Analysis
max time kernel: 148s
max time network: 176s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 10:50

Static task: static1
Behavioral task behavioral1: sample 060430bf5a317aad42dbc964c406e3a9a66a7525d60136d55f0dd5901b81a5b8.exe, resource win7-en-20211208
Behavioral task behavioral2: sample 060430bf5a317aad42dbc964c406e3a9a66a7525d60136d55f0dd5901b81a5b8.exe, resource win10v2004-en-20220112

The results below are from behavioral2 (resource win10v2004-en-20220112, platform windows10-2004_x64).
General
Target: 060430bf5a317aad42dbc964c406e3a9a66a7525d60136d55f0dd5901b81a5b8.exe
Size: 58KB
MD5: b56d1b4abf55a0b333f145dad7b52ecb
SHA1: 925d2dd7f9cfa1b53a27724cf9852d6cc6725568
SHA256: 060430bf5a317aad42dbc964c406e3a9a66a7525d60136d55f0dd5901b81a5b8
SHA512: 16d049f21ccb48bb845d1e69ac233a15236035c48b9677992c48c8a14b8229e9edc6ba6792a56fae5c74272a17c476840f009cf1100b27826927f1b4f8ee631d
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  process: MediaCenter.exe (PID 2384)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  process: 060430bf5a317aad42dbc964c406e3a9a66a7525d60136d55f0dd5901b81a5b8.exe
  key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation
  Geo\Nation holds the region configured for that user profile (the Location setting in Control Panel), so a geofence keyed on it responds to the configured locale, not to the network location; a run with a different region setting may show different behaviour.
- Adds Run key to start application (2 TTPs, 1 IoC)
  process: 060430bf5a317aad42dbc964c406e3a9a66a7525d60136d55f0dd5901b81a5b8.exe
  set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  The value lands under WOW6432Node, and the child cmd.exe runs from C:\Windows\SysWOW64 although it was invoked as C:\Windows\System32\cmd.exe: the sample is a 32-bit process and both its HKLM write and its System32 lookup were redirected by WOW64. When hunting on 64-bit hosts, check the WOW6432Node Run key as well as the native one. The write to HKLM requires administrative rights, so the sample ran elevated in this environment (as the user Admin), and the persisted executable sits in the user's Temp directory, a location any standard user can write to.
- Drops file in Windows directory (3 IoCs)
  svchost.exe: file opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat
  TiWorker.exe: file opened for modification C:\Windows\Logs\CBS\CBS.log
  TiWorker.exe: file opened for modification C:\Windows\WinSxS\pending.xml
  Both processes are Windows components (Delivery Optimization inside the NetworkService svchost, PID 1208, and the servicing stack worker TiWorker.exe, PID 4092) running as separate top-level processes, not descendants of the sample; treat these entries as background activity of the analysis VM.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  No IoC or process is attributed to this signature in this run, so it cannot be tied to the sample from this report alone.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  MusNotifyIcon.exe (PID 1800): key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  MusNotifyIcon.exe (PID 1800): key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  The only process attributed is MusNotifyIcon.exe, a Windows Update notification component started separately from the sample, so this signature is not evidence of sandbox detection by the sample.
- Modifies data under HKEY_USERS (50 IoCs)
  All 50 entries are svchost.exe (PID 1208, the NetworkService host) writing Delivery Optimization state; none is attributed to the sample. Paths below are relative to \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization.
  Key created: DeliveryOptimization (the base key)
  Key created: Settings
  Set value (int): Usage\DownloadMonthlyGroupBytes = 0
  Set value (int): Usage\DownloadMonthlyRateFrCnt = 0
  Set value (int): Usage\FrDownloadRatePct = 90
  Set value (int): Usage\MemoryUsageKB = 4304
  Key created: Usage
  Set value (int): Usage\DownloadMonthlyLinkLocalBytes = 0
  Set value (int): Usage\MonthID = 2
  Set value (int): Usage\BkDownloadRatePct = 45
  Set value (str): Usage\CPUpct = "0.168350"
  Set value (int): Usage\GroupConnectionCount = 0
  Set value (int): Usage\InternetConnectionCount = 0
  Set value (int): Usage\DownlinkBps = 0
  Set value (int): Config\DODownloadMode = 1
  Set value (int): Usage\DownloadMonthlyInternetBytes = 0
  Set value (int): Usage\DownloadMonthlyLanBytes = 0
  Set value (int): Usage\DownloadMonthlyRateBkCnt = 0
  Set value (int): Usage\CacheSizeBytes = 0
  Set value (int): Usage\PriorityDownloadCount = 0
  Set value (str): Usage\CPUpct = "0.000000"
  Set value (int): Usage\DownloadMonthlyRateFrBps = 0
  Set value (str): Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
  Set value (int): Usage\LinkLocalConnectionCount = 0
  Set value (int): Usage\MemoryUsageKB = 4312
  Set value (str): Usage\CPUpct = "5.633818"
  Set value (int): Config\DownloadMode_BackCompat = 1
  Set value (int): Usage\CDNConnectionCount = 0
  Set value (int): Usage\LANConnectionCount = 0
  Set value (int): Usage\UploadRatePct = 100
  Set value (int): Usage\PriorityDownloadPendingCount = 0
  Set value (int): Usage\NormalDownloadCount = 0
  Key created: Config
  Set value (int): Usage\UploadMonthlyInternetBytes = 0
  Set value (int): Usage\DownloadMonthlyRateBkBps = 0
  Set value (str): Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
  Set value (int): Usage\UplinkUsageBps = 0
  Set value (int): Usage\PeerInfoCount = 0
  Set value (int): Usage\UploadCount = 0
  Set value (int): Usage\NormalDownloadPendingCount = 0
  Set value (int): Usage\MemoryUsageKB = 4096
  Set value (int): Usage\SwarmCount = 0
  Set value (int): Usage\DownlinkUsageBps = 0
  Set value (int): Usage\UplinkBps = 0
  Set value (int): Usage\MonthlyUploadRestriction = 0
  Set value (int): Usage\UploadMonthlyLanBytes = 0
  Set value (int): Usage\DownloadMonthlyCdnBytes = 0
  Set value (int): Usage\DownloadMonthlyCacheHostBytes = 0
  Set value (int): Config\KVFileExpirationTime = 132893142320964384
  Set value (int): Usage\SwarmCount = 1
- Runs ping.exe (1 TTP, 1 IoC)
  process: PING.EXE (PID 1220), command line ping 127.0.0.1, spawned by cmd.exe (PID 4048). The ping to loopback is the delay before del /q removes the original sample file (see the process tree), a common self-deletion pattern.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  060430bf5a317aad42dbc964c406e3a9a66a7525d60136d55f0dd5901b81a5b8.exe (PID 1020): Token: SeIncBasePriorityPrivilege
  TiWorker.exe (PID 4092): the other 63 listed entries, repeatedly enabling SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege. TiWorker.exe is the servicing stack worker running as a separate top-level process; these entries are unrelated to the sample. The only privilege the sample itself enabled is SeIncBasePriorityPrivilege.
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 1020 (060430bf5a317aad42dbc964c406e3a9a66a7525d60136d55f0dd5901b81a5b8.exe) wrote to memory of PID 2384 (MediaCenter.exe), 3 entries
  PID 1020 (060430bf5a317aad42dbc964c406e3a9a66a7525d60136d55f0dd5901b81a5b8.exe) wrote to memory of PID 4048 (cmd.exe), 3 entries
  PID 4048 (cmd.exe) wrote to memory of PID 1220 (PING.EXE), 3 entries
  Every target is a child that the writing process itself spawned (see the process tree), and the report carries no thread-creation or hollowing signature alongside these writes; this is consistent with ordinary process creation rather than injection into a pre-existing process.
Processes
Indentation shows parent/child relationships; the four unindented entries are independent top-level processes.

C:\Users\Admin\AppData\Local\Temp\060430bf5a317aad42dbc964c406e3a9a66a7525d60136d55f0dd5901b81a5b8.exe (PID 1020)
  command line: "C:\Users\Admin\AppData\Local\Temp\060430bf5a317aad42dbc964c406e3a9a66a7525d60136d55f0dd5901b81a5b8.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 2384)
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe (PID 4048)
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\060430bf5a317aad42dbc964c406e3a9a66a7525d60136d55f0dd5901b81a5b8.exe"
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE (PID 1220)
          command line: ping 127.0.0.1
          - Runs ping.exe

C:\Windows\system32\MusNotifyIcon.exe (PID 1800)
  command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry

C:\Windows\System32\svchost.exe (PID 1208)
  command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 4092)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
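Detection logic for the two behaviours the report attributes to the sample (the Run value under WOW6432Node pointing into the user's Temp directory, and the cmd.exe /c ping 127.0.0.1 & del /q self-deletion), written here as an added example; it is not code from the sandbox or from the sample. The event records are constructed in Sysmon's field vocabulary (Event ID 1 process creation with Image, ParentImage and CommandLine; Event ID 13 registry value set with TargetObject and Details), which is an assumption of the example. The values mirror the report; the two extra events (a Delivery Optimization counter written by svchost.exe and a vendor Run value in Program Files) are constructed negative cases that must not fire.

```python
# Added example (not code from the sandbox or from the sample): detection logic for
# the two behaviours the report attributes to the sample, run over constructed
# Sysmon-style event records. Field names follow Sysmon (Event ID 1 = process
# creation, Event ID 13 = registry value set) and are an assumption of this
# example; the two benign events are constructed negative cases.
import re
from dataclasses import dataclass

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\060430bf5a317aad42dbc964c406e3a9a66a7525d60136d55f0dd5901b81a5b8.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events mirroring the report (not captured from the run).
EVENTS = [
    {"event_id": 13, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "details": DROPPED},
    {"event_id": 1, "image": DROPPED, "parent_image": SAMPLE, "command_line": DROPPED},
    {"event_id": 1, "image": r"C:\Windows\SysWOW64\cmd.exe", "parent_image": SAMPLE,
     "command_line": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'},
    # Negative cases: a Delivery Optimization counter like those the report lists for
    # svchost.exe, and a vendor Run value that points into Program Files.
    {"event_id": 13, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID",
     "details": "DWORD (0x00000002)"},
    {"event_id": 13, "image": r"C:\Program Files\Vendor\Updater.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r'"C:\Program Files\Vendor\Updater.exe" /tray'},
]

# Run and RunOnce, under either the native or the WOW6432Node view of the hive.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.I)
# Locations a standard user can write to; a Run value pointing here is the report's pattern.
USER_WRITABLE_RE = re.compile(
    r"^[A-Z]:\\(?:Users\\[^\\]+\\AppData\\(?:Local|LocalLow|Roaming)\\|ProgramData\\|Users\\Public\\)",
    re.I)
# "cmd /c ping <host> & del /q <path>": ping (or timeout) waits until the parent has
# exited and released its image file, then del removes it. Group 1 is the deleted path.
SELF_DELETE_RE = re.compile(
    r'cmd(?:\.exe)?"?\s+/c\s+(?:ping|timeout)\b[^&]*&{1,2}\s*del\b(?:\s+/\w+)*\s+"?([^"&]+?)"?\s*(?:&|$)',
    re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str   # image path the finding is attributed to
    evidence: str


def _exe_path(value: str) -> str:
    """Executable path from a Run value: quoted ("C:\\a b\\x.exe" /arg) or bare (C:\\x.exe /arg)."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" ", 1)[0]


def find_run_key_persistence(events):
    """Run/RunOnce values whose executable lives where a standard user can write."""
    found = []
    for e in events:
        if e.get("event_id") != 13 or not RUN_KEY_RE.search(e.get("target", "")):
            continue
        exe = _exe_path(e.get("details", ""))
        if USER_WRITABLE_RE.match(exe):
            found.append(Finding("run_key_user_writable_path", e["image"], f'{e["target"]} = {exe}'))
    return found


def find_self_deletion(events):
    """cmd.exe spawned to wait and then delete the image of its own parent."""
    found = []
    for e in events:
        if e.get("event_id") != 1:
            continue
        m = SELF_DELETE_RE.search(e.get("command_line", ""))
        if m and m.group(1).strip().lower() == e.get("parent_image", "").lower():
            found.append(Finding("self_delete_via_ping", e["parent_image"], e["command_line"]))
    return found


def find_dropped_exe_execution(events):
    """A process started from a user-writable path by a parent that also runs from one."""
    return [Finding("dropped_exe_executed", e["image"], f'parent {e["parent_image"]}')
            for e in events
            if e.get("event_id") == 1
            and USER_WRITABLE_RE.match(e.get("image", ""))
            and USER_WRITABLE_RE.match(e.get("parent_image", ""))]


def run_all(events):
    return (find_run_key_persistence(events) + find_self_deletion(events)
            + find_dropped_exe_execution(events))


if __name__ == "__main__":
    for f in run_all(EVENTS):
        print(f"{f.rule:28} {f.process}\n    {f.evidence}")
```

Two design points: the Run-key rule keys on where the persisted executable lives rather than on its name, so the MicroMedia value name never appears in the logic and a renamed variant is still caught; and the self-deletion rule only fires when the path handed to del is the parent's own image, so a legitimate cleanup script that deletes some other file is not flagged. Running the module directly prints the three findings for the constructed events.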
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 52c635299101d7e89f1b18a17c6bbd0e
  SHA1: e3076be23e44c63cf7ffa47f971061e3345fbb12
  SHA256: 8740a5c9f80dbcc624c13e0222a5e23ee5c2d225f37da73c4b13d13dec689e55
  SHA512: 9db82b081204a81f6f5db3b71e2d8eb5e9e7e7b3853f8662c19691258c05c2b61c93f692abbe8cdd0ed2c5cb754fbfb1a8cc36c550d69b55478d16772ce78697
  The dropped file's hashes differ from the submitted sample's, so MediaCenter.exe is a distinct payload carried by the dropper rather than a copy of it. It is the file the Run value points to, and the one to collect and hash when confirming infection on a host, since the original sample deletes itself after dropping it.