Analysis
-
max time kernel
163s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
12-02-2022 09:22
Static task
static1
Behavioral task
behavioral1
Sample
0a43a158bccd20a4664fdadd93b4f227de7b416477edf4f14172515205f61bbd.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0a43a158bccd20a4664fdadd93b4f227de7b416477edf4f14172515205f61bbd.exe
Resource
win10v2004-en-20220112
General
-
Target
0a43a158bccd20a4664fdadd93b4f227de7b416477edf4f14172515205f61bbd.exe
-
Size
35KB
-
MD5
38adc97e5679cfe0cee877853b9db756
-
SHA1
170b1c65028b62a6b34f8be2bec6d61dd9cb0580
-
SHA256
0a43a158bccd20a4664fdadd93b4f227de7b416477edf4f14172515205f61bbd
-
SHA512
71be28083d7c7473caccbba8c4b628ef35c2039e6898d76fde9679ac869ca84d2b420411fb0a6b99e9123bc9cf55d1133fbda3fdeef1aa1f52ce1416bbea6317
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1660 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
0a43a158bccd20a4664fdadd93b4f227de7b416477edf4f14172515205f61bbd.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation 0a43a158bccd20a4664fdadd93b4f227de7b416477edf4f14172515205f61bbd.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0a43a158bccd20a4664fdadd93b4f227de7b416477edf4f14172515205f61bbd.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0a43a158bccd20a4664fdadd93b4f227de7b416477edf4f14172515205f61bbd.exe -
Drops file in Windows directory 3 IoCs
Processes:
TiWorker.exesvchost.exedescription ioc process File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
MusNotifyIcon.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MusNotifyIcon.exe Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MusNotifyIcon.exe -
Modifies data under HKEY_USERS 51 IoCs
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132893078085288285" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "9.090512" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4000" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.006587" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "4.268314" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4164" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4420" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" svchost.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
TiWorker.exe0a43a158bccd20a4664fdadd93b4f227de7b416477edf4f14172515205f61bbd.exedescription pid process Token: SeSecurityPrivilege 3092 TiWorker.exe Token: SeRestorePrivilege 3092 TiWorker.exe Token: SeBackupPrivilege 3092 TiWorker.exe Token: SeIncBasePriorityPrivilege 1576 0a43a158bccd20a4664fdadd93b4f227de7b416477edf4f14172515205f61bbd.exe Token: SeBackupPrivilege 3092 TiWorker.exe Token: SeRestorePrivilege 3092 TiWorker.exe Token: SeSecurityPrivilege 3092 TiWorker.exe Token: SeBackupPrivilege 3092 TiWorker.exe Token: SeRestorePrivilege 3092 TiWorker.exe Token: SeSecurityPrivilege 3092 TiWorker.exe Token: SeBackupPrivilege 3092 TiWorker.exe Token: SeRestorePrivilege 3092 TiWorker.exe Token: SeSecurityPrivilege 3092 TiWorker.exe Token: SeBackupPrivilege 3092 TiWorker.exe Token: SeRestorePrivilege 3092 TiWorker.exe Token: SeSecurityPrivilege 3092 TiWorker.exe Token: SeBackupPrivilege 3092 TiWorker.exe Token: SeRestorePrivilege 3092 TiWorker.exe Token: SeSecurityPrivilege 3092 TiWorker.exe Token: SeBackupPrivilege 3092 TiWorker.exe Token: SeRestorePrivilege 3092 TiWorker.exe Token: SeSecurityPrivilege 3092 TiWorker.exe Token: SeBackupPrivilege 3092 TiWorker.exe Token: SeRestorePrivilege 3092 TiWorker.exe Token: SeSecurityPrivilege 3092 TiWorker.exe Token: SeBackupPrivilege 3092 TiWorker.exe Token: SeRestorePrivilege 3092 TiWorker.exe Token: SeSecurityPrivilege 3092 TiWorker.exe Token: SeBackupPrivilege 3092 TiWorker.exe Token: SeRestorePrivilege 3092 TiWorker.exe Token: SeSecurityPrivilege 3092 TiWorker.exe Token: SeBackupPrivilege 3092 TiWorker.exe Token: SeRestorePrivilege 3092 TiWorker.exe Token: SeSecurityPrivilege 3092 TiWorker.exe Token: SeBackupPrivilege 3092 TiWorker.exe Token: SeRestorePrivilege 3092 TiWorker.exe Token: SeSecurityPrivilege 3092 TiWorker.exe Token: SeBackupPrivilege 3092 TiWorker.exe Token: SeRestorePrivilege 3092 TiWorker.exe Token: SeSecurityPrivilege 3092 TiWorker.exe Token: SeBackupPrivilege 3092 TiWorker.exe Token: SeRestorePrivilege 3092 TiWorker.exe Token: SeSecurityPrivilege 3092 TiWorker.exe Token: SeBackupPrivilege 3092 TiWorker.exe Token: SeRestorePrivilege 3092 TiWorker.exe Token: SeSecurityPrivilege 3092 TiWorker.exe Token: SeBackupPrivilege 3092 TiWorker.exe Token: SeRestorePrivilege 3092 TiWorker.exe Token: SeSecurityPrivilege 3092 TiWorker.exe Token: SeBackupPrivilege 3092 TiWorker.exe Token: SeRestorePrivilege 3092 TiWorker.exe Token: SeSecurityPrivilege 3092 TiWorker.exe Token: SeBackupPrivilege 3092 TiWorker.exe Token: SeRestorePrivilege 3092 TiWorker.exe Token: SeSecurityPrivilege 3092 TiWorker.exe Token: SeBackupPrivilege 3092 TiWorker.exe Token: SeRestorePrivilege 3092 TiWorker.exe Token: SeSecurityPrivilege 3092 TiWorker.exe Token: SeBackupPrivilege 3092 TiWorker.exe Token: SeRestorePrivilege 3092 TiWorker.exe Token: SeSecurityPrivilege 3092 TiWorker.exe Token: SeBackupPrivilege 3092 TiWorker.exe Token: SeRestorePrivilege 3092 TiWorker.exe Token: SeSecurityPrivilege 3092 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
0a43a158bccd20a4664fdadd93b4f227de7b416477edf4f14172515205f61bbd.execmd.exedescription pid process target process PID 1576 wrote to memory of 1660 1576 0a43a158bccd20a4664fdadd93b4f227de7b416477edf4f14172515205f61bbd.exe MediaCenter.exe PID 1576 wrote to memory of 1660 1576 0a43a158bccd20a4664fdadd93b4f227de7b416477edf4f14172515205f61bbd.exe MediaCenter.exe PID 1576 wrote to memory of 1660 1576 0a43a158bccd20a4664fdadd93b4f227de7b416477edf4f14172515205f61bbd.exe MediaCenter.exe PID 1576 wrote to memory of 4084 1576 0a43a158bccd20a4664fdadd93b4f227de7b416477edf4f14172515205f61bbd.exe cmd.exe PID 1576 wrote to memory of 4084 1576 0a43a158bccd20a4664fdadd93b4f227de7b416477edf4f14172515205f61bbd.exe cmd.exe PID 1576 wrote to memory of 4084 1576 0a43a158bccd20a4664fdadd93b4f227de7b416477edf4f14172515205f61bbd.exe cmd.exe PID 4084 wrote to memory of 3860 4084 cmd.exe PING.EXE PID 4084 wrote to memory of 3860 4084 cmd.exe PING.EXE PID 4084 wrote to memory of 3860 4084 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a43a158bccd20a4664fdadd93b4f227de7b416477edf4f14172515205f61bbd.exe"C:\Users\Admin\AppData\Local\Temp\0a43a158bccd20a4664fdadd93b4f227de7b416477edf4f14172515205f61bbd.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a43a158bccd20a4664fdadd93b4f227de7b416477edf4f14172515205f61bbd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:3860
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
PID:2772
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2700
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3092
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
2ff75a2697b1815a29610be77cf57c84
SHA114cea20d6709bd52c80619fd0cffeabbb4ddf80f
SHA2563bb555b8c2f7b7b4ab87d017a60ff7a18d276692c3dd35abc551b1874bc40d3d
SHA512b57d81e52e26153ced58e64ea00534047ed231461fd26319cbc3f2a6af7b7049f80e8098d705de49f97039dd6e4a5fbc76872283dfe3ac11c39a63aa91360107
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
2ff75a2697b1815a29610be77cf57c84
SHA114cea20d6709bd52c80619fd0cffeabbb4ddf80f
SHA2563bb555b8c2f7b7b4ab87d017a60ff7a18d276692c3dd35abc551b1874bc40d3d
SHA512b57d81e52e26153ced58e64ea00534047ed231461fd26319cbc3f2a6af7b7049f80e8098d705de49f97039dd6e4a5fbc76872283dfe3ac11c39a63aa91360107