Analysis
max time kernel: 152s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 04:18

Static task: static1

Behavioral task: behavioral1
Sample: 158860c47a4f673283fb165ca0bf8ec18a7a957734604f2b2a30304b69591ce7.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 158860c47a4f673283fb165ca0bf8ec18a7a957734604f2b2a30304b69591ce7.exe
Resource: win10v2004-en-20220112
General
Target: 158860c47a4f673283fb165ca0bf8ec18a7a957734604f2b2a30304b69591ce7.exe
Size: 101KB
MD5: 9999978cdf1a794bf468c7032494787f
SHA1: 69d589d96b8ed1df23c0c38e3c05055eb7ad7b22
SHA256: 158860c47a4f673283fb165ca0bf8ec18a7a957734604f2b2a30304b69591ce7
SHA512: 3b7bdbfc61b3cdc23c6b400b782588d6f9aff2c38d6b2b5c1e409ca116274ddf548784e150b9b81a905115ac59d52d030b0247586d272665e56e9ae41fdf4b12
Malware Config
Signatures

Sakula Payload (2 IoCs)
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula

Executes dropped EXE (1 IoCs)
Processes:
  pid: 216  process: MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation  (158860c47a4f673283fb165ca0bf8ec18a7a957734604f2b2a30304b69591ce7.exe)
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  (158860c47a4f673283fb165ca0bf8ec18a7a957734604f2b2a30304b69591ce7.exe)
Drops file in Windows directory (3 IoCs)
Processes:
  File opened for modification  C:\Windows\Logs\CBS\CBS.log  (TiWorker.exe)
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat  (svchost.exe)
  File opened for modification  C:\Windows\WinSxS\pending.xml  (TiWorker.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies data under HKEY_USERS (49 IoCs)
Processes:
  Key created  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4136"  (svchost.exe)
  Key created  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"  (svchost.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"  (svchost.exe)
  Key created  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"  (svchost.exe)
  Key created  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"  (svchost.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.194704"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132892896977949843"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"  (svchost.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "14.270931"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"  (svchost.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"  (svchost.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.828718"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4352"  (svchost.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"  (svchost.exe)
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  Token: SeIncBasePriorityPrivilege  (PID 1508, 158860c47a4f673283fb165ca0bf8ec18a7a957734604f2b2a30304b69591ce7.exe)
  Token: SeSecurityPrivilege  (PID 1604, TiWorker.exe)
  Token: SeRestorePrivilege  (PID 1604, TiWorker.exe)
  Token: SeBackupPrivilege  (PID 1604, TiWorker.exe)
  Token: SeBackupPrivilege  (PID 1604, TiWorker.exe)
  Token: SeRestorePrivilege  (PID 1604, TiWorker.exe)
  Token: SeSecurityPrivilege  (PID 1604, TiWorker.exe)
  Token: SeBackupPrivilege  (PID 1604, TiWorker.exe)
  Token: SeRestorePrivilege  (PID 1604, TiWorker.exe)
  Token: SeSecurityPrivilege  (PID 1604, TiWorker.exe)
  Token: SeBackupPrivilege  (PID 1604, TiWorker.exe)
  Token: SeRestorePrivilege  (PID 1604, TiWorker.exe)
  Token: SeSecurityPrivilege  (PID 1604, TiWorker.exe)
  Token: SeBackupPrivilege  (PID 1604, TiWorker.exe)
  Token: SeRestorePrivilege  (PID 1604, TiWorker.exe)
  Token: SeSecurityPrivilege  (PID 1604, TiWorker.exe)
  Token: SeBackupPrivilege  (PID 1604, TiWorker.exe)
  Token: SeRestorePrivilege  (PID 1604, TiWorker.exe)
  Token: SeSecurityPrivilege  (PID 1604, TiWorker.exe)
  Token: SeBackupPrivilege  (PID 1604, TiWorker.exe)
  Token: SeRestorePrivilege  (PID 1604, TiWorker.exe)
  Token: SeSecurityPrivilege  (PID 1604, TiWorker.exe)
  Token: SeBackupPrivilege  (PID 1604, TiWorker.exe)
  Token: SeRestorePrivilege  (PID 1604, TiWorker.exe)
  Token: SeSecurityPrivilege  (PID 1604, TiWorker.exe)
  Token: SeBackupPrivilege  (PID 1604, TiWorker.exe)
  Token: SeRestorePrivilege  (PID 1604, TiWorker.exe)
  Token: SeSecurityPrivilege  (PID 1604, TiWorker.exe)
  Token: SeBackupPrivilege  (PID 1604, TiWorker.exe)
  Token: SeRestorePrivilege  (PID 1604, TiWorker.exe)
  Token: SeSecurityPrivilege  (PID 1604, TiWorker.exe)
  Token: SeBackupPrivilege  (PID 1604, TiWorker.exe)
  Token: SeRestorePrivilege  (PID 1604, TiWorker.exe)
  Token: SeSecurityPrivilege  (PID 1604, TiWorker.exe)
  Token: SeBackupPrivilege  (PID 1604, TiWorker.exe)
  Token: SeRestorePrivilege  (PID 1604, TiWorker.exe)
  Token: SeSecurityPrivilege  (PID 1604, TiWorker.exe)
  Token: SeBackupPrivilege  (PID 1604, TiWorker.exe)
  Token: SeRestorePrivilege  (PID 1604, TiWorker.exe)
  Token: SeSecurityPrivilege  (PID 1604, TiWorker.exe)
  Token: SeBackupPrivilege  (PID 1604, TiWorker.exe)
  Token: SeRestorePrivilege  (PID 1604, TiWorker.exe)
  Token: SeSecurityPrivilege  (PID 1604, TiWorker.exe)
  Token: SeBackupPrivilege  (PID 1604, TiWorker.exe)
  Token: SeRestorePrivilege  (PID 1604, TiWorker.exe)
  Token: SeSecurityPrivilege  (PID 1604, TiWorker.exe)
  Token: SeBackupPrivilege  (PID 1604, TiWorker.exe)
  Token: SeRestorePrivilege  (PID 1604, TiWorker.exe)
  Token: SeSecurityPrivilege  (PID 1604, TiWorker.exe)
  Token: SeBackupPrivilege  (PID 1604, TiWorker.exe)
  Token: SeRestorePrivilege  (PID 1604, TiWorker.exe)
  Token: SeSecurityPrivilege  (PID 1604, TiWorker.exe)
  Token: SeBackupPrivilege  (PID 1604, TiWorker.exe)
  Token: SeRestorePrivilege  (PID 1604, TiWorker.exe)
  Token: SeSecurityPrivilege  (PID 1604, TiWorker.exe)
  Token: SeBackupPrivilege  (PID 1604, TiWorker.exe)
  Token: SeRestorePrivilege  (PID 1604, TiWorker.exe)
  Token: SeSecurityPrivilege  (PID 1604, TiWorker.exe)
  Token: SeBackupPrivilege  (PID 1604, TiWorker.exe)
  Token: SeRestorePrivilege  (PID 1604, TiWorker.exe)
  Token: SeSecurityPrivilege  (PID 1604, TiWorker.exe)
  Token: SeBackupPrivilege  (PID 1604, TiWorker.exe)
  Token: SeRestorePrivilege  (PID 1604, TiWorker.exe)
  Token: SeSecurityPrivilege  (PID 1604, TiWorker.exe)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  PID 1508 wrote to memory of 216   158860c47a4f673283fb165ca0bf8ec18a7a957734604f2b2a30304b69591ce7.exe -> MediaCenter.exe
  PID 1508 wrote to memory of 216   158860c47a4f673283fb165ca0bf8ec18a7a957734604f2b2a30304b69591ce7.exe -> MediaCenter.exe
  PID 1508 wrote to memory of 216   158860c47a4f673283fb165ca0bf8ec18a7a957734604f2b2a30304b69591ce7.exe -> MediaCenter.exe
  PID 1508 wrote to memory of 3752  158860c47a4f673283fb165ca0bf8ec18a7a957734604f2b2a30304b69591ce7.exe -> cmd.exe
  PID 1508 wrote to memory of 3752  158860c47a4f673283fb165ca0bf8ec18a7a957734604f2b2a30304b69591ce7.exe -> cmd.exe
  PID 1508 wrote to memory of 3752  158860c47a4f673283fb165ca0bf8ec18a7a957734604f2b2a30304b69591ce7.exe -> cmd.exe
  PID 3752 wrote to memory of 2552  cmd.exe -> PING.EXE
  PID 3752 wrote to memory of 2552  cmd.exe -> PING.EXE
  PID 3752 wrote to memory of 2552  cmd.exe -> PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\158860c47a4f673283fb165ca0bf8ec18a7a957734604f2b2a30304b69591ce7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\158860c47a4f673283fb165ca0bf8ec18a7a957734604f2b2a30304b69591ce7.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1508

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 216

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\158860c47a4f673283fb165ca0bf8ec18a7a957734604f2b2a30304b69591ce7.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3752

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 2552

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 3724

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1604
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: fa86ea0502cf481298275c9dd20df463
SHA1: 200e656c9fabc353742cdf936f39e59154afc201
SHA256: 5ee5a2d701555c58854b4f558014e6c412447401ae4d8214a53fb67dfdcad6bf
SHA512: 610281704ebadb6ea48f81320e9626a5c5a28f6a53af6f9f86450e9d8e2421c9458d5e635239dc22b2cdaf2f4933cd87c3d45bb6a5b4e4d87a6cd6db1c56cfd3