Analysis
-
max time kernel
160s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
12-02-2022 03:48
Static task
static1
Behavioral task
behavioral1
Sample
16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.exe
Resource
win10v2004-en-20220112
General
-
Target
16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.exe
-
Size
150KB
-
MD5
174b5a3d3fc62bc9c51aa9676ec22bf8
-
SHA1
ccf17924d38e78374028d7a4584e00cf8da213ba
-
SHA256
16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e
-
SHA512
c78022dac820f7c809c3e3e346281682654b148bec327a58e0cdaa463322ecc1d79b75504676891097563f36e6dabe427575325365c67f45669a88308180496d
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 3804 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation 16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.exe -
Drops file in Windows directory 3 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
MusNotifyIcon.exedescription ioc process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MusNotifyIcon.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MusNotifyIcon.exe -
Modifies data under HKEY_USERS 51 IoCs
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "7.000044" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4124" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132892877839558821" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4052" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.100929" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "6.248810" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4344" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" svchost.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
TiWorker.exedescription pid process Token: SeSecurityPrivilege 376 TiWorker.exe Token: SeRestorePrivilege 376 TiWorker.exe Token: SeBackupPrivilege 376 TiWorker.exe Token: SeBackupPrivilege 376 TiWorker.exe Token: SeRestorePrivilege 376 TiWorker.exe Token: SeSecurityPrivilege 376 TiWorker.exe Token: SeBackupPrivilege 376 TiWorker.exe Token: SeRestorePrivilege 376 TiWorker.exe Token: SeSecurityPrivilege 376 TiWorker.exe Token: SeBackupPrivilege 376 TiWorker.exe Token: SeRestorePrivilege 376 TiWorker.exe Token: SeSecurityPrivilege 376 TiWorker.exe Token: SeBackupPrivilege 376 TiWorker.exe Token: SeRestorePrivilege 376 TiWorker.exe Token: SeSecurityPrivilege 376 TiWorker.exe Token: SeBackupPrivilege 376 TiWorker.exe Token: SeRestorePrivilege 376 TiWorker.exe Token: SeSecurityPrivilege 376 TiWorker.exe Token: SeBackupPrivilege 376 TiWorker.exe Token: SeRestorePrivilege 376 TiWorker.exe Token: SeSecurityPrivilege 376 TiWorker.exe Token: SeBackupPrivilege 376 TiWorker.exe Token: SeRestorePrivilege 376 TiWorker.exe Token: SeSecurityPrivilege 376 TiWorker.exe Token: SeBackupPrivilege 376 TiWorker.exe Token: SeRestorePrivilege 376 TiWorker.exe Token: SeSecurityPrivilege 376 TiWorker.exe Token: SeBackupPrivilege 376 TiWorker.exe Token: SeRestorePrivilege 376 TiWorker.exe Token: SeSecurityPrivilege 376 TiWorker.exe Token: SeBackupPrivilege 376 TiWorker.exe Token: SeRestorePrivilege 376 TiWorker.exe Token: SeSecurityPrivilege 376 TiWorker.exe Token: SeBackupPrivilege 376 TiWorker.exe Token: SeRestorePrivilege 376 TiWorker.exe Token: SeSecurityPrivilege 376 TiWorker.exe Token: SeBackupPrivilege 376 TiWorker.exe Token: SeRestorePrivilege 376 TiWorker.exe Token: SeSecurityPrivilege 376 TiWorker.exe Token: SeBackupPrivilege 376 TiWorker.exe Token: SeRestorePrivilege 376 TiWorker.exe Token: SeSecurityPrivilege 376 TiWorker.exe Token: SeBackupPrivilege 376 TiWorker.exe Token: SeRestorePrivilege 376 TiWorker.exe Token: SeSecurityPrivilege 376 TiWorker.exe Token: SeBackupPrivilege 376 TiWorker.exe Token: SeRestorePrivilege 376 TiWorker.exe Token: SeSecurityPrivilege 376 TiWorker.exe Token: SeBackupPrivilege 376 TiWorker.exe Token: SeRestorePrivilege 376 TiWorker.exe Token: SeSecurityPrivilege 376 TiWorker.exe Token: SeBackupPrivilege 376 TiWorker.exe Token: SeRestorePrivilege 376 TiWorker.exe Token: SeSecurityPrivilege 376 TiWorker.exe Token: SeBackupPrivilege 376 TiWorker.exe Token: SeRestorePrivilege 376 TiWorker.exe Token: SeSecurityPrivilege 376 TiWorker.exe Token: SeBackupPrivilege 376 TiWorker.exe Token: SeRestorePrivilege 376 TiWorker.exe Token: SeSecurityPrivilege 376 TiWorker.exe Token: SeBackupPrivilege 376 TiWorker.exe Token: SeRestorePrivilege 376 TiWorker.exe Token: SeSecurityPrivilege 376 TiWorker.exe Token: SeBackupPrivilege 376 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.execmd.exedescription pid process target process PID 3952 wrote to memory of 3804 3952 16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.exe MediaCenter.exe PID 3952 wrote to memory of 3804 3952 16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.exe MediaCenter.exe PID 3952 wrote to memory of 3804 3952 16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.exe MediaCenter.exe PID 3952 wrote to memory of 3052 3952 16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.exe cmd.exe PID 3952 wrote to memory of 3052 3952 16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.exe cmd.exe PID 3952 wrote to memory of 3052 3952 16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.exe cmd.exe PID 3052 wrote to memory of 4020 3052 cmd.exe PING.EXE PID 3052 wrote to memory of 4020 3052 cmd.exe PING.EXE PID 3052 wrote to memory of 4020 3052 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.exe"C:\Users\Admin\AppData\Local\Temp\16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:3804 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:4020
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
PID:3876
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2060
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:376
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
88ff360795fe7a6120d956e6579d51f8
SHA1d13f7354ccae8b6689460f45116e63fd394a36a5
SHA2560d78c06d0832453f50cff7e7da3dcac1cdb7096bd486a36d5f0d3f229c94636d
SHA512a545accec0576f714f476a5dceba738086083c084655493c612545cc53cbf04a8e579db8d4ff0ea5d222698a98efa986995648720e1c50e5ecaa6aab49bffadb
-
MD5
88ff360795fe7a6120d956e6579d51f8
SHA1d13f7354ccae8b6689460f45116e63fd394a36a5
SHA2560d78c06d0832453f50cff7e7da3dcac1cdb7096bd486a36d5f0d3f229c94636d
SHA512a545accec0576f714f476a5dceba738086083c084655493c612545cc53cbf04a8e579db8d4ff0ea5d222698a98efa986995648720e1c50e5ecaa6aab49bffadb