Analysis
- max time kernel: 165s
- max time network: 176s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 05:34
Static task: static1
Behavioral task: behavioral1
- Sample: 125c286ae99f2dda8188dafd5ba3ddd093c6c8f8f11a64c0e7b642fc85c7ee6f.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 125c286ae99f2dda8188dafd5ba3ddd093c6c8f8f11a64c0e7b642fc85c7ee6f.exe
- Resource: win10v2004-en-20220112
General
- Target: 125c286ae99f2dda8188dafd5ba3ddd093c6c8f8f11a64c0e7b642fc85c7ee6f.exe
- Size: 176KB
- MD5: 60b6116568bbd2533157dc5a98bcccdc
- SHA1: 57a67cf4785b958594b88138144cf68c0b01d827
- SHA256: 125c286ae99f2dda8188dafd5ba3ddd093c6c8f8f11a64c0e7b642fc85c7ee6f
- SHA512: b9ebbc6a02f3af0f1a9c7e7f2aced50d5e7c80b639a16f5a39fa90ff7657506df67c1950601425f47359cf7684365722136348dceb05129a250a0860172de00c
Malware Config
Signatures
Sakula Payload (4 IoCs)
Processes (resource | yara_rule):
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- behavioral2/memory/4072-132-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- behavioral2/memory/3900-133-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
Executes dropped EXE (1 IoC)
Processes (pid | process):
- 3900 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 125c286ae99f2dda8188dafd5ba3ddd093c6c8f8f11a64c0e7b642fc85c7ee6f.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 125c286ae99f2dda8188dafd5ba3ddd093c6c8f8f11a64c0e7b642fc85c7ee6f.exe
Drops file in Windows directory (3 IoCs)
Processes (description | ioc | process):
- File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
- File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
- File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
- Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
Modifies data under HKEY_USERS (49 IoCs)
Processes (description | ioc | process):
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | svchost.exe
- Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | svchost.exe
- Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | svchost.exe
- Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4108" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132892941522931784" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
- Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | svchost.exe
- Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "1.149431" | svchost.exe
- Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | svchost.exe
- Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | svchost.exe
- Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "2.654962" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4224" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | svchost.exe
- Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | svchost.exe
- Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | svchost.exe
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description | pid | process):
- Token: SeIncBasePriorityPrivilege | 4072 | 125c286ae99f2dda8188dafd5ba3ddd093c6c8f8f11a64c0e7b642fc85c7ee6f.exe
- Token: SeSecurityPrivilege | 3268 | TiWorker.exe
- Token: SeRestorePrivilege | 3268 | TiWorker.exe
- Token: SeBackupPrivilege | 3268 | TiWorker.exe
- Token: SeBackupPrivilege | 3268 | TiWorker.exe
- Token: SeRestorePrivilege | 3268 | TiWorker.exe
- Token: SeSecurityPrivilege | 3268 | TiWorker.exe
- Token: SeBackupPrivilege | 3268 | TiWorker.exe
- Token: SeRestorePrivilege | 3268 | TiWorker.exe
- Token: SeSecurityPrivilege | 3268 | TiWorker.exe
- Token: SeBackupPrivilege | 3268 | TiWorker.exe
- Token: SeRestorePrivilege | 3268 | TiWorker.exe
- Token: SeSecurityPrivilege | 3268 | TiWorker.exe
- Token: SeBackupPrivilege | 3268 | TiWorker.exe
- Token: SeRestorePrivilege | 3268 | TiWorker.exe
- Token: SeSecurityPrivilege | 3268 | TiWorker.exe
- Token: SeBackupPrivilege | 3268 | TiWorker.exe
- Token: SeRestorePrivilege | 3268 | TiWorker.exe
- Token: SeSecurityPrivilege | 3268 | TiWorker.exe
- Token: SeBackupPrivilege | 3268 | TiWorker.exe
- Token: SeRestorePrivilege | 3268 | TiWorker.exe
- Token: SeSecurityPrivilege | 3268 | TiWorker.exe
- Token: SeBackupPrivilege | 3268 | TiWorker.exe
- Token: SeRestorePrivilege | 3268 | TiWorker.exe
- Token: SeSecurityPrivilege | 3268 | TiWorker.exe
- Token: SeBackupPrivilege | 3268 | TiWorker.exe
- Token: SeRestorePrivilege | 3268 | TiWorker.exe
- Token: SeSecurityPrivilege | 3268 | TiWorker.exe
- Token: SeBackupPrivilege | 3268 | TiWorker.exe
- Token: SeRestorePrivilege | 3268 | TiWorker.exe
- Token: SeSecurityPrivilege | 3268 | TiWorker.exe
- Token: SeBackupPrivilege | 3268 | TiWorker.exe
- Token: SeRestorePrivilege | 3268 | TiWorker.exe
- Token: SeSecurityPrivilege | 3268 | TiWorker.exe
- Token: SeBackupPrivilege | 3268 | TiWorker.exe
- Token: SeRestorePrivilege | 3268 | TiWorker.exe
- Token: SeSecurityPrivilege | 3268 | TiWorker.exe
- Token: SeBackupPrivilege | 3268 | TiWorker.exe
- Token: SeRestorePrivilege | 3268 | TiWorker.exe
- Token: SeSecurityPrivilege | 3268 | TiWorker.exe
- Token: SeBackupPrivilege | 3268 | TiWorker.exe
- Token: SeRestorePrivilege | 3268 | TiWorker.exe
- Token: SeSecurityPrivilege | 3268 | TiWorker.exe
- Token: SeBackupPrivilege | 3268 | TiWorker.exe
- Token: SeRestorePrivilege | 3268 | TiWorker.exe
- Token: SeSecurityPrivilege | 3268 | TiWorker.exe
- Token: SeBackupPrivilege | 3268 | TiWorker.exe
- Token: SeRestorePrivilege | 3268 | TiWorker.exe
- Token: SeSecurityPrivilege | 3268 | TiWorker.exe
- Token: SeBackupPrivilege | 3268 | TiWorker.exe
- Token: SeRestorePrivilege | 3268 | TiWorker.exe
- Token: SeSecurityPrivilege | 3268 | TiWorker.exe
- Token: SeBackupPrivilege | 3268 | TiWorker.exe
- Token: SeRestorePrivilege | 3268 | TiWorker.exe
- Token: SeSecurityPrivilege | 3268 | TiWorker.exe
- Token: SeBackupPrivilege | 3268 | TiWorker.exe
- Token: SeRestorePrivilege | 3268 | TiWorker.exe
- Token: SeSecurityPrivilege | 3268 | TiWorker.exe
- Token: SeBackupPrivilege | 3268 | TiWorker.exe
- Token: SeRestorePrivilege | 3268 | TiWorker.exe
- Token: SeSecurityPrivilege | 3268 | TiWorker.exe
- Token: SeBackupPrivilege | 3268 | TiWorker.exe
- Token: SeRestorePrivilege | 3268 | TiWorker.exe
- Token: SeSecurityPrivilege | 3268 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description | pid | process | target process):
- PID 4072 wrote to memory of 3900 | 4072 | 125c286ae99f2dda8188dafd5ba3ddd093c6c8f8f11a64c0e7b642fc85c7ee6f.exe | MediaCenter.exe
- PID 4072 wrote to memory of 3900 | 4072 | 125c286ae99f2dda8188dafd5ba3ddd093c6c8f8f11a64c0e7b642fc85c7ee6f.exe | MediaCenter.exe
- PID 4072 wrote to memory of 3900 | 4072 | 125c286ae99f2dda8188dafd5ba3ddd093c6c8f8f11a64c0e7b642fc85c7ee6f.exe | MediaCenter.exe
- PID 4072 wrote to memory of 448 | 4072 | 125c286ae99f2dda8188dafd5ba3ddd093c6c8f8f11a64c0e7b642fc85c7ee6f.exe | cmd.exe
- PID 4072 wrote to memory of 448 | 4072 | 125c286ae99f2dda8188dafd5ba3ddd093c6c8f8f11a64c0e7b642fc85c7ee6f.exe | cmd.exe
- PID 4072 wrote to memory of 448 | 4072 | 125c286ae99f2dda8188dafd5ba3ddd093c6c8f8f11a64c0e7b642fc85c7ee6f.exe | cmd.exe
- PID 448 wrote to memory of 1880 | 448 | cmd.exe | PING.EXE
- PID 448 wrote to memory of 1880 | 448 | cmd.exe | PING.EXE
- PID 448 wrote to memory of 1880 | 448 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\125c286ae99f2dda8188dafd5ba3ddd093c6c8f8f11a64c0e7b642fc85c7ee6f.exe (PID 4072)
  Command line: "C:\Users\Admin\AppData\Local\Temp\125c286ae99f2dda8188dafd5ba3ddd093c6c8f8f11a64c0e7b642fc85c7ee6f.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 3900)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 448)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\125c286ae99f2dda8188dafd5ba3ddd093c6c8f8f11a64c0e7b642fc85c7ee6f.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1880)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\MusNotifyIcon.exe (PID 3672)
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
- C:\Windows\System32\svchost.exe (PID 844)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 3268)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: b086398065d6c218a5f83496e368b02c
  SHA1: bde5d3338689e930be7485dbf1cc798ed6da2a63
  SHA256: 8fdc53efc79d78aedb486a0e81541a5ad5c309b9f64899271215d67a43708acb
  SHA512: 9c476eb2e8c17558e3f5fe08396ba780ff35529d5bd9b011d507cab4a2846263d5d46dab1b0f599e7e09ced655cdddd8ea76844b071350006d088af8631ae734