Analysis
- max time kernel: 154s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 11:15
Static task: static1
Behavioral task: behavioral1
  Sample: 04e0f082c6274ba406063e11597459301b12d8e9168f168a58f2801efe5d35cf.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 04e0f082c6274ba406063e11597459301b12d8e9168f168a58f2801efe5d35cf.exe
  Resource: win10v2004-en-20220112
General
- Target: 04e0f082c6274ba406063e11597459301b12d8e9168f168a58f2801efe5d35cf.exe
- Size: 58KB
- MD5: 04a977278a8e308e8d30d383cab8efd2
- SHA1: 4950d6516243a763ff82b462f6be612a773388b7
- SHA256: 04e0f082c6274ba406063e11597459301b12d8e9168f168a58f2801efe5d35cf
- SHA512: cc0ddcf6532069175b89b663cf31f527289849c2e0e997c7cadd23fc6c03c1576d07b78ff7b9c349825f636d2a7bdde55b9bd1157ba9a6915146e7de211de083
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | process
  3600 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check. Geo\Nation holds the user's configured GeoID; legitimate software reads it too, so on its own this is a weak indicator.
  Processes: 04e0f082c6274ba406063e11597459301b12d8e9168f168a58f2801efe5d35cf.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 04e0f082c6274ba406063e11597459301b12d8e9168f168a58f2801efe5d35cf.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Machine-wide Run entry pointing at the dropped MediaCenter.exe in the user's Temp directory; this is the persistence mechanism for the dropped file. The key sits under WOW6432Node because the sample is a 32-bit process and its HKLM\SOFTWARE write is redirected.
  Processes: 04e0f082c6274ba406063e11597459301b12d8e9168f168a58f2801efe5d35cf.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 04e0f082c6274ba406063e11597459301b12d8e9168f168a58f2801efe5d35cf.exe
- Drops file in Windows directory (3 IoCs)
  Both processes are Windows components (Delivery Optimization and the servicing stack) running as separate root processes in the process tree, not descendants of the sample; treat these as background activity of the analysis VM.
  Processes: svchost.exe, TiWorker.exe
  description | ioc | process
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description associates this with ransomware, but no specific IoC or process is recorded for this signature in the report.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments. Here the reading process is MusNotifyIcon.exe, a Windows component running as a separate root process, not the sample.
  Processes: MusNotifyIcon.exe
  description | ioc | process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
- Modifies data under HKEY_USERS (49 IoCs)
  All entries are Delivery Optimization bookkeeping written by svchost.exe -k NetworkService (S-1-5-20 is the NETWORK SERVICE SID), a root process unrelated to the sample. Every ioc below is relative to \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization.
  Processes: svchost.exe
  description | ioc | process
  Set value (int) | Config\DODownloadMode = "1" | svchost.exe
  Key created | Usage | svchost.exe
  Set value (int) | Config\KVFileExpirationTime = "132893159079701132" | svchost.exe
  Set value (str) | Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | svchost.exe
  Set value (int) | Usage\LANConnectionCount = "0" | svchost.exe
  Set value (int) | Usage\GroupConnectionCount = "0" | svchost.exe
  Set value (int) | Usage\InternetConnectionCount = "0" | svchost.exe
  Set value (int) | Usage\DownlinkBps = "0" | svchost.exe
  Set value (int) | Usage\MonthlyUploadRestriction = "0" | svchost.exe
  Set value (int) | Usage\NormalDownloadCount = "0" | svchost.exe
  Set value (int) | Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
  Set value (int) | Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
  Set value (int) | Usage\UplinkBps = "0" | svchost.exe
  Set value (int) | Usage\UplinkUsageBps = "0" | svchost.exe
  Set value (int) | Usage\UploadRatePct = "100" | svchost.exe
  Set value (int) | Usage\MemoryUsageKB = "4092" | svchost.exe
  Key created | Config | svchost.exe
  Set value (int) | Usage\DownloadMonthlyLinkLocalBytes = "0" | svchost.exe
  Set value (int) | Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
  Set value (int) | Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe
  Set value (str) | Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | svchost.exe
  Set value (int) | Usage\SwarmCount = "1" | svchost.exe
  Set value (int) | Usage\BkDownloadRatePct = "45" | svchost.exe
  Set value (str) | Usage\CPUpct = "0.361445" | svchost.exe
  Set value (int) | Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
  Set value (int) | Usage\CacheSizeBytes = "0" | svchost.exe
  Set value (int) | Usage\DownlinkUsageBps = "0" | svchost.exe
  Set value (int) | Config\DownloadMode_BackCompat = "1" | svchost.exe
  Set value (int) | Usage\UploadMonthlyInternetBytes = "0" | svchost.exe
  Set value (int) | Usage\UploadMonthlyLanBytes = "0" | svchost.exe
  Set value (int) | Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
  Set value (int) | Usage\DownloadMonthlyRateFrCnt = "0" | svchost.exe
  Set value (int) | Usage\DownloadMonthlyRateBkCnt = "0" | svchost.exe
  Set value (int) | Usage\UploadCount = "0" | svchost.exe
  Set value (int) | Usage\PriorityDownloadCount = "0" | svchost.exe
  Set value (str) | Usage\CPUpct = "13.044669" | svchost.exe
  Key created | Settings | svchost.exe
  Set value (int) | Usage\LinkLocalConnectionCount = "0" | svchost.exe
  Set value (int) | Usage\PriorityDownloadPendingCount = "0" | svchost.exe
  Set value (int) | Usage\NormalDownloadPendingCount = "0" | svchost.exe
  Key created | (DeliveryOptimization root key) | svchost.exe
  Set value (int) | Usage\MonthID = "2" | svchost.exe
  Set value (int) | Usage\PeerInfoCount = "0" | svchost.exe
  Set value (int) | Usage\CDNConnectionCount = "0" | svchost.exe
  Set value (int) | Usage\FrDownloadRatePct = "90" | svchost.exe
  Set value (int) | Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
  Set value (int) | Usage\MemoryUsageKB = "4292" | svchost.exe
  Set value (int) | Usage\SwarmCount = "0" | svchost.exe
  Set value (str) | Usage\CPUpct = "0.000000" | svchost.exe
- Runs ping.exe (1 TTP, 1 IoC)
  No process row is listed for this signature; the process tree below shows PING.EXE (PID 1188) spawned by cmd.exe.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  The only privilege adjusted by the sample itself is SeIncBasePriorityPrivilege. Every other entry is TiWorker.exe (PID 1264), the Windows servicing worker, repeatedly enabling the three backup/restore-related privileges it normally uses.
  Processes: 04e0f082c6274ba406063e11597459301b12d8e9168f168a58f2801efe5d35cf.exe, TiWorker.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 516 | 04e0f082c6274ba406063e11597459301b12d8e9168f168a58f2801efe5d35cf.exe
  Token: SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege (the remaining 63 entries, enabled in rotation) | 1264 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Each write goes from a parent into a child it has just created (the same parent/child pairs as the process tree), which is consistent with normal process start-up rather than injection into an existing, unrelated process.
  Processes: 04e0f082c6274ba406063e11597459301b12d8e9168f168a58f2801efe5d35cf.exe, cmd.exe
  description | pid | process | target process
  PID 516 wrote to memory of 3600 (3 times) | 516 | 04e0f082c6274ba406063e11597459301b12d8e9168f168a58f2801efe5d35cf.exe | MediaCenter.exe
  PID 516 wrote to memory of 1368 (3 times) | 516 | 04e0f082c6274ba406063e11597459301b12d8e9168f168a58f2801efe5d35cf.exe | cmd.exe
  PID 1368 wrote to memory of 1188 (3 times) | 1368 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\04e0f082c6274ba406063e11597459301b12d8e9168f168a58f2801efe5d35cf.exe (PID 516)
  Command line: "C:\Users\Admin\AppData\Local\Temp\04e0f082c6274ba406063e11597459301b12d8e9168f168a58f2801efe5d35cf.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 3600)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1368)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\04e0f082c6274ba406063e11597459301b12d8e9168f168a58f2801efe5d35cf.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1188)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
- C:\Windows\system32\MusNotifyIcon.exe (PID 2752)
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  Signatures: Checks processor information in registry
- C:\Windows\System32\svchost.exe (PID 2756)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  Signatures: Drops file in Windows directory; Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 1264)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample (PID 516) drops MediaCenter.exe into %LOCALAPPDATA%\Temp\MicroMedia, registers it in the Run key, launches it, then spawns cmd.exe with "ping 127.0.0.1 & del /q <own path>", a common self-deletion idiom in which the ping supplies a short delay so that del can remove the original executable once the parent has exited. The cmd.exe image resolving to SysWOW64 while the command line names System32, together with the Run key landing under WOW6432Node, shows the sample is a 32-bit process subject to WOW64 redirection. MusNotifyIcon.exe, svchost.exe and TiWorker.exe are separate root processes and are not descendants of the sample.
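As an added example (not part of the sandbox report or any tool it names), the following Python script replays the report's IoCs as constructed event records and applies the three rules a detection engineer would derive from them: a Run key pointing at a user-writable path, a Geo\Nation lookup by a non-system process, and the "ping & del" self-deletion pattern where the deleted file is the parent's own image. The process table, paths and registry keys are transcribed from the report; the event schema, rule names and the noise suppression for images under C:\Windows\ are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Paths transcribed from the report's process tree (constructed test data, not a live feed).
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\04e0f082c6274ba406063e11597459301b12d8e9168f168a58f2801efe5d35cf.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Process table: pid -> (image path, parent pid). Root processes have no parent.
PROCESSES = {
    516:  (SAMPLE, None),
    3600: (DROPPED, 516),
    1368: (r"C:\Windows\SysWOW64\cmd.exe", 516),
    1188: (r"C:\Windows\SysWOW64\PING.EXE", 1368),
    2752: (r"C:\Windows\system32\MusNotifyIcon.exe", None),
    2756: (r"C:\Windows\System32\svchost.exe", None),
}

# Constructed event records, one per IoC line of the report (schema is an assumption).
EVENTS = [
    {"pid": 516, "op": "reg_set",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "data": DROPPED},
    {"pid": 516, "op": "reg_query",
     "key": r"\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"pid": 1368, "op": "process_create",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'},
    {"pid": 2752, "op": "reg_query",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"},
    {"pid": 2756, "op": "reg_set",
     "key": r"\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion"
            r"\DeliveryOptimization\Config\DODownloadMode",
     "data": "1"},
]

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
USER_WRITABLE = re.compile(r"\\(AppData\\(Local|Roaming)|Users\\Public|ProgramData)\\", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# "ping <host> & del <file>": ping supplies a delay, del removes the file afterwards.
SELF_DELETE = re.compile(r'\bping\b[^&]*&\s*del\b[^"]*"?(?P<target>[A-Za-z]:\\[^"&]+?\.exe)"?', re.I)
SYSTEM_DIR = re.compile(r"^[A-Za-z]:\\Windows\\", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def is_system_image(pid, processes):
    """True for images under C:\\Windows\\; their registry reads are treated as OS background noise."""
    return bool(SYSTEM_DIR.match(processes[pid][0]))


def analyze(events, processes):
    """Apply the three rules to a list of events and return the findings."""
    findings = []
    for ev in events:
        pid = ev["pid"]
        image, ppid = processes[pid]
        if ev["op"] == "reg_set" and RUN_KEY.search(ev["key"]) and USER_WRITABLE.search(ev.get("data", "")):
            findings.append(Finding("run_key_to_user_writable_path", pid, ev["data"]))
        elif ev["op"] == "reg_query" and GEO_NATION.search(ev["key"]) and not is_system_image(pid, processes):
            findings.append(Finding("geo_nation_lookup", pid, image))
        elif ev["op"] == "process_create":
            m = SELF_DELETE.search(ev.get("cmdline", ""))
            # Only fire when the deleted file is the parent's own image (true self-deletion).
            if m and ppid is not None and m.group("target").lower() == processes[ppid][0].lower():
                findings.append(Finding("self_delete_via_ping_del", pid, f"parent {ppid} deletes its own image"))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS, PROCESSES):
        print(f"{f.rule:32} pid={f.pid:<5} {f.detail}")
```

Run against the constructed events, the script reports exactly the three behaviours attributable to the sample and stays silent on the MusNotifyIcon.exe and svchost.exe registry activity that the report also lists; tying the self-delete rule to the parent's own image path is what keeps an ordinary "ping & del" of some other file from firing.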
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: a3540837ad178af89d3a3f29d02499f3
  SHA1: ef379fe6d458e96a020cfb1c43bd29c8e2459083
  SHA256: 813de529782fbc83dc65e8a9ac2d7fb3b9bd9961f61a10331ea3403e63e2855d
  SHA512: d3f310e4c7e53586ead793995e9f33f6a55375e73c761a2efc6d3941a9fbb3a85283e1bb9cfdec24f6f7932d4f27a0927233da800e8f67e4831fea64c82fc899