Analysis
max time kernel: 179s
max time network: 191s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 08:08

Static task: static1

Behavioral task: behavioral1
  Sample: 0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f.exe
  Resource: win10v2004-en-20220112

General
Target: 0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f.exe
Size: 36KB
MD5: 2706a0b0f974d72c6f3a0aef8ab2fe81
SHA1: 396962f00f0e18b2a409e29f137cf05761ef4bea
SHA256: 0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f
SHA512: 6a9f393e46bf3db237ead1cc4daeaffd5b1d21d3fcccaa9a4dfb6c670cf10c5f84b15d29e95334656cabc933585197e9f53020924ee4195d696bb648f081de28
Malware Config
Signatures
Executes dropped EXE 1 IoCs
Processes:
  pid | process
  2128 | MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f.exe
Drops file in Windows directory 3 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
Modifies data under HKEY_USERS 49 IoCs
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  description | pid | process | target process
  PID 3424 wrote to memory of 2128 | 3424 | 0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f.exe | MediaCenter.exe
  PID 3424 wrote to memory of 2128 | 3424 | 0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f.exe | MediaCenter.exe
  PID 3424 wrote to memory of 2128 | 3424 | 0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f.exe | MediaCenter.exe
  PID 3424 wrote to memory of 3540 | 3424 | 0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f.exe | cmd.exe
  PID 3424 wrote to memory of 3540 | 3424 | 0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f.exe | cmd.exe
  PID 3424 wrote to memory of 3540 | 3424 | 0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f.exe | cmd.exe
  PID 3540 wrote to memory of 2224 | 3540 | cmd.exe | PING.EXE
  PID 3540 wrote to memory of 2224 | 3540 | cmd.exe | PING.EXE
  PID 3540 wrote to memory of 2224 | 3540 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f.exe (PID 3424)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 2128)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 3540)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b9c0c3610f96266569a427c509e0c80bf9196e79083b72464e35491705fe95f.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 2224)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
- C:\Windows\system32\MusNotifyIcon.exe (PID 2116)
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 0
  Signatures: Checks processor information in registry
- C:\Windows\System32\svchost.exe (PID 1664)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  Signatures: Drops file in Windows directory; Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 2300)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 431922fe82993f5efd98007392235bee
SHA1: 4408026a07f0b69397332ac09ff2d6931cb2940d
SHA256: cb33a12b306b0bf6387b060ce20cb6a4e3142c1cee2d97341250d28c31c749cb
SHA512: fd1454cdbdf3d8dfb1e29053642626318492323c3fe84260956b45724d5da07f82ce38a04531cb865361219882a6c66c87e2809d8ed96529ceeece374cf7febe