6f67da2f5fb58e4
  SHA256: a697ae384ad620d62f40ecb0567046d561e50a40ac39497ed8c6c5a70b92e424
  SHA512: b02a22ec51d85b809293414e48d1372e784d789d1d6e0af72b199cc9b6f9c9b5949f09a8876563dc8bd801e3e024f180db9bce37a46ec0245d46226f8e1d3720