Analysis
- max time kernel: 154s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 02:50
Static task: static1
Behavioral task: behavioral1
  Sample: 196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e.exe
  Resource: win10v2004-en-20220112
General
- Target: 196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e.exe
- Size: 192KB
- MD5: 2d5fde9ea0e4b71dcd627a5d1cccc532
- SHA1: c2af6d9d553988a99bc9594e78c177af80bbe060
- SHA256: 196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e
- SHA512: 869cd380f9836a5895b109daff673a6cd2b93a7b523d0fc37aaf532210da183b6c5dac2218374eda8e4a9f4f2537078acf41079df2f4d14a13c0166b3bf2d02e
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
-
Executes dropped EXE 1 IoCs
Processes:
  pid | process
  3636 | MediaCenter.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e.exe
-
Drops file in Windows directory 3 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
-
Modifies data under HKEY_USERS 50 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  description | pid | process | target process
  PID 1584 wrote to memory of 3636 | 1584 | 196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e.exe | MediaCenter.exe
  PID 1584 wrote to memory of 3636 | 1584 | 196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e.exe | MediaCenter.exe
  PID 1584 wrote to memory of 3636 | 1584 | 196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e.exe | MediaCenter.exe
  PID 1584 wrote to memory of 4036 | 1584 | 196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e.exe | cmd.exe
  PID 1584 wrote to memory of 4036 | 1584 | 196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e.exe | cmd.exe
  PID 1584 wrote to memory of 4036 | 1584 | 196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e.exe | cmd.exe
  PID 4036 wrote to memory of 1800 | 4036 | cmd.exe | PING.EXE
  PID 4036 wrote to memory of 1800 | 4036 | cmd.exe | PING.EXE
  PID 4036 wrote to memory of 1800 | 4036 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1584
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 3636
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4036
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1800
- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
  PID: 3912
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 3556
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 544
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 56e35523939909f5ee612e3ca7838f3e
  SHA1: 66e7fc9cf3165e23ec06ef570b82b27673fff116
  SHA256: 2098a4392d2835477c2bccf1e8829de67042b8b4832c107a6fb03be25d21680a
  SHA512: f7d61d59f87d95954a171eaa80b0d833cbfe168e746cc748450041ba26bda670edd7f65219eb5e510553313051b2efd087b150a8131db3dd73be5cc598d7e4a8