Analysis
- max time kernel: 159s
- max time network: 171s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 10:36
Static task: static1
Behavioral task: behavioral1
- Sample: 06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe
- Resource: win10v2004-en-20220112
General
- Target: 06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe
- Size: 60KB
- MD5: 98277bd1adff6b1265332dcce9ba70bd
- SHA1: 4cf764c6743f556ae168758b39e50266aceabc72
- SHA256: 06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b
- SHA512: 3d6204c817d1007d45d4c733b03cf43890044af71113ee946c7dffa5f1e09f4f024d4eee6692552444297b7771b51c201c06200d4e73efad5b3e90554e894e79
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe
  pid 3300, process MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process: 06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation (06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe)
- Drops file in Windows directory (3 IoCs)
  Processes: TiWorker.exe, svchost.exe
  File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat (svchost.exe)
  File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Process: MusNotifyIcon.exe
  Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (MusNotifyIcon.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (MusNotifyIcon.exe)
- Modifies data under HKEY_USERS (49 IoCs)
  Process: svchost.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exeTiWorker.exedescription pid process Token: SeIncBasePriorityPrivilege 3312 06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe Token: SeSecurityPrivilege 1160 TiWorker.exe Token: SeRestorePrivilege 1160 TiWorker.exe Token: SeBackupPrivilege 1160 TiWorker.exe Token: SeBackupPrivilege 1160 TiWorker.exe Token: SeRestorePrivilege 1160 TiWorker.exe Token: SeSecurityPrivilege 1160 TiWorker.exe Token: SeBackupPrivilege 1160 TiWorker.exe Token: SeRestorePrivilege 1160 TiWorker.exe Token: SeSecurityPrivilege 1160 TiWorker.exe Token: SeBackupPrivilege 1160 TiWorker.exe Token: SeRestorePrivilege 1160 TiWorker.exe Token: SeSecurityPrivilege 1160 TiWorker.exe Token: SeBackupPrivilege 1160 TiWorker.exe Token: SeRestorePrivilege 1160 TiWorker.exe Token: SeSecurityPrivilege 1160 TiWorker.exe Token: SeBackupPrivilege 1160 TiWorker.exe Token: SeRestorePrivilege 1160 TiWorker.exe Token: SeSecurityPrivilege 1160 TiWorker.exe Token: SeBackupPrivilege 1160 TiWorker.exe Token: SeRestorePrivilege 1160 TiWorker.exe Token: SeSecurityPrivilege 1160 TiWorker.exe Token: SeBackupPrivilege 1160 TiWorker.exe Token: SeRestorePrivilege 1160 TiWorker.exe Token: SeSecurityPrivilege 1160 TiWorker.exe Token: SeBackupPrivilege 1160 TiWorker.exe Token: SeRestorePrivilege 1160 TiWorker.exe Token: SeSecurityPrivilege 1160 TiWorker.exe Token: SeBackupPrivilege 1160 TiWorker.exe Token: SeRestorePrivilege 1160 TiWorker.exe Token: SeSecurityPrivilege 1160 TiWorker.exe Token: SeBackupPrivilege 1160 TiWorker.exe Token: SeRestorePrivilege 1160 TiWorker.exe Token: SeSecurityPrivilege 1160 TiWorker.exe Token: SeBackupPrivilege 1160 TiWorker.exe Token: SeRestorePrivilege 1160 TiWorker.exe Token: SeSecurityPrivilege 1160 TiWorker.exe Token: SeBackupPrivilege 1160 TiWorker.exe Token: SeRestorePrivilege 1160 TiWorker.exe Token: SeSecurityPrivilege 1160 TiWorker.exe Token: SeBackupPrivilege 1160 TiWorker.exe Token: SeRestorePrivilege 
1160 TiWorker.exe Token: SeSecurityPrivilege 1160 TiWorker.exe Token: SeBackupPrivilege 1160 TiWorker.exe Token: SeRestorePrivilege 1160 TiWorker.exe Token: SeSecurityPrivilege 1160 TiWorker.exe Token: SeBackupPrivilege 1160 TiWorker.exe Token: SeRestorePrivilege 1160 TiWorker.exe Token: SeSecurityPrivilege 1160 TiWorker.exe Token: SeBackupPrivilege 1160 TiWorker.exe Token: SeRestorePrivilege 1160 TiWorker.exe Token: SeSecurityPrivilege 1160 TiWorker.exe Token: SeBackupPrivilege 1160 TiWorker.exe Token: SeRestorePrivilege 1160 TiWorker.exe Token: SeSecurityPrivilege 1160 TiWorker.exe Token: SeBackupPrivilege 1160 TiWorker.exe Token: SeRestorePrivilege 1160 TiWorker.exe Token: SeSecurityPrivilege 1160 TiWorker.exe Token: SeBackupPrivilege 1160 TiWorker.exe Token: SeRestorePrivilege 1160 TiWorker.exe Token: SeSecurityPrivilege 1160 TiWorker.exe Token: SeBackupPrivilege 1160 TiWorker.exe Token: SeRestorePrivilege 1160 TiWorker.exe Token: SeSecurityPrivilege 1160 TiWorker.exe -
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe, cmd.exe
  PID 3312 wrote to memory of 3300: 06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe -> MediaCenter.exe
  PID 3312 wrote to memory of 3300: 06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe -> MediaCenter.exe
  PID 3312 wrote to memory of 3300: 06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe -> MediaCenter.exe
  PID 3312 wrote to memory of 2904: 06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe -> cmd.exe
  PID 3312 wrote to memory of 2904: 06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe -> cmd.exe
  PID 3312 wrote to memory of 2904: 06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe -> cmd.exe
  PID 2904 wrote to memory of 684: cmd.exe -> PING.EXE
  PID 2904 wrote to memory of 684: cmd.exe -> PING.EXE
  PID 2904 wrote to memory of 684: cmd.exe -> PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3312
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (child)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 3300
  - C:\Windows\SysWOW64\cmd.exe (child)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2904
    - C:\Windows\SysWOW64\PING.EXE (child)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 684
- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
  PID: 1460
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 3408
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1160
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 1a2f7f26b0b3a2560294a437a57b91d0
  SHA1: 5a281321494723e82791c7c7aa83881c86bec6ee
  SHA256: 4a489060c7c891d27a950d818940ca257f26dec908bc89568d3f7ee1a36f37ee
  SHA512: c146a9a954b2952eda7696519716863a17c8fc35b769440f7dcf14c9ed9ef59d184c58b50d6af0f0f9f07e7105e2b319df2fbb3522b8caea5ecc0e438c1447c2