Analysis
- max time kernel: 156s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 03:05

Static task: static1

Behavioral task: behavioral1
- Sample: 1898a0fb93b22dc2f9fbac5178283fe47e828189359f8247691b29f2aae1bc94.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 1898a0fb93b22dc2f9fbac5178283fe47e828189359f8247691b29f2aae1bc94.exe
- Resource: win10v2004-en-20220112
General
- Target: 1898a0fb93b22dc2f9fbac5178283fe47e828189359f8247691b29f2aae1bc94.exe
- Size: 100KB
- MD5: d3b4a936517625d7bcfbf83c8c23c369
- SHA1: ecd4bb20c9de0f49f9ff0f97395183b8507c0781
- SHA256: 1898a0fb93b22dc2f9fbac5178283fe47e828189359f8247691b29f2aae1bc94
- SHA512: e6bcef338928f6dfc2d07fc05ad415ae8118ca7ee1011232b8a33513b5b8dc7ed067555787e67b8b6dbe04527a4d67af1e045f0e9b3137b94f17c56dbf61e146
Malware Config
Signatures
Sakula Payload 2 IoCs
Processes:
- resource C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe matched yara rule family_sakula
- resource C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe matched yara rule family_sakula
Executes dropped EXE 1 IoCs
Processes:
- pid 3760 MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation (process: 1898a0fb93b22dc2f9fbac5178283fe47e828189359f8247691b29f2aae1bc94.exe)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (process: 1898a0fb93b22dc2f9fbac5178283fe47e828189359f8247691b29f2aae1bc94.exe)
Drops file in Windows directory 3 IoCs
Processes:
- File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat (process: svchost.exe)
- File opened for modification: C:\Windows\Logs\CBS\CBS.log (process: TiWorker.exe)
- File opened for modification: C:\Windows\WinSxS\pending.xml (process: TiWorker.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: MusNotifyIcon.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: MusNotifyIcon.exe)
Modifies data under HKEY_USERS 49 IoCs
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 34 IoCs
Processes:
- Token: SeIncBasePriorityPrivilege (pid 1492, 1898a0fb93b22dc2f9fbac5178283fe47e828189359f8247691b29f2aae1bc94.exe)
- Token: SeSecurityPrivilege (pid 2260, TiWorker.exe)
- Token: SeRestorePrivilege (pid 2260, TiWorker.exe)
- Token: SeBackupPrivilege (pid 2260, TiWorker.exe)
- Token: SeBackupPrivilege (pid 2260, TiWorker.exe)
- Token: SeRestorePrivilege (pid 2260, TiWorker.exe)
- Token: SeSecurityPrivilege (pid 2260, TiWorker.exe)
- Token: SeBackupPrivilege (pid 2260, TiWorker.exe)
- Token: SeRestorePrivilege (pid 2260, TiWorker.exe)
- Token: SeSecurityPrivilege (pid 2260, TiWorker.exe)
- Token: SeBackupPrivilege (pid 2260, TiWorker.exe)
- Token: SeRestorePrivilege (pid 2260, TiWorker.exe)
- Token: SeSecurityPrivilege (pid 2260, TiWorker.exe)
- Token: SeBackupPrivilege (pid 2260, TiWorker.exe)
- Token: SeRestorePrivilege (pid 2260, TiWorker.exe)
- Token: SeSecurityPrivilege (pid 2260, TiWorker.exe)
- Token: SeBackupPrivilege (pid 2260, TiWorker.exe)
- Token: SeRestorePrivilege (pid 2260, TiWorker.exe)
- Token: SeSecurityPrivilege (pid 2260, TiWorker.exe)
- Token: SeBackupPrivilege (pid 2260, TiWorker.exe)
- Token: SeRestorePrivilege (pid 2260, TiWorker.exe)
- Token: SeSecurityPrivilege (pid 2260, TiWorker.exe)
- Token: SeBackupPrivilege (pid 2260, TiWorker.exe)
- Token: SeRestorePrivilege (pid 2260, TiWorker.exe)
- Token: SeSecurityPrivilege (pid 2260, TiWorker.exe)
- Token: SeBackupPrivilege (pid 2260, TiWorker.exe)
- Token: SeRestorePrivilege (pid 2260, TiWorker.exe)
- Token: SeSecurityPrivilege (pid 2260, TiWorker.exe)
- Token: SeBackupPrivilege (pid 2260, TiWorker.exe)
- Token: SeRestorePrivilege (pid 2260, TiWorker.exe)
- Token: SeSecurityPrivilege (pid 2260, TiWorker.exe)
- Token: SeBackupPrivilege (pid 2260, TiWorker.exe)
- Token: SeRestorePrivilege (pid 2260, TiWorker.exe)
- Token: SeSecurityPrivilege (pid 2260, TiWorker.exe)
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
- PID 1492 wrote to memory of 3760: 1898a0fb93b22dc2f9fbac5178283fe47e828189359f8247691b29f2aae1bc94.exe -> MediaCenter.exe
- PID 1492 wrote to memory of 3760: 1898a0fb93b22dc2f9fbac5178283fe47e828189359f8247691b29f2aae1bc94.exe -> MediaCenter.exe
- PID 1492 wrote to memory of 3760: 1898a0fb93b22dc2f9fbac5178283fe47e828189359f8247691b29f2aae1bc94.exe -> MediaCenter.exe
- PID 1492 wrote to memory of 2436: 1898a0fb93b22dc2f9fbac5178283fe47e828189359f8247691b29f2aae1bc94.exe -> cmd.exe
- PID 1492 wrote to memory of 2436: 1898a0fb93b22dc2f9fbac5178283fe47e828189359f8247691b29f2aae1bc94.exe -> cmd.exe
- PID 1492 wrote to memory of 2436: 1898a0fb93b22dc2f9fbac5178283fe47e828189359f8247691b29f2aae1bc94.exe -> cmd.exe
- PID 2436 wrote to memory of 812: cmd.exe -> PING.EXE
- PID 2436 wrote to memory of 812: cmd.exe -> PING.EXE
- PID 2436 wrote to memory of 812: cmd.exe -> PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1898a0fb93b22dc2f9fbac5178283fe47e828189359f8247691b29f2aae1bc94.exe (PID 1492)
  command line: "C:\Users\Admin\AppData\Local\Temp\1898a0fb93b22dc2f9fbac5178283fe47e828189359f8247691b29f2aae1bc94.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 3760)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 2436)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1898a0fb93b22dc2f9fbac5178283fe47e828189359f8247691b29f2aae1bc94.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 812)
      command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\MusNotifyIcon.exe (PID 3652)
  command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
- C:\Windows\System32\svchost.exe (PID 1480)
  command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 2260)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 9e2e01e8aa68e5bd69a0bbb06072986a
- SHA1: 9c86bd47409aca5b3c0378983860d7b7d6b89a9a
- SHA256: 6871f587b5c390aebf102f2578dd09a14ad69a71a50578aa13d915ed6c21eacf
- SHA512: f3d81f3059988236472dce98fabe0d9834d1f2aa87993c1859d72b1631b96c8c548b7f87298e9294f33be60fa3331ac993f9d2b8caa281b46ac5943736f27f14