Analysis
- Max time kernel: 150s
- Max time network: 143s
- Platform: windows10-2004_x64
- Resource: win10v2004-en-20220112
- Submitted: 12-02-2022 11:07

Static task: static1

Behavioral task: behavioral1
- Sample: 0540ed18ac984764ddb9f1a90d52e83d1ab98d9e24bc875799785f411afdfe90.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0540ed18ac984764ddb9f1a90d52e83d1ab98d9e24bc875799785f411afdfe90.exe
- Resource: win10v2004-en-20220112
General
- Target: 0540ed18ac984764ddb9f1a90d52e83d1ab98d9e24bc875799785f411afdfe90.exe
- Size: 35KB
- MD5: dc2ffea6aa5d6a2cb88de7e235c6e5af
- SHA1: 6003d6bf212dd54afb79ddf0c0410396815c17d3
- SHA256: 0540ed18ac984764ddb9f1a90d52e83d1ab98d9e24bc875799785f411afdfe90
- SHA512: 7ad48a0b5782344e4110b1d1fdbe7d816ec9a81ca199b5e08511a6c9b2574a9d13c442a0c97a609e8a27e44b7020490545b6ddfcfbbc0ccdebb80276d3616eba
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
- PID 908: MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation (0540ed18ac984764ddb9f1a90d52e83d1ab98d9e24bc875799785f411afdfe90.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (0540ed18ac984764ddb9f1a90d52e83d1ab98d9e24bc875799785f411afdfe90.exe)
Drops file in Windows directory (3 IoCs)
Processes:
- File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
- File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
- File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat (svchost.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (MusNotifyIcon.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (MusNotifyIcon.exe)
Modifies data under HKEY_USERS (54 IoCs)
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
- PID 1504 wrote to memory of 908: 0540ed18ac984764ddb9f1a90d52e83d1ab98d9e24bc875799785f411afdfe90.exe -> MediaCenter.exe
- PID 1504 wrote to memory of 908: 0540ed18ac984764ddb9f1a90d52e83d1ab98d9e24bc875799785f411afdfe90.exe -> MediaCenter.exe
- PID 1504 wrote to memory of 908: 0540ed18ac984764ddb9f1a90d52e83d1ab98d9e24bc875799785f411afdfe90.exe -> MediaCenter.exe
- PID 1504 wrote to memory of 3816: 0540ed18ac984764ddb9f1a90d52e83d1ab98d9e24bc875799785f411afdfe90.exe -> cmd.exe
- PID 1504 wrote to memory of 3816: 0540ed18ac984764ddb9f1a90d52e83d1ab98d9e24bc875799785f411afdfe90.exe -> cmd.exe
- PID 1504 wrote to memory of 3816: 0540ed18ac984764ddb9f1a90d52e83d1ab98d9e24bc875799785f411afdfe90.exe -> cmd.exe
- PID 3816 wrote to memory of 3560: cmd.exe -> PING.EXE
- PID 3816 wrote to memory of 3560: cmd.exe -> PING.EXE
- PID 3816 wrote to memory of 3560: cmd.exe -> PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0540ed18ac984764ddb9f1a90d52e83d1ab98d9e24bc875799785f411afdfe90.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0540ed18ac984764ddb9f1a90d52e83d1ab98d9e24bc875799785f411afdfe90.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1504
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 908
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0540ed18ac984764ddb9f1a90d52e83d1ab98d9e24bc875799785f411afdfe90.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3816
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3560
- C:\Windows\system32\MusNotifyIcon.exe (level 1)
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
  PID: 2816
- C:\Windows\System32\svchost.exe (level 1)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 3356
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (level 1)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3500
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 17580e79491a809eb6df0d57f24fae6c
  SHA1: 5b80a75cf6938b40da1a41564aea9292ede50971
  SHA256: 6dcfc70d8fa9b709e1b90bfd830ef89c9db8e9c93e869917cd789b82a40d0a3a
  SHA512: aa9b45e8569f58df1e635f080983ad78ae657155b638abf58d851d623f73a9be56cae700cf7ce994a368ec0004e90dba4ea4a10cdd8a066522cb2cf9c926e98a