Analysis
max time kernel: 176s
max time network: 183s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 09:54

Static task: static1

Behavioral task: behavioral1
Sample: 089f5a0c7bd58ac3f5db7b82193fe5516e0dd1a943de27f5f0398dd86627e925.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 089f5a0c7bd58ac3f5db7b82193fe5516e0dd1a943de27f5f0398dd86627e925.exe
Resource: win10v2004-en-20220112

General
Target: 089f5a0c7bd58ac3f5db7b82193fe5516e0dd1a943de27f5f0398dd86627e925.exe
Size: 60KB
MD5: b87cc2abca0eda8e01106c1680afe3ed
SHA1: 779d7ab5059480018d2aed5e65b659b97ff36821
SHA256: 089f5a0c7bd58ac3f5db7b82193fe5516e0dd1a943de27f5f0398dd86627e925
SHA512: 8e3e5ff01750c8f5aa858d1d6208643e173567296f1d56203443c68aa1af57a2b9ffd1b4985e9fcba274eb1c255182ad9a28a89ea9a353a9c845f0183f78441e
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes: MediaCenter.exe
pid | process
1304 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 089f5a0c7bd58ac3f5db7b82193fe5516e0dd1a943de27f5f0398dd86627e925.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 089f5a0c7bd58ac3f5db7b82193fe5516e0dd1a943de27f5f0398dd86627e925.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 089f5a0c7bd58ac3f5db7b82193fe5516e0dd1a943de27f5f0398dd86627e925.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 089f5a0c7bd58ac3f5db7b82193fe5516e0dd1a943de27f5f0398dd86627e925.exe
Drops file in Windows directory (3 IoCs)
Processes: svchost.exe, TiWorker.exe
description | ioc | process
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: MusNotifyIcon.exe, MusNotifyIcon.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
Modifies data under HKEY_USERS (49 IoCs)
Processes: svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4172" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "5.881886" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4324" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "4.545399" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132893104418788993" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "4.424833" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | svchost.exe
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: 089f5a0c7bd58ac3f5db7b82193fe5516e0dd1a943de27f5f0398dd86627e925.exe, TiWorker.exe
description | pid | process
Token: SeIncBasePriorityPrivilege | 1792 | 089f5a0c7bd58ac3f5db7b82193fe5516e0dd1a943de27f5f0398dd86627e925.exe
The remaining 63 IoCs are all TiWorker.exe (PID 3540) enabling, in order, SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, followed by the cycle SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege repeated 19 times (21 of each privilege in total).
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 089f5a0c7bd58ac3f5db7b82193fe5516e0dd1a943de27f5f0398dd86627e925.exe, cmd.exe
description | pid | process | target process
PID 1792 wrote to memory of 1304 | 1792 | 089f5a0c7bd58ac3f5db7b82193fe5516e0dd1a943de27f5f0398dd86627e925.exe | MediaCenter.exe
PID 1792 wrote to memory of 1304 | 1792 | 089f5a0c7bd58ac3f5db7b82193fe5516e0dd1a943de27f5f0398dd86627e925.exe | MediaCenter.exe
PID 1792 wrote to memory of 1304 | 1792 | 089f5a0c7bd58ac3f5db7b82193fe5516e0dd1a943de27f5f0398dd86627e925.exe | MediaCenter.exe
PID 1792 wrote to memory of 1808 | 1792 | 089f5a0c7bd58ac3f5db7b82193fe5516e0dd1a943de27f5f0398dd86627e925.exe | cmd.exe
PID 1792 wrote to memory of 1808 | 1792 | 089f5a0c7bd58ac3f5db7b82193fe5516e0dd1a943de27f5f0398dd86627e925.exe | cmd.exe
PID 1792 wrote to memory of 1808 | 1792 | 089f5a0c7bd58ac3f5db7b82193fe5516e0dd1a943de27f5f0398dd86627e925.exe | cmd.exe
PID 1808 wrote to memory of 844 | 1808 | cmd.exe | PING.EXE
PID 1808 wrote to memory of 844 | 1808 | cmd.exe | PING.EXE
PID 1808 wrote to memory of 844 | 1808 | cmd.exe | PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\089f5a0c7bd58ac3f5db7b82193fe5516e0dd1a943de27f5f0398dd86627e925.exe (PID 1792)
    Command line: "C:\Users\Admin\AppData\Local\Temp\089f5a0c7bd58ac3f5db7b82193fe5516e0dd1a943de27f5f0398dd86627e925.exe"
    Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1304)
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Signatures: Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe (PID 1808)
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\089f5a0c7bd58ac3f5db7b82193fe5516e0dd1a943de27f5f0398dd86627e925.exe"
        Signatures: Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE (PID 844)
            Command line: ping 127.0.0.1
            Signatures: Runs ping.exe

C:\Windows\system32\MusNotifyIcon.exe (PID 1232)
    Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    Signatures: Checks processor information in registry

C:\Windows\System32\svchost.exe (PID 2652)
    Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
    Signatures: Drops file in Windows directory; Modifies data under HKEY_USERS

C:\Windows\system32\MusNotifyIcon.exe (PID 3888)
    Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    Signatures: Checks processor information in registry

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 3540)
    Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
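The sample's own process tree shows two behaviours worth turning into detection logic: a Run key value that points at a dropped executable in the user's Temp directory, and a cmd.exe child that runs ping 127.0.0.1 as a crude delay before deleting the original sample. The following is an added example and not part of the sandbox report. The event records are constructed from the report's PIDs, paths and registry values; the record shape (Sysmon-style process-create and registry set-value events) and the field names are assumptions of this example. It also includes one of the svchost.exe Delivery Optimization writes listed under "Modifies data under HKEY_USERS", which the report shows as a separate root process rather than a child of the sample, to check that the rules stay silent on it.

```python
"""Detection logic for Run-key persistence into a user-writable path and for the
"ping as sleep, then del" self-deletion idiom.  Example code, not sandbox output."""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\089f5a0c7bd58ac3f5db7b82193fe5516e0dd1a943de27f5f0398dd86627e925.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed telemetry.  PIDs, paths and values come from the report; the
# event shape (process-create / registry set-value dicts) is an assumption.
EVENTS = [
    {"type": "process", "pid": 1792, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "registry", "pid": 1792, "image": SAMPLE,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
    {"type": "process", "pid": 1304, "ppid": 1792, "image": DROPPED, "cmdline": DROPPED},
    {"type": "process", "pid": 1808, "ppid": 1792, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process", "pid": 844, "ppid": 1808, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Benign noise from the same report: a service writing DO counters under HKU\S-1-5-20.
    {"type": "registry", "pid": 2652, "image": r"C:\Windows\System32\svchost.exe",
     "key": r"HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount",
     "value": "1"},
]

# Run / RunOnce keys under any hive, including the WOW6432Node view.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Paths a non-admin user can write to; a persistence target here is a red flag.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local|Roaming)\\", re.I)
# cmd.exe ... ping <loopback> ... & del ... "<path>": the ping only exists to wait
# for the parent to exit so the file can be deleted.
PING_DEL = re.compile(r'ping\s+(127\.0\.0\.1|localhost|::1)\b.*?&\s*del\b[^"]*"([^"]+)"', re.I)


def run_key_to_user_path(events):
    """Run/RunOnce values whose target lives in a user-writable profile directory."""
    return [(e["pid"], e["key"], e["value"]) for e in events
            if e["type"] == "registry" and RUN_KEY.search(e["key"])
            and USER_WRITABLE.search(e["value"])]


def ping_delete(events):
    """cmd.exe processes that delay with ping and then delete a file.  Marks the hit
    as self-deletion when the deleted path is the parent process's own image."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for e in events:
        if e["type"] != "process" or not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = PING_DEL.search(e["cmdline"])
        if not m:
            continue
        target = m.group(2)
        parent = by_pid.get(e["ppid"])
        hits.append({"pid": e["pid"], "ppid": e["ppid"], "deleted": target,
                     "self_delete": parent is not None
                     and parent["image"].lower() == target.lower()})
    return hits


def dropped_and_persisted(events):
    """Executables one process both launched as a child and registered under Run,
    i.e. drop, execute and persist from the same parent."""
    persisted = {v.lower(): pid for pid, _, v in run_key_to_user_path(events)}
    return [(e["ppid"], e["pid"], e["image"]) for e in events
            if e["type"] == "process" and e["image"].lower() in persisted
            and persisted[e["image"].lower()] == e["ppid"]]


def report(events):
    """Human-readable findings, one line each."""
    lines = [f"persistence: PID {pid} set {key} -> {val}" for pid, key, val in run_key_to_user_path(events)]
    lines += [f"{'self-' if h['self_delete'] else ''}delete via ping: cmd.exe PID {h['pid']} "
              f"(parent {h['ppid']}) deletes {h['deleted']}" for h in ping_delete(events)]
    lines += [f"drop+execute+persist: PID {pp} ran PID {cp} from {img}"
              for pp, cp, img in dropped_and_persisted(events)]
    return lines


if __name__ == "__main__":
    for line in report(EVENTS):
        print(line)
```

The self-deletion rule keys on the parent relationship rather than on the literal path: the same idiom with a different file name, loopback alias or hive view still matches, while an administrator's unrelated `del` in a script does not, because it lacks the ping delay in the same command line.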
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5: 882bc91df8361416d6414be380f99f7f
SHA1: efb84f11586305a7260c0b49451569a3c1a6e073
SHA256: f2e1babeaf379f3d6e8d4faac69c6e355dc73ab14b2d55a1c017ca6d5eed460e
SHA512: d415a2f41519dd8607ea6c9bcc93b8fc601dd0fc0aaa755c6ced0fea69cadda0f9f2ca642d218ed8b104f6e7c94fa810e103c9855afeb6c55a9613ed8425fe53