Analysis
max time kernel: 172s
max time network: 184s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 10:36
Static task: static1
Behavioral task: behavioral1
  Sample: 06bd1dc33846dc49a26d4ffd83c0750c6927d1756682073a86ae49f4ab0aa278.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 06bd1dc33846dc49a26d4ffd83c0750c6927d1756682073a86ae49f4ab0aa278.exe
  Resource: win10v2004-en-20220112
General
Target: 06bd1dc33846dc49a26d4ffd83c0750c6927d1756682073a86ae49f4ab0aa278.exe
Size: 60KB
MD5: 62445e96c7cc3c8a7d53f96de17968bf
SHA1: a912e166f72047c2a50a600a2535080f351dfa4f
SHA256: 06bd1dc33846dc49a26d4ffd83c0750c6927d1756682073a86ae49f4ab0aa278
SHA512: 59683b8d725cc3e5cb56e6083621fb80aca05cd1a67a9c8162217233ff2874df941f3407c74973ced8af453dda216183e5108f9fbf488fe4846dab634937c840
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  2836 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 06bd1dc33846dc49a26d4ffd83c0750c6927d1756682073a86ae49f4ab0aa278.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 06bd1dc33846dc49a26d4ffd83c0750c6927d1756682073a86ae49f4ab0aa278.exe
Drops file in Windows directory (3 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
Modifies data under HKEY_USERS (53 IoCs)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4336" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.104094" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "90228624" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "1157726" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.207125" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "17.857420" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132893133579527647" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4092" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "4" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | svchost.exe
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description | pid | process
  Token: SeSecurityPrivilege | 2512 | TiWorker.exe
  Token: SeRestorePrivilege | 2512 | TiWorker.exe
  Token: SeBackupPrivilege | 2512 | TiWorker.exe
  Token: SeIncBasePriorityPrivilege | 1844 | 06bd1dc33846dc49a26d4ffd83c0750c6927d1756682073a86ae49f4ab0aa278.exe
  Token: SeBackupPrivilege | 2512 | TiWorker.exe
  Token: SeRestorePrivilege | 2512 | TiWorker.exe
  Token: SeSecurityPrivilege | 2512 | TiWorker.exe
  Token: SeBackupPrivilege | 2512 | TiWorker.exe
  Token: SeRestorePrivilege | 2512 | TiWorker.exe
  Token: SeSecurityPrivilege | 2512 | TiWorker.exe
  Token: SeBackupPrivilege | 2512 | TiWorker.exe
  Token: SeRestorePrivilege | 2512 | TiWorker.exe
  Token: SeSecurityPrivilege | 2512 | TiWorker.exe
  Token: SeBackupPrivilege | 2512 | TiWorker.exe
  Token: SeRestorePrivilege | 2512 | TiWorker.exe
  Token: SeSecurityPrivilege | 2512 | TiWorker.exe
  Token: SeBackupPrivilege | 2512 | TiWorker.exe
  Token: SeRestorePrivilege | 2512 | TiWorker.exe
  Token: SeSecurityPrivilege | 2512 | TiWorker.exe
  Token: SeBackupPrivilege | 2512 | TiWorker.exe
  Token: SeRestorePrivilege | 2512 | TiWorker.exe
  Token: SeSecurityPrivilege | 2512 | TiWorker.exe
  Token: SeBackupPrivilege | 2512 | TiWorker.exe
  Token: SeRestorePrivilege | 2512 | TiWorker.exe
  Token: SeSecurityPrivilege | 2512 | TiWorker.exe
  Token: SeBackupPrivilege | 2512 | TiWorker.exe
  Token: SeRestorePrivilege | 2512 | TiWorker.exe
  Token: SeSecurityPrivilege | 2512 | TiWorker.exe
  Token: SeBackupPrivilege | 2512 | TiWorker.exe
  Token: SeRestorePrivilege | 2512 | TiWorker.exe
  Token: SeSecurityPrivilege | 2512 | TiWorker.exe
  Token: SeBackupPrivilege | 2512 | TiWorker.exe
  Token: SeRestorePrivilege | 2512 | TiWorker.exe
  Token: SeSecurityPrivilege | 2512 | TiWorker.exe
  Token: SeBackupPrivilege | 2512 | TiWorker.exe
  Token: SeRestorePrivilege | 2512 | TiWorker.exe
  Token: SeSecurityPrivilege | 2512 | TiWorker.exe
  Token: SeBackupPrivilege | 2512 | TiWorker.exe
  Token: SeRestorePrivilege | 2512 | TiWorker.exe
  Token: SeSecurityPrivilege | 2512 | TiWorker.exe
  Token: SeBackupPrivilege | 2512 | TiWorker.exe
  Token: SeRestorePrivilege | 2512 | TiWorker.exe
  Token: SeSecurityPrivilege | 2512 | TiWorker.exe
  Token: SeBackupPrivilege | 2512 | TiWorker.exe
  Token: SeRestorePrivilege | 2512 | TiWorker.exe
  Token: SeSecurityPrivilege | 2512 | TiWorker.exe
  Token: SeBackupPrivilege | 2512 | TiWorker.exe
  Token: SeRestorePrivilege | 2512 | TiWorker.exe
  Token: SeSecurityPrivilege | 2512 | TiWorker.exe
  Token: SeBackupPrivilege | 2512 | TiWorker.exe
  Token: SeRestorePrivilege | 2512 | TiWorker.exe
  Token: SeSecurityPrivilege | 2512 | TiWorker.exe
  Token: SeBackupPrivilege | 2512 | TiWorker.exe
  Token: SeRestorePrivilege | 2512 | TiWorker.exe
  Token: SeSecurityPrivilege | 2512 | TiWorker.exe
  Token: SeBackupPrivilege | 2512 | TiWorker.exe
  Token: SeRestorePrivilege | 2512 | TiWorker.exe
  Token: SeSecurityPrivilege | 2512 | TiWorker.exe
  Token: SeBackupPrivilege | 2512 | TiWorker.exe
  Token: SeRestorePrivilege | 2512 | TiWorker.exe
  Token: SeSecurityPrivilege | 2512 | TiWorker.exe
  Token: SeBackupPrivilege | 2512 | TiWorker.exe
  Token: SeRestorePrivilege | 2512 | TiWorker.exe
  Token: SeSecurityPrivilege | 2512 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description | pid | process | target process
  PID 1844 wrote to memory of 2836 | 1844 | 06bd1dc33846dc49a26d4ffd83c0750c6927d1756682073a86ae49f4ab0aa278.exe | MediaCenter.exe
  PID 1844 wrote to memory of 2836 | 1844 | 06bd1dc33846dc49a26d4ffd83c0750c6927d1756682073a86ae49f4ab0aa278.exe | MediaCenter.exe
  PID 1844 wrote to memory of 2836 | 1844 | 06bd1dc33846dc49a26d4ffd83c0750c6927d1756682073a86ae49f4ab0aa278.exe | MediaCenter.exe
  PID 1844 wrote to memory of 2908 | 1844 | 06bd1dc33846dc49a26d4ffd83c0750c6927d1756682073a86ae49f4ab0aa278.exe | cmd.exe
  PID 1844 wrote to memory of 2908 | 1844 | 06bd1dc33846dc49a26d4ffd83c0750c6927d1756682073a86ae49f4ab0aa278.exe | cmd.exe
  PID 1844 wrote to memory of 2908 | 1844 | 06bd1dc33846dc49a26d4ffd83c0750c6927d1756682073a86ae49f4ab0aa278.exe | cmd.exe
  PID 2908 wrote to memory of 3548 | 2908 | cmd.exe | PING.EXE
  PID 2908 wrote to memory of 3548 | 2908 | cmd.exe | PING.EXE
  PID 2908 wrote to memory of 3548 | 2908 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\06bd1dc33846dc49a26d4ffd83c0750c6927d1756682073a86ae49f4ab0aa278.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06bd1dc33846dc49a26d4ffd83c0750c6927d1756682073a86ae49f4ab0aa278.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1844
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 2836
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06bd1dc33846dc49a26d4ffd83c0750c6927d1756682073a86ae49f4ab0aa278.exe"
      - Suspicious use of WriteProcessMemory
      PID: 2908
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          - Runs ping.exe
          PID: 3548
C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
  PID: 2904
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 3900
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2512
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: b34e51c4771e9b599fbfe1eae4567f4c
  SHA1: ade70ca0abee807a99ff12e8c7af1e2312037cd1
  SHA256: daffb52471e27829a23cbf8e0c1bd3f1468d97fa74ed86ed09e98e4e34887c98
  SHA512: 892e611da7fff00fc2ebe4bb8f6c5acb7f6148964f4d39370b73a13f6954f4a37fc08b788556aeb399c0916dd968c16a8989e3109c316fcf9d08d00cbd48618c