Analysis
-
max time kernel
167s -
max time network
167s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
12-02-2022 03:39
Static task
static1
Behavioral task
behavioral1
Sample
170e7f9b8b91012265ce4c2fcabc66178cc705df28ebd506c4c5db1f2b6f1b1d.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
170e7f9b8b91012265ce4c2fcabc66178cc705df28ebd506c4c5db1f2b6f1b1d.exe
Resource
win10v2004-en-20220112
General
-
Target
170e7f9b8b91012265ce4c2fcabc66178cc705df28ebd506c4c5db1f2b6f1b1d.exe
-
Size
80KB
-
MD5
7b62e3d9d30de24b1ea9a0e23217bf6d
-
SHA1
43e63ac050a2ea99f36e2f50d9adc84eefdcd2f5
-
SHA256
170e7f9b8b91012265ce4c2fcabc66178cc705df28ebd506c4c5db1f2b6f1b1d
-
SHA512
04f40af1fc875241554e651ee9f312ba80d0b1f97a73850180860770243b9fe09f9431a22ad1f9a74fbf9f938ac5867c76ee12723abc11181734cad5364e9840
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 3840 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
170e7f9b8b91012265ce4c2fcabc66178cc705df28ebd506c4c5db1f2b6f1b1d.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation 170e7f9b8b91012265ce4c2fcabc66178cc705df28ebd506c4c5db1f2b6f1b1d.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
170e7f9b8b91012265ce4c2fcabc66178cc705df28ebd506c4c5db1f2b6f1b1d.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 170e7f9b8b91012265ce4c2fcabc66178cc705df28ebd506c4c5db1f2b6f1b1d.exe -
Drops file in Windows directory 3 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 49 IoCs
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4156" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.167644" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "2.142890" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132892872829689322" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4352" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" svchost.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
Processes:
170e7f9b8b91012265ce4c2fcabc66178cc705df28ebd506c4c5db1f2b6f1b1d.exeTiWorker.exedescription pid process Token: SeIncBasePriorityPrivilege 2800 170e7f9b8b91012265ce4c2fcabc66178cc705df28ebd506c4c5db1f2b6f1b1d.exe Token: SeSecurityPrivilege 1256 TiWorker.exe Token: SeRestorePrivilege 1256 TiWorker.exe Token: SeBackupPrivilege 1256 TiWorker.exe Token: SeBackupPrivilege 1256 TiWorker.exe Token: SeRestorePrivilege 1256 TiWorker.exe Token: SeSecurityPrivilege 1256 TiWorker.exe Token: SeBackupPrivilege 1256 TiWorker.exe Token: SeRestorePrivilege 1256 TiWorker.exe Token: SeSecurityPrivilege 1256 TiWorker.exe Token: SeBackupPrivilege 1256 TiWorker.exe Token: SeRestorePrivilege 1256 TiWorker.exe Token: SeSecurityPrivilege 1256 TiWorker.exe Token: SeBackupPrivilege 1256 TiWorker.exe Token: SeRestorePrivilege 1256 TiWorker.exe Token: SeSecurityPrivilege 1256 TiWorker.exe Token: SeBackupPrivilege 1256 TiWorker.exe Token: SeRestorePrivilege 1256 TiWorker.exe Token: SeSecurityPrivilege 1256 TiWorker.exe Token: SeBackupPrivilege 1256 TiWorker.exe Token: SeRestorePrivilege 1256 TiWorker.exe Token: SeSecurityPrivilege 1256 TiWorker.exe Token: SeBackupPrivilege 1256 TiWorker.exe Token: SeRestorePrivilege 1256 TiWorker.exe Token: SeSecurityPrivilege 1256 TiWorker.exe Token: SeBackupPrivilege 1256 TiWorker.exe Token: SeRestorePrivilege 1256 TiWorker.exe Token: SeSecurityPrivilege 1256 TiWorker.exe Token: SeBackupPrivilege 1256 TiWorker.exe Token: SeRestorePrivilege 1256 TiWorker.exe Token: SeSecurityPrivilege 1256 TiWorker.exe Token: SeBackupPrivilege 1256 TiWorker.exe Token: SeRestorePrivilege 1256 TiWorker.exe Token: SeSecurityPrivilege 1256 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
170e7f9b8b91012265ce4c2fcabc66178cc705df28ebd506c4c5db1f2b6f1b1d.execmd.exedescription pid process target process PID 2800 wrote to memory of 3840 2800 170e7f9b8b91012265ce4c2fcabc66178cc705df28ebd506c4c5db1f2b6f1b1d.exe MediaCenter.exe PID 2800 wrote to memory of 3840 2800 170e7f9b8b91012265ce4c2fcabc66178cc705df28ebd506c4c5db1f2b6f1b1d.exe MediaCenter.exe PID 2800 wrote to memory of 3840 2800 170e7f9b8b91012265ce4c2fcabc66178cc705df28ebd506c4c5db1f2b6f1b1d.exe MediaCenter.exe PID 2800 wrote to memory of 1576 2800 170e7f9b8b91012265ce4c2fcabc66178cc705df28ebd506c4c5db1f2b6f1b1d.exe cmd.exe PID 2800 wrote to memory of 1576 2800 170e7f9b8b91012265ce4c2fcabc66178cc705df28ebd506c4c5db1f2b6f1b1d.exe cmd.exe PID 2800 wrote to memory of 1576 2800 170e7f9b8b91012265ce4c2fcabc66178cc705df28ebd506c4c5db1f2b6f1b1d.exe cmd.exe PID 1576 wrote to memory of 2956 1576 cmd.exe PING.EXE PID 1576 wrote to memory of 2956 1576 cmd.exe PING.EXE PID 1576 wrote to memory of 2956 1576 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\170e7f9b8b91012265ce4c2fcabc66178cc705df28ebd506c4c5db1f2b6f1b1d.exe"C:\Users\Admin\AppData\Local\Temp\170e7f9b8b91012265ce4c2fcabc66178cc705df28ebd506c4c5db1f2b6f1b1d.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:3840 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\170e7f9b8b91012265ce4c2fcabc66178cc705df28ebd506c4c5db1f2b6f1b1d.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:2956
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3292
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1256
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
7e651b9f41a4261f9f410b6001fb80b2
SHA173d9797d62fa25221d6a972b0982d595b1470304
SHA256f2966da1484976efeb2190382811e0e398ab5677794077d349f44c2a9738b43b
SHA512af689bd1ed63efe0ebb2280e08fd5b0e0beb2199bf53f407ae361ae90d6f0c36461694bcbaecafe893c02d7e999f23ccb0e038f32a792b292a056e51027854db
-
MD5
7e651b9f41a4261f9f410b6001fb80b2
SHA173d9797d62fa25221d6a972b0982d595b1470304
SHA256f2966da1484976efeb2190382811e0e398ab5677794077d349f44c2a9738b43b
SHA512af689bd1ed63efe0ebb2280e08fd5b0e0beb2199bf53f407ae361ae90d6f0c36461694bcbaecafe893c02d7e999f23ccb0e038f32a792b292a056e51027854db