Analysis
max time kernel: 181s
max time network: 195s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 03:25
Static task: static1
Behavioral task: behavioral1
  Sample: 17b416681edecf9b35c282a9e48deec9584f09c30ccad4f66f2b85489e1e6009.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 17b416681edecf9b35c282a9e48deec9584f09c30ccad4f66f2b85489e1e6009.exe
  Resource: win10v2004-en-20220112
General
Target: 17b416681edecf9b35c282a9e48deec9584f09c30ccad4f66f2b85489e1e6009.exe
Size: 191KB
MD5: 1704673dd1fd7b76e8eb5189b04f884a
SHA1: 6bd43df165665140300823c31d7097eadc24d746
SHA256: 17b416681edecf9b35c282a9e48deec9584f09c30ccad4f66f2b85489e1e6009
SHA512: d96ffbd978ac87ef872b9d85d9ccfec5c2a594a46d94dae1d855e0668142f213cbde35031029f9e76383eafce9b6a0b648f609f1a0d575b758e021cdb5516e44
Malware Config
Signatures

Sakula Payload (2 IoCs)
Processes:
  resource  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
Executes dropped EXE (1 IoC)
Processes:
  pid 3856  MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation  17b416681edecf9b35c282a9e48deec9584f09c30ccad4f66f2b85489e1e6009.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  17b416681edecf9b35c282a9e48deec9584f09c30ccad4f66f2b85489e1e6009.exe
Drops file in Windows directory (3 IoCs)
Processes:
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat  svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log  TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml  TiWorker.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  MusNotifyIcon.exe
  Key opened  \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  MusNotifyIcon.exe
Modifies data under HKEY_USERS (56 IoCs, svchost.exe)
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (unique entries):
  Token: SeSecurityPrivilege  pid 808  TiWorker.exe
  Token: SeRestorePrivilege  pid 808  TiWorker.exe
  Token: SeBackupPrivilege  pid 808  TiWorker.exe
  Token: SeIncBasePriorityPrivilege  pid 2064  17b416681edecf9b35c282a9e48deec9584f09c30ccad4f66f2b85489e1e6009.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (unique entries):
  PID 2064 wrote to memory of 3856  17b416681edecf9b35c282a9e48deec9584f09c30ccad4f66f2b85489e1e6009.exe -> MediaCenter.exe
  PID 2064 wrote to memory of 4048  17b416681edecf9b35c282a9e48deec9584f09c30ccad4f66f2b85489e1e6009.exe -> cmd.exe
  PID 4048 wrote to memory of 3080  cmd.exe -> PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\17b416681edecf9b35c282a9e48deec9584f09c30ccad4f66f2b85489e1e6009.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\17b416681edecf9b35c282a9e48deec9584f09c30ccad4f66f2b85489e1e6009.exe"
  PID: 2064
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 3856
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\17b416681edecf9b35c282a9e48deec9584f09c30ccad4f66f2b85489e1e6009.exe"
    PID: 4048
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 3080
      - Runs ping.exe

C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  PID: 1972
  - Checks processor information in registry

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  PID: 3548
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 808
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: bc5be966414217e0f9ddcebcfa99b4d7
SHA1: 9a5374fb29fe492faf00441adcd5aac99f30f811
SHA256: 50a40673d74e7c02daf97170410171f1e985be2bc30fcdfe74bdf3508c95108f
SHA512: 3a75f241233a491b1768f3c8068a1bcd3389f45aedc190151164f83ebca837cd5c7d924bf2da2b301e2da0b25ec2187524a229f6eb04f2d3f65dc3d6a409a990