Analysis
-
max time kernel
165s -
max time network
176s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
12-02-2022 09:45
Static task
static1
Behavioral task
behavioral1
Sample
0920f3a73c20e84b0ec9c772b6d6a59b3081fad0ed0835b107597dc69f212f4a.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0920f3a73c20e84b0ec9c772b6d6a59b3081fad0ed0835b107597dc69f212f4a.exe
Resource
win10v2004-en-20220112
General
-
Target
0920f3a73c20e84b0ec9c772b6d6a59b3081fad0ed0835b107597dc69f212f4a.exe
-
Size
36KB
-
MD5
af88161d1d37b5d04c5ccab07cae0351
-
SHA1
1f799696b7bfc7227332b76d06dcdd56b89d5884
-
SHA256
0920f3a73c20e84b0ec9c772b6d6a59b3081fad0ed0835b107597dc69f212f4a
-
SHA512
7b8f42abdab26a9a61ee8eaef57789dedbe22134add955c4a69a0478b721a598c22d9d9ed209a62e91b0a161405c5175be441fa50e9e3229e7ca94019a574b6c
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 3536 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
0920f3a73c20e84b0ec9c772b6d6a59b3081fad0ed0835b107597dc69f212f4a.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation 0920f3a73c20e84b0ec9c772b6d6a59b3081fad0ed0835b107597dc69f212f4a.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0920f3a73c20e84b0ec9c772b6d6a59b3081fad0ed0835b107597dc69f212f4a.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0920f3a73c20e84b0ec9c772b6d6a59b3081fad0ed0835b107597dc69f212f4a.exe -
Drops file in Windows directory 3 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 49 IoCs
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4336" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.050556" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.040916" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "6.896579" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4128" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132893096120836793" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" svchost.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
TiWorker.exe0920f3a73c20e84b0ec9c772b6d6a59b3081fad0ed0835b107597dc69f212f4a.exedescription pid process Token: SeSecurityPrivilege 3484 TiWorker.exe Token: SeRestorePrivilege 3484 TiWorker.exe Token: SeBackupPrivilege 3484 TiWorker.exe Token: SeIncBasePriorityPrivilege 3776 0920f3a73c20e84b0ec9c772b6d6a59b3081fad0ed0835b107597dc69f212f4a.exe Token: SeBackupPrivilege 3484 TiWorker.exe Token: SeRestorePrivilege 3484 TiWorker.exe Token: SeSecurityPrivilege 3484 TiWorker.exe Token: SeBackupPrivilege 3484 TiWorker.exe Token: SeRestorePrivilege 3484 TiWorker.exe Token: SeSecurityPrivilege 3484 TiWorker.exe Token: SeBackupPrivilege 3484 TiWorker.exe Token: SeRestorePrivilege 3484 TiWorker.exe Token: SeSecurityPrivilege 3484 TiWorker.exe Token: SeBackupPrivilege 3484 TiWorker.exe Token: SeRestorePrivilege 3484 TiWorker.exe Token: SeSecurityPrivilege 3484 TiWorker.exe Token: SeBackupPrivilege 3484 TiWorker.exe Token: SeRestorePrivilege 3484 TiWorker.exe Token: SeSecurityPrivilege 3484 TiWorker.exe Token: SeBackupPrivilege 3484 TiWorker.exe Token: SeRestorePrivilege 3484 TiWorker.exe Token: SeSecurityPrivilege 3484 TiWorker.exe Token: SeBackupPrivilege 3484 TiWorker.exe Token: SeRestorePrivilege 3484 TiWorker.exe Token: SeSecurityPrivilege 3484 TiWorker.exe Token: SeBackupPrivilege 3484 TiWorker.exe Token: SeRestorePrivilege 3484 TiWorker.exe Token: SeSecurityPrivilege 3484 TiWorker.exe Token: SeBackupPrivilege 3484 TiWorker.exe Token: SeRestorePrivilege 3484 TiWorker.exe Token: SeSecurityPrivilege 3484 TiWorker.exe Token: SeBackupPrivilege 3484 TiWorker.exe Token: SeRestorePrivilege 3484 TiWorker.exe Token: SeSecurityPrivilege 3484 TiWorker.exe Token: SeBackupPrivilege 3484 TiWorker.exe Token: SeRestorePrivilege 3484 TiWorker.exe Token: SeSecurityPrivilege 3484 TiWorker.exe Token: SeBackupPrivilege 3484 TiWorker.exe Token: SeRestorePrivilege 3484 TiWorker.exe Token: SeSecurityPrivilege 3484 TiWorker.exe Token: SeBackupPrivilege 3484 TiWorker.exe Token: SeRestorePrivilege 3484 TiWorker.exe Token: SeSecurityPrivilege 3484 TiWorker.exe Token: SeBackupPrivilege 3484 TiWorker.exe Token: SeRestorePrivilege 3484 TiWorker.exe Token: SeSecurityPrivilege 3484 TiWorker.exe Token: SeBackupPrivilege 3484 TiWorker.exe Token: SeRestorePrivilege 3484 TiWorker.exe Token: SeSecurityPrivilege 3484 TiWorker.exe Token: SeBackupPrivilege 3484 TiWorker.exe Token: SeRestorePrivilege 3484 TiWorker.exe Token: SeSecurityPrivilege 3484 TiWorker.exe Token: SeBackupPrivilege 3484 TiWorker.exe Token: SeRestorePrivilege 3484 TiWorker.exe Token: SeSecurityPrivilege 3484 TiWorker.exe Token: SeBackupPrivilege 3484 TiWorker.exe Token: SeRestorePrivilege 3484 TiWorker.exe Token: SeSecurityPrivilege 3484 TiWorker.exe Token: SeBackupPrivilege 3484 TiWorker.exe Token: SeRestorePrivilege 3484 TiWorker.exe Token: SeSecurityPrivilege 3484 TiWorker.exe Token: SeBackupPrivilege 3484 TiWorker.exe Token: SeRestorePrivilege 3484 TiWorker.exe Token: SeSecurityPrivilege 3484 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
0920f3a73c20e84b0ec9c772b6d6a59b3081fad0ed0835b107597dc69f212f4a.execmd.exedescription pid process target process PID 3776 wrote to memory of 3536 3776 0920f3a73c20e84b0ec9c772b6d6a59b3081fad0ed0835b107597dc69f212f4a.exe MediaCenter.exe PID 3776 wrote to memory of 3536 3776 0920f3a73c20e84b0ec9c772b6d6a59b3081fad0ed0835b107597dc69f212f4a.exe MediaCenter.exe PID 3776 wrote to memory of 3536 3776 0920f3a73c20e84b0ec9c772b6d6a59b3081fad0ed0835b107597dc69f212f4a.exe MediaCenter.exe PID 3776 wrote to memory of 2824 3776 0920f3a73c20e84b0ec9c772b6d6a59b3081fad0ed0835b107597dc69f212f4a.exe cmd.exe PID 3776 wrote to memory of 2824 3776 0920f3a73c20e84b0ec9c772b6d6a59b3081fad0ed0835b107597dc69f212f4a.exe cmd.exe PID 3776 wrote to memory of 2824 3776 0920f3a73c20e84b0ec9c772b6d6a59b3081fad0ed0835b107597dc69f212f4a.exe cmd.exe PID 2824 wrote to memory of 2996 2824 cmd.exe PING.EXE PID 2824 wrote to memory of 2996 2824 cmd.exe PING.EXE PID 2824 wrote to memory of 2996 2824 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0920f3a73c20e84b0ec9c772b6d6a59b3081fad0ed0835b107597dc69f212f4a.exe"C:\Users\Admin\AppData\Local\Temp\0920f3a73c20e84b0ec9c772b6d6a59b3081fad0ed0835b107597dc69f212f4a.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3776 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:3536 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0920f3a73c20e84b0ec9c772b6d6a59b3081fad0ed0835b107597dc69f212f4a.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:2996
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1868
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3484
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
8936a29c10d76723b73677a54697733c
SHA13fbb458c631867d9ec05f3b845e4f42ebff5a75c
SHA256172d26ec0da577ee66d67fd11130f6955edf9190f33062cadf9dda3b966d9c99
SHA512c9bbb2ba6c309a76c15fae7c9cbc5c958ce788ee03e3fcb180931071fabc35ec0d848b821fb413ce66e0a9b636563b8abf1ffe540d3c6e208d80621aed7f639a
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
8936a29c10d76723b73677a54697733c
SHA13fbb458c631867d9ec05f3b845e4f42ebff5a75c
SHA256172d26ec0da577ee66d67fd11130f6955edf9190f33062cadf9dda3b966d9c99
SHA512c9bbb2ba6c309a76c15fae7c9cbc5c958ce788ee03e3fcb180931071fabc35ec0d848b821fb413ce66e0a9b636563b8abf1ffe540d3c6e208d80621aed7f639a