Analysis
max time kernel: 186s
max time network: 196s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 04:26
Static task: static1
Behavioral task: behavioral1
Sample: 154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exe
Resource: win10v2004-en-20220112
The signatures and process tree below belong to behavioral2 (the win10v2004 run, matching the platform and resource listed above); the servicing-stack paths in the process tree carry build 10.0.19041, which is Windows 10 2004.
General
Target: 154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exe
Size: 92KB
MD5: 87c2658bb8060bcc08f026bc42a3e534
SHA1: d07cc63b2ef637071d3270a0bd75fce14479a3c6
SHA256: 154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e
SHA512: 7a0283aa9ac20f893cbd3d09244aac0e180b9345b15b36887f7abe30c8facf8c7335461ee9306d7d79f08e4583a9b45453eb5e1733cc26eefa15632685986d69
Malware Config
Signatures
-
Sakula Payload (2 IoCs)
resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
Both IoCs are the same dropped file, C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, matched by the family_sakula YARA rule and listed twice in the report. This is the payload; the submitted 92KB executable is the dropper that writes it and then removes itself (see the process tree).
Executes dropped EXE (1 IoC)
pid 2704, process MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Process: 154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exe
Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation
This read comes from the sample's own process (PID 424), not from a Windows background component, so unlike several signatures further down it is attributable to the malware. Geo\Nation holds the user's configured country as a GeoID; the report does not show what the sample does with the value, so "geofence" is the sandbox's inference, not an observed branch.
Adds Run key to start application (2 TTPs, 1 IoC)
Process: 154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\...\Run is HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run as seen by a 32-bit process on x64 Windows (registry redirection), so this is machine-wide persistence and needs administrative rights; the sandbox runs the sample as the Admin user. The value name MicroMedia and a Run entry pointing into %LOCALAPPDATA%\Temp\MicroMedia\ are the host-level indicators to hunt for.
Drops file in Windows directory (2 IoCs)
Process: TiWorker.exe
File opened for modification: C:\Windows\Logs\CBS\CBS.log
File opened for modification: C:\Windows\WinSxS\pending.xml
Both writes are by TiWorker.exe (PID 3636), the Windows Modules Installer worker, and are component-based servicing housekeeping. They are not in the sample's process tree and should not be counted as sample behaviour.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox annotates this as likely ransomware behaviour, but that is generic signature text: no IoC is listed for it, and the payload is identified above as Sakula, a backdoor family rather than ransomware. Treat it as a weak indicator.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process: MusNotifyIcon.exe
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Both IoCs come from MusNotifyIcon.exe (PID 3296), the Windows Update notification-icon component launched with "NotifyTrayIcon 0", not from the sample or its children. The sandbox-detection note in the signature text does not apply here.
Modifies data under HKEY_USERS (47 IoCs)
Process: svchost.exe (PID 856, "-k NetworkService -p")
All 47 entries are under \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization. S-1-5-20 is the NETWORK SERVICE account and these are Windows Delivery Optimization statistics written by its own service host; none of them is sample activity.
Key created: DeliveryOptimization; DeliveryOptimization\Config; DeliveryOptimization\Settings; DeliveryOptimization\Usage
Set value (int) under Config: DODownloadMode = 1; DownloadMode_BackCompat = 1
Set value (int) under Usage: DownloadMonthlyCacheHostBytes = 0; DownloadMonthlyRateFrBps = 0; MonthID = 2; PeerInfoCount = 0; NormalDownloadCount = 0; UploadMonthlyLanBytes = 0; UplinkBps = 0; NormalDownloadPendingCount = 0; SwarmCount = 0; DownloadMonthlyRateFrCnt = 0; CacheSizeBytes = 0; BkDownloadRatePct = 45; UploadMonthlyInternetBytes = 0; FrDownloadRatePct = 90; DownloadMonthlyInternetBytes = 0; DownloadMonthlyLanBytes = 0; UplinkUsageBps = 0; MemoryUsageKB = 3868; LANConnectionCount = 0; GroupConnectionCount = 0; DownloadMonthlyGroupBytes = 0; DownloadMonthlyRateBkBps = 0; DownlinkUsageBps = 0; MonthlyUploadRestriction = 0; DownloadMonthlyCdnBytes = 0; DownloadMonthlyRateBkCnt = 0; SwarmCount = 1; LinkLocalConnectionCount = 0; InternetConnectionCount = 0; DownlinkBps = 0; DownloadMonthlyLinkLocalBytes = 0; PriorityDownloadCount = 0; MemoryUsageKB = 4168; UploadCount = 0; PriorityDownloadPendingCount = 0; MemoryUsageKB = 4160; CDNConnectionCount = 0; UploadRatePct = 100
Set value (str) under Usage: CPUpct = 0.151260; CPUpct = 0.000000; CPUpct = 0.413226
Runs ping.exe (1 TTP, 1 IoC)
No IoC row is exported for this signature; the process tree shows it: the sample spawns cmd.exe /c ping 127.0.0.1 & del /q "<own path>", and PING.EXE (PID 1040) is the delay before the delete.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: TiWorker.exe, 154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exe
63 of the 64 entries are TiWorker.exe (PID 3636) repeatedly enabling SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, the privilege set the Windows Modules Installer worker uses while servicing the component store; they are background noise, not sample behaviour.
The single entry attributable to the sample is: Token: SeIncBasePriorityPrivilege, pid 424, process 154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exe. SeIncBasePriorityPrivilege only allows raising a process's scheduling priority; it is not a privilege-escalation primitive.
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exe, cmd.exe
PID 424 wrote to memory of 2704 (154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exe -> MediaCenter.exe), 3 times
PID 424 wrote to memory of 916 (154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exe -> cmd.exe), 3 times
PID 916 wrote to memory of 1040 (cmd.exe -> PING.EXE), 3 times
Each triple lines up with one child launch in the process tree, and every write targets a process the writer itself created. Writes into a freshly created child are part of normal process start-up; nothing here shows injection into a process outside the sample's own tree.
Processes
- C:\Users\Admin\AppData\Local\Temp\154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exe (PID 424)
  command line: "C:\Users\Admin\AppData\Local\Temp\154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 2704)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 916)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1040)
      command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\MusNotifyIcon.exe (PID 3296)
  command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 0
  - Checks processor information in registry
- C:\Windows\System32\svchost.exe (PID 856)
  command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 3636)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Reading the tree: the dropper (PID 424) writes and starts MediaCenter.exe, registers it in the HKLM Run key, then hands off to cmd.exe, which pings localhost once to give the dropper time to exit (a running executable cannot be deleted) and removes the original file. The command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe: WOW64 file-system redirection, which means the dropper is a 32-bit process, consistent with its Run key landing under WOW6432Node. MusNotifyIcon.exe, svchost.exe and TiWorker.exe are top-level system processes unrelated to the sample.
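The process tree and the Run-key IoC above describe three behaviours a detection engineer would want to catch on a host: a dropper that deletes itself through a ping-then-del cmd.exe chain, a dropped executable started from a Temp directory, and a Run value pointing into that directory. The following Python is an added example, not code from the sandbox or from the Sakula sample; it runs those three checks over constructed events. The ProcEvent/RegEvent records are a simplified stand-in for Sysmon process-creation and registry value-set events (an assumption about event shape), the PIDs, paths and command lines are copied from the report's process tree, and the regex and path heuristics are this example's own.

```python
"""Detections for the behaviour in this report, run over constructed events.

ProcEvent/RegEvent are a simplified stand-in for Sysmon process-creation
(EID 1) and registry value-set (EID 13) records. PIDs, image paths and command
lines are copied from the sandbox process tree; the Windows background
processes (svchost, TiWorker, MusNotifyIcon) are left out.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the started process
    cmdline: str


@dataclass(frozen=True)
class RegEvent:
    pid: int
    image: str
    key: str        # full key path including the value name
    data: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
TEMP = "\\appdata\\local\\temp\\"      # user-writable staging directory

# Constructed events modelled on the report's process tree.
PROC_EVENTS = [
    ProcEvent(424, 1, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2704, 424, DROPPED, DROPPED),
    ProcEvent(916, 424, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcEvent(1040, 916, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]
REG_EVENTS = [
    RegEvent(424, SAMPLE,
             r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
             DROPPED),
]

# cmd.exe /c <ping|timeout> ... & del [/switches] "<path>"  (stall, then delete)
SELF_DELETE = re.compile(
    r'/c\s+(?:ping|timeout)\b.*?&\s*del\s+(?:/[a-z]\s+)*"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE)
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def find_self_deletion(events):
    """Return (parent_pid, deleted_path, parent_is_target) for every cmd.exe
    that stalls with ping/timeout and then deletes a file. parent_is_target is
    True when the deleted file is the image of the process that spawned cmd.exe,
    i.e. a dropper removing itself after handing off to its payload."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE.search(e.cmdline)
        if not m:
            continue
        target = m.group("target").strip()
        parent = by_pid.get(e.ppid)
        same = parent is not None and parent.image.lower() == target.lower()
        hits.append((e.ppid, target, same))
    return hits


def find_dropped_exe_exec(events):
    """Return (pid, image) for processes started from a user-writable Temp path
    by a parent that itself runs from Temp (the 'Executes dropped EXE' pattern)."""
    by_pid = {e.pid: e for e in events}
    out = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and TEMP in e.image.lower() and TEMP in parent.image.lower():
            out.append((e.pid, e.image))
    return out


def find_run_key_persistence(reg_events):
    """Return Run/RunOnce values whose data points into Temp. 'wow64' records
    whether the write landed under WOW6432Node, which on x64 Windows means a
    32-bit writer; the key to hunt is still HKLM\\...\\CurrentVersion\\Run."""
    out = []
    for r in reg_events:
        key = r.key.lower()
        if any(k in key for k in RUN_KEYS) and TEMP in r.data.lower():
            out.append({"pid": r.pid, "value": r.key.rsplit("\\", 1)[-1],
                        "target": r.data, "wow64": "\\wow6432node\\" in key})
    return out


def triage(proc_events, reg_events):
    return {"self_deletion": find_self_deletion(proc_events),
            "dropped_exe_executed": find_dropped_exe_exec(proc_events),
            "run_key": find_run_key_persistence(reg_events)}


if __name__ == "__main__":
    for name, hits in triage(PROC_EVENTS, REG_EVENTS).items():
        print(f"{name}: {hits}")
```

On the constructed events the self-deletion check resolves the deleted path to the parent's own image (PID 424), the dropped-EXE check flags MediaCenter.exe (PID 2704), and the Run-key check reports the MicroMedia value with wow64 set. Feeding real Sysmon data in only requires mapping Image/ParentProcessId/CommandLine and TargetObject/Details onto the two record types.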
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 552fc958d8f2b26a791c4efc92d9be3d
SHA1: b7d58bd6ec3d0269b4d8850d6452d4a8d3d7f06f
SHA256: 559f2ad31c4018f32f95c80e5aad12bb325a259c7879426ba1174b02a7760cad
SHA512: 54c507ecfce184251eaad838eb26ab1dbdba7b27b6eab03c6ed96e895dbaf965afe53b5453806129a3269607eaba21b6566c5a4730872aea34d3ffc6963e4f85
The report lists this one hash set twice. It differs from the submitted sample's hashes, so it is a file produced during the run; the export does not pair it with a path, and the only dropped executable the report records is MediaCenter.exe.