Analysis
max time kernel: 172s
max time network: 184s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 10:54
Static task: static1
Behavioral task: behavioral1
  Sample: 05d8c8070d5f4514166442230f1f1b35114a6fe1cf0dba98ead5d46bd1a32494.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 05d8c8070d5f4514166442230f1f1b35114a6fe1cf0dba98ead5d46bd1a32494.exe
  Resource: win10v2004-en-20220112
General
Target: 05d8c8070d5f4514166442230f1f1b35114a6fe1cf0dba98ead5d46bd1a32494.exe
Size: 58KB
MD5: 5ac575469a24de65969a17c2f244ac45
SHA1: b2043f6dec1426bb018d7d9927e8cb43063faf22
SHA256: 05d8c8070d5f4514166442230f1f1b35114a6fe1cf0dba98ead5d46bd1a32494
SHA512: 0cb41d4827fbc675c041792b91420e41233729018cec1fc6006a36f6976d3b7954299711650be2d63dabdb36748fd7b3dd6dac33fe0d86ebce0f650facbb9f91
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
  pid | process
  1900 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 05d8c8070d5f4514166442230f1f1b35114a6fe1cf0dba98ead5d46bd1a32494.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 05d8c8070d5f4514166442230f1f1b35114a6fe1cf0dba98ead5d46bd1a32494.exe
Drops file in Windows directory (3 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
Modifies data under HKEY_USERS (51 IoCs)
Processes: svchost.exe (DeliveryOptimization keys under \REGISTRY\USER\S-1-5-20)
Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: TiWorker.exe (pid 2988)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description | pid | process | target process
  PID 3076 wrote to memory of 1900 | 3076 | 05d8c8070d5f4514166442230f1f1b35114a6fe1cf0dba98ead5d46bd1a32494.exe | MediaCenter.exe
  PID 3076 wrote to memory of 1900 | 3076 | 05d8c8070d5f4514166442230f1f1b35114a6fe1cf0dba98ead5d46bd1a32494.exe | MediaCenter.exe
  PID 3076 wrote to memory of 1900 | 3076 | 05d8c8070d5f4514166442230f1f1b35114a6fe1cf0dba98ead5d46bd1a32494.exe | MediaCenter.exe
  PID 3076 wrote to memory of 2212 | 3076 | 05d8c8070d5f4514166442230f1f1b35114a6fe1cf0dba98ead5d46bd1a32494.exe | cmd.exe
  PID 3076 wrote to memory of 2212 | 3076 | 05d8c8070d5f4514166442230f1f1b35114a6fe1cf0dba98ead5d46bd1a32494.exe | cmd.exe
  PID 3076 wrote to memory of 2212 | 3076 | 05d8c8070d5f4514166442230f1f1b35114a6fe1cf0dba98ead5d46bd1a32494.exe | cmd.exe
  PID 2212 wrote to memory of 3504 | 2212 | cmd.exe | PING.EXE
  PID 2212 wrote to memory of 3504 | 2212 | cmd.exe | PING.EXE
  PID 2212 wrote to memory of 3504 | 2212 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\05d8c8070d5f4514166442230f1f1b35114a6fe1cf0dba98ead5d46bd1a32494.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\05d8c8070d5f4514166442230f1f1b35114a6fe1cf0dba98ead5d46bd1a32494.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 3076
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1900
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\05d8c8070d5f4514166442230f1f1b35114a6fe1cf0dba98ead5d46bd1a32494.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2212
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3504
C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 0
  - Checks processor information in registry
  PID: 2268
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 660
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2988
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5: 6c9ae8cf7756883f3f1b848d3a0fdebe
SHA1: d1cb276ce0ab9ba9dddb2868f39955c7960cc85a
SHA256: 46ec7f4af51dc51b58c7c4b7bf0d13113111318f4d0f8276c1a4331a79c3e188
SHA512: 19ead1d989e33ca4f589323b58d91ad8a4107a2aea1cd1da39e0f2645ea545629c8d7a00e3dc6b3b4d46ccd761d32fac9fc1d22c67e8c2285a9d7adc40ecb0e4