Analysis
- max time kernel: 173s
- max time network: 189s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 03:28
Static task: static1
Behavioral task: behavioral1
- Sample: 179158835971a436bd772b42e8722789bbe0b5834526fe63ead565eb4bf278d3.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 179158835971a436bd772b42e8722789bbe0b5834526fe63ead565eb4bf278d3.exe
- Resource: win10v2004-en-20220112
General
- Target: 179158835971a436bd772b42e8722789bbe0b5834526fe63ead565eb4bf278d3.exe
- Size: 101KB
- MD5: f5a1aae9180bfc2b94e107c28137ed02
- SHA1: 0f036369680bc684eefd7ff3ab246f32d394ba27
- SHA256: 179158835971a436bd772b42e8722789bbe0b5834526fe63ead565eb4bf278d3
- SHA512: 102fa17d91a079dccb18818feb6a841becd5071f3dbd6ac931252bfaea09cae6c2bacd73adcbd809c42809ef81155482110e12a6d691353bde84dd141b5a15a2
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes (resource / yara_rule):
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
Executes dropped EXE 1 IoCs
Processes (pid / process):
- 1112 / MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
- Key value queried / \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation / 179158835971a436bd772b42e8722789bbe0b5834526fe63ead565eb4bf278d3.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description / ioc / process):
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 179158835971a436bd772b42e8722789bbe0b5834526fe63ead565eb4bf278d3.exe
Drops file in Windows directory 3 IoCs
Processes (description / ioc / process):
- File opened for modification / C:\Windows\Logs\CBS\CBS.log / TiWorker.exe
- File opened for modification / C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat / svchost.exe
- File opened for modification / C:\Windows\WinSxS\pending.xml / TiWorker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
- Key opened / \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 / MusNotifyIcon.exe
- Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz / MusNotifyIcon.exe
Modifies data under HKEY_USERS 48 IoCs
Processes (description / ioc / process), all by svchost.exe:
- Key created / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"
- Key created / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"
- Set value (str) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4136"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"
- Key created / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"
- Key created / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4240"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"
- Set value (str) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.241255"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132892866759076915"
- Set value (str) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
- Set value (int) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"
- Set value (str) / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000"
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (description / pid / process):
- Token: SeIncBasePriorityPrivilege / 1232 / 179158835971a436bd772b42e8722789bbe0b5834526fe63ead565eb4bf278d3.exe
- Token: SeSecurityPrivilege / 2100 / TiWorker.exe
- Token: SeRestorePrivilege / 2100 / TiWorker.exe
- Token: SeBackupPrivilege / 2100 / TiWorker.exe
- Token: SeBackupPrivilege / 2100 / TiWorker.exe
- Token: SeRestorePrivilege / 2100 / TiWorker.exe
- Token: SeSecurityPrivilege / 2100 / TiWorker.exe
- Entries 8 to 64 are 19 repetitions of the same triple for 2100 / TiWorker.exe: Token: SeBackupPrivilege, Token: SeRestorePrivilege, Token: SeSecurityPrivilege
Suspicious use of WriteProcessMemory 9 IoCs
Processes (description / pid / process / target process):
- PID 1232 wrote to memory of 1112 / 1232 / 179158835971a436bd772b42e8722789bbe0b5834526fe63ead565eb4bf278d3.exe / MediaCenter.exe (3 times)
- PID 1232 wrote to memory of 964 / 1232 / 179158835971a436bd772b42e8722789bbe0b5834526fe63ead565eb4bf278d3.exe / cmd.exe (3 times)
- PID 964 wrote to memory of 2204 / 964 / cmd.exe / PING.EXE (3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\179158835971a436bd772b42e8722789bbe0b5834526fe63ead565eb4bf278d3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\179158835971a436bd772b42e8722789bbe0b5834526fe63ead565eb4bf278d3.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1232
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1112
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\179158835971a436bd772b42e8722789bbe0b5834526fe63ead565eb4bf278d3.exe"
    - Suspicious use of WriteProcessMemory
    PID: 964
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 2204
- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
  PID: 1968
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 4048
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2100
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 9e4be56473f1b37ee8f2d633c62fded0
  SHA1: c221d2293379145a0cbd113ccf572f8bcedf6f5e
  SHA256: fc63b10d8ca37dd98a7a1a047c24dc2aa008f44b6182f9fc7f571926ee843d88
  SHA512: 53922e388f7ff9a5473e89c2ad98512b8383c9e50502a018a6ed00e7a73820b4f1c35ccf466132e472be26fcfe513901ac1888ca25e8580a2930a81f9b0cbdaa
- MD5: 9e4be56473f1b37ee8f2d633c62fded0
  SHA1: c221d2293379145a0cbd113ccf572f8bcedf6f5e
  SHA256: fc63b10d8ca37dd98a7a1a047c24dc2aa008f44b6182f9fc7f571926ee843d88
  SHA512: 53922e388f7ff9a5473e89c2ad98512b8383c9e50502a018a6ed00e7a73820b4f1c35ccf466132e472be26fcfe513901ac1888ca25e8580a2930a81f9b0cbdaa