Analysis
max time kernel
162s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
12-02-2022 05:21
Static task
static1
Behavioral task
behavioral1
Sample
12f1a9463d80515ce41efe561b5b7042ec9fe518a8228c2886d1f5d20ad43400.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
12f1a9463d80515ce41efe561b5b7042ec9fe518a8228c2886d1f5d20ad43400.exe
Resource
win10v2004-en-20220112
General
Target
12f1a9463d80515ce41efe561b5b7042ec9fe518a8228c2886d1f5d20ad43400.exe
Size
192KB
MD5
8172b21f9e2cf133b3f148aa7baaad05
SHA1
885d84285476ea895917034295a169e40f8057c5
SHA256
12f1a9463d80515ce41efe561b5b7042ec9fe518a8228c2886d1f5d20ad43400
SHA512
d045036ac72cbfb1914e2378febccc3d6c892ad7706ea3d56d70773ad9388cf5646a2b9a77006a0b04c2022b46399f0c0c4de1c159eedcb527b3c571446f00fa
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource                                                      yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
Executes dropped EXE 1 IoCs
Processes:
pid   process
1884  MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc                                                                                                        process
Key value queried  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation  12f1a9463d80515ce41efe561b5b7042ec9fe518a8228c2886d1f5d20ad43400.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description      ioc                                                                                                                                                                                                       process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  12f1a9463d80515ce41efe561b5b7042ec9fe518a8228c2886d1f5d20ad43400.exe
Drops file in Windows directory 3 IoCs
Processes:
description                   ioc                                                                                                                process
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat  svchost.exe
File opened for modification  C:\Windows\Logs\CBS\CBS.log                                                                                        TiWorker.exe
File opened for modification  C:\Windows\WinSxS\pending.xml                                                                                      TiWorker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description        ioc                                                                  process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  MusNotifyIcon.exe
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0      MusNotifyIcon.exe
Modifies data under HKEY_USERS 49 IoCs
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description                       pid   process                                                                target process
PID 3392 wrote to memory of 1884  3392  12f1a9463d80515ce41efe561b5b7042ec9fe518a8228c2886d1f5d20ad43400.exe  MediaCenter.exe
PID 3392 wrote to memory of 1884  3392  12f1a9463d80515ce41efe561b5b7042ec9fe518a8228c2886d1f5d20ad43400.exe  MediaCenter.exe
PID 3392 wrote to memory of 1884  3392  12f1a9463d80515ce41efe561b5b7042ec9fe518a8228c2886d1f5d20ad43400.exe  MediaCenter.exe
PID 3392 wrote to memory of 1032  3392  12f1a9463d80515ce41efe561b5b7042ec9fe518a8228c2886d1f5d20ad43400.exe  cmd.exe
PID 3392 wrote to memory of 1032  3392  12f1a9463d80515ce41efe561b5b7042ec9fe518a8228c2886d1f5d20ad43400.exe  cmd.exe
PID 3392 wrote to memory of 1032  3392  12f1a9463d80515ce41efe561b5b7042ec9fe518a8228c2886d1f5d20ad43400.exe  cmd.exe
PID 1032 wrote to memory of 1988  1032  cmd.exe                                                                PING.EXE
PID 1032 wrote to memory of 1988  1032  cmd.exe                                                                PING.EXE
PID 1032 wrote to memory of 1988  1032  cmd.exe                                                                PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\12f1a9463d80515ce41efe561b5b7042ec9fe518a8228c2886d1f5d20ad43400.exe
"C:\Users\Admin\AppData\Local\Temp\12f1a9463d80515ce41efe561b5b7042ec9fe518a8228c2886d1f5d20ad43400.exe"
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3392
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - Executes dropped EXE
  PID:1884
  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\12f1a9463d80515ce41efe561b5b7042ec9fe518a8228c2886d1f5d20ad43400.exe"
  - Suspicious use of WriteProcessMemory
  PID:1032
    C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    - Runs ping.exe
    PID:1988
C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
- Checks processor information in registry
PID:2980
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1768
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1128
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5
40b83bbae341f3eb32b994940a2e5a61
SHA1
8f18adeff2a9282199a874c45b940d7e1892f617
SHA256
640338f1ec2e67fd31ad54c4e8f6c42c348ad73ad3b7ce860dd5eee57a627953
SHA512
99c33070bacedfa0a0393d88a1c3532cd19cea76bd188f6f76b64772a7915a6bf97879caae054f98e3b410cfdba1e69efc718e059998c57bae9644e57fc4930c