Analysis
- max time kernel: 191s
- max time network: 209s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 11:12
Static task: static1
Behavioral task: behavioral1
  Sample: 050138a9d7f9e33dd57fb70f61aeb66ae68d950c3f851e62567adb146a8a6c3a.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 050138a9d7f9e33dd57fb70f61aeb66ae68d950c3f851e62567adb146a8a6c3a.exe
  Resource: win10v2004-en-20220112
General
- Target: 050138a9d7f9e33dd57fb70f61aeb66ae68d950c3f851e62567adb146a8a6c3a.exe
- Size: 58KB
- MD5: 0758dfc725cb094cd9801b0c83de0561
- SHA1: cf980ea496395384722c7ca34b302aec485c2dde
- SHA256: 050138a9d7f9e33dd57fb70f61aeb66ae68d950c3f851e62567adb146a8a6c3a
- SHA512: 2b131b3b19765fe44b44ed6604f5114636aa5d1cb34826b1ed480664c835bb8b7ed681b9be5c1ce3026c1739e785c32ce0f110844d4a816b8829a135055e35d2
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid 3268, process MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation by 050138a9d7f9e33dd57fb70f61aeb66ae68d950c3f851e62567adb146a8a6c3a.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" by 050138a9d7f9e33dd57fb70f61aeb66ae68d950c3f851e62567adb146a8a6c3a.exe
- Drops file in Windows directory (3 IoCs)
  Processes:
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat by svchost.exe
  File opened for modification: C:\Windows\Logs\CBS\CBS.log by TiWorker.exe
  File opened for modification: C:\Windows\WinSxS\pending.xml by TiWorker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (56 IoCs)
  Processes: svchost.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: TiWorker.exe, 050138a9d7f9e33dd57fb70f61aeb66ae68d950c3f851e62567adb146a8a6c3a.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (pid process -> target process):
  1996 050138a9d7f9e33dd57fb70f61aeb66ae68d950c3f851e62567adb146a8a6c3a.exe wrote to memory of 3268 MediaCenter.exe
  1996 050138a9d7f9e33dd57fb70f61aeb66ae68d950c3f851e62567adb146a8a6c3a.exe wrote to memory of 3268 MediaCenter.exe
  1996 050138a9d7f9e33dd57fb70f61aeb66ae68d950c3f851e62567adb146a8a6c3a.exe wrote to memory of 3268 MediaCenter.exe
  1996 050138a9d7f9e33dd57fb70f61aeb66ae68d950c3f851e62567adb146a8a6c3a.exe wrote to memory of 3796 cmd.exe
  1996 050138a9d7f9e33dd57fb70f61aeb66ae68d950c3f851e62567adb146a8a6c3a.exe wrote to memory of 3796 cmd.exe
  1996 050138a9d7f9e33dd57fb70f61aeb66ae68d950c3f851e62567adb146a8a6c3a.exe wrote to memory of 3796 cmd.exe
  3796 cmd.exe wrote to memory of 3996 PING.EXE
  3796 cmd.exe wrote to memory of 3996 PING.EXE
  3796 cmd.exe wrote to memory of 3996 PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\050138a9d7f9e33dd57fb70f61aeb66ae68d950c3f851e62567adb146a8a6c3a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\050138a9d7f9e33dd57fb70f61aeb66ae68d950c3f851e62567adb146a8a6c3a.exe"
  PID: 1996
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 3268
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\050138a9d7f9e33dd57fb70f61aeb66ae68d950c3f851e62567adb146a8a6c3a.exe"
    PID: 3796
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 3996
      - Runs ping.exe
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  PID: 544
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 4016
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: cb611ebfcd6b8af8ee6dcbad767612f0
  SHA1: a2bc262f64e10cbebed1f6f138715b2fa559afd9
  SHA256: 7c0b1475d179dc48311858d2237644867de456efda8d3075f418ab5317a8c8bd
  SHA512: 2915a5ae2f3de2af5555b734ff259c85275282744e9ff5c6abb3d6332230550369872d421c8e700497d6cbb5b324153b55cac9711ed21270314224f8921ced8c