Analysis
- max time kernel: 169s
- max time network: 177s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 03:06
Static task: static1
Behavioral task: behavioral1
- Sample: 188bea33b9aa52315eca9c5dcc3e66c835378528ab6ff23defeeae90d52cc564.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 188bea33b9aa52315eca9c5dcc3e66c835378528ab6ff23defeeae90d52cc564.exe
- Resource: win10v2004-en-20220112
General
- Target: 188bea33b9aa52315eca9c5dcc3e66c835378528ab6ff23defeeae90d52cc564.exe
- Size: 216KB
- MD5: 4cfa10f30c3d09c1d441c35ad3b055ce
- SHA1: d6cb76b9986e9b5669ddf0f00743c5ff8e62da54
- SHA256: 188bea33b9aa52315eca9c5dcc3e66c835378528ab6ff23defeeae90d52cc564
- SHA512: 876c4e7cb813450cf5ec17aeca9cd609627ccb82f8c39239c2d5ef465722ec3af91fd1b36566ea6430310d125f4800896cfa7c4d3970b8b39a8890f9021ff21b
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes (resource / yara_rule):
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula
  - behavioral2/memory/3564-132-0x0000000000400000-0x0000000000420000-memory.dmp family_sakula
  - behavioral2/memory/1208-133-0x0000000000400000-0x0000000000420000-memory.dmp family_sakula
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
  - 1208 MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes (description / ioc / process):
  - Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation 188bea33b9aa52315eca9c5dcc3e66c835378528ab6ff23defeeae90d52cc564.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 188bea33b9aa52315eca9c5dcc3e66c835378528ab6ff23defeeae90d52cc564.exe
  (The WOW6432Node path shows the sample is a 32-bit process on the 64-bit VM; the autostart target sits in the user's Temp directory.)
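The two registry IoCs above (the Geo\Nation lookup and the Run-key autostart) are the rows of this report that a triage script should pull out automatically. The following is an added example, not code from the sandbox or from the report: it parses rows written in the report's own "operation, NT registry path, optional data, process" layout, normalises the NT object path to HKLM/HKU, records whether the write went through the WOW6432Node redirector, and flags an autostart whose target lives in a user-writable directory and a query of the Geo\Nation value. The input rows are constructed here from the signatures above; the rule names and the list of user-writable directories are the author's choices, not something the report defines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: three rows re-typed in the report's
# "<operation> <NT registry path> [= "<data>"] <process>" layout. The first two
# are the sample's IoCs from the signatures above; the third is one of the
# svchost.exe Delivery Optimization rows, included as benign noise.
SAMPLE = "188bea33b9aa52315eca9c5dcc3e66c835378528ab6ff23defeeae90d52cc564.exe"
REPORT_ROWS = [
    r"Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000"
    r"\Control Panel\International\Geo\Nation " + SAMPLE,
    r"Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia"
    r' = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" ' + SAMPLE,
    r"Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion"
    r'\DeliveryOptimization\Usage\UploadCount = "0" svchost.exe',
]

ROW_RE = re.compile(
    r"^(?P<op>Key value queried|Key opened|Key created|Set value \(\w+\))\s+"
    r"(?P<path>\\Registry\\.+?)"          # lazy: key paths may contain spaces ("Control Panel")
    r'(?:\s+=\s+"(?P<data>.*?)")?'        # quoted data only on Set value rows
    r"\s+(?P<process>\S+)$",
    re.IGNORECASE,
)
AUTORUN_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.IGNORECASE)
# Directories an unprivileged user can write to (author's list, not the report's).
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\(?:Local|Roaming)|Users\\Public|ProgramData|Windows\\Temp)\\", re.IGNORECASE
)
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)


@dataclass
class RegEvent:
    op: str
    key_path: str            # Win32-style path with the WOW6432Node component removed
    wow64_redirected: bool   # True when a 32-bit process was redirected into WOW6432Node
    data: Optional[str]
    process: str


def normalise_path(nt_path: str) -> Tuple[str, bool]:
    """Map the NT object path to HKLM/HKU and strip the 32-bit redirector node."""
    path = re.sub(r"^\\Registry\\Machine", "HKLM", nt_path, flags=re.IGNORECASE)
    path = re.sub(r"^\\Registry\\User", "HKU", path, flags=re.IGNORECASE)
    redirected = re.search(r"\\WOW6432Node(?=\\)", path, flags=re.IGNORECASE) is not None
    path = re.sub(r"\\WOW6432Node(?=\\)", "", path, flags=re.IGNORECASE)
    return path, redirected


def parse_row(row: str) -> Optional[RegEvent]:
    m = ROW_RE.match(row.strip())
    if m is None:
        return None
    key_path, redirected = normalise_path(m["path"])
    data = m["data"]
    if data is not None:
        data = data.replace("\\\\", "\\")   # the report doubles backslashes inside quoted data
    return RegEvent(m["op"], key_path, redirected, data, m["process"])


def classify(rows: List[str]) -> List[Tuple[str, RegEvent]]:
    """Return (rule, event) pairs for rows that match a behaviour worth triaging."""
    findings = []
    for row in rows:
        ev = parse_row(row)
        if ev is None:
            continue
        op = ev.op.lower()
        if op.startswith("set value") and AUTORUN_RE.search(ev.key_path):
            if ev.data and USER_WRITABLE_RE.search(ev.data):
                findings.append(("autorun_points_to_user_writable_path", ev))
            else:
                findings.append(("autorun_value_set", ev))
        elif op == "key value queried" and GEO_NATION_RE.search(ev.key_path):
            findings.append(("geo_nation_lookup", ev))
    return findings


if __name__ == "__main__":
    for rule, ev in classify(REPORT_ROWS):
        print(f"{rule:38} {ev.process}  {ev.key_path}  wow64={ev.wow64_redirected}  data={ev.data}")
```

Stripping WOW6432Node before matching matters in practice: a rule written only for `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` misses 32-bit samples on 64-bit hosts, which is exactly the case in this report.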
- Drops file in Windows directory (3 IoCs)
  Processes (description / ioc / process):
  - File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat svchost.exe
  - File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe
  - File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe
  (All three rows belong to Windows services, not to the sample or its dropped executable.)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour, but the report attributes no process or IoC to this signature, and the sample's own signatures here (Sakula payload, Run-key persistence, self-deletion) are not ransomware indicators.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MusNotifyIcon.exe
  - Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MusNotifyIcon.exe
  (Both rows come from MusNotifyIcon.exe, the Windows Update notification component, not from the sample.)
- Modifies data under HKEY_USERS (49 IoCs)
  Processes (description / ioc / process): every row is svchost.exe writing under \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization (S-1-5-20 is NETWORK SERVICE); none is attributed to the sample. Paths below are relative to that key.
  - Set value (int) Usage\DownloadMonthlyGroupBytes = "0"
  - Set value (int) Usage\FrDownloadRatePct = "90"
  - Set value (str) Usage\CPUpct = "0.000000"
  - Set value (int) Usage\DownloadMonthlyLanBytes = "0"
  - Set value (int) Config\KVFileExpirationTime = "132892853354047649"
  - Set value (int) Usage\LANConnectionCount = "0"
  - Set value (int) Usage\InternetConnectionCount = "0"
  - Set value (int) Usage\UplinkUsageBps = "0"
  - Set value (int) Usage\MonthlyUploadRestriction = "0"
  - Set value (str) Usage\CPUpct = "1.132094"
  - Set value (int) Usage\MemoryUsageKB = "4308"
  - Set value (int) Usage\DownloadMonthlyRateBkCnt = "0"
  - Set value (int) Usage\UploadMonthlyLanBytes = "0"
  - Set value (int) Usage\DownloadMonthlyInternetBytes = "0"
  - Set value (int) Usage\DownloadMonthlyRateBkBps = "0"
  - Set value (int) Usage\MonthID = "2"
  - Set value (int) Usage\GroupConnectionCount = "0"
  - Set value (int) Usage\DownlinkBps = "0"
  - Set value (int) Usage\UploadCount = "0"
  - Set value (int) Config\DODownloadMode = "1"
  - Set value (str) Usage\CPUpct = "6.521790"
  - Set value (int) Usage\NormalDownloadCount = "0"
  - Key created Config
  - Key created Settings
  - Set value (int) Config\DownloadMode_BackCompat = "1"
  - Set value (int) Usage\DownlinkUsageBps = "0"
  - Set value (int) Usage\PriorityDownloadPendingCount = "0"
  - Key created (the DeliveryOptimization key itself)
  - Set value (int) Usage\DownloadMonthlyRateFrCnt = "0"
  - Set value (int) Usage\SwarmCount = "1"
  - Set value (int) Usage\LinkLocalConnectionCount = "0"
  - Set value (int) Usage\BkDownloadRatePct = "45"
  - Set value (int) Usage\NormalDownloadPendingCount = "0"
  - Key created Usage
  - Set value (str) Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
  - Set value (int) Usage\PriorityDownloadCount = "0"
  - Set value (int) Usage\MemoryUsageKB = "4124"
  - Set value (int) Usage\DownloadMonthlyCacheHostBytes = "0"
  - Set value (int) Usage\CDNConnectionCount = "0"
  - Set value (int) Usage\DownloadMonthlyLinkLocalBytes = "0"
  - Set value (int) Usage\DownloadMonthlyCdnBytes = "0"
  - Set value (int) Usage\DownloadMonthlyRateFrBps = "0"
  - Set value (str) Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
  - Set value (int) Usage\CacheSizeBytes = "0"
  - Set value (int) Usage\PeerInfoCount = "0"
  - Set value (int) Usage\UplinkBps = "0"
  - Set value (int) Usage\UploadMonthlyInternetBytes = "0"
  - Set value (int) Usage\SwarmCount = "0"
  - Set value (int) Usage\UploadRatePct = "100"
- Runs ping.exe (1 TTPs, 1 IoCs)
  No process row is listed for this signature; the process tree below shows PING.EXE (PID 2748) started by cmd.exe as a delay before the sample deletes itself.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description / pid / process):
  - Token: SeIncBasePriorityPrivilege 3564 188bea33b9aa52315eca9c5dcc3e66c835378528ab6ff23defeeae90d52cc564.exe
  - Token: SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege 2544 TiWorker.exe, cycling through those three tokens for all remaining entries (the Windows servicing stack worker enabling backup/restore privileges; not attributable to the sample)
  Only the first row belongs to the sample.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / process / target process):
  - PID 3564 (188bea33b9aa52315eca9c5dcc3e66c835378528ab6ff23defeeae90d52cc564.exe) wrote to memory of PID 1208 (MediaCenter.exe), 3 entries
  - PID 3564 (188bea33b9aa52315eca9c5dcc3e66c835378528ab6ff23defeeae90d52cc564.exe) wrote to memory of PID 2140 (cmd.exe), 3 entries
  - PID 2140 (cmd.exe) wrote to memory of PID 2748 (PING.EXE), 3 entries
  Each group of three writes corresponds to a child-process launch in the tree below (parent writing into the new child before it runs), not to injection into a pre-existing process.
Processes
- C:\Users\Admin\AppData\Local\Temp\188bea33b9aa52315eca9c5dcc3e66c835378528ab6ff23defeeae90d52cc564.exe (depth 1, PID 3564)
  Command line: "C:\Users\Admin\AppData\Local\Temp\188bea33b9aa52315eca9c5dcc3e66c835378528ab6ff23defeeae90d52cc564.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2, PID 1208)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2140)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\188bea33b9aa52315eca9c5dcc3e66c835378528ab6ff23defeeae90d52cc564.exe"
    (The command line names System32 but the image is SysWOW64: file-system redirection for the 32-bit parent, matching the WOW6432Node Run key. The ping delays the del until the parent has exited, so the sample removes its own dropper and leaves MediaCenter.exe and the Run key behind.)
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3, PID 2748)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\MusNotifyIcon.exe (depth 1, PID 220)
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
- C:\Windows\System32\svchost.exe (depth 1, PID 3476)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (depth 1, PID 2544)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
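The cmd.exe branch of the tree above is the self-deletion pattern worth detecting on its own: a child cmd.exe whose `del` target is the image path of its own parent, with a `ping 127.0.0.1` stall in front so the parent has exited and its file is no longer locked. The following is an added example, not code from the sandbox or the report: it rebuilds the parent/child relationships from process-creation records, walks each cmd.exe's ancestry to check whether the deleted file is an ancestor's image, notes whether a delay idiom is present, and lists the victim's other children started from user-writable paths (here, the dropped MediaCenter.exe that survives the cleanup). The records are constructed from the tree above; the parent PIDs are derived from the tree's depth markers because the report prints depth rather than parent PID, and the delay idioms and user-writable directory list are the author's choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]   # None for roots; the sandbox does not record their parent
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\188bea33b9aa52315eca9c5dcc3e66c835378528ab6ff23defeeae90d52cc564.exe"

# Constructed process-creation records re-typed from the tree above (Sysmon
# event 1 / EDR style). Images, PIDs and command lines are the report's; the
# ppid column is inferred from the depth markers.
EVENTS = [
    Proc(3564, None, SAMPLE, '"' + SAMPLE + '"'),
    Proc(1208, 3564, r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
         r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"),
    Proc(2140, 3564, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'),
    Proc(2748, 2140, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    Proc(3476, None, r"C:\Windows\System32\svchost.exe",
         r"C:\Windows\System32\svchost.exe -k NetworkService -p"),
]

# "del [/switches] <target>" up to the next "&", "|" or end of the command line.
DEL_RE = re.compile(r'\bdel\s+(?:/[a-z]+\s+)*"?(?P<target>[^"&]+?)"?\s*(?:&|\||$)', re.IGNORECASE)
# Stall idioms placed before the del so the parent has exited (author's list).
DELAY_RE = re.compile(
    r"\b(?:ping\b[^&|]*\b(?:127\.0\.0\.1|localhost)\b|timeout\s+/t\s+\d+|choice\s+/t\s+\d+)",
    re.IGNORECASE,
)
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\(?:Local|Roaming)|Users\\Public|ProgramData|Windows\\Temp)\\", re.IGNORECASE
)


@dataclass
class SelfDeletion:
    cmd_pid: int
    victim_pid: int
    victim_image: str
    delayed: bool                   # a ping/timeout stall precedes the del
    surviving_children: List[int]   # other children of the victim from user-writable paths


def find_self_deletion(events: List[Proc]) -> List[SelfDeletion]:
    by_pid: Dict[int, Proc] = {p.pid: p for p in events}
    children: Dict[int, List[Proc]] = {}
    for p in events:
        if p.ppid is not None:
            children.setdefault(p.ppid, []).append(p)

    findings: List[SelfDeletion] = []
    for p in events:
        if not p.image.lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(p.cmdline)
        if m is None:
            continue
        target = m["target"].strip().lower()
        # Walk up the ancestry: the deleted file must be an ancestor's image,
        # which is what separates self-deletion from ordinary file cleanup.
        victim = None
        anc = by_pid.get(p.ppid) if p.ppid is not None else None
        while anc is not None:
            if anc.image.lower() == target:
                victim = anc
                break
            anc = by_pid.get(anc.ppid) if anc.ppid is not None else None
        if victim is None:
            continue
        survivors = [c.pid for c in children.get(victim.pid, [])
                     if c.pid != p.pid and USER_WRITABLE_RE.search(c.image)]
        findings.append(SelfDeletion(p.pid, victim.pid, victim.image,
                                     DELAY_RE.search(p.cmdline) is not None, survivors))
    return findings


if __name__ == "__main__":
    for f in find_self_deletion(EVENTS):
        print(f"cmd.exe {f.cmd_pid} deletes the image of its ancestor {f.victim_pid} "
              f"({f.victim_image}); delayed={f.delayed}; surviving dropped children={f.surviving_children}")
```

The ancestry walk rather than a plain parent check is deliberate: droppers often put one more cmd.exe or a batch file between themselves and the `del`, and the deleted image is still an ancestor in that case. The surviving-children list is what to collect next, since the file named in the `del` will already be gone by the time a responder looks.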
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 2319c104d738913a2ee30e4560ed3ca4
  SHA1: 13fade5945c34035c42fe1567dab731fc3b74f50
  SHA256: ca525a713e6293750f84203d960cd1c2659e6f151dda67f7b13841f0908141b4
  SHA512: ecc33acd41b291028336fff2bd8f8aead6031102b492e039c94668a98b0e664d34b1c0abea9d0ac6d042fa419113a0de552f78cd41b3b86f749e081c2638f31b
- MD5: 2319c104d738913a2ee30e4560ed3ca4
  SHA1: 13fade5945c34035c42fe1567dab731fc3b74f50
  SHA256: ca525a713e6293750f84203d960cd1c2659e6f151dda67f7b13841f0908141b4
  SHA512: ecc33acd41b291028336fff2bd8f8aead6031102b492e039c94668a98b0e664d34b1c0abea9d0ac6d042fa419113a0de552f78cd41b3b86f749e081c2638f31b