Analysis
max time kernel: 171s
max time network: 180s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 05:27
Static task: static1
Behavioral task: behavioral1
  Sample: 12ad69d59716f55d90cee5e034092334078e3d58c1023a6cdce3a37d819cbc3d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 12ad69d59716f55d90cee5e034092334078e3d58c1023a6cdce3a37d819cbc3d.exe
  Resource: win10v2004-en-20220112
General
Target: 12ad69d59716f55d90cee5e034092334078e3d58c1023a6cdce3a37d819cbc3d.exe
Size: 80KB
MD5: 3771253ee2a38f66628b2906e90ab92e
SHA1: 59635f4c8e92789f8c3c8c7d14ce0498ebe89192
SHA256: 12ad69d59716f55d90cee5e034092334078e3d58c1023a6cdce3a37d819cbc3d
SHA512: 26f6eb244d7abb826611dc79177621c4a788639792929afa26c9ca85b5078e69a1a02aa373a30728fdb3d827049b47ecaf11d19eb1399afdf2a671068829cfef
Malware Config
Signatures
Sakula Payload 2 IoCs
Processes:
- resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
- resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
Executes dropped EXE 1 IoCs
Processes:
- MediaCenter.exe, pid 3984
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation (process: 12ad69d59716f55d90cee5e034092334078e3d58c1023a6cdce3a37d819cbc3d.exe)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (process: 12ad69d59716f55d90cee5e034092334078e3d58c1023a6cdce3a37d819cbc3d.exe)
Drops file in Windows directory 3 IoCs
Processes:
- File opened for modification: C:\Windows\WinSxS\pending.xml (process: TiWorker.exe)
- File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat (process: svchost.exe)
- File opened for modification: C:\Windows\Logs\CBS\CBS.log (process: TiWorker.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: MusNotifyIcon.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: MusNotifyIcon.exe)
Modifies data under HKEY_USERS 54 IoCs
Processes: svchost.exe
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
- Token: SeIncBasePriorityPrivilege, pid 2424, 12ad69d59716f55d90cee5e034092334078e3d58c1023a6cdce3a37d819cbc3d.exe
- Token: SeSecurityPrivilege, pid 2804, TiWorker.exe
- Token: SeRestorePrivilege, pid 2804, TiWorker.exe
- Token: SeBackupPrivilege, pid 2804, TiWorker.exe
- Token: SeBackupPrivilege, pid 2804, TiWorker.exe
- Token: SeRestorePrivilege, pid 2804, TiWorker.exe
- Token: SeSecurityPrivilege, pid 2804, TiWorker.exe
- Token: SeBackupPrivilege, pid 2804, TiWorker.exe
- Token: SeRestorePrivilege, pid 2804, TiWorker.exe
- Token: SeSecurityPrivilege, pid 2804, TiWorker.exe
- Token: SeBackupPrivilege, pid 2804, TiWorker.exe
- Token: SeRestorePrivilege, pid 2804, TiWorker.exe
- Token: SeSecurityPrivilege, pid 2804, TiWorker.exe
- Token: SeBackupPrivilege, pid 2804, TiWorker.exe
- Token: SeRestorePrivilege, pid 2804, TiWorker.exe
- Token: SeSecurityPrivilege, pid 2804, TiWorker.exe
- Token: SeBackupPrivilege, pid 2804, TiWorker.exe
- Token: SeRestorePrivilege, pid 2804, TiWorker.exe
- Token: SeSecurityPrivilege, pid 2804, TiWorker.exe
- Token: SeBackupPrivilege, pid 2804, TiWorker.exe
- Token: SeRestorePrivilege, pid 2804, TiWorker.exe
- Token: SeSecurityPrivilege, pid 2804, TiWorker.exe
- Token: SeBackupPrivilege, pid 2804, TiWorker.exe
- Token: SeRestorePrivilege, pid 2804, TiWorker.exe
- Token: SeSecurityPrivilege, pid 2804, TiWorker.exe
- Token: SeBackupPrivilege, pid 2804, TiWorker.exe
- Token: SeRestorePrivilege, pid 2804, TiWorker.exe
- Token: SeSecurityPrivilege, pid 2804, TiWorker.exe
- Token: SeBackupPrivilege, pid 2804, TiWorker.exe
- Token: SeRestorePrivilege, pid 2804, TiWorker.exe
- Token: SeSecurityPrivilege, pid 2804, TiWorker.exe
- Token: SeBackupPrivilege, pid 2804, TiWorker.exe
- Token: SeRestorePrivilege, pid 2804, TiWorker.exe
- Token: SeSecurityPrivilege, pid 2804, TiWorker.exe
- Token: SeBackupPrivilege, pid 2804, TiWorker.exe
- Token: SeRestorePrivilege, pid 2804, TiWorker.exe
- Token: SeSecurityPrivilege, pid 2804, TiWorker.exe
- Token: SeBackupPrivilege, pid 2804, TiWorker.exe
- Token: SeRestorePrivilege, pid 2804, TiWorker.exe
- Token: SeSecurityPrivilege, pid 2804, TiWorker.exe
- Token: SeBackupPrivilege, pid 2804, TiWorker.exe
- Token: SeRestorePrivilege, pid 2804, TiWorker.exe
- Token: SeSecurityPrivilege, pid 2804, TiWorker.exe
- Token: SeBackupPrivilege, pid 2804, TiWorker.exe
- Token: SeRestorePrivilege, pid 2804, TiWorker.exe
- Token: SeSecurityPrivilege, pid 2804, TiWorker.exe
- Token: SeBackupPrivilege, pid 2804, TiWorker.exe
- Token: SeRestorePrivilege, pid 2804, TiWorker.exe
- Token: SeSecurityPrivilege, pid 2804, TiWorker.exe
- Token: SeBackupPrivilege, pid 2804, TiWorker.exe
- Token: SeRestorePrivilege, pid 2804, TiWorker.exe
- Token: SeSecurityPrivilege, pid 2804, TiWorker.exe
- Token: SeBackupPrivilege, pid 2804, TiWorker.exe
- Token: SeRestorePrivilege, pid 2804, TiWorker.exe
- Token: SeSecurityPrivilege, pid 2804, TiWorker.exe
- Token: SeBackupPrivilege, pid 2804, TiWorker.exe
- Token: SeRestorePrivilege, pid 2804, TiWorker.exe
- Token: SeSecurityPrivilege, pid 2804, TiWorker.exe
- Token: SeBackupPrivilege, pid 2804, TiWorker.exe
- Token: SeRestorePrivilege, pid 2804, TiWorker.exe
- Token: SeSecurityPrivilege, pid 2804, TiWorker.exe
- Token: SeBackupPrivilege, pid 2804, TiWorker.exe
- Token: SeRestorePrivilege, pid 2804, TiWorker.exe
- Token: SeSecurityPrivilege, pid 2804, TiWorker.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
- PID 2424 wrote to memory of 3984 (process: 12ad69d59716f55d90cee5e034092334078e3d58c1023a6cdce3a37d819cbc3d.exe, target process: MediaCenter.exe)
- PID 2424 wrote to memory of 3984 (process: 12ad69d59716f55d90cee5e034092334078e3d58c1023a6cdce3a37d819cbc3d.exe, target process: MediaCenter.exe)
- PID 2424 wrote to memory of 3984 (process: 12ad69d59716f55d90cee5e034092334078e3d58c1023a6cdce3a37d819cbc3d.exe, target process: MediaCenter.exe)
- PID 2424 wrote to memory of 1228 (process: 12ad69d59716f55d90cee5e034092334078e3d58c1023a6cdce3a37d819cbc3d.exe, target process: cmd.exe)
- PID 2424 wrote to memory of 1228 (process: 12ad69d59716f55d90cee5e034092334078e3d58c1023a6cdce3a37d819cbc3d.exe, target process: cmd.exe)
- PID 2424 wrote to memory of 1228 (process: 12ad69d59716f55d90cee5e034092334078e3d58c1023a6cdce3a37d819cbc3d.exe, target process: cmd.exe)
- PID 1228 wrote to memory of 3652 (process: cmd.exe, target process: PING.EXE)
- PID 1228 wrote to memory of 3652 (process: cmd.exe, target process: PING.EXE)
- PID 1228 wrote to memory of 3652 (process: cmd.exe, target process: PING.EXE)
Processes
- C:\Users\Admin\AppData\Local\Temp\12ad69d59716f55d90cee5e034092334078e3d58c1023a6cdce3a37d819cbc3d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\12ad69d59716f55d90cee5e034092334078e3d58c1023a6cdce3a37d819cbc3d.exe"
  PID: 2424
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 3984
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\12ad69d59716f55d90cee5e034092334078e3d58c1023a6cdce3a37d819cbc3d.exe"
    PID: 1228
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 3652
      Signatures: Runs ping.exe
- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  PID: 844
  Signatures: Checks processor information in registry
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  PID: 2980
  Signatures: Drops file in Windows directory; Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 2804
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 3d248daca4a90e5369dc24d5515faf50
SHA1: 8b2d210dfd3018f2a5ba349fb4337ae723b85403
SHA256: 55dd7ec2658ce05c8b6d8d5f7ad08b4ec6066f495345b3faaa1d4e750b80f63b
SHA512: 449bce09057808091c2ceb875c5c6c60a65042fd4fb281ce84cd38ed6cdbe17eeb0eac5ebe2c708f2ca3184cce931f40308844dd39b54a8d2d5c14d17588c152