Analysis
max time kernel: 159s
max time network: 168s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 04:15
Static task: static1
Behavioral task: behavioral1
  Sample: 15af1eef06f2db43bb6f8db940de14ee452aa001dd7f5bd805e16e3496723036.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 15af1eef06f2db43bb6f8db940de14ee452aa001dd7f5bd805e16e3496723036.exe
  Resource: win10v2004-en-20220112
The platform and resource listed under Analysis match behavioral2, so the signatures and process tree below come from the windows10-2004_x64 run; no results from the win7 task appear on this page.
General
Target: 15af1eef06f2db43bb6f8db940de14ee452aa001dd7f5bd805e16e3496723036.exe
Size: 79KB
MD5: eec9e14eff77b6a87dc459515cd54077
SHA1: 774c5903c8846fc87fe2422a40c426a6f8ab528e
SHA256: 15af1eef06f2db43bb6f8db940de14ee452aa001dd7f5bd805e16e3496723036
SHA512: 7ba24356aa0ecf917af8ad45754ff99cdc32a00ae47d768ca40c2f94aa6da1a7a829e5d5fd86b5964822e3a6dd902a0a2a098a9e48b422bb2fc5f70bb7b4756f
Malware Config
Signatures
Sakula Payload (2 IoCs)
YARA rule family_sakula matched the dropped file (two hits on the same path):
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
Executes dropped EXE (1 IoC)
  PID 1800: MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Process: 15af1eef06f2db43bb6f8db940de14ee452aa001dd7f5bd805e16e3496723036.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation
Adds Run key to start application (2 TTPs, 1 IoC)
Process: 15af1eef06f2db43bb6f8db940de14ee452aa001dd7f5bd805e16e3496723036.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
The value lands under WOW6432Node because the sample is a 32-bit process on this x64 VM and WOW64 redirects its HKLM\SOFTWARE write (its cmd.exe child likewise runs from C:\Windows\SysWOW64). When hunting on 64-bit hosts, check that hive as well as HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The Run value points at the dropped MediaCenter.exe in the user's Temp directory, so persistence survives the sample deleting its own file.
Drops file in Windows directory (2 IoCs)
Process: TiWorker.exe
  File opened for modification: C:\Windows\Logs\CBS\CBS.log
  File opened for modification: C:\Windows\WinSxS\pending.xml
Both writes come from the Windows Modules Installer worker (TiWorker.exe, PID 2764), which is not a child of the sample; this is servicing activity on the VM, not sample behaviour.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this "likely ransomware behaviour", but no process or IoC is recorded for the signature, so it cannot be attributed to the sample from this report. Sakula is a remote-access trojan, and nothing else in the results shows encryption or file destruction.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process: MusNotifyIcon.exe
  Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Both reads are by MusNotifyIcon.exe (the Windows Update notification icon, PID 3084), a Windows component with no parent/child relationship to the sample, so this is not evidence of sandbox evasion by the sample.
Modifies data under HKEY_USERS (46 IoCs)
Process: svchost.exe (PID 2428, -k NetworkService -p)
All 46 entries are under \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization (S-1-5-20 is the NETWORK SERVICE account); subkeys are given relative to that key:
  Set value (int) Usage\DownlinkUsageBps = "0"
  Set value (int) Usage\UploadCount = "0"
  Set value (int) Usage\NormalDownloadPendingCount = "0"
  Key created Config
  Key created Settings
  Set value (int) Usage\UploadMonthlyLanBytes = "0"
  Set value (int) Usage\DownloadMonthlyCdnBytes = "0"
  Set value (int) Usage\DownloadMonthlyRateBkBps = "0"
  Set value (str) Usage\CPUpct = "0.000000"
  Set value (int) Usage\CacheSizeBytes = "0"
  Set value (int) Usage\CDNConnectionCount = "0"
  Set value (int) Usage\LANConnectionCount = "0"
  Set value (int) Usage\BkDownloadRatePct = "45"
  Set value (int) Usage\UploadMonthlyInternetBytes = "0"
  Set value (int) Usage\PeerInfoCount = "0"
  Set value (int) Usage\UploadRatePct = "100"
  Set value (int) Usage\MonthlyUploadRestriction = "0"
  Set value (int) Usage\NormalDownloadCount = "0"
  Set value (int) Usage\PriorityDownloadCount = "0"
  Key created (the DeliveryOptimization key itself)
  Set value (int) Usage\DownloadMonthlyInternetBytes = "0"
  Set value (int) Usage\DownloadMonthlyLinkLocalBytes = "0"
  Set value (int) Usage\DownloadMonthlyCacheHostBytes = "0"
  Set value (int) Usage\DownloadMonthlyRateBkCnt = "0"
  Set value (int) Usage\LinkLocalConnectionCount = "0"
  Set value (int) Usage\UplinkUsageBps = "0"
  Set value (int) Usage\MemoryUsageKB = "4316"
  Set value (int) Usage\FrDownloadRatePct = "90"
  Set value (int) Usage\PriorityDownloadPendingCount = "0"
  Set value (int) Usage\MemoryUsageKB = "4208"
  Set value (int) Usage\DownloadMonthlyLanBytes = "0"
  Set value (int) Usage\DownloadMonthlyRateFrCnt = "0"
  Set value (int) Usage\SwarmCount = "1"
  Set value (int) Usage\DownlinkBps = "0"
  Set value (int) Usage\UplinkBps = "0"
  Set value (int) Usage\MemoryUsageKB = "4212"
  Set value (int) Usage\InternetConnectionCount = "0"
  Set value (int) Usage\SwarmCount = "0"
  Set value (int) Config\DODownloadMode = "1"
  Key created Usage
  Set value (int) Usage\DownloadMonthlyGroupBytes = "0"
  Set value (int) Usage\MonthID = "2"
  Set value (int) Usage\GroupConnectionCount = "0"
  Set value (int) Config\DownloadMode_BackCompat = "1"
  Set value (int) Usage\DownloadMonthlyRateFrBps = "0"
  Set value (str) Usage\CPUpct = "0.096712"
This is the Delivery Optimization service's own bookkeeping, written by a Windows svchost.exe instance that is not related to the sample; treat it as VM background noise, not as a Sakula IoC.
Runs ping.exe (1 TTP, 1 IoC)
No process table is shown for this signature on the page. From the process tree it corresponds to PING.EXE (PID 4072, "ping 127.0.0.1") spawned by cmd.exe (PID 2564), used as a delay before the sample's own file is deleted.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: 15af1eef06f2db43bb6f8db940de14ee452aa001dd7f5bd805e16e3496723036.exe, TiWorker.exe
  Token: SeIncBasePriorityPrivilege, PID 648, 15af1eef06f2db43bb6f8db940de14ee452aa001dd7f5bd805e16e3496723036.exe
  Token: SeSecurityPrivilege / SeRestorePrivilege / SeBackupPrivilege, PID 2764, TiWorker.exe (the remaining 63 entries, cycling through these three privileges)
Only the first entry belongs to the sample: it enables SeIncBasePriorityPrivilege, the privilege required to raise scheduling priority. The backup, restore and security privileges are enabled by TiWorker.exe, the Windows servicing worker, which is unrelated to the sample.
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 15af1eef06f2db43bb6f8db940de14ee452aa001dd7f5bd805e16e3496723036.exe, cmd.exe
  PID 648 (15af1eef06f2db43bb6f8db940de14ee452aa001dd7f5bd805e16e3496723036.exe) wrote to memory of PID 1800 (MediaCenter.exe), 3 entries
  PID 648 (15af1eef06f2db43bb6f8db940de14ee452aa001dd7f5bd805e16e3496723036.exe) wrote to memory of PID 2564 (cmd.exe), 3 entries
  PID 2564 (cmd.exe) wrote to memory of PID 4072 (PING.EXE), 3 entries
Each triple is a parent writing into a process it has just created, which is how this sandbox records ordinary process creation; none of the targets is a pre-existing process, so there is no sign of code injection here.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\15af1eef06f2db43bb6f8db940de14ee452aa001dd7f5bd805e16e3496723036.exe (PID 648)
    command line: "C:\Users\Admin\AppData\Local\Temp\15af1eef06f2db43bb6f8db940de14ee452aa001dd7f5bd805e16e3496723036.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1800)
        command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        - Executes dropped EXE
    [2] C:\Windows\SysWOW64\cmd.exe (PID 2564)
        command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15af1eef06f2db43bb6f8db940de14ee452aa001dd7f5bd805e16e3496723036.exe"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\PING.EXE (PID 4072)
            command line: ping 127.0.0.1
            - Runs ping.exe

The following three processes are Windows components that ran during the analysis window; none is a child of the sample.
[1] C:\Windows\system32\MusNotifyIcon.exe (PID 3084)
    command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    - Checks processor information in registry
[1] C:\Windows\System32\svchost.exe (PID 2428)
    command line: C:\Windows\System32\svchost.exe -k NetworkService -p
    - Modifies data under HKEY_USERS
[1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 2764)
    command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
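The signature tables and process tree above describe three behaviours worth turning into checks: the sample drops MediaCenter.exe under the user's Temp directory and registers it under the WOW6432Node Run key, it removes its own file through `cmd /c ping 127.0.0.1 & del /q "<path>"`, and every WriteProcessMemory entry is a parent writing into a child it has just spawned. The script below is an added example, not output or tooling from the sandbox: the event records are typed in from this report, the field names and helper functions are this example's own convention, and the stall-then-delete pattern is generalised to `timeout` and `choice` as well as `ping`, which this sample does not use.

```python
"""Triage checks over the process, registry and memory-write events from the
report above. Added example; the records are hand-copied from the report and
the field names are this script's own, not the sandbox's export format."""
import ntpath
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\15af1eef06f2db43bb6f8db940de14ee452aa001dd7f5bd805e16e3496723036.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Process tree as reported: pid, parent pid, image path, command line. The
# sample's own parent is not shown in the report, so its ppid is recorded as 0.
PROCESSES = [
    {"pid": 648, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1800, "ppid": 648, "image": DROPPED, "cmdline": DROPPED},
    {"pid": 2564, "ppid": 648, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"pid": 4072, "ppid": 2564, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
]
# "Set value" events on Run keys: writer pid, key, value name, data.
RUN_KEY_WRITES = [
    {"pid": 648,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
     "value": "MicroMedia", "data": DROPPED},
]
# WriteProcessMemory events as (source pid, target pid); the report lists each pair three times.
MEMORY_WRITES = [(648, 1800)] * 3 + [(648, 2564)] * 3 + [(2564, 4072)] * 3

# A stall command (ping/timeout/choice) chained with & or && into "del [/switches] <path>",
# with the path quoted or bare, e.g.  cmd /c ping 127.0.0.1 & del /q "C:\path\self.exe"
SELF_DELETE_RE = re.compile(
    r'\b(?:ping|timeout|choice)\b[^&]*&+\s*del\b(?:\s+/\w)*\s+"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)
# Lower-case, backslash-normalised markers of directories a standard user can write to.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                         "\\users\\public\\", "\\programdata\\")


def _same_path(a, b):
    return ntpath.normcase(ntpath.normpath(a)) == ntpath.normcase(ntpath.normpath(b))


def _by_pid(processes):
    return {p["pid"]: p for p in processes}


def find_self_deletion(processes):
    """Flag stall-then-del command lines; strongest when the deleted file is the parent's own image."""
    procs = _by_pid(processes)
    findings = []
    for p in processes:
        m = SELF_DELETE_RE.search(p["cmdline"])
        if not m:
            continue
        parent = procs.get(p["ppid"])
        findings.append({
            "cmd_pid": p["pid"],
            "parent_pid": p["ppid"],
            "deleted": m.group("target"),
            "deletes_parent_image": parent is not None and _same_path(m.group("target"), parent["image"]),
        })
    return findings


def find_run_key_persistence(run_key_writes, processes):
    """Run values pointing into user-writable paths, tied back to the process that wrote and launched them."""
    findings = []
    for w in run_key_writes:
        data = ntpath.normcase(w["data"])
        executed = any(_same_path(p["image"], w["data"]) and p["ppid"] == w["pid"] for p in processes)
        findings.append({
            "writer_pid": w["pid"],
            "value": w["value"],
            "target": w["data"],
            "wow64_redirected": "\\wow6432node\\" in ntpath.normcase(w["key"]),  # 32-bit writer on x64
            "user_writable_target": any(mk in data for mk in USER_WRITABLE_MARKERS),
            "executed_by_writer": executed,
        })
    return findings


def classify_memory_writes(writes, processes):
    """Parent->direct-child writes are the process-creation footprint; anything else is an injection candidate."""
    procs = _by_pid(processes)
    creation, candidates = [], []
    for src, dst in writes:
        target = procs.get(dst)
        (creation if target is not None and target["ppid"] == src else candidates).append((src, dst))
    return {"process_creation": creation, "injection_candidates": candidates}


def triage(processes=PROCESSES, run_key_writes=RUN_KEY_WRITES, writes=MEMORY_WRITES):
    return {
        "self_deletion": find_self_deletion(processes),
        "persistence": find_run_key_persistence(run_key_writes, processes),
        "memory_writes": classify_memory_writes(writes, processes),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

Run against this report, `triage()` reports one self-deletion whose target is the parent's own image, one Run value that was WOW64-redirected, points into a user-writable directory and was launched by the same process that wrote it, and nine memory writes that all classify as process creation with no injection candidates. A write to a PID that is not a direct child of the writer (for example an existing svchost.exe) would land in `injection_candidates`, which is the distinction the sandbox's blanket WriteProcessMemory signature does not make.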
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 204dbcb29e6e476e2d258541d101666b
SHA1: 7dbe84e04410ec5cc7064bef87e927f04e4cc740
SHA256: 0b3105396d27c405ad70fd53119c3b40fbfeb942f5f85f8e053f89cb0c2612c3
SHA512: 6a179ed85dbbfa2040528e95f5383d94c033f18d17b581b39c28697d3c69ffbc1cbe6d358e3653250fea9b70797b80719da00deeccd86dae78fb5caf89bdcb6f