Analysis
Max time kernel: 160s
Max time network: 168s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220112
Submitted: 12-02-2022 07:44
Static task: static1
Behavioral task: behavioral1
  Sample: 0cb4f6a76f4f5527116d13493ee70b8ae18bb6c944ba94d0076035af390f7e9b.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0cb4f6a76f4f5527116d13493ee70b8ae18bb6c944ba94d0076035af390f7e9b.exe
  Resource: win10v2004-en-20220112
General
Target: 0cb4f6a76f4f5527116d13493ee70b8ae18bb6c944ba94d0076035af390f7e9b.exe
Size: 36KB
MD5: 7272859ae1cfabbbb9562035c8c1da4b
SHA1: 7216190cadeecb314aabb1be05424c2ede8047ce
SHA256: 0cb4f6a76f4f5527116d13493ee70b8ae18bb6c944ba94d0076035af390f7e9b
SHA512: a95260b378c614edb7f8705ece74aa2d509d78aff04fb9bb665e3064f4adaa70cd61eea7d936363c37b2d31174440642ba1f7a009a893e34436893bb79f7d552
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 1248)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 0cb4f6a76f4f5527116d13493ee70b8ae18bb6c944ba94d0076035af390f7e9b.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 0cb4f6a76f4f5527116d13493ee70b8ae18bb6c944ba94d0076035af390f7e9b.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Drops file in Windows directory (3 IoCs)
  Processes: TiWorker.exe, svchost.exe
  File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat (svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: MusNotifyIcon.exe
  Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (MusNotifyIcon.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (MusNotifyIcon.exe)
- Modifies data under HKEY_USERS (52 IoCs)
  Processes: svchost.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: TiWorker.exe, 0cb4f6a76f4f5527116d13493ee70b8ae18bb6c944ba94d0076035af390f7e9b.exe
  Distinct entries (the remaining entries are verbatim repeats of the TiWorker.exe rows):
  Token: SeSecurityPrivilege, PID 3924, TiWorker.exe
  Token: SeRestorePrivilege, PID 3924, TiWorker.exe
  Token: SeBackupPrivilege, PID 3924, TiWorker.exe
  Token: SeIncBasePriorityPrivilege, PID 1100, 0cb4f6a76f4f5527116d13493ee70b8ae18bb6c944ba94d0076035af390f7e9b.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 0cb4f6a76f4f5527116d13493ee70b8ae18bb6c944ba94d0076035af390f7e9b.exe, cmd.exe
  Distinct entries (each is recorded three times):
  PID 1100 wrote to memory of 1248: 0cb4f6a76f4f5527116d13493ee70b8ae18bb6c944ba94d0076035af390f7e9b.exe -> MediaCenter.exe
  PID 1100 wrote to memory of 1536: 0cb4f6a76f4f5527116d13493ee70b8ae18bb6c944ba94d0076035af390f7e9b.exe -> cmd.exe
  PID 1536 wrote to memory of 4016: cmd.exe -> PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\0cb4f6a76f4f5527116d13493ee70b8ae18bb6c944ba94d0076035af390f7e9b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0cb4f6a76f4f5527116d13493ee70b8ae18bb6c944ba94d0076035af390f7e9b.exe"
  PID: 1100
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1248
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0cb4f6a76f4f5527116d13493ee70b8ae18bb6c944ba94d0076035af390f7e9b.exe"
    PID: 1536
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 4016
      - Runs ping.exe
C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  PID: 540
  - Checks processor information in registry
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  PID: 3264
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3924
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 4eb02d284d6a5e6e0b691b10ad4f022f
SHA1: ac76eaa8164b337d16f75e9695c39edb756d1d98
SHA256: f40b61bec2c5048344bba11e69277cc72086720b6d8b8319bcaddeb8ca9689fe
SHA512: 7ac0ed5126e0dc222379b15f8b40a37dc9dd1df81058cf5c98d819b018bddbdc1709972a7f0d98ec12b58b62557d2f7643b56602354161d3cf9b847b54829157