Analysis
max time kernel: 163s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 05:31
Static task: static1
Behavioral task: behavioral1
  Sample: 127de618276f0ef30de0520afcfc8c1fba25d02cb54b1e996dcddd1f996d57e4.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 127de618276f0ef30de0520afcfc8c1fba25d02cb54b1e996dcddd1f996d57e4.exe
  Resource: win10v2004-en-20220112
General
Target: 127de618276f0ef30de0520afcfc8c1fba25d02cb54b1e996dcddd1f996d57e4.exe
Size: 192KB
MD5: 8e1c5f5035cdca733ea2f1cf5d23292b
SHA1: ddc71a9ac59957d28f1526b3741f23c9cbd60f82
SHA256: 127de618276f0ef30de0520afcfc8c1fba25d02cb54b1e996dcddd1f996d57e4
SHA512: eb472ea2652048b2d6046c44b8b7f1c24e53ef4b7f18b1d075233532d27cad652b7b07f72e565a9ddf591447e5286f2106e1ff2d4fdf8baffb312b5f89ddc472
Malware Config
Signatures
Sakula Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE 1 IoCs
Processes:
pid | process
6140 | MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 127de618276f0ef30de0520afcfc8c1fba25d02cb54b1e996dcddd1f996d57e4.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 127de618276f0ef30de0520afcfc8c1fba25d02cb54b1e996dcddd1f996d57e4.exe
Drops file in Windows directory 3 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
Modifies data under HKEY_USERS 49 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132892939362217513" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "1.980158" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.166114" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4124" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4324" | svchost.exe
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 1744 | 127de618276f0ef30de0520afcfc8c1fba25d02cb54b1e996dcddd1f996d57e4.exe
Token: SeSecurityPrivilege | 6220 | TiWorker.exe
Token: SeRestorePrivilege | 6220 | TiWorker.exe
Token: SeBackupPrivilege | 6220 | TiWorker.exe
(the triple SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege for PID 6220 TiWorker.exe then repeats 20 more times; 64 entries in total)
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 1744 wrote to memory of 6140 | 1744 | 127de618276f0ef30de0520afcfc8c1fba25d02cb54b1e996dcddd1f996d57e4.exe | MediaCenter.exe
PID 1744 wrote to memory of 6140 | 1744 | 127de618276f0ef30de0520afcfc8c1fba25d02cb54b1e996dcddd1f996d57e4.exe | MediaCenter.exe
PID 1744 wrote to memory of 6140 | 1744 | 127de618276f0ef30de0520afcfc8c1fba25d02cb54b1e996dcddd1f996d57e4.exe | MediaCenter.exe
PID 1744 wrote to memory of 1900 | 1744 | 127de618276f0ef30de0520afcfc8c1fba25d02cb54b1e996dcddd1f996d57e4.exe | cmd.exe
PID 1744 wrote to memory of 1900 | 1744 | 127de618276f0ef30de0520afcfc8c1fba25d02cb54b1e996dcddd1f996d57e4.exe | cmd.exe
PID 1744 wrote to memory of 1900 | 1744 | 127de618276f0ef30de0520afcfc8c1fba25d02cb54b1e996dcddd1f996d57e4.exe | cmd.exe
PID 1900 wrote to memory of 2224 | 1900 | cmd.exe | PING.EXE
PID 1900 wrote to memory of 2224 | 1900 | cmd.exe | PING.EXE
PID 1900 wrote to memory of 2224 | 1900 | cmd.exe | PING.EXE
Processes
Image: C:\Users\Admin\AppData\Local\Temp\127de618276f0ef30de0520afcfc8c1fba25d02cb54b1e996dcddd1f996d57e4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\127de618276f0ef30de0520afcfc8c1fba25d02cb54b1e996dcddd1f996d57e4.exe"
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1744
  Image: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - Executes dropped EXE
  PID: 6140
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\127de618276f0ef30de0520afcfc8c1fba25d02cb54b1e996dcddd1f996d57e4.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1900
    Image: C:\Windows\SysWOW64\PING.EXE
    Command line: ping 127.0.0.1
    - Runs ping.exe
    PID: 2224
Image: C:\Windows\system32\MusNotifyIcon.exe
Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
- Checks processor information in registry
PID: 528
Image: C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID: 2040
Image: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 6220
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 23a1a93f37c6c8b6b4dcc04b3c3431e3
SHA1: d8db22247a327b85d4bc96071044318d7b3ba65c
SHA256: 2002da5edf51dca62f53315bb677448ae5f365cdce1971017009528b0ca0c293
SHA512: 7add0c505e6af6eda2f4c41a93cefb67479acf38df7ff6614627128bfd6ea76007daa8905f26db9a9efec900dfe721681b8df057965fbb56f2a483e4942e8337