Analysis
- max time kernel: 158s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 10:10
Static task: static1
Behavioral task: behavioral1
- Sample: 07ebc2c61476e4203af3a943fbbad5ecaa45ba7650f420b5d92c97486654de6e.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 07ebc2c61476e4203af3a943fbbad5ecaa45ba7650f420b5d92c97486654de6e.exe
- Resource: win10v2004-en-20220112
General
- Target: 07ebc2c61476e4203af3a943fbbad5ecaa45ba7650f420b5d92c97486654de6e.exe
- Size: 35KB
- MD5: 499870fb8fd9c2191959dc57e708835a
- SHA1: b2d2b0c2e2e879659c24493368bc526b2a533b41
- SHA256: 07ebc2c61476e4203af3a943fbbad5ecaa45ba7650f420b5d92c97486654de6e
- SHA512: bc5c06be4ce53666f532bc36d220d2a7f4f24f0c7ab212cfb44e75dee0b7413fd52e6c2805c513857dd94e8d761a32eda88477db5bb7800c610b3e51d543b28d
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes:
- pid 2616: MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation (process: 07ebc2c61476e4203af3a943fbbad5ecaa45ba7650f420b5d92c97486654de6e.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (process: 07ebc2c61476e4203af3a943fbbad5ecaa45ba7650f420b5d92c97486654de6e.exe)
Drops file in Windows directory (3 IoCs)
Processes:
- File opened for modification: C:\Windows\WinSxS\pending.xml (process: TiWorker.exe)
- File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat (process: svchost.exe)
- File opened for modification: C:\Windows\Logs\CBS\CBS.log (process: TiWorker.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies data under HKEY_USERS (49 IoCs)
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (34 IoCs)
Processes:
Token                       PID   Process
SeIncBasePriorityPrivilege  1044  07ebc2c61476e4203af3a943fbbad5ecaa45ba7650f420b5d92c97486654de6e.exe
SeSecurityPrivilege         2636  TiWorker.exe
SeRestorePrivilege          2636  TiWorker.exe
SeBackupPrivilege           2636  TiWorker.exe
SeBackupPrivilege           2636  TiWorker.exe
SeRestorePrivilege          2636  TiWorker.exe
SeSecurityPrivilege         2636  TiWorker.exe
SeBackupPrivilege           2636  TiWorker.exe
SeRestorePrivilege          2636  TiWorker.exe
SeSecurityPrivilege         2636  TiWorker.exe
SeBackupPrivilege           2636  TiWorker.exe
SeRestorePrivilege          2636  TiWorker.exe
SeSecurityPrivilege         2636  TiWorker.exe
SeBackupPrivilege           2636  TiWorker.exe
SeRestorePrivilege          2636  TiWorker.exe
SeSecurityPrivilege         2636  TiWorker.exe
SeBackupPrivilege           2636  TiWorker.exe
SeRestorePrivilege          2636  TiWorker.exe
SeSecurityPrivilege         2636  TiWorker.exe
SeBackupPrivilege           2636  TiWorker.exe
SeRestorePrivilege          2636  TiWorker.exe
SeSecurityPrivilege         2636  TiWorker.exe
SeBackupPrivilege           2636  TiWorker.exe
SeRestorePrivilege          2636  TiWorker.exe
SeSecurityPrivilege         2636  TiWorker.exe
SeBackupPrivilege           2636  TiWorker.exe
SeRestorePrivilege          2636  TiWorker.exe
SeSecurityPrivilege         2636  TiWorker.exe
SeBackupPrivilege           2636  TiWorker.exe
SeRestorePrivilege          2636  TiWorker.exe
SeSecurityPrivilege         2636  TiWorker.exe
SeBackupPrivilege           2636  TiWorker.exe
SeRestorePrivilege          2636  TiWorker.exe
SeSecurityPrivilege         2636  TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
- PID 1044 wrote to memory of 2616 (07ebc2c61476e4203af3a943fbbad5ecaa45ba7650f420b5d92c97486654de6e.exe -> MediaCenter.exe)
- PID 1044 wrote to memory of 2616 (07ebc2c61476e4203af3a943fbbad5ecaa45ba7650f420b5d92c97486654de6e.exe -> MediaCenter.exe)
- PID 1044 wrote to memory of 2616 (07ebc2c61476e4203af3a943fbbad5ecaa45ba7650f420b5d92c97486654de6e.exe -> MediaCenter.exe)
- PID 1044 wrote to memory of 2732 (07ebc2c61476e4203af3a943fbbad5ecaa45ba7650f420b5d92c97486654de6e.exe -> cmd.exe)
- PID 1044 wrote to memory of 2732 (07ebc2c61476e4203af3a943fbbad5ecaa45ba7650f420b5d92c97486654de6e.exe -> cmd.exe)
- PID 1044 wrote to memory of 2732 (07ebc2c61476e4203af3a943fbbad5ecaa45ba7650f420b5d92c97486654de6e.exe -> cmd.exe)
- PID 2732 wrote to memory of 3372 (cmd.exe -> PING.EXE)
- PID 2732 wrote to memory of 3372 (cmd.exe -> PING.EXE)
- PID 2732 wrote to memory of 3372 (cmd.exe -> PING.EXE)
Processes
1: C:\Users\Admin\AppData\Local\Temp\07ebc2c61476e4203af3a943fbbad5ecaa45ba7650f420b5d92c97486654de6e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\07ebc2c61476e4203af3a943fbbad5ecaa45ba7650f420b5d92c97486654de6e.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1044
   2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 2616
   2: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\07ebc2c61476e4203af3a943fbbad5ecaa45ba7650f420b5d92c97486654de6e.exe"
      - Suspicious use of WriteProcessMemory
      PID: 2732
      3: C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 3372
1: C:\Windows\System32\svchost.exe
   Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
   - Drops file in Windows directory
   - Modifies data under HKEY_USERS
   PID: 1136
1: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
   Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   PID: 2636
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: cb1d289992752a234d8cfa6e8ce5038f
  SHA1: d5701a4dda3f0f4d04b07e5eff5acdcf8988db8d
  SHA256: 08d98d8b5fdf6a18bde016d94e4d7e3ff309eb6ed929eebd161804bfa33534db
  SHA512: 744c6e6935edd155c81946779b6d6a779f8d4581ea1909dc03362cbfbc717eb2a912432f0c2340062a9100cd68e91480cd464b5539f7678905f18c934decefcb