b11b2876e9b920084435e7e58dc9f7e1ea2cc82f5eeaee3aa90b684c39ce49c5

General

Target

b11b2876e9b920084435e7e58dc9f7e1ea2cc82f5eeaee3aa90b684c39ce49c5.exe
Size

126KB
MD5

a7d8623641334264d5121b591b9457d2
SHA1

f8715898b74cc0bb19f085b7c8759462f3b7d3b3
SHA256

b11b2876e9b920084435e7e58dc9f7e1ea2cc82f5eeaee3aa90b684c39ce49c5
SHA512

025339f40f2249d11ca45d7dc4f04f7e698aa32f47c9af09f616bbd5c4d0fc3f9f05b0327cc5de14150762acab2afc3290b573bdb199e3c438e8e5d9a0a0dcf7

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b11b2876e9b920084435e7e58dc9f7e1ea2cc82f5eeaee3aa90b684c39ce49c5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	b11b2876e9b920084435e7e58dc9f7e1ea2cc82f5eeaee3aa90b684c39ce49c5.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b11b2876e9b920084435e7e58dc9f7e1ea2cc82f5eeaee3aa90b684c39ce49c5.exe"	reg.exe

Drops file in Windows directory 3 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Modifies data under HKEY_USERS 47 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4116"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4192"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132899773650147142"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.255221"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.058617"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

b11b2876e9b920084435e7e58dc9f7e1ea2cc82f5eeaee3aa90b684c39ce49c5.exe

pid	process
1556	b11b2876e9b920084435e7e58dc9f7e1ea2cc82f5eeaee3aa90b684c39ce49c5.exe
1556	b11b2876e9b920084435e7e58dc9f7e1ea2cc82f5eeaee3aa90b684c39ce49c5.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

b11b2876e9b920084435e7e58dc9f7e1ea2cc82f5eeaee3aa90b684c39ce49c5.exeTiWorker.exe

description	pid	process
Token: SeDebugPrivilege	1556	b11b2876e9b920084435e7e58dc9f7e1ea2cc82f5eeaee3aa90b684c39ce49c5.exe
Token: SeSecurityPrivilege	3532	TiWorker.exe
Token: SeRestorePrivilege	3532	TiWorker.exe
Token: SeBackupPrivilege	3532	TiWorker.exe
Token: SeBackupPrivilege	3532	TiWorker.exe
Token: SeRestorePrivilege	3532	TiWorker.exe
Token: SeSecurityPrivilege	3532	TiWorker.exe
Token: SeBackupPrivilege	3532	TiWorker.exe
Token: SeRestorePrivilege	3532	TiWorker.exe
Token: SeSecurityPrivilege	3532	TiWorker.exe
Token: SeBackupPrivilege	3532	TiWorker.exe
Token: SeRestorePrivilege	3532	TiWorker.exe
Token: SeSecurityPrivilege	3532	TiWorker.exe
Token: SeBackupPrivilege	3532	TiWorker.exe
Token: SeRestorePrivilege	3532	TiWorker.exe
Token: SeSecurityPrivilege	3532	TiWorker.exe
Token: SeBackupPrivilege	3532	TiWorker.exe
Token: SeRestorePrivilege	3532	TiWorker.exe
Token: SeSecurityPrivilege	3532	TiWorker.exe
Token: SeBackupPrivilege	3532	TiWorker.exe
Token: SeRestorePrivilege	3532	TiWorker.exe
Token: SeSecurityPrivilege	3532	TiWorker.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

b11b2876e9b920084435e7e58dc9f7e1ea2cc82f5eeaee3aa90b684c39ce49c5.execmd.exe

description	pid	process	target process
PID 1556 wrote to memory of 364	1556	b11b2876e9b920084435e7e58dc9f7e1ea2cc82f5eeaee3aa90b684c39ce49c5.exe	cmd.exe
PID 1556 wrote to memory of 364	1556	b11b2876e9b920084435e7e58dc9f7e1ea2cc82f5eeaee3aa90b684c39ce49c5.exe	cmd.exe
PID 1556 wrote to memory of 364	1556	b11b2876e9b920084435e7e58dc9f7e1ea2cc82f5eeaee3aa90b684c39ce49c5.exe	cmd.exe
PID 1556 wrote to memory of 2096	1556	b11b2876e9b920084435e7e58dc9f7e1ea2cc82f5eeaee3aa90b684c39ce49c5.exe	sihost.exe
PID 1556 wrote to memory of 2112	1556	b11b2876e9b920084435e7e58dc9f7e1ea2cc82f5eeaee3aa90b684c39ce49c5.exe	svchost.exe
PID 1556 wrote to memory of 2156	1556	b11b2876e9b920084435e7e58dc9f7e1ea2cc82f5eeaee3aa90b684c39ce49c5.exe	taskhostw.exe
PID 1556 wrote to memory of 2416	1556	b11b2876e9b920084435e7e58dc9f7e1ea2cc82f5eeaee3aa90b684c39ce49c5.exe	svchost.exe
PID 1556 wrote to memory of 2620	1556	b11b2876e9b920084435e7e58dc9f7e1ea2cc82f5eeaee3aa90b684c39ce49c5.exe	DllHost.exe
PID 364 wrote to memory of 2912	364	cmd.exe	reg.exe
PID 364 wrote to memory of 2912	364	cmd.exe	reg.exe
PID 364 wrote to memory of 2912	364	cmd.exe	reg.exe
PID 1556 wrote to memory of 2728	1556	b11b2876e9b920084435e7e58dc9f7e1ea2cc82f5eeaee3aa90b684c39ce49c5.exe	StartMenuExperienceHost.exe
PID 1556 wrote to memory of 2888	1556	b11b2876e9b920084435e7e58dc9f7e1ea2cc82f5eeaee3aa90b684c39ce49c5.exe	RuntimeBroker.exe
PID 1556 wrote to memory of 3032	1556	b11b2876e9b920084435e7e58dc9f7e1ea2cc82f5eeaee3aa90b684c39ce49c5.exe	SearchApp.exe
PID 1556 wrote to memory of 3108	1556	b11b2876e9b920084435e7e58dc9f7e1ea2cc82f5eeaee3aa90b684c39ce49c5.exe	RuntimeBroker.exe
PID 1556 wrote to memory of 3460	1556	b11b2876e9b920084435e7e58dc9f7e1ea2cc82f5eeaee3aa90b684c39ce49c5.exe	RuntimeBroker.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2112

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2156

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2416

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2888

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2728

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3460

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3108

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3032

C:\Users\Admin\AppData\Local\Temp\b11b2876e9b920084435e7e58dc9f7e1ea2cc82f5eeaee3aa90b684c39ce49c5.exe
"C:\Users\Admin\AppData\Local\Temp\b11b2876e9b920084435e7e58dc9f7e1ea2cc82f5eeaee3aa90b684c39ce49c5.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\b11b2876e9b920084435e7e58dc9f7e1ea2cc82f5eeaee3aa90b684c39ce49c5.exe" /f /reg:64
2⤵
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\b11b2876e9b920084435e7e58dc9f7e1ea2cc82f5eeaee3aa90b684c39ce49c5.exe" /f /reg:64
3⤵
- Adds Run key to start application
PID:2912

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:3560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3696

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3532