Analysis

max time kernel: 160s
max time network: 175s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 03:11

Static task: static1
Behavioral task: behavioral1
  Sample: 1862e75045542d1cb9015a957eebf2c7f12fd52a03a23735ee503bb4d1b162b7.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1862e75045542d1cb9015a957eebf2c7f12fd52a03a23735ee503bb4d1b162b7.exe
  Resource: win10v2004-en-20220112

General

Target: 1862e75045542d1cb9015a957eebf2c7f12fd52a03a23735ee503bb4d1b162b7.exe
Size: 100KB
MD5: 15c2cb57974285a8f458266771069ee7
SHA1: ebf0037b0b1e3aaac4ec945d7606ee938250d964
SHA256: 1862e75045542d1cb9015a957eebf2c7f12fd52a03a23735ee503bb4d1b162b7
SHA512: e377ebd17a3b688119f8bcc79804e2d74d3d6dc3b14de41a6101a1fed7a092fc38003de457088da10bb5b7720efaa7a2348be1f9e5cb9fce17488511e5ee13dd
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

Executes dropped EXE (1 IoCs)
Processes (pid | process):
  688 | MediaCenter.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 1862e75045542d1cb9015a957eebf2c7f12fd52a03a23735ee503bb4d1b162b7.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1862e75045542d1cb9015a957eebf2c7f12fd52a03a23735ee503bb4d1b162b7.exe
The WOW6432Node path is the registry-redirected view a 32-bit process gets of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run on an x64 guest; the value makes the dropped MediaCenter.exe start from the user's Temp directory at every logon.
Drops file in Windows directory (2 IoCs)
Processes (description | ioc | process):
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
Both writes come from TiWorker.exe (the Windows Modules Installer worker), a servicing component that is not in the sample's process tree.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
No IoCs are recorded for this signature in the report.

Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
All four reads are attributed to MusNotifyIcon.exe (the Windows Update notification tray component), not to the sample.

Modifies data under HKEY_USERS (19 IoCs)
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | svchost.exe
All 19 writes are Delivery Optimization bookkeeping under the NETWORK SERVICE hive (S-1-5-20) by svchost.exe, unrelated to the sample.

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of AdjustPrivilegeToken (22 IoCs)
Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 2312 | 1862e75045542d1cb9015a957eebf2c7f12fd52a03a23735ee503bb4d1b162b7.exe
  Token: SeSecurityPrivilege | 3820 | TiWorker.exe
  Token: SeRestorePrivilege | 3820 | TiWorker.exe
  Token: SeBackupPrivilege | 3820 | TiWorker.exe
  Token: SeBackupPrivilege | 3820 | TiWorker.exe
  Token: SeRestorePrivilege | 3820 | TiWorker.exe
  Token: SeSecurityPrivilege | 3820 | TiWorker.exe
  Token: SeBackupPrivilege | 3820 | TiWorker.exe
  Token: SeRestorePrivilege | 3820 | TiWorker.exe
  Token: SeSecurityPrivilege | 3820 | TiWorker.exe
  Token: SeBackupPrivilege | 3820 | TiWorker.exe
  Token: SeRestorePrivilege | 3820 | TiWorker.exe
  Token: SeSecurityPrivilege | 3820 | TiWorker.exe
  Token: SeBackupPrivilege | 3820 | TiWorker.exe
  Token: SeRestorePrivilege | 3820 | TiWorker.exe
  Token: SeSecurityPrivilege | 3820 | TiWorker.exe
  Token: SeBackupPrivilege | 3820 | TiWorker.exe
  Token: SeRestorePrivilege | 3820 | TiWorker.exe
  Token: SeSecurityPrivilege | 3820 | TiWorker.exe
  Token: SeBackupPrivilege | 3820 | TiWorker.exe
  Token: SeRestorePrivilege | 3820 | TiWorker.exe
  Token: SeSecurityPrivilege | 3820 | TiWorker.exe
Only the first entry belongs to the sample (SeIncBasePriorityPrivilege in PID 2312); the remaining 21 are TiWorker.exe servicing activity.

Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description | pid | process | target process):
  PID 2312 wrote to memory of 688 | 2312 | 1862e75045542d1cb9015a957eebf2c7f12fd52a03a23735ee503bb4d1b162b7.exe | MediaCenter.exe
  PID 2312 wrote to memory of 688 | 2312 | 1862e75045542d1cb9015a957eebf2c7f12fd52a03a23735ee503bb4d1b162b7.exe | MediaCenter.exe
  PID 2312 wrote to memory of 688 | 2312 | 1862e75045542d1cb9015a957eebf2c7f12fd52a03a23735ee503bb4d1b162b7.exe | MediaCenter.exe
  PID 2312 wrote to memory of 2012 | 2312 | 1862e75045542d1cb9015a957eebf2c7f12fd52a03a23735ee503bb4d1b162b7.exe | cmd.exe
  PID 2312 wrote to memory of 2012 | 2312 | 1862e75045542d1cb9015a957eebf2c7f12fd52a03a23735ee503bb4d1b162b7.exe | cmd.exe
  PID 2312 wrote to memory of 2012 | 2312 | 1862e75045542d1cb9015a957eebf2c7f12fd52a03a23735ee503bb4d1b162b7.exe | cmd.exe
  PID 2012 wrote to memory of 32 | 2012 | cmd.exe | PING.EXE
  PID 2012 wrote to memory of 32 | 2012 | cmd.exe | PING.EXE
  PID 2012 wrote to memory of 32 | 2012 | cmd.exe | PING.EXE
Every target here is a child the writing process itself created (see the process tree below), so these writes are consistent with process start-up rather than injection into an unrelated process; the report records no injected code.
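Added example, not part of the sandbox report: a Python check for the persistence technique flagged above. It reads registry-set events in a simplified Sysmon Event ID 13 shape and flags Run/RunOnce values, including the WOW6432Node view a 32-bit process writes, whose executable lives in a user-writable staging directory such as AppData\Local\Temp. The sample events are constructed; the first reproduces the MicroMedia entry from this report, the others are invented for contrast. The staging-directory list and the event field names are assumptions to adapt to your own telemetry.

```python
"""Flag Run/RunOnce registry writes whose target executable lives in a
user-writable staging directory, as with the MicroMedia entry in this report."""
import re
from typing import List, Optional

# Matches the autorun keys under HKLM or a user hive, in both the native
# \REGISTRY\... form the sandbox logs and the HKLM/HKCU form Sysmon uses.
# WOW6432Node is the view a 32-bit process gets of HKLM\SOFTWARE on x64.
AUTORUN_RE = re.compile(
    r"(?:\\REGISTRY\\MACHINE|\\REGISTRY\\USER\\[^\\]+|HKLM|HKEY_LOCAL_MACHINE"
    r"|HKCU|HKEY_CURRENT_USER|HKU\\[^\\]+)"
    r"\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion"
    r"\\(?P<key>Run|RunOnce)\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)

# Directories a legitimate installer rarely points an autorun entry at.
# Assumption: tune this list for your estate; %ProgramData% is deliberately
# left out because several legitimate agents live there.
STAGING_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "\\users\\public\\",
    "%temp%\\",
    "%tmp%\\",
)


def image_path(value_data: str) -> str:
    """Extract the executable path from autorun value data.

    Handles '"C:\\dir with spaces\\x.exe" /arg', 'C:\\x.exe /arg' and a bare path.
    """
    data = value_data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(\S+?\.(?:exe|dll|scr|bat|cmd|vbs|js))(?=\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else data.split(" ", 1)[0]


def in_staging_dir(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in STAGING_DIRS)


def check_autorun(event: dict) -> Optional[dict]:
    """One registry-set event -> finding dict, or None when benign or irrelevant."""
    m = AUTORUN_RE.search(event["target_object"])
    if not m:
        return None
    exe = image_path(event["details"])
    if not in_staging_dir(exe):
        return None
    return {
        "process": event["process"],
        "key": m.group("key"),
        "value_name": m.group("value"),
        "image": exe,
    }


def scan(events: List[dict]) -> List[dict]:
    return [f for f in (check_autorun(e) for e in events) if f is not None]


# Constructed registry-set events (Sysmon Event ID 13 shape, simplified).
# The first one reproduces the entry from this report; the rest are made up.
SAMPLE_EVENTS = [
    {
        "process": "1862e75045542d1cb9015a957eebf2c7f12fd52a03a23735ee503bb4d1b162b7.exe",
        "target_object": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
        "details": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
    },
    {   # benign: OneDrive autorun in its normal install location
        "process": "OneDriveSetup.exe",
        "target_object": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
        "details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    },
    {   # not an autorun key (Delivery Optimization bookkeeping from this report)
        "process": "svchost.exe",
        "target_object": r"\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode",
        "details": "1",
    },
    {   # constructed: quoted %TEMP% path with arguments under RunOnce
        "process": "updater.exe",
        "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Updater",
        "details": r'"%TEMP%\update\svc.exe" -k',
    },
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['process']} -> {f['key']}\\{f['value_name']} = {f['image']}")
```

Running the script reports the MicroMedia entry and the constructed RunOnce entry; the OneDrive value is accepted because its target sits in a normal install location, which is the distinction that keeps this check quiet on ordinary workstations.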
Processes

C:\Users\Admin\AppData\Local\Temp\1862e75045542d1cb9015a957eebf2c7f12fd52a03a23735ee503bb4d1b162b7.exe (PID 2312)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1862e75045542d1cb9015a957eebf2c7f12fd52a03a23735ee503bb4d1b162b7.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 688, child of 2312)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe (PID 2012, child of 2312)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1862e75045542d1cb9015a957eebf2c7f12fd52a03a23735ee503bb4d1b162b7.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE (PID 32, child of 2012)
      Command line: ping 127.0.0.1
      - Runs ping.exe

The cmd.exe child is the sample's cleanup step: ping 127.0.0.1 (four echo requests, about three seconds) gives the parent time to exit, then del /q removes the original executable from Temp, leaving only the dropped MediaCenter.exe and its Run key on disk. The System32 path in the command line resolving to SysWOW64 on disk is file-system redirection for a 32-bit process on the x64 guest.

The remaining top-level processes are Windows background activity recorded during the run, not descendants of the sample:

C:\Windows\system32\MusNotifyIcon.exe (PID 3436)
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry

C:\Windows\System32\svchost.exe (PID 3456)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Modifies data under HKEY_USERS

C:\Windows\system32\MusNotifyIcon.exe (PID 944)
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 3820)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
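Added example, not part of the sandbox report: Python detection logic for the self-deletion chain in the process tree above (cmd.exe /c ping 127.0.0.1 & del /q <own path>). It correlates each cmd.exe process-creation event with its parent and fires only when the file being deleted is the parent's own image, so an installer removing a temp file does not trigger it. The command-line pattern is generalised beyond the report's ping to the timeout, choice and sleep delays used for the same purpose, and to del/erase. The events are constructed in a simplified Sysmon Event ID 1 shape mirroring the report's PIDs and paths; the sample's own parent PID and the benign rows are invented.

```python
"""Detect the ping-then-del self-deletion chain seen in this report's process
tree by correlating a cmd.exe child's command line with its parent's image."""
import re
from typing import Dict, List

# cmd /c <delay primitive> ... & del [/switches] <target>
# Generalised beyond the report's `ping 127.0.0.1 & del /q "..."` to the
# other delay primitives commonly used for the same purpose.
DELAY_DELETE_RE = re.compile(
    r"\b(?:ping|timeout|choice|sleep)\b[^&|]*[&|]+\s*"
    r"(?:del|erase)\b(?:\s+/[a-z])*\s+(?P<target>.+?)\s*$",
    re.IGNORECASE,
)


def delete_target(command_line: str) -> str:
    """Return the file a delayed-delete command line removes, or '' if none."""
    m = DELAY_DELETE_RE.search(command_line)
    return m.group("target").strip().strip('"') if m else ""


def find_self_deletion(events: List[dict]) -> List[dict]:
    """Process-creation events -> findings where a cmd.exe child deletes its parent's image."""
    by_pid: Dict[int, dict] = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        target = delete_target(e["command_line"])
        if not target:
            continue
        parent = by_pid.get(e["ppid"])
        # Only a delete aimed at the parent's own binary counts as self-deletion.
        if parent is not None and parent["image"].lower() == target.lower():
            findings.append({
                "deleter_pid": e["pid"],
                "victim_pid": parent["pid"],
                "victim_image": parent["image"],
                "command_line": e["command_line"],
            })
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1862e75045542d1cb9015a957eebf2c7f12fd52a03a23735ee503bb4d1b162b7.exe"

# Constructed process-creation events (Sysmon Event ID 1 shape, simplified)
# mirroring the report's tree. The sample's parent PID (1500) and the rows
# for PIDs 4000-4200 are invented to show the non-firing cases.
SAMPLE_EVENTS = [
    {"pid": 2312, "ppid": 1500, "image": SAMPLE, "command_line": '"' + SAMPLE + '"'},
    {"pid": 688, "ppid": 2312,
     "image": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
     "command_line": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"pid": 2012, "ppid": 2312, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'},
    {"pid": 32, "ppid": 2012, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "command_line": "ping 127.0.0.1"},
    # benign: a script that only pings, no delete
    {"pid": 4100, "ppid": 4000, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /c ping -n 2 127.0.0.1 > nul'},
    # benign: an installer's delayed delete of a temp file that is not its own image
    {"pid": 4000, "ppid": 900, "image": r"C:\Users\Admin\Downloads\setup.exe",
     "command_line": "setup.exe"},
    {"pid": 4200, "ppid": 4000, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c timeout /t 2 & del /f "C:\Users\Admin\AppData\Local\Temp\setup.tmp"'},
]

if __name__ == "__main__":
    for f in find_self_deletion(SAMPLE_EVENTS):
        print(f"PID {f['deleter_pid']} deletes image of PID {f['victim_pid']}: {f['victim_image']}")
```

Against real telemetry, map Sysmon's ProcessId, ParentProcessId, Image and CommandLine onto the pid, ppid, image and command_line keys. The parent lookup is what separates this from a bare command-line regex: the regex alone also matches the installer row, the correlation does not.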
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: f833f3d11ea8efbbf163dca8af1af84e
SHA1: 401ab44461415cf77e9b56d4b7a02de2d6724729
SHA256: 7807fc1bb6b7714b44dc565d5c1b9dc3fbcce3479994b2551febd7da17cde824
SHA512: 66870ad01d1358eb7ee6c2dc7e5f0a3eed30f456ac35c833a5efaa4d875189ccf287a3261dff9ea2aac940532b2f828a7f136b1a9d8ed28ebc44ca92f48b97a4