Analysis
- max time kernel: 165s
- max time network: 176s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 10:23
Static task: static1
Behavioral task: behavioral1
- Sample: 075a5c448648f728cb240f337e412ffff4edd369889c37829da08fe42b55d139.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 075a5c448648f728cb240f337e412ffff4edd369889c37829da08fe42b55d139.exe
- Resource: win10v2004-en-20220112
General
- Target: 075a5c448648f728cb240f337e412ffff4edd369889c37829da08fe42b55d139.exe
- Size: 58KB
- MD5: f3c859f944657978b196d73f3bf56483
- SHA1: 23e4ae27a3f1b81600e226ccad7333c28cedcf92
- SHA256: 075a5c448648f728cb240f337e412ffff4edd369889c37829da08fe42b55d139
- SHA512: 87405d4f2ae9693052ff2a914bbc3e79f1ee9c2cf92e92d8677b916b396ea77a89a789f36fa00d54bcbc60fd902347a35b041d67dce09808bfaf580b3387c0b8
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
2808 | MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 075a5c448648f728cb240f337e412ffff4edd369889c37829da08fe42b55d139.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 075a5c448648f728cb240f337e412ffff4edd369889c37829da08fe42b55d139.exe
Drops file in Windows directory 3 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
Modifies data under HKEY_USERS 50 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4220" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132893126464168300" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "2.631618" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "2.189747" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4056" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4440" | svchost.exe
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeSecurityPrivilege | 3480 | TiWorker.exe
Token: SeRestorePrivilege | 3480 | TiWorker.exe
Token: SeBackupPrivilege | 3480 | TiWorker.exe
Token: SeIncBasePriorityPrivilege | 3116 | 075a5c448648f728cb240f337e412ffff4edd369889c37829da08fe42b55d139.exe
Token: SeBackupPrivilege | 3480 | TiWorker.exe
Token: SeRestorePrivilege | 3480 | TiWorker.exe
Token: SeSecurityPrivilege | 3480 | TiWorker.exe
Token: SeBackupPrivilege | 3480 | TiWorker.exe
Token: SeRestorePrivilege | 3480 | TiWorker.exe
Token: SeSecurityPrivilege | 3480 | TiWorker.exe
Token: SeBackupPrivilege | 3480 | TiWorker.exe
Token: SeRestorePrivilege | 3480 | TiWorker.exe
Token: SeSecurityPrivilege | 3480 | TiWorker.exe
Token: SeBackupPrivilege | 3480 | TiWorker.exe
Token: SeRestorePrivilege | 3480 | TiWorker.exe
Token: SeSecurityPrivilege | 3480 | TiWorker.exe
Token: SeBackupPrivilege | 3480 | TiWorker.exe
Token: SeRestorePrivilege | 3480 | TiWorker.exe
Token: SeSecurityPrivilege | 3480 | TiWorker.exe
Token: SeBackupPrivilege | 3480 | TiWorker.exe
Token: SeRestorePrivilege | 3480 | TiWorker.exe
Token: SeSecurityPrivilege | 3480 | TiWorker.exe
Token: SeBackupPrivilege | 3480 | TiWorker.exe
Token: SeRestorePrivilege | 3480 | TiWorker.exe
Token: SeSecurityPrivilege | 3480 | TiWorker.exe
Token: SeBackupPrivilege | 3480 | TiWorker.exe
Token: SeRestorePrivilege | 3480 | TiWorker.exe
Token: SeSecurityPrivilege | 3480 | TiWorker.exe
Token: SeBackupPrivilege | 3480 | TiWorker.exe
Token: SeRestorePrivilege | 3480 | TiWorker.exe
Token: SeSecurityPrivilege | 3480 | TiWorker.exe
Token: SeBackupPrivilege | 3480 | TiWorker.exe
Token: SeRestorePrivilege | 3480 | TiWorker.exe
Token: SeSecurityPrivilege | 3480 | TiWorker.exe
Token: SeBackupPrivilege | 3480 | TiWorker.exe
Token: SeRestorePrivilege | 3480 | TiWorker.exe
Token: SeSecurityPrivilege | 3480 | TiWorker.exe
Token: SeBackupPrivilege | 3480 | TiWorker.exe
Token: SeRestorePrivilege | 3480 | TiWorker.exe
Token: SeSecurityPrivilege | 3480 | TiWorker.exe
Token: SeBackupPrivilege | 3480 | TiWorker.exe
Token: SeRestorePrivilege | 3480 | TiWorker.exe
Token: SeSecurityPrivilege | 3480 | TiWorker.exe
Token: SeBackupPrivilege | 3480 | TiWorker.exe
Token: SeRestorePrivilege | 3480 | TiWorker.exe
Token: SeSecurityPrivilege | 3480 | TiWorker.exe
Token: SeBackupPrivilege | 3480 | TiWorker.exe
Token: SeRestorePrivilege | 3480 | TiWorker.exe
Token: SeSecurityPrivilege | 3480 | TiWorker.exe
Token: SeBackupPrivilege | 3480 | TiWorker.exe
Token: SeRestorePrivilege | 3480 | TiWorker.exe
Token: SeSecurityPrivilege | 3480 | TiWorker.exe
Token: SeBackupPrivilege | 3480 | TiWorker.exe
Token: SeRestorePrivilege | 3480 | TiWorker.exe
Token: SeSecurityPrivilege | 3480 | TiWorker.exe
Token: SeBackupPrivilege | 3480 | TiWorker.exe
Token: SeRestorePrivilege | 3480 | TiWorker.exe
Token: SeSecurityPrivilege | 3480 | TiWorker.exe
Token: SeBackupPrivilege | 3480 | TiWorker.exe
Token: SeRestorePrivilege | 3480 | TiWorker.exe
Token: SeSecurityPrivilege | 3480 | TiWorker.exe
Token: SeBackupPrivilege | 3480 | TiWorker.exe
Token: SeRestorePrivilege | 3480 | TiWorker.exe
Token: SeSecurityPrivilege | 3480 | TiWorker.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 3116 wrote to memory of 2808 | 3116 | 075a5c448648f728cb240f337e412ffff4edd369889c37829da08fe42b55d139.exe | MediaCenter.exe
PID 3116 wrote to memory of 2808 | 3116 | 075a5c448648f728cb240f337e412ffff4edd369889c37829da08fe42b55d139.exe | MediaCenter.exe
PID 3116 wrote to memory of 2808 | 3116 | 075a5c448648f728cb240f337e412ffff4edd369889c37829da08fe42b55d139.exe | MediaCenter.exe
PID 3116 wrote to memory of 2464 | 3116 | 075a5c448648f728cb240f337e412ffff4edd369889c37829da08fe42b55d139.exe | cmd.exe
PID 3116 wrote to memory of 2464 | 3116 | 075a5c448648f728cb240f337e412ffff4edd369889c37829da08fe42b55d139.exe | cmd.exe
PID 3116 wrote to memory of 2464 | 3116 | 075a5c448648f728cb240f337e412ffff4edd369889c37829da08fe42b55d139.exe | cmd.exe
PID 2464 wrote to memory of 3912 | 2464 | cmd.exe | PING.EXE
PID 2464 wrote to memory of 3912 | 2464 | cmd.exe | PING.EXE
PID 2464 wrote to memory of 3912 | 2464 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\075a5c448648f728cb240f337e412ffff4edd369889c37829da08fe42b55d139.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\075a5c448648f728cb240f337e412ffff4edd369889c37829da08fe42b55d139.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3116
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 2808
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\075a5c448648f728cb240f337e412ffff4edd369889c37829da08fe42b55d139.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2464
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3912
- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
  PID: 984
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 2696
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3480
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 51f3c49999d3314a5a6b36ffa981e2c2
  SHA1: 6d826ec5173f5ad9989ee8dd114013dc13bac2b8
  SHA256: 5246e880a7fa995b332d88332dda5118759a4619e514ccfcf4c8da4548a9825a
  SHA512: deb5329989384168e5b98b4eaddefa7dfc60cec7b6817f50232947eaee143c896107a9dc2f2c6a5135a24ef06c910f0cb957629cc6a2ee64cca6ab0a06e60d4f