Analysis
max time kernel: 167s
max time network: 182s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 09:44
Static task: static1
Behavioral task: behavioral1
  Sample: 092bff8ae1d6e3fe03e7594914ae701a7d3ad8fb68cc29b77d1eec5f81016601.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 092bff8ae1d6e3fe03e7594914ae701a7d3ad8fb68cc29b77d1eec5f81016601.exe
  Resource: win10v2004-en-20220112
General
Target: 092bff8ae1d6e3fe03e7594914ae701a7d3ad8fb68cc29b77d1eec5f81016601.exe
Size: 60KB
MD5: 5c434a9ff5342b0bec6f41b0ce1e93ba
SHA1: 61dbdea83099165f1572e9712fef4a0cc400b7e3
SHA256: 092bff8ae1d6e3fe03e7594914ae701a7d3ad8fb68cc29b77d1eec5f81016601
SHA512: 75b8b1ded7466bf3759ddb9503b7a74b31b7821d709c839e6f0e96aa2dff32eb86804d736b45890e08f795a7146972ffe02bc2582e061b98fb952314abb1b694
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
Processes (pid | process):
  2528 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 092bff8ae1d6e3fe03e7594914ae701a7d3ad8fb68cc29b77d1eec5f81016601.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 092bff8ae1d6e3fe03e7594914ae701a7d3ad8fb68cc29b77d1eec5f81016601.exe
Drops file in Windows directory (3 IoCs)
Processes (description | ioc | process):
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
Modifies data under HKEY_USERS (51 IoCs)
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132893096858818059" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4104" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "2.631676" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3928" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "2.916774" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.165838" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4348" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | svchost.exe
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description | pid | process):
  Token: SeSecurityPrivilege | 3276 | TiWorker.exe
  Token: SeRestorePrivilege | 3276 | TiWorker.exe
  Token: SeBackupPrivilege | 3276 | TiWorker.exe
  Token: SeBackupPrivilege | 3276 | TiWorker.exe
  Token: SeRestorePrivilege | 3276 | TiWorker.exe
  Token: SeSecurityPrivilege | 3276 | TiWorker.exe
  Token: SeBackupPrivilege | 3276 | TiWorker.exe
  Token: SeRestorePrivilege | 3276 | TiWorker.exe
  Token: SeSecurityPrivilege | 3276 | TiWorker.exe
  Token: SeBackupPrivilege | 3276 | TiWorker.exe
  Token: SeRestorePrivilege | 3276 | TiWorker.exe
  Token: SeSecurityPrivilege | 3276 | TiWorker.exe
  Token: SeBackupPrivilege | 3276 | TiWorker.exe
  Token: SeRestorePrivilege | 3276 | TiWorker.exe
  Token: SeSecurityPrivilege | 3276 | TiWorker.exe
  Token: SeBackupPrivilege | 3276 | TiWorker.exe
  Token: SeRestorePrivilege | 3276 | TiWorker.exe
  Token: SeSecurityPrivilege | 3276 | TiWorker.exe
  Token: SeBackupPrivilege | 3276 | TiWorker.exe
  Token: SeRestorePrivilege | 3276 | TiWorker.exe
  Token: SeSecurityPrivilege | 3276 | TiWorker.exe
  Token: SeBackupPrivilege | 3276 | TiWorker.exe
  Token: SeRestorePrivilege | 3276 | TiWorker.exe
  Token: SeSecurityPrivilege | 3276 | TiWorker.exe
  Token: SeBackupPrivilege | 3276 | TiWorker.exe
  Token: SeRestorePrivilege | 3276 | TiWorker.exe
  Token: SeSecurityPrivilege | 3276 | TiWorker.exe
  Token: SeBackupPrivilege | 3276 | TiWorker.exe
  Token: SeRestorePrivilege | 3276 | TiWorker.exe
  Token: SeSecurityPrivilege | 3276 | TiWorker.exe
  Token: SeBackupPrivilege | 3276 | TiWorker.exe
  Token: SeRestorePrivilege | 3276 | TiWorker.exe
  Token: SeSecurityPrivilege | 3276 | TiWorker.exe
  Token: SeIncBasePriorityPrivilege | 864 | 092bff8ae1d6e3fe03e7594914ae701a7d3ad8fb68cc29b77d1eec5f81016601.exe
  Token: SeBackupPrivilege | 3276 | TiWorker.exe
  Token: SeRestorePrivilege | 3276 | TiWorker.exe
  Token: SeSecurityPrivilege | 3276 | TiWorker.exe
  Token: SeBackupPrivilege | 3276 | TiWorker.exe
  Token: SeRestorePrivilege | 3276 | TiWorker.exe
  Token: SeSecurityPrivilege | 3276 | TiWorker.exe
  Token: SeBackupPrivilege | 3276 | TiWorker.exe
  Token: SeRestorePrivilege | 3276 | TiWorker.exe
  Token: SeSecurityPrivilege | 3276 | TiWorker.exe
  Token: SeBackupPrivilege | 3276 | TiWorker.exe
  Token: SeRestorePrivilege | 3276 | TiWorker.exe
  Token: SeSecurityPrivilege | 3276 | TiWorker.exe
  Token: SeBackupPrivilege | 3276 | TiWorker.exe
  Token: SeRestorePrivilege | 3276 | TiWorker.exe
  Token: SeSecurityPrivilege | 3276 | TiWorker.exe
  Token: SeBackupPrivilege | 3276 | TiWorker.exe
  Token: SeRestorePrivilege | 3276 | TiWorker.exe
  Token: SeSecurityPrivilege | 3276 | TiWorker.exe
  Token: SeBackupPrivilege | 3276 | TiWorker.exe
  Token: SeRestorePrivilege | 3276 | TiWorker.exe
  Token: SeSecurityPrivilege | 3276 | TiWorker.exe
  Token: SeBackupPrivilege | 3276 | TiWorker.exe
  Token: SeRestorePrivilege | 3276 | TiWorker.exe
  Token: SeSecurityPrivilege | 3276 | TiWorker.exe
  Token: SeBackupPrivilege | 3276 | TiWorker.exe
  Token: SeRestorePrivilege | 3276 | TiWorker.exe
  Token: SeSecurityPrivilege | 3276 | TiWorker.exe
  Token: SeBackupPrivilege | 3276 | TiWorker.exe
  Token: SeRestorePrivilege | 3276 | TiWorker.exe
  Token: SeSecurityPrivilege | 3276 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description | pid | process | target process):
  PID 864 wrote to memory of 2528 | 864 | 092bff8ae1d6e3fe03e7594914ae701a7d3ad8fb68cc29b77d1eec5f81016601.exe | MediaCenter.exe
  PID 864 wrote to memory of 2528 | 864 | 092bff8ae1d6e3fe03e7594914ae701a7d3ad8fb68cc29b77d1eec5f81016601.exe | MediaCenter.exe
  PID 864 wrote to memory of 2528 | 864 | 092bff8ae1d6e3fe03e7594914ae701a7d3ad8fb68cc29b77d1eec5f81016601.exe | MediaCenter.exe
  PID 864 wrote to memory of 1956 | 864 | 092bff8ae1d6e3fe03e7594914ae701a7d3ad8fb68cc29b77d1eec5f81016601.exe | cmd.exe
  PID 864 wrote to memory of 1956 | 864 | 092bff8ae1d6e3fe03e7594914ae701a7d3ad8fb68cc29b77d1eec5f81016601.exe | cmd.exe
  PID 864 wrote to memory of 1956 | 864 | 092bff8ae1d6e3fe03e7594914ae701a7d3ad8fb68cc29b77d1eec5f81016601.exe | cmd.exe
  PID 1956 wrote to memory of 1856 | 1956 | cmd.exe | PING.EXE
  PID 1956 wrote to memory of 1856 | 1956 | cmd.exe | PING.EXE
  PID 1956 wrote to memory of 1856 | 1956 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\092bff8ae1d6e3fe03e7594914ae701a7d3ad8fb68cc29b77d1eec5f81016601.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\092bff8ae1d6e3fe03e7594914ae701a7d3ad8fb68cc29b77d1eec5f81016601.exe"
  PID: 864
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 2528
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\092bff8ae1d6e3fe03e7594914ae701a7d3ad8fb68cc29b77d1eec5f81016601.exe"
    PID: 1956
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1856
      - Runs ping.exe
C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  PID: 3848
  - Checks processor information in registry
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  PID: 1188
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3276
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: cd47c180835104e9233f8b4ed3d8c65e
  SHA1: 1ea5d63cc3071375bdb6f103575879ef91c4c36a
  SHA256: b33241558607556842557890630f85062085ccd3f8d453829812308c3d81cbec
  SHA512: d1b8a72e8a3fa0ef9498f1794367a19f490a18b39188f5097407ff65f753edf288fe1a993e76eeb42bd727d7db3575a62265af1507fe1d52e2deb3f14756fa5c