Analysis
max time kernel: 188s
max time network: 189s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 04:22
Static task: static1
Behavioral task: behavioral1
  Sample: 156c35ee9586dcde1040c6b5c5c71a30e39f776a73e1a99cabfb754b14494a3b.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 156c35ee9586dcde1040c6b5c5c71a30e39f776a73e1a99cabfb754b14494a3b.exe
  Resource: win10v2004-en-20220112
General
Target: 156c35ee9586dcde1040c6b5c5c71a30e39f776a73e1a99cabfb754b14494a3b.exe
Size: 216KB
MD5: ecb2a06d0762f82c55769cb18327f240
SHA1: 84d3928c5e00ce953025b1ecb2506c2e446c526b
SHA256: 156c35ee9586dcde1040c6b5c5c71a30e39f776a73e1a99cabfb754b14494a3b
SHA512: f2e3e0e2eda203567d01d17db1cb144fbfee4b9ca9e1ce8c3aabbd008876767cd18a78ef7226c872a66b638abe524e087b6bffa57abfdb72026274e5bf3643c8
Malware Config
Signatures
Sakula Payload (3 IoCs)
  resource                                                                     yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                 family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                 family_sakula
  behavioral2/memory/3200-132-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
Executes dropped EXE (1 IoC)
  pid   process
  1276  MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                          process
  Key value queried  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation  156c35ee9586dcde1040c6b5c5c71a30e39f776a73e1a99cabfb754b14494a3b.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                    process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  156c35ee9586dcde1040c6b5c5c71a30e39f776a73e1a99cabfb754b14494a3b.exe
Drops file in Windows directory (3 IoCs)
  description                   ioc                                                                                                                      process
  File opened for modification  C:\Windows\Logs\CBS\CBS.log                                                                                              TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml                                                                                            TiWorker.exe
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat  svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                 process
  Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0        MusNotifyIcon.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  MusNotifyIcon.exe
Modifies data under HKEY_USERS (49 IoCs)
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (9 IoCs)
  description                     pid   process                                                                   target process
  PID 3200 wrote to memory of 1276  3200  156c35ee9586dcde1040c6b5c5c71a30e39f776a73e1a99cabfb754b14494a3b.exe  MediaCenter.exe
  PID 3200 wrote to memory of 1276  3200  156c35ee9586dcde1040c6b5c5c71a30e39f776a73e1a99cabfb754b14494a3b.exe  MediaCenter.exe
  PID 3200 wrote to memory of 1276  3200  156c35ee9586dcde1040c6b5c5c71a30e39f776a73e1a99cabfb754b14494a3b.exe  MediaCenter.exe
  PID 3200 wrote to memory of 3920  3200  156c35ee9586dcde1040c6b5c5c71a30e39f776a73e1a99cabfb754b14494a3b.exe  cmd.exe
  PID 3200 wrote to memory of 3920  3200  156c35ee9586dcde1040c6b5c5c71a30e39f776a73e1a99cabfb754b14494a3b.exe  cmd.exe
  PID 3200 wrote to memory of 3920  3200  156c35ee9586dcde1040c6b5c5c71a30e39f776a73e1a99cabfb754b14494a3b.exe  cmd.exe
  PID 3920 wrote to memory of 1688  3920  cmd.exe                                                                   PING.EXE
  PID 3920 wrote to memory of 1688  3920  cmd.exe                                                                   PING.EXE
  PID 3920 wrote to memory of 1688  3920  cmd.exe                                                                   PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\156c35ee9586dcde1040c6b5c5c71a30e39f776a73e1a99cabfb754b14494a3b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\156c35ee9586dcde1040c6b5c5c71a30e39f776a73e1a99cabfb754b14494a3b.exe"
  PID: 3200
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1276
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\156c35ee9586dcde1040c6b5c5c71a30e39f776a73e1a99cabfb754b14494a3b.exe"
    PID: 3920
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      PID: 1688
      - Runs ping.exe
C:\Windows\system32\MusNotifyIcon.exe
  command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  PID: 3936
  - Checks processor information in registry
C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  PID: 3520
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3324
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 62263c14048b10be91cab33600b5af81
SHA1: cad8dff578493924e705ff2c2ec41b61a987c384
SHA256: 7acf99897863fc42b998188b4ee154db47e4c0f23c1b798acbb6fe47073ad01b
SHA512: 37739780d2a3194484b8bd0b8e9a15b5e4bdfcaaffe2fd50af5145bc058c2eea1dd73fdb0f710012e501e3ed4bbfe180d627e5605e96d525f7492daaec7a2cb9