Analysis
- max time kernel: 178s
- max time network: 190s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 08:05
Static task: static1
Behavioral task: behavioral1
  Sample: 0bbbe1efe098217272247250c83f5ec8d3c0b0dfb58a64f0e05f27e38bd966c4.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0bbbe1efe098217272247250c83f5ec8d3c0b0dfb58a64f0e05f27e38bd966c4.exe
  Resource: win10v2004-en-20220112
General
- Target: 0bbbe1efe098217272247250c83f5ec8d3c0b0dfb58a64f0e05f27e38bd966c4.exe
- Size: 35KB
- MD5: 7f1fd2138daf8b177aea11358627db0c
- SHA1: c5cdf9db175a11a839da2c472d21bd6ca57aea43
- SHA256: 0bbbe1efe098217272247250c83f5ec8d3c0b0dfb58a64f0e05f27e38bd966c4
- SHA512: dea9f6d11392dfb0b14a2bdb7f46e93d05f33dd8dbf97d6d2b40e29ccc15eb942f89cb5b675a3e604242f7aa556ca68dbbcefeaee5d2d373c984e08fdee78f04
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
Processes:
pid | process
2216 | MediaCenter.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 0bbbe1efe098217272247250c83f5ec8d3c0b0dfb58a64f0e05f27e38bd966c4.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0bbbe1efe098217272247250c83f5ec8d3c0b0dfb58a64f0e05f27e38bd966c4.exe
-
Drops file in Windows directory (3 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
-
Modifies data under HKEY_USERS (50 IoCs)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132893033355906857" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4316" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3992" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "2.614426" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4088" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "2.999878" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" | svchost.exe
-
Runs ping.exe (1 TTP, 1 IoC)
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
description | pid | process
Token: SeSecurityPrivilege | 2324 | TiWorker.exe
Token: SeRestorePrivilege | 2324 | TiWorker.exe
Token: SeBackupPrivilege | 2324 | TiWorker.exe
Token: SeIncBasePriorityPrivilege | 3868 | 0bbbe1efe098217272247250c83f5ec8d3c0b0dfb58a64f0e05f27e38bd966c4.exe
Token: SeBackupPrivilege | 2324 | TiWorker.exe
Token: SeRestorePrivilege | 2324 | TiWorker.exe
Token: SeSecurityPrivilege | 2324 | TiWorker.exe
Token: SeBackupPrivilege | 2324 | TiWorker.exe
Token: SeRestorePrivilege | 2324 | TiWorker.exe
Token: SeSecurityPrivilege | 2324 | TiWorker.exe
Token: SeBackupPrivilege | 2324 | TiWorker.exe
Token: SeRestorePrivilege | 2324 | TiWorker.exe
Token: SeSecurityPrivilege | 2324 | TiWorker.exe
Token: SeBackupPrivilege | 2324 | TiWorker.exe
Token: SeRestorePrivilege | 2324 | TiWorker.exe
Token: SeSecurityPrivilege | 2324 | TiWorker.exe
Token: SeBackupPrivilege | 2324 | TiWorker.exe
Token: SeRestorePrivilege | 2324 | TiWorker.exe
Token: SeSecurityPrivilege | 2324 | TiWorker.exe
Token: SeBackupPrivilege | 2324 | TiWorker.exe
Token: SeRestorePrivilege | 2324 | TiWorker.exe
Token: SeSecurityPrivilege | 2324 | TiWorker.exe
Token: SeBackupPrivilege | 2324 | TiWorker.exe
Token: SeRestorePrivilege | 2324 | TiWorker.exe
Token: SeSecurityPrivilege | 2324 | TiWorker.exe
Token: SeBackupPrivilege | 2324 | TiWorker.exe
Token: SeRestorePrivilege | 2324 | TiWorker.exe
Token: SeSecurityPrivilege | 2324 | TiWorker.exe
Token: SeBackupPrivilege | 2324 | TiWorker.exe
Token: SeRestorePrivilege | 2324 | TiWorker.exe
Token: SeSecurityPrivilege | 2324 | TiWorker.exe
Token: SeBackupPrivilege | 2324 | TiWorker.exe
Token: SeRestorePrivilege | 2324 | TiWorker.exe
Token: SeSecurityPrivilege | 2324 | TiWorker.exe
Token: SeBackupPrivilege | 2324 | TiWorker.exe
Token: SeRestorePrivilege | 2324 | TiWorker.exe
Token: SeSecurityPrivilege | 2324 | TiWorker.exe
Token: SeBackupPrivilege | 2324 | TiWorker.exe
Token: SeRestorePrivilege | 2324 | TiWorker.exe
Token: SeSecurityPrivilege | 2324 | TiWorker.exe
Token: SeBackupPrivilege | 2324 | TiWorker.exe
Token: SeRestorePrivilege | 2324 | TiWorker.exe
Token: SeSecurityPrivilege | 2324 | TiWorker.exe
Token: SeBackupPrivilege | 2324 | TiWorker.exe
Token: SeRestorePrivilege | 2324 | TiWorker.exe
Token: SeSecurityPrivilege | 2324 | TiWorker.exe
Token: SeBackupPrivilege | 2324 | TiWorker.exe
Token: SeRestorePrivilege | 2324 | TiWorker.exe
Token: SeSecurityPrivilege | 2324 | TiWorker.exe
Token: SeBackupPrivilege | 2324 | TiWorker.exe
Token: SeRestorePrivilege | 2324 | TiWorker.exe
Token: SeSecurityPrivilege | 2324 | TiWorker.exe
Token: SeBackupPrivilege | 2324 | TiWorker.exe
Token: SeRestorePrivilege | 2324 | TiWorker.exe
Token: SeSecurityPrivilege | 2324 | TiWorker.exe
Token: SeBackupPrivilege | 2324 | TiWorker.exe
Token: SeRestorePrivilege | 2324 | TiWorker.exe
Token: SeSecurityPrivilege | 2324 | TiWorker.exe
Token: SeBackupPrivilege | 2324 | TiWorker.exe
Token: SeRestorePrivilege | 2324 | TiWorker.exe
Token: SeSecurityPrivilege | 2324 | TiWorker.exe
Token: SeBackupPrivilege | 2324 | TiWorker.exe
Token: SeRestorePrivilege | 2324 | TiWorker.exe
Token: SeSecurityPrivilege | 2324 | TiWorker.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 3868 wrote to memory of 2216 | 3868 | 0bbbe1efe098217272247250c83f5ec8d3c0b0dfb58a64f0e05f27e38bd966c4.exe | MediaCenter.exe
PID 3868 wrote to memory of 2216 | 3868 | 0bbbe1efe098217272247250c83f5ec8d3c0b0dfb58a64f0e05f27e38bd966c4.exe | MediaCenter.exe
PID 3868 wrote to memory of 2216 | 3868 | 0bbbe1efe098217272247250c83f5ec8d3c0b0dfb58a64f0e05f27e38bd966c4.exe | MediaCenter.exe
PID 3868 wrote to memory of 3604 | 3868 | 0bbbe1efe098217272247250c83f5ec8d3c0b0dfb58a64f0e05f27e38bd966c4.exe | cmd.exe
PID 3868 wrote to memory of 3604 | 3868 | 0bbbe1efe098217272247250c83f5ec8d3c0b0dfb58a64f0e05f27e38bd966c4.exe | cmd.exe
PID 3868 wrote to memory of 3604 | 3868 | 0bbbe1efe098217272247250c83f5ec8d3c0b0dfb58a64f0e05f27e38bd966c4.exe | cmd.exe
PID 3604 wrote to memory of 2588 | 3604 | cmd.exe | PING.EXE
PID 3604 wrote to memory of 2588 | 3604 | cmd.exe | PING.EXE
PID 3604 wrote to memory of 2588 | 3604 | cmd.exe | PING.EXE
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\0bbbe1efe098217272247250c83f5ec8d3c0b0dfb58a64f0e05f27e38bd966c4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0bbbe1efe098217272247250c83f5ec8d3c0b0dfb58a64f0e05f27e38bd966c4.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3868
  Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 2216
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0bbbe1efe098217272247250c83f5ec8d3c0b0dfb58a64f0e05f27e38bd966c4.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3604
    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 2588
-
Level 1: C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 0
  - Checks processor information in registry
  PID: 1012
-
Level 1: C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 3064
-
Level 1: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2324
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: fbff81b1304adebd95d895b06c459c45
SHA1: d618bcfc6d000c19e24321ac7e5c8d9151a35437
SHA256: 746ec12d5022911a8f91267baf4017576afbfcb0af925afa1ea074f5dc905a10
SHA512: 1b5d0660c24f00bf3ed1aa92b20e9e53e4b44902e59c940ccd1ff0e65651a4440fcb280be0731d929e36813536f20816a8f25b35564ccbb24bbe98bf5c331868