Analysis
Max time kernel: 170s
Max time network: 182s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220112
Submitted: 12-02-2022 04:24
Static task: static1
Behavioral task: behavioral1
  Sample: 1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023.exe
  Resource: win10v2004-en-20220112
General
Target: 1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023.exe
Size: 216KB
MD5: 5f70b4b2ec4e7e912361b1953e7ceee3
SHA1: 9b3a5c74058347287b8d282af16309c7480ad317
SHA256: 1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023
SHA512: 4e7f654449c5060a7c08a8a81d2144e41010b6135eb5760470b1e6ec8763ea87d967fff817060ae2b8bcf3dd5fa1dd81c62e1bd0c28718a416e4a887611f14b4
Malware Config
Signatures
Sakula Payload (3 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral2/memory/3816-132-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
Executes dropped EXE (1 IoC)
Processes:
  pid | process
  3176 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023.exe
Drops file in Windows directory (2 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
Modifies data under HKEY_USERS (19 IoCs)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | svchost.exe
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description | pid | process):
1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023.exeTiWorker.exedescription pid process Token: SeIncBasePriorityPrivilege 3816 1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023.exe Token: SeSecurityPrivilege 364 TiWorker.exe Token: SeRestorePrivilege 364 TiWorker.exe Token: SeBackupPrivilege 364 TiWorker.exe Token: SeBackupPrivilege 364 TiWorker.exe Token: SeRestorePrivilege 364 TiWorker.exe Token: SeSecurityPrivilege 364 TiWorker.exe Token: SeBackupPrivilege 364 TiWorker.exe Token: SeRestorePrivilege 364 TiWorker.exe Token: SeSecurityPrivilege 364 TiWorker.exe Token: SeBackupPrivilege 364 TiWorker.exe Token: SeRestorePrivilege 364 TiWorker.exe Token: SeSecurityPrivilege 364 TiWorker.exe Token: SeBackupPrivilege 364 TiWorker.exe Token: SeRestorePrivilege 364 TiWorker.exe Token: SeSecurityPrivilege 364 TiWorker.exe Token: SeBackupPrivilege 364 TiWorker.exe Token: SeRestorePrivilege 364 TiWorker.exe Token: SeSecurityPrivilege 364 TiWorker.exe Token: SeBackupPrivilege 364 TiWorker.exe Token: SeRestorePrivilege 364 TiWorker.exe Token: SeSecurityPrivilege 364 TiWorker.exe Token: SeBackupPrivilege 364 TiWorker.exe Token: SeRestorePrivilege 364 TiWorker.exe Token: SeSecurityPrivilege 364 TiWorker.exe Token: SeBackupPrivilege 364 TiWorker.exe Token: SeRestorePrivilege 364 TiWorker.exe Token: SeSecurityPrivilege 364 TiWorker.exe Token: SeBackupPrivilege 364 TiWorker.exe Token: SeRestorePrivilege 364 TiWorker.exe Token: SeSecurityPrivilege 364 TiWorker.exe Token: SeBackupPrivilege 364 TiWorker.exe Token: SeRestorePrivilege 364 TiWorker.exe Token: SeSecurityPrivilege 364 TiWorker.exe Token: SeBackupPrivilege 364 TiWorker.exe Token: SeRestorePrivilege 364 TiWorker.exe Token: SeSecurityPrivilege 364 TiWorker.exe Token: SeBackupPrivilege 364 TiWorker.exe Token: SeRestorePrivilege 364 TiWorker.exe Token: SeSecurityPrivilege 364 TiWorker.exe Token: SeBackupPrivilege 364 TiWorker.exe Token: SeRestorePrivilege 364 TiWorker.exe Token: 
SeSecurityPrivilege 364 TiWorker.exe Token: SeBackupPrivilege 364 TiWorker.exe Token: SeRestorePrivilege 364 TiWorker.exe Token: SeSecurityPrivilege 364 TiWorker.exe Token: SeBackupPrivilege 364 TiWorker.exe Token: SeRestorePrivilege 364 TiWorker.exe Token: SeSecurityPrivilege 364 TiWorker.exe Token: SeBackupPrivilege 364 TiWorker.exe Token: SeRestorePrivilege 364 TiWorker.exe Token: SeSecurityPrivilege 364 TiWorker.exe Token: SeBackupPrivilege 364 TiWorker.exe Token: SeRestorePrivilege 364 TiWorker.exe Token: SeSecurityPrivilege 364 TiWorker.exe Token: SeBackupPrivilege 364 TiWorker.exe Token: SeRestorePrivilege 364 TiWorker.exe Token: SeSecurityPrivilege 364 TiWorker.exe Token: SeBackupPrivilege 364 TiWorker.exe Token: SeRestorePrivilege 364 TiWorker.exe Token: SeSecurityPrivilege 364 TiWorker.exe Token: SeBackupPrivilege 364 TiWorker.exe Token: SeRestorePrivilege 364 TiWorker.exe Token: SeSecurityPrivilege 364 TiWorker.exe -
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description | pid | process | target process
  PID 3816 wrote to memory of 3176 | 3816 | 1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023.exe | MediaCenter.exe
  PID 3816 wrote to memory of 3176 | 3816 | 1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023.exe | MediaCenter.exe
  PID 3816 wrote to memory of 3176 | 3816 | 1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023.exe | MediaCenter.exe
  PID 3816 wrote to memory of 3780 | 3816 | 1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023.exe | cmd.exe
  PID 3816 wrote to memory of 3780 | 3816 | 1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023.exe | cmd.exe
  PID 3816 wrote to memory of 3780 | 3816 | 1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023.exe | cmd.exe
  PID 3780 wrote to memory of 760 | 3780 | cmd.exe | PING.EXE
  PID 3780 wrote to memory of 760 | 3780 | cmd.exe | PING.EXE
  PID 3780 wrote to memory of 760 | 3780 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3816
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 3176
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023.exe"
      - Suspicious use of WriteProcessMemory
      PID: 3780
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          - Runs ping.exe
          PID: 760
C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
  PID: 1460
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Modifies data under HKEY_USERS
  PID: 2508
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 364
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 34b17791dfe3f6c0a2a6aaeb80f4242c
SHA1: 94ff0844864afcd621cf34758bb8c7e811714e7f
SHA256: 41144e6e6f3fdc2e856a8fbcbce45760129f27ddbc45acb684f22658c9039a2a
SHA512: a641ccc2632e873ae6f770e0e13c7c43e60e6ec6ec3d32f80dc70f2ace8d57de04f3ca07bf1c5dc07857445305461da2d543ac3a36de976505b1b9f8c4dffd0c