Analysis
- max time kernel: 163s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 03:38
Static task: static1
Behavioral task: behavioral1
- Sample: 171d951d30500240f623efd629ece6b9d00b77bd9436ef55285b7ff52209eb88.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 171d951d30500240f623efd629ece6b9d00b77bd9436ef55285b7ff52209eb88.exe
- Resource: win10v2004-en-20220112
General
- Target: 171d951d30500240f623efd629ece6b9d00b77bd9436ef55285b7ff52209eb88.exe
- Size: 217KB
- MD5: cafefaae6b3b3236a0a4a2dd79c94fde
- SHA1: 7513c6b406bfae75c87c2ec4dcbc0c7a39cdaa47
- SHA256: 171d951d30500240f623efd629ece6b9d00b77bd9436ef55285b7ff52209eb88
- SHA512: c409559b849e27a8686e709410f2524a27e20352bbcf402e20752e6a9ff5ab2d70bd751639e3144c694de5f2392e8ace2a050e62e590b2d57402c3c7e9cceb9f
Malware Config
Signatures
Sakula Payload 3 IoCs
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral2/memory/3588-132-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
Executes dropped EXE 1 IoCs
Processes:
  pid | process
  1184 | MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 171d951d30500240f623efd629ece6b9d00b77bd9436ef55285b7ff52209eb88.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 171d951d30500240f623efd629ece6b9d00b77bd9436ef55285b7ff52209eb88.exe
Drops file in Windows directory 3 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
Modifies data under HKEY_USERS 50 IoCs
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  description | pid | process | target process
  PID 3588 wrote to memory of 1184 | 3588 | 171d951d30500240f623efd629ece6b9d00b77bd9436ef55285b7ff52209eb88.exe | MediaCenter.exe
  PID 3588 wrote to memory of 1184 | 3588 | 171d951d30500240f623efd629ece6b9d00b77bd9436ef55285b7ff52209eb88.exe | MediaCenter.exe
  PID 3588 wrote to memory of 1184 | 3588 | 171d951d30500240f623efd629ece6b9d00b77bd9436ef55285b7ff52209eb88.exe | MediaCenter.exe
  PID 3588 wrote to memory of 3252 | 3588 | 171d951d30500240f623efd629ece6b9d00b77bd9436ef55285b7ff52209eb88.exe | cmd.exe
  PID 3588 wrote to memory of 3252 | 3588 | 171d951d30500240f623efd629ece6b9d00b77bd9436ef55285b7ff52209eb88.exe | cmd.exe
  PID 3588 wrote to memory of 3252 | 3588 | 171d951d30500240f623efd629ece6b9d00b77bd9436ef55285b7ff52209eb88.exe | cmd.exe
  PID 3252 wrote to memory of 2652 | 3252 | cmd.exe | PING.EXE
  PID 3252 wrote to memory of 2652 | 3252 | cmd.exe | PING.EXE
  PID 3252 wrote to memory of 2652 | 3252 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\171d951d30500240f623efd629ece6b9d00b77bd9436ef55285b7ff52209eb88.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\171d951d30500240f623efd629ece6b9d00b77bd9436ef55285b7ff52209eb88.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3588
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1184
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\171d951d30500240f623efd629ece6b9d00b77bd9436ef55285b7ff52209eb88.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3252
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 2652
- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
  PID: 3600
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 2536
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3716
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: f08a17119d4e3cb5e1a6a0395cbea76e
- SHA1: fbae3bfdf0284f9059a445a525de153ac35d958d
- SHA256: 465e5df27f0eeb66c11f4e7e9c4f4a8425688c3a005b4242b285ba92b10ea4ef
- SHA512: 6cfd20bbd4b9965b2468edf596a2a116f313553e8add59fc27613a187aac5b930c9ef67217373d0b4631bb1e03f718a2ef6d2883be5f52b8a590e2d6c69f8eca