Analysis
max time kernel: 169s
max time network: 177s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 03:38
Static task: static1
Behavioral task: behavioral1
  Sample: 171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe
  Resource: win10v2004-en-20220112
General
Target: 171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe
Size: 99KB
MD5: 4c6b59a14f1a41ce216a7f36611607f5
SHA1: d40254548dfac75a498cd91921f0226d2c4d9573
SHA256: 171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee
SHA512: 3f42525ea93c5e6cd3df2fb1acfa76576c8c0e16431c80b2a9a08d2cda6221b7e78cd7647694310619608b6766c9bcd3705cf945432b70a9cb9ba01377efc866
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE (1 IoC)
Processes:
pid | process
208 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe
Drops file in Windows directory (3 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies data under HKEY_USERS (54 IoCs)
Process: svchost.exe
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: 171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe, TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 2400 wrote to memory of 208 | 2400 | 171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe | MediaCenter.exe
PID 2400 wrote to memory of 208 | 2400 | 171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe | MediaCenter.exe
PID 2400 wrote to memory of 208 | 2400 | 171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe | MediaCenter.exe
PID 2400 wrote to memory of 2012 | 2400 | 171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe | cmd.exe
PID 2400 wrote to memory of 2012 | 2400 | 171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe | cmd.exe
PID 2400 wrote to memory of 2012 | 2400 | 171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe | cmd.exe
PID 2012 wrote to memory of 4088 | 2012 | cmd.exe | PING.EXE
PID 2012 wrote to memory of 4088 | 2012 | cmd.exe | PING.EXE
PID 2012 wrote to memory of 4088 | 2012 | cmd.exe | PING.EXE
Processes (process tree; indentation shows parent/child depth)

[1] C:\Users\Admin\AppData\Local\Temp\171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2400

    [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        - Executes dropped EXE
        PID: 208

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe"
        - Suspicious use of WriteProcessMemory
        PID: 2012

        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            - Runs ping.exe
            PID: 4088

[1] C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID: 3572

[1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID: 4080
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 783e864440131ec7841e46335bf220d7
SHA1: 4ef0ffcbdb3b2d760ec939e99e5555161c7a27a3
SHA256: c589a18ecb27661f73ea0fbe9c0d19e173f46a68ab2716fee4b5c71d2c7194c8
SHA512: c1b9ad7c735243264850ab8bdd24413046b7e36a5fb8070c54907545c5b532cc56dfe08f15edc78413d6fbf8ce9a12d266f761755a503ea707aae2774dc59da8