Analysis
Max time kernel: 175s
Max time network: 188s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220112
Submitted: 12-02-2022 12:52
Static task: static1
Behavioral task: behavioral1
  Sample: 0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5.exe
  Resource: win10v2004-en-20220112
General
Target: 0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5.exe
Size: 36KB
MD5: 755a0ec4ea5d0e197f371946e79c0fa4
SHA1: 8c1624e8e8b6ac4f89377f221101de904a009b8c
SHA256: 0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5
SHA512: 9f13eeed8ac5541ca535555fa05ce95cbb494df112f7cfe74a69917474cece18a87d11064119da4cc4ffde34701603e0d1e40e4ba310416a7b3a3c3a0717cd81
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
Processes:
  pid  | process
  3044 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5.exe
Drops file in Windows directory (3 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
Modifies data under HKEY_USERS (52 IoCs)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "4" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4232" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132893213590909944" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "12.120930" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "1157726" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "90228624" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4440" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 3960 | 0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5.exe
  Token: SeSecurityPrivilege | 3092 | TiWorker.exe
  Token: SeRestorePrivilege | 3092 | TiWorker.exe
  Token: SeBackupPrivilege | 3092 | TiWorker.exe
  Token: SeBackupPrivilege | 3092 | TiWorker.exe
  Token: SeRestorePrivilege | 3092 | TiWorker.exe
  Token: SeSecurityPrivilege | 3092 | TiWorker.exe
  Token: SeBackupPrivilege | 3092 | TiWorker.exe
  Token: SeRestorePrivilege | 3092 | TiWorker.exe
  Token: SeSecurityPrivilege | 3092 | TiWorker.exe
  Token: SeBackupPrivilege | 3092 | TiWorker.exe
  Token: SeRestorePrivilege | 3092 | TiWorker.exe
  Token: SeSecurityPrivilege | 3092 | TiWorker.exe
  Token: SeBackupPrivilege | 3092 | TiWorker.exe
  Token: SeRestorePrivilege | 3092 | TiWorker.exe
  Token: SeSecurityPrivilege | 3092 | TiWorker.exe
  Token: SeBackupPrivilege | 3092 | TiWorker.exe
  Token: SeRestorePrivilege | 3092 | TiWorker.exe
  Token: SeSecurityPrivilege | 3092 | TiWorker.exe
  Token: SeBackupPrivilege | 3092 | TiWorker.exe
  Token: SeRestorePrivilege | 3092 | TiWorker.exe
  Token: SeSecurityPrivilege | 3092 | TiWorker.exe
  Token: SeBackupPrivilege | 3092 | TiWorker.exe
  Token: SeRestorePrivilege | 3092 | TiWorker.exe
  Token: SeSecurityPrivilege | 3092 | TiWorker.exe
  Token: SeBackupPrivilege | 3092 | TiWorker.exe
  Token: SeRestorePrivilege | 3092 | TiWorker.exe
  Token: SeSecurityPrivilege | 3092 | TiWorker.exe
  Token: SeBackupPrivilege | 3092 | TiWorker.exe
  Token: SeRestorePrivilege | 3092 | TiWorker.exe
  Token: SeSecurityPrivilege | 3092 | TiWorker.exe
  Token: SeBackupPrivilege | 3092 | TiWorker.exe
  Token: SeRestorePrivilege | 3092 | TiWorker.exe
  Token: SeSecurityPrivilege | 3092 | TiWorker.exe
  Token: SeBackupPrivilege | 3092 | TiWorker.exe
  Token: SeRestorePrivilege | 3092 | TiWorker.exe
  Token: SeSecurityPrivilege | 3092 | TiWorker.exe
  Token: SeBackupPrivilege | 3092 | TiWorker.exe
  Token: SeRestorePrivilege | 3092 | TiWorker.exe
  Token: SeSecurityPrivilege | 3092 | TiWorker.exe
  Token: SeBackupPrivilege | 3092 | TiWorker.exe
  Token: SeRestorePrivilege | 3092 | TiWorker.exe
  Token: SeSecurityPrivilege | 3092 | TiWorker.exe
  Token: SeBackupPrivilege | 3092 | TiWorker.exe
  Token: SeRestorePrivilege | 3092 | TiWorker.exe
  Token: SeSecurityPrivilege | 3092 | TiWorker.exe
  Token: SeBackupPrivilege | 3092 | TiWorker.exe
  Token: SeRestorePrivilege | 3092 | TiWorker.exe
  Token: SeSecurityPrivilege | 3092 | TiWorker.exe
  Token: SeBackupPrivilege | 3092 | TiWorker.exe
  Token: SeRestorePrivilege | 3092 | TiWorker.exe
  Token: SeSecurityPrivilege | 3092 | TiWorker.exe
  Token: SeBackupPrivilege | 3092 | TiWorker.exe
  Token: SeRestorePrivilege | 3092 | TiWorker.exe
  Token: SeSecurityPrivilege | 3092 | TiWorker.exe
  Token: SeBackupPrivilege | 3092 | TiWorker.exe
  Token: SeRestorePrivilege | 3092 | TiWorker.exe
  Token: SeSecurityPrivilege | 3092 | TiWorker.exe
  Token: SeBackupPrivilege | 3092 | TiWorker.exe
  Token: SeRestorePrivilege | 3092 | TiWorker.exe
  Token: SeSecurityPrivilege | 3092 | TiWorker.exe
  Token: SeBackupPrivilege | 3092 | TiWorker.exe
  Token: SeRestorePrivilege | 3092 | TiWorker.exe
  Token: SeSecurityPrivilege | 3092 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description | pid | process | target process
  PID 3960 wrote to memory of 3044 | 3960 | 0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5.exe | MediaCenter.exe
  PID 3960 wrote to memory of 3044 | 3960 | 0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5.exe | MediaCenter.exe
  PID 3960 wrote to memory of 3044 | 3960 | 0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5.exe | MediaCenter.exe
  PID 3960 wrote to memory of 1976 | 3960 | 0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5.exe | cmd.exe
  PID 3960 wrote to memory of 1976 | 3960 | 0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5.exe | cmd.exe
  PID 3960 wrote to memory of 1976 | 3960 | 0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5.exe | cmd.exe
  PID 1976 wrote to memory of 2252 | 1976 | cmd.exe | PING.EXE
  PID 1976 wrote to memory of 2252 | 1976 | cmd.exe | PING.EXE
  PID 1976 wrote to memory of 2252 | 1976 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0017d00956678c0299447e2568dae8715c26c428b702d6b0c30832065697e9c5.exe"
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          - Runs ping.exe
C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: c58e745a2b6d36084f66d898bd1dd4eb
  SHA1: 8a30747ccf8eeb65d5b415a49d3190f24a187e47
  SHA256: 4f2857d08ea713905dd96e3232f1a0a9589ae379e72331075681eec605d2347f
  SHA512: aa453c1b8fa8b9d10d146ed6f95bc303f24da3fe074833d03ee13cae9591fef5ac91b22a83fb2975efafcdbc43b9a6704229ed8175e66c253a8bbfff20ad375c