Analysis
max time kernel: 166s
max time network: 179s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 03:26
Static task: static1
Behavioral task: behavioral1
  Sample: 17a09281cd4b347ab6d5fd64bcc7c253059f9fb1138d275fdfa16667ce9e9d35.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 17a09281cd4b347ab6d5fd64bcc7c253059f9fb1138d275fdfa16667ce9e9d35.exe
  Resource: win10v2004-en-20220112
The header above and every signature row on this page come from behavioral2 (Windows 10 2004 x64): the memory dump in the Sakula match is named behavioral2/..., and its PID 2564 is the sample's PID in the process tree. No behavioral1 (win7) results are shown here.
General
Target: 17a09281cd4b347ab6d5fd64bcc7c253059f9fb1138d275fdfa16667ce9e9d35.exe
Size: 120KB
MD5: a5ca22aeb159c608b06d7e6be94fcb14
SHA1: 386fe022503c9dd4713cf67bf6a64d308cca5106
SHA256: 17a09281cd4b347ab6d5fd64bcc7c253059f9fb1138d275fdfa16667ce9e9d35
SHA512: 3b2c6202cc4d474f2c6f00c993de6c2b1992f23efe539cbb7e3d5fe019efff0a8122f1716fb8369ac78bc2868f3155b1a3c45c5b1eb4e8007662b7fb3e42fdcf
Malware Config
Signatures

Sakula Payload (3 IoCs)
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource: behavioral2/memory/2564-132-0x0000000000400000-0x0000000000420000-memory.dmp  yara_rule: family_sakula
The family_sakula rule fires on the dropped MediaCenter.exe on disk (listed twice) and on a 0x20000-byte region starting at 0x400000, the default 32-bit PE image base, inside PID 2564, which is the submitted sample itself. The Sakula code is therefore present in the dropper's own image as well as in the payload it writes; the dropper is not just a loader for unrelated code.
Executes dropped EXE (1 IoC)
  pid 2660  process MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation  17a09281cd4b347ab6d5fd64bcc7c253059f9fb1138d275fdfa16667ce9e9d35.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  17a09281cd4b347ab6d5fd64bcc7c253059f9fb1138d275fdfa16667ce9e9d35.exe
The WOW6432Node path means a 32-bit process wrote the machine-wide Run key through the registry redirector (consistent with the SysWOW64 cmd.exe and PING.EXE it spawns below). The persisted binary sits in the user's Temp directory; a Run value whose target lives under AppData\Local\Temp is the hunting signal here, independent of the MicroMedia name.
Drops file in Windows directory (3 IoCs)
  File opened for modification  C:\Windows\Logs\CBS\CBS.log  TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml  TiWorker.exe
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat  svchost.exe
All three writes are by TiWorker.exe (PID 3140) and svchost.exe -k NetworkService (PID 3028), which appear as separate root processes in the tree below with no parent link to the sample. This is Windows servicing and Delivery Optimization activity, not the malware's.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
No IoC row is attributed to this signature on this page, and the "ransomware" wording is the signature's generic template text. The only family match in this report is Sakula, a backdoor, so treat the ransomware reading as unsupported by the evidence shown.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened  \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  MusNotifyIcon.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  MusNotifyIcon.exe
Both reads are by MusNotifyIcon.exe (PID 2116), the Windows Update notification helper, which is a root process unrelated to the sample's tree. No sandbox-evasion check is attributed to the sample on this page.
Modifies data under HKEY_USERS (49 IoCs)
All 49 entries are by svchost.exe (PID 3028, -k NetworkService) and sit under \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization; S-1-5-20 is the NETWORK SERVICE account. These are Delivery Optimization's own usage counters and config values, none attributed to the sample. Paths below are relative to that key:
  Set value (int)  Usage\DownloadMonthlyCdnBytes = "0"
  Set value (int)  Usage\CacheSizeBytes = "0"
  Set value (int)  Usage\UploadRatePct = "100"
  Set value (int)  Usage\NormalDownloadCount = "0"
  Key created  Settings
  Set value (int)  Usage\DownloadMonthlyLinkLocalBytes = "0"
  Set value (str)  Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
  Set value (int)  Usage\NormalDownloadPendingCount = "0"
  Set value (int)  Usage\MemoryUsageKB = "4172"
  Set value (int)  Config\DownloadMode_BackCompat = "1"
  Set value (int)  Usage\DownloadMonthlyInternetBytes = "0"
  Set value (int)  Usage\SwarmCount = "1"
  Set value (int)  Usage\LinkLocalConnectionCount = "0"
  Set value (str)  Usage\CPUpct = "0.311916"
  Set value (str)  Usage\CPUpct = "12.500780"
  Set value (int)  Usage\DownloadMonthlyRateBkCnt = "0"
  Set value (int)  Usage\MonthID = "2"
  Set value (int)  Usage\DownlinkBps = "0"
  Set value (int)  Usage\MemoryUsageKB = "4112"
  Set value (int)  Usage\DownloadMonthlyRateFrCnt = "0"
  Set value (int)  Usage\InternetConnectionCount = "0"
  Set value (int)  Usage\DownloadMonthlyRateFrBps = "0"
  Set value (int)  Usage\DownloadMonthlyRateBkBps = "0"
  Set value (int)  Usage\CDNConnectionCount = "0"
  Set value (int)  Usage\GroupConnectionCount = "0"
  Set value (int)  Usage\UploadMonthlyInternetBytes = "0"
  Set value (int)  Usage\DownloadMonthlyGroupBytes = "0"
  Set value (int)  Usage\DownloadMonthlyCacheHostBytes = "0"
  Set value (int)  Config\KVFileExpirationTime = "132892864963863663"
  Set value (int)  Usage\PeerInfoCount = "0"
  Set value (int)  Usage\FrDownloadRatePct = "90"
  Set value (int)  Usage\BkDownloadRatePct = "45"
  Set value (int)  Usage\PriorityDownloadCount = "0"
  Set value (int)  Config\DODownloadMode = "1"
  Set value (int)  Usage\DownloadMonthlyLanBytes = "0"
  Set value (int)  Usage\SwarmCount = "0"
  Set value (str)  Usage\CPUpct = "0.068097"
  Set value (int)  Usage\UploadMonthlyLanBytes = "0"
  Set value (str)  Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
  Set value (int)  Usage\DownlinkUsageBps = "0"
  Set value (int)  Usage\UplinkBps = "0"
  Set value (int)  Usage\MonthlyUploadRestriction = "0"
  Set value (int)  Usage\PriorityDownloadPendingCount = "0"
  Key created  (DeliveryOptimization root key)
  Key created  Config
  Set value (int)  Usage\UplinkUsageBps = "0"
  Set value (int)  Usage\UploadCount = "0"
  Key created  Usage
  Set value (int)  Usage\LANConnectionCount = "0"
Runs ping.exe (1 TTP, 1 IoC)
  PING.EXE (PID 3552), command line "ping 127.0.0.1", spawned by cmd.exe (PID 3636). The sample uses the loopback ping as a short delay before cmd.exe deletes the original sample file (see the process tree below).
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  TiWorker.exe (PID 3140): 64 token adjustments, cycling through SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege
These are the privileges the Windows Modules Installer worker enables for servicing operations; every entry belongs to TiWorker.exe and none is attributed to the sample.
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2564 (17a09281cd4b347ab6d5fd64bcc7c253059f9fb1138d275fdfa16667ce9e9d35.exe) wrote to memory of PID 2660 (MediaCenter.exe)  x3
  PID 2564 (17a09281cd4b347ab6d5fd64bcc7c253059f9fb1138d275fdfa16667ce9e9d35.exe) wrote to memory of PID 3636 (cmd.exe)  x3
  PID 3636 (cmd.exe) wrote to memory of PID 3552 (PING.EXE)  x3
Every target is a direct child the writer had just created, and each child receives the same number of writes, which is what process-creation setup looks like. The page shows no write into a pre-existing or unrelated process, so this signature is not evidence of injection on its own.
Processes
The sample (PID 2564) drops MediaCenter.exe, starts it, then launches cmd.exe /c ping 127.0.0.1 & del /q "<sample path>" to remove its own file after the ping delay. The cmd.exe command line names System32 but the image that runs is SysWOW64\cmd.exe: WOW64 file-system redirection for a 32-bit parent. MusNotifyIcon.exe, svchost.exe and TiWorker.exe are separate root processes (depth 1) with no link to the sample.

C:\Windows\system32\MusNotifyIcon.exe  (PID 2116, depth 1)
  command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry

C:\Users\Admin\AppData\Local\Temp\17a09281cd4b347ab6d5fd64bcc7c253059f9fb1138d275fdfa16667ce9e9d35.exe  (PID 2564, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\17a09281cd4b347ab6d5fd64bcc7c253059f9fb1138d275fdfa16667ce9e9d35.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 2660, depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe  (PID 3636, depth 2)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\17a09281cd4b347ab6d5fd64bcc7c253059f9fb1138d275fdfa16667ce9e9d35.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE  (PID 3552, depth 3)
      command line: ping 127.0.0.1
      - Runs ping.exe

C:\Windows\System32\svchost.exe  (PID 3028, depth 1)
  command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  (PID 3140, depth 1)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
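The two behaviours this report attributes to the sample, a Run-key value pointing into the user's Temp directory and the ping-then-del self-deletion in the cmd.exe row, as detection logic run over sandbox-style events. This is an added example and not part of the sandbox report or the sample: the registry event lines and process rows are constructed to mirror the report's rendering (doubled backslashes inside the quoted Run value, PID/PPID rows), and the name dropper.exe and the PIDs 1000 and 4100 are made up. It goes slightly beyond the page's single case by also matching RunOnce values and a ping with an explicit -n count, and it separates a process deleting its own parent's image from the same idiom used on some other file.

```python
"""Detection logic for two behaviours seen in sandbox reports of droppers:
(1) a Run-key value that points into a user-writable temp directory, and
(2) the `cmd /c ping 127.0.0.1 & del /q <self>` delayed self-deletion idiom.
The event lines and process records below are constructed to mirror a
report's rendering; dropper.exe and PIDs 1000/4100 are made-up names.
"""
import re
from dataclasses import dataclass

# Constructed registry events in the 'Set value (type) key = "value" process' shape.
REGISTRY_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" dropper.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Program Files\\Windows Defender\\MSASCuiL.exe" explorer.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" svchost.exe',
]


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str     # on-disk image path as the sandbox reports it
    cmdline: str   # command line as executed


# Constructed process rows: a dropper, its payload, the ping-then-del cleanup,
# and one unrelated cmd.exe using the same idiom on a file that is not its parent.
PROCESSES = [
    Proc(2564, 1000, r"C:\Users\Admin\AppData\Local\Temp\dropper.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\dropper.exe"'),
    Proc(2660, 2564, r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
         r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"),
    Proc(3636, 2564, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\dropper.exe"'),
    Proc(3552, 3636, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    Proc(4100, 1000, r"C:\Windows\System32\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c ping 10.0.0.5 -n 3 & del /q "C:\Users\Admin\Downloads\old.log"'),
]

# Run / RunOnce string values under any hive, including the WOW6432Node view used by 32-bit writers.
RUN_VALUE_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\\S*?\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\ ]+)) = "(?P<value>.*)" (?P<proc>\S+)$',
    re.IGNORECASE,
)

# Directories an unprivileged user can write to; a Run value pointing here deserves a look.
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\programdata\\",
    "\\users\\public\\",
)

# cmd.exe /c ping <host> [-n N] & del [/switches] "<path>"
PING_DEL_RE = re.compile(
    r'cmd\.exe"?\s+/c\s+ping\s+(?P<host>[\w.:-]+)(?:\s+-n\s+\d+)?\s*&\s*del\s+(?:/[a-z]\s+)*"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)


def find_suspicious_run_keys(events):
    """Return (value_name, path, writing_process) for Run values that point into user-writable dirs."""
    hits = []
    for line in events:
        m = RUN_VALUE_RE.match(line)
        if not m:
            continue
        path = m.group("value").replace("\\\\", "\\")  # undo the report's backslash doubling
        if any(marker in path.lower() for marker in USER_WRITABLE_MARKERS):
            hits.append((m.group("name"), path, m.group("proc")))
    return hits


def find_ping_delete(procs):
    """Return (pid, ppid, kind, target) for cmd.exe rows that use ping as a sleep before del.

    kind is "self_delete" when the deleted path is the parent's own image (a
    dropper erasing itself), otherwise "delayed_delete".
    """
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        m = PING_DEL_RE.search(p.cmdline)
        if not m:
            continue
        target = m.group("target").strip()
        parent = by_pid.get(p.ppid)
        kind = "self_delete" if parent and parent.image.lower() == target.lower() else "delayed_delete"
        findings.append((p.pid, p.ppid, kind, target))
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_run_keys(REGISTRY_EVENTS):
        print("run-key persistence:", hit)
    for finding in find_ping_delete(PROCESSES):
        print("ping-then-del:", finding)
```

The self-deletion check keys on the parent relationship rather than on the string "127.0.0.1": the report's cmd.exe is a child of the sample and deletes the sample's own image, which is the combination worth alerting on, while a ping-then-del of some other file is only a weaker signal.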
Network
MITRE ATT&CK Enterprise v6
Downloads
The report lists the same file twice with identical hashes; it is shown once here. These hashes differ from the submitted sample's hashes in the General section above.
  MD5: 8fa0871cb47aa2cb9a4deb178e4b2592
  SHA1: ea623449ad9b586885a3edb22ce83db15775c122
  SHA256: a719a4ba1e4fc9bd121168e2160fad27796086336fdd4ab99e9fdf1de125a178
  SHA512: 3e2577b1bc852852febb9f69c1e61fe9bfb58a614324973b39f8f28485b54093e26653bb66560363fed78a09a457a644a3ebb9330a8746018e6eb5c6060fc1e2