Analysis
- max time kernel: 150s
- max time network: 176s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 10:31
Static task: static1
Behavioral task: behavioral1
- Sample: 06ed3918a3d4169db47075e428c3476eda9bc68ab74de1efe63efea2b707940d.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 06ed3918a3d4169db47075e428c3476eda9bc68ab74de1efe63efea2b707940d.exe
- Resource: win10v2004-en-20220112
General
- Target: 06ed3918a3d4169db47075e428c3476eda9bc68ab74de1efe63efea2b707940d.exe
- Size: 60KB
- MD5: 59ddc36ba5f6bba4a8652f627c6b2f3d
- SHA1: a29ef12308ecb77f6aa352fdbbd7186d881d247f
- SHA256: 06ed3918a3d4169db47075e428c3476eda9bc68ab74de1efe63efea2b707940d
- SHA512: 3aefe825ee9959da2c9003e8eadeabe90d14e0db3eeb7e8092c8760f4a461bb64341c9479f183fdf9af2b13355d4eda7cd79d2cb2537b042dbcb57002ae0834d
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 4080)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes:
  - Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation by 06ed3918a3d4169db47075e428c3476eda9bc68ab74de1efe63efea2b707940d.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" by 06ed3918a3d4169db47075e428c3476eda9bc68ab74de1efe63efea2b707940d.exe
  The WOW6432Node path shows a 32-bit process writing the machine-wide Run key through registry redirection, which requires elevated rights (the sandbox ran the sample as Admin). The value points at the dropped MediaCenter.exe under the user's Temp directory, so the payload is started at every logon.
- Drops file in Windows directory (3 IoCs)
  Processes:
  - File opened for modification: C:\Windows\WinSxS\pending.xml by TiWorker.exe
  - File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat by svchost.exe
  - File opened for modification: C:\Windows\Logs\CBS\CBS.log by TiWorker.exe
  All three writes come from TiWorker.exe (PID 3356) and svchost.exe (PID 3432), which are separate top-level processes in the process tree with no link to the sample; this is Windows servicing and Delivery Optimization activity in the sandbox image, not sample behaviour.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  No process or IoC is attributed to this signature in the report, so it cannot be tied to the sample from the data here.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  - Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by MusNotifyIcon.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz by MusNotifyIcon.exe
  Both reads come from MusNotifyIcon.exe (PID 1308), the Windows Update tray-icon process, which is a separate top-level process in the tree and not the sample; the sandbox-evasion description does not apply to this hit.
- Modifies data under HKEY_USERS (50 IoCs)
  Processes: svchost.exe (PID 3432). All 50 entries are under \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\ (S-1-5-20 is the NETWORK SERVICE account); paths below are relative to that key.
  - Set value (int) Usage\DownloadMonthlyRateBkCnt = "0"
  - Set value (int) Usage\LANConnectionCount = "0"
  - Set value (int) Usage\BkDownloadRatePct = "45"
  - Set value (int) Usage\PriorityDownloadCount = "0"
  - Set value (int) Usage\MemoryUsageKB = "4196"
  - Key created (DeliveryOptimization)
  - Set value (int) Usage\UploadMonthlyLanBytes = "0"
  - Set value (str) Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
  - Set value (int) Usage\DownlinkBps = "0"
  - Set value (int) Config\DownloadMode_BackCompat = "1"
  - Set value (int) Usage\DownloadMonthlyRateFrCnt = "0"
  - Set value (int) Usage\DownloadMonthlyRateBkBps = "0"
  - Set value (int) Usage\MonthID = "2"
  - Set value (int) Usage\CacheSizeBytes = "0"
  - Set value (int) Usage\LinkLocalConnectionCount = "0"
  - Set value (int) Usage\GroupConnectionCount = "0"
  - Set value (int) Usage\UploadCount = "0"
  - Set value (int) Usage\UploadMonthlyInternetBytes = "0"
  - Set value (int) Usage\DownloadMonthlyLanBytes = "0"
  - Set value (int) Usage\NormalDownloadCount = "0"
  - Set value (int) Usage\UplinkBps = "0"
  - Set value (int) Usage\MemoryUsageKB = "4096"
  - Set value (int) Usage\MemoryUsageKB = "4180"
  - Set value (int) Usage\DownloadMonthlyInternetBytes = "0"
  - Set value (int) Usage\CDNConnectionCount = "0"
  - Set value (int) Usage\InternetConnectionCount = "0"
  - Set value (int) Usage\MonthlyUploadRestriction = "0"
  - Set value (str) Usage\CPUpct = "0.166113"
  - Key created Settings
  - Set value (int) Usage\DownloadMonthlyCdnBytes = "0"
  - Set value (int) Usage\PeerInfoCount = "0"
  - Set value (int) Usage\FrDownloadRatePct = "90"
  - Set value (str) Usage\CPUpct = "0.000000"
  - Set value (int) Config\DODownloadMode = "1"
  - Key created Usage
  - Set value (int) Usage\DownloadMonthlyRateFrBps = "0"
  - Set value (str) Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
  - Set value (int) Usage\SwarmCount = "1"
  - Set value (int) Usage\DownlinkUsageBps = "0"
  - Set value (int) Usage\UplinkUsageBps = "0"
  - Set value (int) Usage\UploadRatePct = "100"
  - Set value (int) Usage\DownloadMonthlyCacheHostBytes = "0"
  - Set value (int) Usage\DownloadMonthlyGroupBytes = "0"
  - Set value (int) Usage\NormalDownloadPendingCount = "0"
  - Set value (int) Config\KVFileExpirationTime = "132893120018328538"
  - Set value (int) Usage\PriorityDownloadPendingCount = "0"
  - Set value (str) Usage\CPUpct = "0.144927"
  - Set value (int) Usage\SwarmCount = "0"
  - Key created Config
  - Set value (int) Usage\DownloadMonthlyLinkLocalBytes = "0"
  None of these entries involve the sample: they are the Delivery Optimization service (svchost.exe -k NetworkService) initialising its own statistics and configuration, and can be disregarded when triaging this run.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  - Token: SeIncBasePriorityPrivilege, PID 3144, 06ed3918a3d4169db47075e428c3476eda9bc68ab74de1efe63efea2b707940d.exe
  - Token: SeSecurityPrivilege / SeRestorePrivilege / SeBackupPrivilege, PID 3356, TiWorker.exe (the remaining 63 entries, cycling through these three privileges)
  Only the first entry belongs to the sample. TiWorker.exe is the Windows Modules Installer worker, and backup, restore and security privileges are what it enables in order to write under C:\Windows\WinSxS; those 63 entries are servicing noise.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  - PID 3144 (06ed3918a3d4169db47075e428c3476eda9bc68ab74de1efe63efea2b707940d.exe) wrote to memory of PID 4080 (MediaCenter.exe), 3 entries
  - PID 3144 (06ed3918a3d4169db47075e428c3476eda9bc68ab74de1efe63efea2b707940d.exe) wrote to memory of PID 3692 (cmd.exe), 3 entries
  - PID 3692 (cmd.exe) wrote to memory of PID 2080 (PING.EXE), 3 entries
  Each target is the writer's own newly created child, which is the write pattern of ordinary process creation; no write into an unrelated process is recorded, so this signature is not evidence of injection here.
Processes
- C:\Users\Admin\AppData\Local\Temp\06ed3918a3d4169db47075e428c3476eda9bc68ab74de1efe63efea2b707940d.exe (PID 3144)
  Command line: "C:\Users\Admin\AppData\Local\Temp\06ed3918a3d4169db47075e428c3476eda9bc68ab74de1efe63efea2b707940d.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 4080, child of 3144)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 3692, child of 3144)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06ed3918a3d4169db47075e428c3476eda9bc68ab74de1efe63efea2b707940d.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 2080, child of 3692)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\MusNotifyIcon.exe (PID 1308)
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
- C:\Windows\System32\svchost.exe (PID 3432)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 3356)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

The sample's visible chain is short: it drops MediaCenter.exe into C:\Users\Admin\AppData\Local\Temp\MicroMedia, registers that path under the HKLM Run key, starts it, and then spawns cmd.exe to remove itself. The ping 127.0.0.1 is only a delay that lets the dropper exit before del /q deletes its file, so after the run the original sample is gone from disk and MediaCenter.exe plus the Run key are what remains for forensics.

cmd.exe was requested as C:\Windows\System32\cmd.exe but ran from C:\Windows\SysWOW64: the dropper is a 32-bit process, so WOW64 file-system redirection rewrote the path, the same mechanism that placed the Run key under WOW6432Node.

MusNotifyIcon.exe, svchost.exe (PID 3432) and TiWorker.exe are top-level processes with no parent relationship to the sample; their signature hits are background Windows Update and servicing activity in the sandbox image.
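The three behaviours the sample itself exhibits in this run (a Run-key value pointing into a user-writable path, self-deletion through cmd /c ping 127.0.0.1 & del, and the two file hashes) are the ones worth turning into detection logic. The following Python is an added example and not part of the sandbox report or of the sample: it runs those three checks over a constructed, Sysmon-like event list that mirrors the process tree above. The event schema (type, pid, ppid, image, cmdline, sha256, target, details), the dropper's parent PID and the event list itself are assumptions made for the example.

```python
"""Detection logic for the behaviours in this report, run over constructed
Sysmon-style events. Added example; the event records are constructed to
mirror the report's process tree and are not sandbox output. The field names
(type, pid, ppid, image, cmdline, sha256, target, details) are a simplified
schema assumed here, not Sysmon's exact field names."""
import re

# SHA-256 values copied from this report: the dropper and the dropped MediaCenter.exe.
KNOWN_BAD_SHA256 = {
    "06ed3918a3d4169db47075e428c3476eda9bc68ab74de1efe63efea2b707940d": "dropper",
    "aba6c9893ad69b98e9b5693f6914ab694a0a515dcc9d6c89d8e5f3885f229fd5": "MediaCenter.exe",
}

# Run/RunOnce under CurrentVersion, whether written directly or via WOW6432Node redirection.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# Persistence targets in user-writable locations deserve a closer look than Program Files.
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\(?:Local\\Temp|Roaming)|ProgramData|Users\\Public)\\", re.IGNORECASE)
# "ping <loopback>" used as a sleep so the parent can exit before the following del runs.
LOOPBACK_PING_RE = re.compile(
    r"\bping(?:\.exe)?\b[^&]*\b(?:127\.0\.0\.1|localhost|::1)\b", re.IGNORECASE)
# One "del [/switches] <path>" segment of a cmd.exe command line, quoted or not.
DEL_SEGMENT_RE = re.compile(r'(?:del|erase)\b((?:\s+/\w)*)\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def del_targets(cmdline):
    """Return the paths deleted by each `del` segment of a cmd.exe command line."""
    targets = []
    for segment in re.split(r"\s*&&?\s*", cmdline):
        m = DEL_SEGMENT_RE.match(segment)
        if m:
            targets.append(m.group(2))
    return targets


def finding(rule, pid, detail):
    return {"rule": rule, "pid": pid, "detail": detail}


def scan(events):
    """Apply the three checks to a list of events and return the findings."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = []
    for e in events:
        if e["type"] == "process_create":
            tag = KNOWN_BAD_SHA256.get(e.get("sha256", "").lower())
            if tag:
                findings.append(finding("known_bad_hash", e["pid"],
                                        f"{e['image']} is the {tag} from the report"))
            if LOOPBACK_PING_RE.search(e["cmdline"]):
                parent = procs.get(e.get("ppid"))
                for target in del_targets(e["cmdline"]):
                    # Strongest signal: the file being deleted is the parent's own image.
                    own_parent = parent is not None and target.lower() == parent["image"].lower()
                    detail = f"deletes {target}" + (
                        " (the parent process's own image)" if own_parent else "")
                    findings.append(finding("self_delete_via_ping", e["pid"], detail))
        elif e["type"] == "registry_set":
            if RUN_KEY_RE.search(e["target"]) and USER_WRITABLE_RE.search(e["details"]):
                findings.append(finding("run_key_to_user_writable_path", e["pid"],
                                        f"{e['target']} = {e['details']}"))
    return findings


# Constructed events mirroring the report's process tree. PIDs, paths and command lines
# are taken from the report; the dropper's parent PID (1000) and the layout are assumptions.
SAMPLE = "06ed3918a3d4169db47075e428c3476eda9bc68ab74de1efe63efea2b707940d"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE + ".exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
EVENTS = [
    {"type": "process_create", "pid": 3144, "ppid": 1000, "image": DROPPER,
     "cmdline": f'"{DROPPER}"', "sha256": SAMPLE},
    {"type": "registry_set", "pid": 3144, "image": DROPPER,
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "details": PAYLOAD},
    {"type": "process_create", "pid": 4080, "ppid": 3144, "image": PAYLOAD, "cmdline": PAYLOAD,
     "sha256": "aba6c9893ad69b98e9b5693f6914ab694a0a515dcc9d6c89d8e5f3885f229fd5"},
    {"type": "process_create", "pid": 3692, "ppid": 3144, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{DROPPER}"'},
    {"type": "process_create", "pid": 2080, "ppid": 3692, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Benign background process from the same run; must produce no finding.
    {"type": "process_create", "pid": 3432, "ppid": 700, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k NetworkService -p"},
]

if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"[{f['rule']}] pid={f['pid']} {f['detail']}")
```

The self-delete rule is strongest when the path handed to del is the parent's own image, which is exactly what the tree shows for PID 3692, and the ping-only child (PID 2080) produces no finding because it has no del segment. The Run-key rule matches the WOW6432Node key because it keys on the CurrentVersion\Run suffix rather than the full path, so 32-bit and 64-bit writers are caught alike.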
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 2295c5a1780a86c7570c34b3eaaa320d
  SHA1: 609b6f6fc5bee3c57034d62890f3f358cec41926
  SHA256: aba6c9893ad69b98e9b5693f6914ab694a0a515dcc9d6c89d8e5f3885f229fd5
  SHA512: c12b57e1289a3d0d53e41380ebdf17d0cd23b4a0383505f941d18e10d0ed62042a1ec7bebb04f8f9302f4ba5992fa603448603fde06d1b6bb2ca5c137c19b7c2