Analysis

- max time kernel: 144s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 10:14

The timings, platform and resource above, and the signatures, process tree and dropped files below, are from the Windows 10 run (behavioral2); the sample was also queued against a Windows 7 image (behavioral1).

- Static task: static1
- Behavioral task: behavioral1
  - Sample: 07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe
  - Resource: win7-en-20211208
- Behavioral task: behavioral2
  - Sample: 07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe
  - Resource: win10v2004-en-20220112
General

- Target: 07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe
- Size: 60KB
- MD5: 7c53376faeaa9f2b0e1ff98b5d6867e2
- SHA1: dc7749eebbcd5943913436d5cab1d1afffae23ce
- SHA256: 07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb
- SHA512: 0a94f36e7a9df284eea67aa897e4944b682ad4e162a85ba36d4e6811f2c610398c6af63f1b4b8a97e24dcba7d1abcb2d867697404d91ee3de0c6bd7a9dc74ff2
Malware Config
Signatures

Executes dropped EXE (1 IoC)
- Process: MediaCenter.exe (PID 3288)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Process: 07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation
Adds Run key to start application (2 TTPs, 1 IoC)
- Process: 07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
The value lands under WOW6432Node because the writer is a 32-bit process running under WOW64 on the x64 image; since it is a machine-wide (HKLM) Run entry, the dropped MediaCenter.exe is started at every user logon, and writing it needed the administrative rights the sandbox user has.
Drops file in Windows directory (3 IoCs)
- svchost.exe: File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat
- TiWorker.exe: File opened for modification C:\Windows\Logs\CBS\CBS.log
- TiWorker.exe: File opened for modification C:\Windows\WinSxS\pending.xml
Both processes are top-level system processes in the tree below, not descendants of the sample: this is Delivery Optimization and servicing-stack activity of the VM and should not be attributed to the sample.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
No IoC is recorded for this signature, so it is not tied to a specific process here.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- MusNotifyIcon.exe: Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- MusNotifyIcon.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
The only process hitting this signature is MusNotifyIcon.exe, the Windows Update notification icon, which runs at the top level of the tree below and is unrelated to the sample.
Modifies data under HKEY_USERS (48 IoCs)
- Process: svchost.exe (PID 3100, -k NetworkService). All 48 entries are under \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization (S-1-5-20 is the NETWORK SERVICE account), i.e. Delivery Optimization housekeeping, not sample activity.
- Keys created: DeliveryOptimization, DeliveryOptimization\Config, DeliveryOptimization\Settings, DeliveryOptimization\Usage
- Config values set:
  - GeoVersion_EndpointFullUri (str) = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
  - Geo_EndpointFullUri (str) = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
  - DODownloadMode (int) = 1
  - DownloadMode_BackCompat (int) = 1
  - KVFileExpirationTime (int) = 132893121239766555
- Usage values set (int unless noted): DownloadMonthlyLanBytes = 0, DownloadMonthlyCdnBytes = 0, LinkLocalConnectionCount = 0, MonthlyUploadRestriction = 0, UploadCount = 0, NormalDownloadPendingCount = 0, CPUpct (str) = "1.960865", UploadMonthlyLanBytes = 0, GroupConnectionCount = 0, UploadRatePct = 100, DownloadMonthlyInternetBytes = 0, DownloadMonthlyGroupBytes = 0, UploadMonthlyInternetBytes = 0, DownloadMonthlyRateBkBps = 0, DownloadMonthlyRateFrCnt = 0, LANConnectionCount = 0, PriorityDownloadPendingCount = 0, NormalDownloadCount = 0, DownloadMonthlyCacheHostBytes = 0, DownloadMonthlyRateBkCnt = 0, PeerInfoCount = 0, DownloadMonthlyLinkLocalBytes = 0, DownlinkBps = 0, DownlinkUsageBps = 0, UplinkUsageBps = 0, FrDownloadRatePct = 90, BkDownloadRatePct = 45, MemoryUsageKB = 4324, DownloadMonthlyRateFrBps = 0, MonthID = 2, CacheSizeBytes = 0, UplinkBps = 0, MemoryUsageKB = 4172, SwarmCount = 1, CDNConnectionCount = 0, InternetConnectionCount = 0, PriorityDownloadCount = 0, CPUpct (str) = "0.000000", SwarmCount = 0
Runs ping.exe (1 TTP, 1 IoC)
- PING.EXE (PID 1036), spawned by cmd.exe (PID 1900). Here ping 127.0.0.1 is used only as a short delay before the same cmd.exe deletes the original sample; see the process tree below.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- 07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe (PID 4032): Token: SeIncBasePriorityPrivilege
- TiWorker.exe (PID 4016): the remaining 63 entries, cycling through Token: SeSecurityPrivilege, Token: SeRestorePrivilege and Token: SeBackupPrivilege
The sample itself adjusted only SeIncBasePriorityPrivilege, which is needed to raise a process's base priority and is a low-signal privilege; the backup/restore/security privileges belong to the servicing worker (TiWorker.exe), which is not a child of the sample.
Suspicious use of WriteProcessMemory (9 IoCs)
- PID 4032 (07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe) wrote to memory of PID 3288 (MediaCenter.exe), 3 times
- PID 4032 (07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe) wrote to memory of PID 1900 (cmd.exe), 3 times
- PID 1900 (cmd.exe) wrote to memory of PID 1036 (PING.EXE), 3 times
Every target is the writer's own child in the tree below, and each child gets exactly three writes, which is consistent with the memory writes that accompany process creation rather than with injection into a foreign process.
Processes

C:\Users\Admin\AppData\Local\Temp\07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe (PID 4032)
  Command line: "C:\Users\Admin\AppData\Local\Temp\07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  +-- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 3288)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
  +-- C:\Windows\SysWOW64\cmd.exe (PID 1900)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe"
      - Suspicious use of WriteProcessMemory
      +-- C:\Windows\SysWOW64\PING.EXE (PID 1036)
          Command line: ping 127.0.0.1
          - Runs ping.exe

C:\Windows\system32\MusNotifyIcon.exe (PID 3576)
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry

C:\Windows\System32\svchost.exe (PID 3100)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 4016)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

The chain that matters is the first tree: the sample drops MediaCenter.exe into a MicroMedia folder under %TEMP%, registers it under the machine Run key, launches it, then removes itself with the classic "ping 127.0.0.1 & del /q <self>" one-liner, where the ping exists only to give the parent time to exit before del runs. The command line names C:\Windows\System32\cmd.exe but the image that actually ran is C:\Windows\SysWOW64\cmd.exe, i.e. file-system redirection applied to a 32-bit parent, which agrees with the Run value landing under WOW6432Node. MusNotifyIcon.exe, svchost.exe and TiWorker.exe are separate top-level processes (Windows Update, Delivery Optimization and servicing) and account for all of the Windows-directory, HKEY_USERS and TiWorker privilege signatures above. On a live host, the IOCs to check are the Run value MicroMedia, the file C:\Users\<user>\AppData\Local\Temp\MicroMedia\MediaCenter.exe (hashes under Downloads below), and a cmd.exe/PING.EXE pair whose parent is an executable in %TEMP%.
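The persistence and clean-up behaviour in the tree above (a Run value pointing into a user-writable directory, an EXE launched from %TEMP% by a parent in %TEMP%, and the "ping 127.0.0.1 & del /q <self>" idiom) is what a detection engineer would want to match in endpoint telemetry. The Python below is an added example and is not part of the sandbox report: it runs three small detections over constructed Sysmon-style events (EventID 1 process creation, EventID 13 registry value set) modelled on the process tree. The Event field names, the constructed events, the benign control event and the finding labels are this example's own assumptions, not the sandbox's schema.

```python
"""Triage detections for the sample behaviours recorded in the report above.
Events are constructed here in a Sysmon-like shape (EventID 1 = process
create, EventID 13 = registry value set) and modelled on the report's process
tree; they are not sandbox output, and the field names are this example's own."""
import re
from dataclasses import dataclass

# "ping ... & del [/switches] <path>.exe": the ping is only a delay so that the
# parent has exited before del runs; the deleted path may or may not be quoted.
SELF_DELETE_RE = re.compile(
    r'\bping(?:\.exe)?\b[^&]*&+\s*(?:del|erase)\b(?:\s+/\w+)*\s+"?(?P<path>[^"&]+?\.exe)\b"?',
    re.IGNORECASE,
)
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\(?:Run|RunOnce)\\', re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r'\\Users\\[^\\]+\\AppData\\', re.IGNORECASE)


@dataclass
class Event:
    """Minimal Sysmon-style event; field names are assumptions of this example."""
    event_id: int
    image: str
    command_line: str = ""
    parent_image: str = ""
    target_object: str = ""   # registry path (EventID 13)
    details: str = ""         # registry data (EventID 13)


def self_delete_target(ev: Event):
    """Path that a cmd.exe one-liner deletes after a ping delay, or None."""
    if ev.event_id != 1 or not ev.image.lower().endswith("\\cmd.exe"):
        return None
    m = SELF_DELETE_RE.search(ev.command_line)
    return m.group("path").strip() if m else None


def is_self_delete(ev: Event) -> bool:
    """True when the file being deleted is the parent's own image."""
    target = self_delete_target(ev)
    return target is not None and target.lower() == ev.parent_image.lower()


def is_user_writable_run_key(ev: Event) -> bool:
    """Run/RunOnce value whose data points under C:\\Users\\<user>\\AppData."""
    return (ev.event_id == 13
            and RUN_KEY_RE.search(ev.target_object) is not None
            and USER_WRITABLE_RE.search(ev.details) is not None)


def is_exe_from_user_writable_dir(ev: Event) -> bool:
    """Process started from AppData by a parent that also lives in AppData."""
    return (ev.event_id == 1
            and USER_WRITABLE_RE.search(ev.image) is not None
            and USER_WRITABLE_RE.search(ev.parent_image) is not None)


def triage(events):
    """Return (label, subject, evidence) tuples, one per matching event."""
    findings = []
    for ev in events:
        if is_user_writable_run_key(ev):
            findings.append(("persistence:run_key_user_writable", ev.image, ev.target_object))
        if is_exe_from_user_writable_dir(ev):
            findings.append(("execution:exe_from_user_writable_dir", ev.image, ev.parent_image))
        if is_self_delete(ev):
            findings.append(("defense_evasion:self_delete", ev.parent_image, ev.command_line))
    return findings


# Constructed events modelled on the report's process tree (PIDs omitted).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
CMD32 = r"C:\Windows\SysWOW64\cmd.exe"
EVENTS = [
    Event(13, SAMPLE,
          target_object=r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
          details=DROPPED),
    Event(1, DROPPED, command_line=DROPPED, parent_image=SAMPLE),
    Event(1, CMD32,
          command_line='"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"',
          parent_image=SAMPLE),
    Event(1, r"C:\Windows\SysWOW64\PING.EXE", command_line="ping 127.0.0.1", parent_image=CMD32),
    # Benign control (constructed): an autostart pointing into Program Files must not fire.
    Event(13, r"C:\Windows\explorer.exe",
          target_object=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          details=r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
]

if __name__ == "__main__":
    for label, subject, evidence in triage(EVENTS):
        print(f"{label:40} {subject}\n{'':40} {evidence}")
```

Run as a script it prints the three findings for the constructed events (the Run value, MediaCenter.exe started from %TEMP%, and the self-delete) and nothing for the OneDrive control. The self-delete rule deliberately requires the deleted path to equal the parent image; a bare "ping & del" match would also fire on installers that clean up a temporary file, which is a common source of false positives.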
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
- MD5: 3a974ede8f3ead954f4431c3f2baf9a8
- SHA1: 3d0b5563ab9e306a35bf3c3a11179e6ad00fa8a5
- SHA256: db41c929705b635285fa1c6aa7a685f70d8343e404e65698c748d296a2747677
- SHA512: 16658b1d7ed5ff5768438fb4aec826afd9f1866b7de31c2676a0202812e6cb65e7ca692cfb07995b425fcb79e2e61b7a12fa86a265bc51bbcae3a7e1b350cd28
The dropped file's hashes differ from the submitted sample's, so an indicator set for this case needs both the parent SHA256 (07c888c2...) and this one.