Analysis
- max time kernel: 161s
- max time network: 177s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 11:32

Static task: static1

Behavioral task: behavioral1
- Sample: 0429aa653e64d95d0e2d8371f25d25b817230f51dc68716011601b8ecb2455d1.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0429aa653e64d95d0e2d8371f25d25b817230f51dc68716011601b8ecb2455d1.exe
- Resource: win10v2004-en-20220112
General
- Target: 0429aa653e64d95d0e2d8371f25d25b817230f51dc68716011601b8ecb2455d1.exe
- Size: 58KB
- MD5: 7c667d7b588421a8aab326b5594d1cf2
- SHA1: 29d8c88473a9b7fb2c0420852697268d07b11756
- SHA256: 0429aa653e64d95d0e2d8371f25d25b817230f51dc68716011601b8ecb2455d1
- SHA512: 34a34013fcc47ea5dd2d4b7899dc5dfe8d81e97fd603f054324e64c75c995e13a4808fbf81d165dda507557d10f5f9a3f312b1bca6978a57355108829a2f3a03
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
Processes: MediaCenter.exe
- pid 1160: MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 0429aa653e64d95d0e2d8371f25d25b817230f51dc68716011601b8ecb2455d1.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation (0429aa653e64d95d0e2d8371f25d25b817230f51dc68716011601b8ecb2455d1.exe)
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: 0429aa653e64d95d0e2d8371f25d25b817230f51dc68716011601b8ecb2455d1.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (0429aa653e64d95d0e2d8371f25d25b817230f51dc68716011601b8ecb2455d1.exe)
Drops file in Windows directory (3 IoCs)
Processes: svchost.exe, TiWorker.exe
- File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat (svchost.exe)
- File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
- File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: MusNotifyIcon.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (MusNotifyIcon.exe)
- Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (MusNotifyIcon.exe)
Modifies data under HKEY_USERS (49 IoCs)
Processes: svchost.exe
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: 0429aa653e64d95d0e2d8371f25d25b817230f51dc68716011601b8ecb2455d1.exe, TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 0429aa653e64d95d0e2d8371f25d25b817230f51dc68716011601b8ecb2455d1.exe, cmd.exe
- PID 3836 wrote to memory of 1160: 0429aa653e64d95d0e2d8371f25d25b817230f51dc68716011601b8ecb2455d1.exe (3836) -> MediaCenter.exe
- PID 3836 wrote to memory of 1160: 0429aa653e64d95d0e2d8371f25d25b817230f51dc68716011601b8ecb2455d1.exe (3836) -> MediaCenter.exe
- PID 3836 wrote to memory of 1160: 0429aa653e64d95d0e2d8371f25d25b817230f51dc68716011601b8ecb2455d1.exe (3836) -> MediaCenter.exe
- PID 3836 wrote to memory of 2728: 0429aa653e64d95d0e2d8371f25d25b817230f51dc68716011601b8ecb2455d1.exe (3836) -> cmd.exe
- PID 3836 wrote to memory of 2728: 0429aa653e64d95d0e2d8371f25d25b817230f51dc68716011601b8ecb2455d1.exe (3836) -> cmd.exe
- PID 3836 wrote to memory of 2728: 0429aa653e64d95d0e2d8371f25d25b817230f51dc68716011601b8ecb2455d1.exe (3836) -> cmd.exe
- PID 2728 wrote to memory of 2612: cmd.exe (2728) -> PING.EXE
- PID 2728 wrote to memory of 2612: cmd.exe (2728) -> PING.EXE
- PID 2728 wrote to memory of 2612: cmd.exe (2728) -> PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0429aa653e64d95d0e2d8371f25d25b817230f51dc68716011601b8ecb2455d1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0429aa653e64d95d0e2d8371f25d25b817230f51dc68716011601b8ecb2455d1.exe"
  PID: 3836
  Signatures:
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1160
    Signatures:
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0429aa653e64d95d0e2d8371f25d25b817230f51dc68716011601b8ecb2455d1.exe"
    PID: 2728
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 2612
      Signatures:
      - Runs ping.exe
- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  PID: 3028
  Signatures:
  - Checks processor information in registry
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  PID: 1756
  Signatures:
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 2696
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 4e602f6128d16366ef168072bdad1f0e
  SHA1: 968d0ab56450d9d5fabf04f084c43feaa961c68c
  SHA256: 799a8836594d74fc87d29b59b16fb649e296e7b1fb5a44042bcd98cd3e1a0104
  SHA512: a66e5e67fa8d37450019b1cae1afedffa134e54e1b158d46c25722b6cd7ab7c6172201851ba4ee52fce22cdc29a528dfacd591287589c2a9c5aa25cfe5b2ace6