Analysis
- max time kernel: 153s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 09:12
Static task: static1
Behavioral task: behavioral1
  Sample: 0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe
  Resource: win10v2004-en-20220112
General
- Target: 0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe
- Size: 58KB
- MD5: 0383b8ff0712767f4c237a78456b8039
- SHA1: dc56756f60f758947ba35a3fbd2efe1ee839cfb3
- SHA256: 0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf
- SHA512: 8f0032bfc88583702b18788ccd91861c6c8ddcde9eaa3bc6caa8c3a8815165105b91c2ed9c624d0c1bd3865f16133a99818fb2b91560012b157ac913a08d8da6
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
    pid | process
    2184 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe
- Drops file in Windows directory (3 IoCs)
  Processes: svchost.exe, TiWorker.exe
    description | ioc | process
    File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
    File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
    File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: MusNotifyIcon.exe
    description | ioc | process
    Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
- Modifies data under HKEY_USERS (50 IoCs)
  Processes: svchost.exe
    All 50 entries below are by svchost.exe, and every path is given relative to \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization (the root key itself is listed in full).
    description | ioc
    Key created | Settings
    Key created | Usage
    Set value (str) | Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
    Set value (int) | Usage\CDNConnectionCount = "0"
    Set value (int) | Usage\MemoryUsageKB = "4308"
    Set value (int) | Usage\UploadMonthlyInternetBytes = "0"
    Set value (int) | Usage\SwarmCount = "1"
    Set value (int) | Usage\LinkLocalConnectionCount = "0"
    Set value (int) | Usage\DownlinkBps = "0"
    Set value (str) | Usage\CPUpct = "0.000000"
    Set value (int) | Config\KVFileExpirationTime = "132893071790645244"
    Set value (str) | Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
    Set value (int) | Usage\GroupConnectionCount = "0"
    Set value (int) | Usage\UplinkBps = "0"
    Set value (int) | Usage\NormalDownloadPendingCount = "0"
    Set value (int) | Usage\DownloadMonthlyRateFrBps = "0"
    Set value (int) | Usage\MonthID = "2"
    Set value (int) | Usage\FrDownloadRatePct = "90"
    Key created | Config
    Set value (int) | Config\DownloadMode_BackCompat = "1"
    Set value (int) | Usage\DownloadMonthlyInternetBytes = "0"
    Set value (int) | Usage\DownloadMonthlyLinkLocalBytes = "0"
    Set value (int) | Usage\DownloadMonthlyCacheHostBytes = "0"
    Set value (int) | Usage\PriorityDownloadCount = "0"
    Set value (int) | Usage\MemoryUsageKB = "4100"
    Set value (str) | Usage\CPUpct = "0.006623"
    Set value (int) | Config\DODownloadMode = "1"
    Set value (int) | Usage\DownloadMonthlyCdnBytes = "0"
    Set value (int) | Usage\DownloadMonthlyRateFrCnt = "0"
    Set value (int) | Usage\PeerInfoCount = "0"
    Set value (int) | Usage\MonthlyUploadRestriction = "0"
    Set value (int) | Usage\SwarmCount = "0"
    Set value (int) | Usage\UploadMonthlyLanBytes = "0"
    Set value (int) | Usage\DownloadMonthlyLanBytes = "0"
    Set value (int) | Usage\DownlinkUsageBps = "0"
    Set value (int) | Usage\BkDownloadRatePct = "45"
    Set value (int) | Usage\UploadRatePct = "100"
    Set value (int) | Usage\MemoryUsageKB = "4020"
    Set value (int) | Usage\DownloadMonthlyRateBkBps = "0"
    Set value (int) | Usage\LANConnectionCount = "0"
    Set value (int) | Usage\InternetConnectionCount = "0"
    Set value (int) | Usage\PriorityDownloadPendingCount = "0"
    Set value (int) | Usage\NormalDownloadCount = "0"
    Set value (int) | Usage\UploadCount = "0"
    Set value (str) | Usage\CPUpct = "2.941161"
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization
    Set value (int) | Usage\DownloadMonthlyGroupBytes = "0"
    Set value (int) | Usage\DownloadMonthlyRateBkCnt = "0"
    Set value (int) | Usage\CacheSizeBytes = "0"
    Set value (int) | Usage\UplinkUsageBps = "0"
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: TiWorker.exe, 0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe
    description | pid | process
    Token: SeSecurityPrivilege | 3924 | TiWorker.exe
    Token: SeRestorePrivilege | 3924 | TiWorker.exe
    Token: SeBackupPrivilege | 3924 | TiWorker.exe
    Token: SeBackupPrivilege | 3924 | TiWorker.exe
    Token: SeRestorePrivilege | 3924 | TiWorker.exe
    Token: SeSecurityPrivilege | 3924 | TiWorker.exe
    Token: SeBackupPrivilege | 3924 | TiWorker.exe
    Token: SeRestorePrivilege | 3924 | TiWorker.exe
    Token: SeSecurityPrivilege | 3924 | TiWorker.exe
    Token: SeBackupPrivilege | 3924 | TiWorker.exe
    Token: SeRestorePrivilege | 3924 | TiWorker.exe
    Token: SeSecurityPrivilege | 3924 | TiWorker.exe
    Token: SeBackupPrivilege | 3924 | TiWorker.exe
    Token: SeRestorePrivilege | 3924 | TiWorker.exe
    Token: SeSecurityPrivilege | 3924 | TiWorker.exe
    Token: SeBackupPrivilege | 3924 | TiWorker.exe
    Token: SeRestorePrivilege | 3924 | TiWorker.exe
    Token: SeSecurityPrivilege | 3924 | TiWorker.exe
    Token: SeBackupPrivilege | 3924 | TiWorker.exe
    Token: SeRestorePrivilege | 3924 | TiWorker.exe
    Token: SeSecurityPrivilege | 3924 | TiWorker.exe
    Token: SeBackupPrivilege | 3924 | TiWorker.exe
    Token: SeRestorePrivilege | 3924 | TiWorker.exe
    Token: SeSecurityPrivilege | 3924 | TiWorker.exe
    Token: SeBackupPrivilege | 3924 | TiWorker.exe
    Token: SeRestorePrivilege | 3924 | TiWorker.exe
    Token: SeSecurityPrivilege | 3924 | TiWorker.exe
    Token: SeBackupPrivilege | 3924 | TiWorker.exe
    Token: SeRestorePrivilege | 3924 | TiWorker.exe
    Token: SeSecurityPrivilege | 3924 | TiWorker.exe
    Token: SeBackupPrivilege | 3924 | TiWorker.exe
    Token: SeRestorePrivilege | 3924 | TiWorker.exe
    Token: SeSecurityPrivilege | 3924 | TiWorker.exe
    Token: SeIncBasePriorityPrivilege | 428 | 0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe
    Token: SeBackupPrivilege | 3924 | TiWorker.exe
    Token: SeRestorePrivilege | 3924 | TiWorker.exe
    Token: SeSecurityPrivilege | 3924 | TiWorker.exe
    Token: SeBackupPrivilege | 3924 | TiWorker.exe
    Token: SeRestorePrivilege | 3924 | TiWorker.exe
    Token: SeSecurityPrivilege | 3924 | TiWorker.exe
    Token: SeBackupPrivilege | 3924 | TiWorker.exe
    Token: SeRestorePrivilege | 3924 | TiWorker.exe
    Token: SeSecurityPrivilege | 3924 | TiWorker.exe
    Token: SeBackupPrivilege | 3924 | TiWorker.exe
    Token: SeRestorePrivilege | 3924 | TiWorker.exe
    Token: SeSecurityPrivilege | 3924 | TiWorker.exe
    Token: SeBackupPrivilege | 3924 | TiWorker.exe
    Token: SeRestorePrivilege | 3924 | TiWorker.exe
    Token: SeSecurityPrivilege | 3924 | TiWorker.exe
    Token: SeBackupPrivilege | 3924 | TiWorker.exe
    Token: SeRestorePrivilege | 3924 | TiWorker.exe
    Token: SeSecurityPrivilege | 3924 | TiWorker.exe
    Token: SeBackupPrivilege | 3924 | TiWorker.exe
    Token: SeRestorePrivilege | 3924 | TiWorker.exe
    Token: SeSecurityPrivilege | 3924 | TiWorker.exe
    Token: SeBackupPrivilege | 3924 | TiWorker.exe
    Token: SeRestorePrivilege | 3924 | TiWorker.exe
    Token: SeSecurityPrivilege | 3924 | TiWorker.exe
    Token: SeBackupPrivilege | 3924 | TiWorker.exe
    Token: SeRestorePrivilege | 3924 | TiWorker.exe
    Token: SeSecurityPrivilege | 3924 | TiWorker.exe
    Token: SeBackupPrivilege | 3924 | TiWorker.exe
    Token: SeRestorePrivilege | 3924 | TiWorker.exe
    Token: SeSecurityPrivilege | 3924 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe, cmd.exe
    description | pid | process | target process
    PID 428 wrote to memory of 2184 | 428 | 0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe | MediaCenter.exe
    PID 428 wrote to memory of 2184 | 428 | 0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe | MediaCenter.exe
    PID 428 wrote to memory of 2184 | 428 | 0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe | MediaCenter.exe
    PID 428 wrote to memory of 2868 | 428 | 0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe | cmd.exe
    PID 428 wrote to memory of 2868 | 428 | 0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe | cmd.exe
    PID 428 wrote to memory of 2868 | 428 | 0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe | cmd.exe
    PID 2868 wrote to memory of 3640 | 2868 | cmd.exe | PING.EXE
    PID 2868 wrote to memory of 3640 | 2868 | cmd.exe | PING.EXE
    PID 2868 wrote to memory of 3640 | 2868 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe"
  PID: 428
  Signatures:
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 2184
    Signatures:
    - Executes dropped EXE
  Child: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0abe08f1e3524f9c9e67d5d2f7e358e88b75a645b47204fb2b862d50a179aadf.exe"
    PID: 2868
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 3640
      Signatures:
      - Runs ping.exe
- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  PID: 636
  Signatures:
  - Checks processor information in registry
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  PID: 1600
  Signatures:
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3924
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 014ef780453398f52d570fbb500dafe5
  SHA1: a11669fb6402d41f9938d318372dceca2f399fcc
  SHA256: c0a450d3448aed8f8ca9fce80c1a87472bceb267dd25807347af5881b7af19e9
  SHA512: dea6a747108592392afdddff1b66ea34f0aac0eef834e5ec08e4ab3991b1f2011ab0cfedc8b3b12335e2395c1967b863d89603433a320312b7ff9922680b20fa