Analysis
- Max time kernel: 163s
- Max time network: 172s
- Platform: windows10-2004_x64
- Resource: win10v2004-en-20220112
- Submitted: 12-02-2022 06:36

- Static task: static1
- Behavioral task: behavioral1
  Sample: 0f8c0c5dc0f88bf86232e91c1d0bcb2860e81b81cf5e1e1c3aec151a73be2e5a.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 0f8c0c5dc0f88bf86232e91c1d0bcb2860e81b81cf5e1e1c3aec151a73be2e5a.exe
  Resource: win10v2004-en-20220112
General
- Target: 0f8c0c5dc0f88bf86232e91c1d0bcb2860e81b81cf5e1e1c3aec151a73be2e5a.exe
- Size: 60KB
- MD5: cf400261b0c06046962406ca8afb31fb
- SHA1: a09f152452be561bb5a6a67c361f2df9536ebfc0
- SHA256: 0f8c0c5dc0f88bf86232e91c1d0bcb2860e81b81cf5e1e1c3aec151a73be2e5a
- SHA512: 562368fbcbfd3db9d378ba8f9b6ab58d65ae86d4811277561c4293c846b40750dd98dc0ae8ddb2014a48d5ed4804f875617bce982f79ed62011d8a2cee16622d
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes:
- PID 3836 MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
- 0f8c0c5dc0f88bf86232e91c1d0bcb2860e81b81cf5e1e1c3aec151a73be2e5a.exe: Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- 0f8c0c5dc0f88bf86232e91c1d0bcb2860e81b81cf5e1e1c3aec151a73be2e5a.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
Drops file in Windows directory (3 IoCs)
Processes:
- TiWorker.exe: File opened for modification C:\Windows\WinSxS\pending.xml
- svchost.exe: File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat
- TiWorker.exe: File opened for modification C:\Windows\Logs\CBS\CBS.log
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies data under HKEY_USERS (49 IoCs)
Processes: svchost.exe (Delivery Optimization usage counters and config values under \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization)
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
- Token: SeIncBasePriorityPrivilege, PID 1328, 0f8c0c5dc0f88bf86232e91c1d0bcb2860e81b81cf5e1e1c3aec151a73be2e5a.exe
- Token: SeSecurityPrivilege / SeRestorePrivilege / SeBackupPrivilege, PID 1572, TiWorker.exe (the remaining 63 entries cycle through these three privileges)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
- PID 1328 (0f8c0c5dc0f88bf86232e91c1d0bcb2860e81b81cf5e1e1c3aec151a73be2e5a.exe) wrote to memory of PID 3836 (MediaCenter.exe), 3 times
- PID 1328 (0f8c0c5dc0f88bf86232e91c1d0bcb2860e81b81cf5e1e1c3aec151a73be2e5a.exe) wrote to memory of PID 1236 (cmd.exe), 3 times
- PID 1236 (cmd.exe) wrote to memory of PID 3200 (PING.EXE), 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\0f8c0c5dc0f88bf86232e91c1d0bcb2860e81b81cf5e1e1c3aec151a73be2e5a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f8c0c5dc0f88bf86232e91c1d0bcb2860e81b81cf5e1e1c3aec151a73be2e5a.exe"
  PID: 1328
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 3836
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f8c0c5dc0f88bf86232e91c1d0bcb2860e81b81cf5e1e1c3aec151a73be2e5a.exe"
    PID: 1236
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 3200
      Signatures: Runs ping.exe
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  PID: 2196
  Signatures: Drops file in Windows directory; Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 1572
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 1a0d7c482657c09d3b6d37754a182ecd
  SHA1: 7d3021c6bfd276785ea0ef5056c890295403f0d6
  SHA256: f869d32b6e9e51fe441170884b0d13ae38b79e9995ef38428711d89c346f6cc7
  SHA512: eae6d107f9737c8925fc00e3ac0c4e4afb88c41a68ed9778c636dba68afd81e4f53e4927709efb22bc85a6265dd84643e3f3011c4a056681cd7fac349539e1ee