Analysis
- max time kernel: 178s
- max time network: 189s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 09:35

Static task: static1

Behavioral task: behavioral1
- Sample: 099711ac3e0d80f59fd96d11082a2f27571b6d70ba76de07e9e4f52b44b2637d.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 099711ac3e0d80f59fd96d11082a2f27571b6d70ba76de07e9e4f52b44b2637d.exe
- Resource: win10v2004-en-20220112

The platform and resource listed at the top (windows10-2004_x64, win10v2004-en-20220112) identify behavioral2 as the run whose signatures, process tree and dropped files are reported below.
General
- Target: 099711ac3e0d80f59fd96d11082a2f27571b6d70ba76de07e9e4f52b44b2637d.exe
- Size: 35KB
- MD5: ca050cb980c4e1c3183d1a1e6d35be97
- SHA1: 52de54ab815cd9ffe60459de44f3aa970e8293f8
- SHA256: 099711ac3e0d80f59fd96d11082a2f27571b6d70ba76de07e9e4f52b44b2637d
- SHA512: b2430c7e91cafe99e497225b918893357ea9bfb12942f80020cad30e7a522adfd878782fe632553efd39f2c920971366dee646554ef17f58d491e3f9d7ffd84d
Malware Config
Signatures

- Executes dropped EXE (1 IoC)
  Processes:
    PID 3308  MediaCenter.exe

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    Key value queried  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation  (099711ac3e0d80f59fd96d11082a2f27571b6d70ba76de07e9e4f52b44b2637d.exe)

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  (099711ac3e0d80f59fd96d11082a2f27571b6d70ba76de07e9e4f52b44b2637d.exe)
  The value points at the dropped file in the user's Temp directory rather than at the sample itself, so persistence survives the sample deleting its own image (see the cmd.exe command line in the process tree). The WOW6432Node path shows the sample is a 32-bit image running under WOW64 on the x64 VM.

- Drops file in Windows directory (3 IoCs)
  Processes:
    File opened for modification  C:\Windows\WinSxS\pending.xml  (TiWorker.exe)
    File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat  (svchost.exe)
    File opened for modification  C:\Windows\Logs\CBS\CBS.log  (TiWorker.exe)
  All three writes come from TiWorker.exe (Windows servicing) and the NetworkService svchost.exe, neither of which is a descendant of the sample in the process tree; treat them as VM background activity, not sample behaviour.

- Enumerates physical storage devices (1 TTP, no IoC recorded)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (Generic signature description; the report records no IoC for it.)

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  (MusNotifyIcon.exe)
    Key opened  \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  (MusNotifyIcon.exe)
  Both reads are by MusNotifyIcon.exe (PID 3404), a Windows Update component that is not part of the sample's process tree.

- Modifies data under HKEY_USERS (51 IoCs)
  Processes: svchost.exe (PID 2764, NetworkService). Every key is under \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\; the paths below are relative to that key, in the order recorded.
    Set value (int)  Usage\UploadMonthlyInternetBytes = "0"
    Set value (int)  Usage\DownloadMonthlyInternetBytes = "0"
    Set value (int)  Usage\DownloadMonthlyLanBytes = "0"
    Set value (str)  Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
    Set value (int)  Usage\LinkLocalConnectionCount = "0"
    Set value (int)  Usage\UplinkBps = "0"
    Set value (int)  Usage\UploadRatePct = "100"
    Set value (int)  Config\DownloadMode_BackCompat = "1"
    Set value (int)  Usage\NormalDownloadPendingCount = "0"
    Set value (int)  Usage\DownloadMonthlyCacheHostBytes = "0"
    Set value (int)  Usage\DownloadMonthlyGroupBytes = "0"
    Set value (int)  Config\KVFileExpirationTime = "132893086425055185"
    Set value (int)  Usage\LANConnectionCount = "0"
    Set value (int)  Usage\GroupConnectionCount = "0"
    Set value (int)  Usage\DownlinkUsageBps = "0"
    Set value (str)  Usage\CPUpct = "5.696128"
    Key created  Settings
    Set value (int)  Usage\CDNConnectionCount = "0"
    Set value (str)  Usage\CPUpct = "0.006588"
    Set value (int)  Usage\MemoryUsageKB = "3984"
    Set value (str)  Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
    Set value (str)  Usage\CPUpct = "0.000000"
    Set value (int)  Usage\PeerInfoCount = "0"
    Set value (int)  Usage\DownloadMonthlyRateFrBps = "0"
    Set value (int)  Usage\DownloadMonthlyRateBkBps = "0"
    Set value (int)  Usage\DownloadMonthlyRateFrCnt = "0"
    Set value (int)  Usage\DownloadMonthlyRateBkCnt = "0"
    Set value (int)  Usage\MonthID = "2"
    Set value (int)  Usage\InternetConnectionCount = "0"
    Set value (str)  Usage\CPUpct = "9.374336"
    Key created  (the DeliveryOptimization key itself)
    Set value (int)  Usage\SwarmCount = "0"
    Set value (int)  Config\DODownloadMode = "1"
    Key created  Usage
    Set value (int)  Usage\DownloadMonthlyCdnBytes = "0"
    Set value (int)  Usage\CacheSizeBytes = "0"
    Set value (int)  Usage\BkDownloadRatePct = "45"
    Set value (int)  Usage\PriorityDownloadCount = "0"
    Set value (int)  Usage\PriorityDownloadPendingCount = "0"
    Key created  Config
    Set value (int)  Usage\FrDownloadRatePct = "90"
    Set value (int)  Usage\MonthlyUploadRestriction = "0"
    Set value (int)  Usage\NormalDownloadCount = "0"
    Set value (int)  Usage\MemoryUsageKB = "4096"
    Set value (int)  Usage\SwarmCount = "1"
    Set value (int)  Usage\DownloadMonthlyLinkLocalBytes = "0"
    Set value (int)  Usage\DownlinkBps = "0"
    Set value (int)  Usage\UplinkUsageBps = "0"
    Set value (int)  Usage\UploadCount = "0"
    Set value (int)  Usage\MemoryUsageKB = "4328"
    Set value (int)  Usage\UploadMonthlyLanBytes = "0"
  This is the Delivery Optimization service's own bookkeeping under the NetworkService SID (S-1-5-20) and is unrelated to the sample.

- Runs ping.exe (1 TTP, 1 IoC)
  No process detail is recorded under the signature; the ping is PID 2168 in the process tree.

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    Token: SeIncBasePriorityPrivilege  PID 2976  099711ac3e0d80f59fd96d11082a2f27571b6d70ba76de07e9e4f52b44b2637d.exe
    Token: SeSecurityPrivilege / SeRestorePrivilege / SeBackupPrivilege  PID 1364  TiWorker.exe  (the remaining 63 entries, the same three privileges enabled over and over)
  Only the first entry belongs to the sample; the TiWorker.exe entries are routine for the servicing stack.

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    PID 2976 (099711ac3e0d80f59fd96d11082a2f27571b6d70ba76de07e9e4f52b44b2637d.exe) wrote to memory of PID 3308 (MediaCenter.exe)  x3
    PID 2976 (099711ac3e0d80f59fd96d11082a2f27571b6d70ba76de07e9e4f52b44b2637d.exe) wrote to memory of PID 3152 (cmd.exe)  x3
    PID 3152 (cmd.exe) wrote to memory of PID 2168 (PING.EXE)  x3
  Each pair matches a parent-to-child process creation in the tree below. The report shows no write into a process the sample did not start itself, so there is no evidence here of injection into a foreign process.
Processes

- C:\Users\Admin\AppData\Local\Temp\099711ac3e0d80f59fd96d11082a2f27571b6d70ba76de07e9e4f52b44b2637d.exe  (level 1, PID 2976)
  Command line: "C:\Users\Admin\AppData\Local\Temp\099711ac3e0d80f59fd96d11082a2f27571b6d70ba76de07e9e4f52b44b2637d.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (level 2, PID 3308)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  - C:\Windows\SysWOW64\cmd.exe  (level 2, PID 3152)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\099711ac3e0d80f59fd96d11082a2f27571b6d70ba76de07e9e4f52b44b2637d.exe"
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\PING.EXE  (level 3, PID 2168)
      Command line: ping 127.0.0.1
      - Runs ping.exe

- C:\Windows\system32\MusNotifyIcon.exe  (level 1, PID 3404)
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry

- C:\Windows\System32\svchost.exe  (level 1, PID 2764)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS

- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  (level 1, PID 1364)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample (PID 2976) starts its dropped payload from %LOCALAPPDATA%\Temp\MicroMedia, registers that payload in the Run key, then spawns cmd.exe to delete its own image. The `ping 127.0.0.1` is a delay so that the parent has exited and its file handle is released before `del /q` runs; the sample itself leaves no file behind, only MediaCenter.exe and the Run value. The command line names C:\Windows\System32\cmd.exe but the image actually loaded is C:\Windows\SysWOW64\cmd.exe: the sample is 32-bit, so WOW64 file-system redirection applies (consistent with the WOW6432Node Run key). MusNotifyIcon.exe, svchost.exe and TiWorker.exe are separate level-1 processes with no link to the sample.
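The four sample behaviours above (geofence lookup, Run-key persistence into Temp, payload executed from Temp, self-deletion through cmd.exe and ping) are simple to turn into host detection logic. The following Python is an added example, not code from the sandbox or from the sample: it runs over constructed Sysmon-style process-creation and registry events that mirror this report's process tree and IoCs (the sample's own parent PID, 1000, is an assumption, and one Delivery Optimization write by svchost.exe is included as the kind of background noise the report also contains). It generalises slightly beyond the report by matching Run and RunOnce under HKLM, WOW6432Node and any HKU SID, and by requiring the deleted path to equal the parent's own image so that an ordinary cleanup `del` does not fire.

```python
"""Detection logic for the behaviours recorded in this report.

Added example, not code from the sandbox or the sample.  EVENTS are
constructed Sysmon-style records mirroring the report's process tree and
registry IoCs; the sample's parent PID (1000) is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\099711ac3e0d80f59fd96d11082a2f27571b6d70ba76de07e9e4f52b44b2637d.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Run / RunOnce under HKLM, HKLM\WOW6432Node or HKU\<SID> (native \REGISTRY\... paths)
RUN_KEY_RE = re.compile(
    r"\\software\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\run(?:once)?\\",
    re.IGNORECASE)
# Per-user temp directory: where both the sample and its payload run from
TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# "ping <anything> & del [/x ...] <path>": a delay, then a delete; captures <path>
SELF_DELETE_RE = re.compile(
    r'\bping\b.*&&?\s*del\b(?:\s+/[a-z])*\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


@dataclass
class Event:
    kind: str            # "process_create" | "registry_set" | "registry_query"
    pid: int
    image: str
    ppid: Optional[int] = None
    cmdline: str = ""
    key: str = ""
    value: str = ""


EVENTS = [  # constructed from the report; not captured telemetry
    Event("process_create", 2976, SAMPLE, ppid=1000, cmdline=f'"{SAMPLE}"'),
    Event("registry_query", 2976, SAMPLE,
          key=r"\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000"
              r"\Control Panel\International\Geo\Nation"),
    Event("registry_set", 2976, SAMPLE,
          key=r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
          value=DROPPED),
    Event("process_create", 3308, DROPPED, ppid=2976, cmdline=DROPPED),
    Event("process_create", 3152, r"C:\Windows\SysWOW64\cmd.exe", ppid=2976,
          cmdline=f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    Event("process_create", 2168, r"C:\Windows\SysWOW64\PING.EXE", ppid=3152,
          cmdline="ping 127.0.0.1"),
    # Background noise also present in the report: Delivery Optimization bookkeeping
    Event("registry_set", 2764, r"C:\Windows\System32\svchost.exe",
          key=r"\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion"
              r"\DeliveryOptimization\Config\DODownloadMode", value="1"),
]


def _procs(events):
    """Map pid -> its process_create event."""
    return {e.pid: e for e in events if e.kind == "process_create"}


def find_run_key_persistence(events):
    """Run-key values whose target lives in a user-writable temp directory."""
    return [{"pid": e.pid, "key": e.key, "target": e.value}
            for e in events
            if e.kind == "registry_set" and RUN_KEY_RE.search(e.key)
            and TEMP_RE.search(e.value.strip('"'))]


def find_temp_execution(events):
    """Child run from temp by a parent that itself runs from temp (dropper -> payload)."""
    procs = _procs(events)
    hits = []
    for e in procs.values():
        parent = procs.get(e.ppid)
        if parent and TEMP_RE.search(e.image) and TEMP_RE.search(parent.image):
            hits.append({"pid": e.pid, "image": e.image, "parent_pid": parent.pid})
    return hits


def find_self_delete(events):
    """cmd.exe told to 'ping ... & del <path>' where <path> is its parent's own image."""
    procs = _procs(events)
    hits = []
    for e in procs.values():
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e.cmdline)
        parent = procs.get(e.ppid)
        if m and parent and m.group(1).lower() == parent.image.lower():
            hits.append({"pid": e.pid, "parent_pid": parent.pid, "deleted": m.group(1)})
    return hits


def find_geofence_check(events):
    """Reads of the per-user Geo/Nation value (country code used for geofencing)."""
    return [{"pid": e.pid, "image": e.image} for e in events
            if e.kind == "registry_query"
            and e.key.lower().endswith(r"\control panel\international\geo\nation")]


def analyze(events):
    return {
        "run_key_persistence": find_run_key_persistence(events),
        "executes_from_temp": find_temp_execution(events),
        "self_delete": find_self_delete(events),
        "geofence_check": find_geofence_check(events),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(EVENTS), indent=2))
```

Against the constructed events only PID 2976 and its children produce findings; the svchost.exe write does not match the Run-key rule, and a cmd.exe that deletes a file other than its parent's image is not reported as self-deletion. Feeding real Sysmon Event ID 1 (process create), 12/13 (registry) records into `Event` is the only change needed to run this on a host.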
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 55f65a9371fbdc43a6f098465f6e9e35
  SHA1: 28957a506a5f3b7bb4b1a8b5a1a6abacc53ef86f
  SHA256: 4ed1c4563de1c11c7b9f024bf65267e29a04dab97ebcf1beed7fd2cd556708fd
  SHA512: 6b0de2ca2a43056b0fd734674a2ae2e75b6f28b13969ee5068c6c9dc195ab8b04588262da0d08a24a784cc5e856b1552f3622adadbbb2757ce1909b3dcda1e63

The dropped file's hashes differ from the submitted sample's (MD5 55f65a93... versus ca050cb9...), so MediaCenter.exe is a distinct payload written by the dropper, not a copy of the sample; both hash sets are the indicators to hunt for, since the sample deletes itself and only MediaCenter.exe remains on disk.