Analysis
- max time kernel: 170s
- max time network: 182s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 04:25

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 1553135a2f67d58eb7a2a6f9bc8cd0e5e1fdc7b0a0198b7ff0427da7017fd9d7.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 1553135a2f67d58eb7a2a6f9bc8cd0e5e1fdc7b0a0198b7ff0427da7017fd9d7.exe
  Resource: win10v2004-en-20220112

General
- Target: 1553135a2f67d58eb7a2a6f9bc8cd0e5e1fdc7b0a0198b7ff0427da7017fd9d7.exe
- Size: 192KB
- MD5: 8eb31057468f171b2d790b4d6ae6a0bb
- SHA1: 70dfd26967331a420c323b3c7851b7175b1e4dbc
- SHA256: 1553135a2f67d58eb7a2a6f9bc8cd0e5e1fdc7b0a0198b7ff0427da7017fd9d7
- SHA512: 7650089551c0b7871234d6d4c42a95fc769489869796f0087ec050b9e3fa5c03102dd1bb9b3e6a7f8217214ab64a3e7641a7f9f367ff514a7b2f5ec9d0dae244
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  YARA rule family_sakula matched the dropped file (reported twice):
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
- Executes dropped EXE (1 IoC)
  pid 1764  process MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation
  process: 1553135a2f67d58eb7a2a6f9bc8cd0e5e1fdc7b0a0198b7ff0427da7017fd9d7.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 1553135a2f67d58eb7a2a6f9bc8cd0e5e1fdc7b0a0198b7ff0427da7017fd9d7.exe
- Drops file in Windows directory (3 IoCs)
  All three writes come from Windows components (the Delivery Optimization service host and the Windows Modules Installer worker), not from the sample or its dropped file:
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat  process: svchost.exe
  File opened for modification: C:\Windows\Logs\CBS\CBS.log  process: TiWorker.exe
  File opened for modification: C:\Windows\WinSxS\pending.xml  process: TiWorker.exe
- Enumerates physical storage devices (1 TTP, no IoCs)
  Attempts to interact with connected storage/optical drive(s). The sandbox tags this generically as likely ransomware behaviour; no process or IoC is recorded for it in this report.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read to detect sandbox environments. Here the reads come from MusNotifyIcon.exe (the Windows Update notification icon), not from the sample:
  Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  process: MusNotifyIcon.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  process: MusNotifyIcon.exe
- Modifies data under HKEY_USERS (50 IoCs)
  All entries are by svchost.exe under \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization (S-1-5-20 is the NETWORK SERVICE account; this is Delivery Optimization service housekeeping, not sample activity). Paths below are relative to that key:
  Set value (int)  Config\DODownloadMode = "1"
  Set value (int)  Usage\UplinkBps = "0"
  Set value (str)  Usage\CPUpct = "0.166663"
  Set value (int)  Usage\NormalDownloadCount = "0"
  Key created      Usage
  Set value (int)  Usage\DownloadMonthlyRateFrCnt = "0"
  Set value (int)  Usage\MonthID = "2"
  Set value (int)  Usage\SwarmCount = "1"
  Set value (int)  Usage\PeerInfoCount = "0"
  Set value (int)  Usage\InternetConnectionCount = "0"
  Set value (int)  Usage\MonthlyUploadRestriction = "0"
  Set value (int)  Usage\PriorityDownloadCount = "0"
  Set value (int)  Config\DownloadMode_BackCompat = "1"
  Set value (int)  Usage\DownloadMonthlyLinkLocalBytes = "0"
  Set value (int)  Usage\DownloadMonthlyRateBkCnt = "0"
  Set value (int)  Config\KVFileExpirationTime = "132892900724223468"
  Set value (int)  Usage\GroupConnectionCount = "0"
  Set value (int)  Usage\DownlinkBps = "0"
  Set value (int)  Usage\MemoryUsageKB = "4148"
  Set value (int)  Usage\MemoryUsageKB = "4276"
  Set value (int)  Usage\SwarmCount = "0"
  Set value (int)  Usage\DownloadMonthlyLanBytes = "0"
  Set value (str)  Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
  Set value (int)  Usage\CacheSizeBytes = "0"
  Set value (int)  Usage\CDNConnectionCount = "0"
  Set value (int)  Usage\PriorityDownloadPendingCount = "0"
  Set value (str)  Usage\CPUpct = "1.328922"
  Set value (int)  Usage\UploadCount = "0"
  Set value (int)  Usage\NormalDownloadPendingCount = "0"
  Set value (int)  Usage\DownloadMonthlyInternetBytes = "0"
  Set value (int)  Usage\DownloadMonthlyRateBkBps = "0"
  Set value (str)  Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
  Set value (int)  Usage\UplinkUsageBps = "0"
  Set value (int)  Usage\FrDownloadRatePct = "90"
  Set value (int)  Usage\UploadRatePct = "100"
  Key created      Config
  Set value (int)  Usage\DownloadMonthlyGroupBytes = "0"
  Set value (int)  Usage\LANConnectionCount = "0"
  Set value (int)  Usage\LinkLocalConnectionCount = "0"
  Set value (int)  Usage\DownlinkUsageBps = "0"
  Key created      (DeliveryOptimization root)
  Key created      Settings
  Set value (int)  Usage\UploadMonthlyLanBytes = "0"
  Set value (int)  Usage\DownloadMonthlyCdnBytes = "0"
  Set value (int)  Usage\DownloadMonthlyCacheHostBytes = "0"
  Set value (int)  Usage\DownloadMonthlyRateFrBps = "0"
  Set value (int)  Usage\BkDownloadRatePct = "45"
  Set value (int)  Usage\UploadMonthlyInternetBytes = "0"
  Set value (str)  Usage\CPUpct = "0.000000"
  Set value (int)  Usage\MemoryUsageKB = "4268"
- Runs ping.exe (1 TTP, 1 IoC)
  No detail is listed under this signature; see PING.EXE (PID 3228, `ping 127.0.0.1`) in the process tree below.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeIncBasePriorityPrivilege  pid 2144  process 1553135a2f67d58eb7a2a6f9bc8cd0e5e1fdc7b0a0198b7ff0427da7017fd9d7.exe
  Token: SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege  pid 4064  process TiWorker.exe (the three privileges are enabled in rotation; 63 entries in total)
  Only the single SeIncBasePriorityPrivilege adjustment belongs to the sample; the TiWorker.exe entries are the servicing stack's normal use of backup/restore privileges.
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2144 (1553135a2f67d58eb7a2a6f9bc8cd0e5e1fdc7b0a0198b7ff0427da7017fd9d7.exe) wrote to memory of 1764 (MediaCenter.exe), 3 times
  PID 2144 (1553135a2f67d58eb7a2a6f9bc8cd0e5e1fdc7b0a0198b7ff0427da7017fd9d7.exe) wrote to memory of 4088 (cmd.exe), 3 times
  PID 4088 (cmd.exe) wrote to memory of 3228 (PING.EXE), 3 times
  Every target is a child the writer itself has just spawned (see the process tree), which is the pattern of ordinary process creation rather than injection into an unrelated process.
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\1553135a2f67d58eb7a2a6f9bc8cd0e5e1fdc7b0a0198b7ff0427da7017fd9d7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1553135a2f67d58eb7a2a6f9bc8cd0e5e1fdc7b0a0198b7ff0427da7017fd9d7.exe"
  PID: 2144
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1764
    - Executes dropped EXE
  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1553135a2f67d58eb7a2a6f9bc8cd0e5e1fdc7b0a0198b7ff0427da7017fd9d7.exe"
    PID: 4088
    - Suspicious use of WriteProcessMemory
    Note: this is the common self-deletion idiom; the ping gives the parent time to exit so that del can remove the original dropper after the payload has been copied to MicroMedia\MediaCenter.exe and registered in the Run key.
    Depth 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 3228
      - Runs ping.exe
  Note: the sample is a 32-bit process. Its cmd.exe and PING.EXE children resolve to SysWOW64 although the command line names System32, and its Run key landed under WOW6432Node; both are effects of WOW64 redirection, so hunts for this persistence must include the WOW6432Node Run key.

Depth 1: C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  PID: 2116
  - Checks processor information in registry

Depth 1: C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  PID: 2256
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS

Depth 1: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 4064
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
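Two sample-attributed behaviours in this report are worth turning into hunting logic: a Run key whose target lives in the user's Temp directory, and a cmd.exe child that deletes its parent's binary after a ping delay. The Python below is an added example (not part of the sandbox report or of any vendor tooling) that applies both checks to constructed event records modelled on the report's IoCs. The record field names, the parent PID 1000 for the dropper, and the list of "user-writable" directories are assumptions for the example.

```python
"""Hunt for Run-key persistence into user-writable directories and for
ping-then-del self-deletion, over constructed event records that mirror
the report's IoCs (constructed sample data, not sandbox output)."""
import re
from typing import Optional

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\1553135a2f67d58eb7a2a6f9bc8cd0e5e1fdc7b0a0198b7ff0427da7017fd9d7.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
SAMPLE_NAME = SAMPLE.rsplit("\\", 1)[1]

# Constructed registry "Set value" events (field names are assumptions).
REG_EVENTS = [
    {"proc": SAMPLE_NAME, "pid": 2144,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "data": DROPPED},
    # Delivery Optimization housekeeping by svchost.exe, as in the report: benign noise.
    {"proc": "svchost.exe", "pid": 2256,
     "key": r"\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode",
     "data": "1"},
]

# Constructed process-creation events mirroring the report's process tree (ppid 1000 is assumed).
PROC_EVENTS = [
    {"pid": 2144, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1764, "ppid": 2144, "image": DROPPED, "cmdline": DROPPED},
    {"pid": 4088, "ppid": 2144, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"pid": 3228, "ppid": 4088, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
]

# HKLM/HKCU Run and RunOnce values, with or without the WOW6432Node hive view.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
# Directories a standard user can write to; an autorun pointing here deserves a look.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\(Local|Roaming)|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)
# "del [/switches] <path>", path either quoted or a single token.
DEL_RE = re.compile(r'\bdel\b(?:\s+/\w+)*\s+(?:"([^"]+)"|(\S+))', re.I)
# A delay before the del is what lets the parent exit first.
DELAY_RE = re.compile(r"\b(ping|timeout)\b", re.I)


def find_user_writable_autoruns(reg_events):
    """Return Run-key writes whose target binary sits in a user-writable directory."""
    hits = []
    for ev in reg_events:
        if RUN_KEY_RE.search(ev["key"]) and USER_WRITABLE_RE.search(ev["data"]):
            hits.append({"proc": ev["proc"], "pid": ev["pid"],
                         "name": ev["key"].rsplit("\\", 1)[1], "target": ev["data"]})
    return hits


def parse_self_delete(cmdline: str) -> Optional[str]:
    """Return the path removed by a 'delay, then del' command line, or None."""
    m = DEL_RE.search(cmdline)
    if not m or not DELAY_RE.search(cmdline[: m.start()]):
        return None
    return (m.group(1) or m.group(2)).strip()


def find_self_deletes(proc_events):
    """Flag deletion command lines whose target is the image of the issuing process's parent."""
    by_pid = {ev["pid"]: ev for ev in proc_events}
    hits = []
    for ev in proc_events:
        target = parse_self_delete(ev["cmdline"])
        parent = by_pid.get(ev["ppid"])
        if target and parent and target.lower() == parent["image"].lower():
            hits.append({"cmd_pid": ev["pid"], "parent_pid": parent["pid"], "deleted": target})
    return hits


if __name__ == "__main__":
    for h in find_user_writable_autoruns(REG_EVENTS):
        print(f"[autorun] {h['proc']} ({h['pid']}) set Run\\{h['name']} -> {h['target']}")
    for h in find_self_deletes(PROC_EVENTS):
        print(f"[self-delete] pid {h['cmd_pid']} removes parent {h['parent_pid']}: {h['deleted']}")
```

The autorun check matches the Run key regardless of hive view, so the WOW6432Node placement seen in this report does not slip past it; the self-deletion check requires the delay and a parent/target match, so a plain `del` of an unrelated file does not fire.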
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 9b5b08e7f84c18c57a1c364b150df6c8
  SHA1: 7a16e7d28dbed8c46651ed36e040b11d63642c13
  SHA256: c0f4fff029e04e1452a30bd1f2542101947be496f8566ee3d6a25d838cdf81ed
  SHA512: b37fa9c714dfb8eb35943b9d4aa4d34f70893fa2a07e98299bf14b51e00fd4415b0fd81d33bc72f1d59402c93bc68d145c78f5ecd7962be23afc36986470c835
  (one unique file; the report lists the same hash set twice)