Analysis
- Max time kernel: 156s
- Max time network: 170s
- Platform: windows10-2004_x64
- Resource: win10v2004-en-20220112
- Submitted: 12-02-2022 10:19
Static task: static1
Behavioral task: behavioral1
  Sample: 079bd5564fda2138a383db0a7477b5d70933514590d1ff383bcf08424888d59c.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 079bd5564fda2138a383db0a7477b5d70933514590d1ff383bcf08424888d59c.exe
  Resource: win10v2004-en-20220112
General
- Target: 079bd5564fda2138a383db0a7477b5d70933514590d1ff383bcf08424888d59c.exe
- Size: 35KB
- MD5: 5efb42b9fdebeea249c1b3f5201f482e
- SHA1: ef1a925efbf5eb46fa5255ddd64a032bba58ed0c
- SHA256: 079bd5564fda2138a383db0a7477b5d70933514590d1ff383bcf08424888d59c
- SHA512: 3e71c3574b36902959f98b1addffe94b64066f28b062cb0973f1b307982295842b4f1c4afe581055bc5ec4ec7c75b2d8a264eed84d4a2f1d458f80251af37faf
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  - PID 3316: MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: 079bd5564fda2138a383db0a7477b5d70933514590d1ff383bcf08424888d59c.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation (079bd5564fda2138a383db0a7477b5d70933514590d1ff383bcf08424888d59c.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 079bd5564fda2138a383db0a7477b5d70933514590d1ff383bcf08424888d59c.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (079bd5564fda2138a383db0a7477b5d70933514590d1ff383bcf08424888d59c.exe)
- Drops file in Windows directory (3 IoCs)
  Processes: TiWorker.exe, svchost.exe
  - File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  - File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  - File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat (svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: MusNotifyIcon.exe
  - Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (MusNotifyIcon.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (MusNotifyIcon.exe)
- Modifies data under HKEY_USERS (51 IoCs)
  Processes: svchost.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: TiWorker.exe, 079bd5564fda2138a383db0a7477b5d70933514590d1ff383bcf08424888d59c.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 079bd5564fda2138a383db0a7477b5d70933514590d1ff383bcf08424888d59c.exe, cmd.exe
  - PID 3904 (079bd5564fda2138a383db0a7477b5d70933514590d1ff383bcf08424888d59c.exe) wrote to memory of PID 3316 (MediaCenter.exe)
  - PID 3904 (079bd5564fda2138a383db0a7477b5d70933514590d1ff383bcf08424888d59c.exe) wrote to memory of PID 3316 (MediaCenter.exe)
  - PID 3904 (079bd5564fda2138a383db0a7477b5d70933514590d1ff383bcf08424888d59c.exe) wrote to memory of PID 3316 (MediaCenter.exe)
  - PID 3904 (079bd5564fda2138a383db0a7477b5d70933514590d1ff383bcf08424888d59c.exe) wrote to memory of PID 528 (cmd.exe)
  - PID 3904 (079bd5564fda2138a383db0a7477b5d70933514590d1ff383bcf08424888d59c.exe) wrote to memory of PID 528 (cmd.exe)
  - PID 3904 (079bd5564fda2138a383db0a7477b5d70933514590d1ff383bcf08424888d59c.exe) wrote to memory of PID 528 (cmd.exe)
  - PID 528 (cmd.exe) wrote to memory of PID 660 (PING.EXE)
  - PID 528 (cmd.exe) wrote to memory of PID 660 (PING.EXE)
  - PID 528 (cmd.exe) wrote to memory of PID 660 (PING.EXE)
Processes
- C:\Users\Admin\AppData\Local\Temp\079bd5564fda2138a383db0a7477b5d70933514590d1ff383bcf08424888d59c.exe (PID 3904)
  Command line: "C:\Users\Admin\AppData\Local\Temp\079bd5564fda2138a383db0a7477b5d70933514590d1ff383bcf08424888d59c.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 3316)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 528)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\079bd5564fda2138a383db0a7477b5d70933514590d1ff383bcf08424888d59c.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 660)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\MusNotifyIcon.exe (PID 2832)
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
- C:\Windows\System32\svchost.exe (PID 3560)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 3084)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 718b7c0d2ff4edcb729b725a0be3a8c0
  SHA1: 98059375643e65419358ec6f5b9637e42f0f5867
  SHA256: 25a3eb9909d8734dc08851273c0be6814d7e384263ea64ef1ac5b62f147e8edb
  SHA512: 7ee72bed285154ec68191d6c5411205bd5032be26b14a582688ed7bba2594e284e88e52a29738e7c2bdb930b5fbd5627e931f7b65b2fd5bc25c05b455b4e2463