Analysis
- max time kernel: 165s
- max time network: 180s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 06:29
Static task: static1
Behavioral task: behavioral1
- Sample: 0fe1687c63b2744f08299f7fc3511b80d9bbcf161728ed04dd093fa1a6498269.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0fe1687c63b2744f08299f7fc3511b80d9bbcf161728ed04dd093fa1a6498269.exe
- Resource: win10v2004-en-20220112
General
- Target: 0fe1687c63b2744f08299f7fc3511b80d9bbcf161728ed04dd093fa1a6498269.exe
- Size: 80KB
- MD5: 80b0ba58ef46124002fb5584ef0a3b87
- SHA1: 7179a1fd51dc8cb634ed01087249883a2f890d9e
- SHA256: 0fe1687c63b2744f08299f7fc3511b80d9bbcf161728ed04dd093fa1a6498269
- SHA512: b87f6f630d1cdce8326ac7a5044c891ab0c934d65662d113d3033a2e91b68bd9c6e2d4339e131932fc717a1ad5ec53dbc0524607c682aed09011e65c5ee04b52
Malware Config
Signatures

Sakula Payload (2 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Both YARA hits are on the dropped MediaCenter.exe, not on the submitted dropper itself.
Executes dropped EXE (1 IoC)
pid | process
2488 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
0fe1687c63b2744f08299f7fc3511b80d9bbcf161728ed04dd093fa1a6498269.exe: Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation
Adds Run key to start application (2 TTPs, 1 IoC)
0fe1687c63b2744f08299f7fc3511b80d9bbcf161728ed04dd093fa1a6498269.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
The WOW6432Node path means a 32-bit process wrote HKLM\Software\Microsoft\Windows\CurrentVersion\Run through registry redirection, so the dropped MediaCenter.exe is started at every logon for every user; writing HKLM needs administrative rights, which the sandbox's Admin session supplied. A machine-wide Run entry whose target lives in a user-writable Temp directory is a strong persistence indicator on its own.
Drops file in Windows directory (3 IoCs)
TiWorker.exe: File opened for modification C:\Windows\WinSxS\pending.xml
svchost.exe: File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat
TiWorker.exe: File opened for modification C:\Windows\Logs\CBS\CBS.log
All three IoCs belong to Windows servicing components (the Modules Installer worker TiWorker.exe and the Delivery Optimization svchost.exe), not to the sample or its children; treat them as background OS activity in the sandbox.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
No process or IoC is listed for this signature in the report, so it cannot be attributed to the sample from the data shown here.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
MusNotifyIcon.exe: Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
MusNotifyIcon.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
The only process touching this key is MusNotifyIcon.exe, the Windows Update notification icon, which started independently of the sample (see Processes). It is not evidence that the sample fingerprints the sandbox.
Modifies data under HKEY_USERS (51 IoCs)
All 51 operations are by svchost.exe (PID 3780, the NetworkService host) under \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization (S-1-5-20 is NT AUTHORITY\NETWORK SERVICE). Paths below are relative to that key. This is Delivery Optimization bookkeeping, not sample activity.
Key created: Settings
Set value (str): Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
Set value (int): Usage\SwarmCount = "1"
Set value (int): Usage\CacheSizeBytes = "0"
Set value (int): Usage\PeerInfoCount = "0"
Set value (int): Usage\LANConnectionCount = "0"
Set value (int): Usage\UplinkUsageBps = "0"
Set value (int): Usage\NormalDownloadPendingCount = "0"
Set value (str): Usage\CPUpct = "1.351197"
Set value (int): Usage\MemoryUsageKB = "4068"
Set value (int): Config\DownloadMode_BackCompat = "1"
Set value (int): Usage\UploadMonthlyLanBytes = "0"
Set value (int): Usage\DownloadMonthlyLanBytes = "0"
Set value (int): Usage\DownloadMonthlyCacheHostBytes = "0"
Set value (int): Usage\DownloadMonthlyGroupBytes = "0"
Set value (int): Usage\DownloadMonthlyRateFrBps = "0"
Set value (int): Usage\MonthID = "2"
Set value (int): Config\KVFileExpirationTime = "132892974861007736"
Set value (int): Usage\LinkLocalConnectionCount = "0"
Set value (int): Usage\UplinkBps = "0"
Set value (int): Usage\FrDownloadRatePct = "90"
Set value (int): Usage\BkDownloadRatePct = "45"
Set value (int): Usage\NormalDownloadCount = "0"
Set value (str): Usage\CPUpct = "6.249313"
Set value (int): Usage\DownloadMonthlyLinkLocalBytes = "0"
Set value (int): Usage\DownloadMonthlyRateBkCnt = "0"
Set value (str): Usage\CPUpct = "0.006615"
Set value (int): Config\DODownloadMode = "1"
Set value (int): Usage\DownloadMonthlyInternetBytes = "0"
Set value (int): Usage\GroupConnectionCount = "0"
Set value (int): Usage\PriorityDownloadCount = "0"
Set value (int): Usage\PriorityDownloadPendingCount = "0"
Set value (int): Usage\MemoryUsageKB = "4372"
Key created: Config
Set value (int): Usage\UploadMonthlyInternetBytes = "0"
Set value (int): Usage\CDNConnectionCount = "0"
Set value (int): Usage\InternetConnectionCount = "0"
Set value (int): Usage\UploadRatePct = "100"
Set value (int): Usage\UploadCount = "0"
Set value (str): Usage\CPUpct = "4.054125"
Set value (int): Usage\MemoryUsageKB = "4176"
Set value (int): Usage\SwarmCount = "0"
Key created: Usage
Set value (int): Usage\DownloadMonthlyCdnBytes = "0"
Set value (int): Usage\DownloadMonthlyRateFrCnt = "0"
Set value (int): Usage\DownlinkBps = "0"
Set value (int): Usage\MonthlyUploadRestriction = "0"
Key created: (the DeliveryOptimization key itself)
Set value (int): Usage\DownloadMonthlyRateBkBps = "0"
Set value (str): Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
Set value (int): Usage\DownlinkUsageBps = "0"
Runs ping.exe (1 TTP, 1 IoC)
The IoC is PING.EXE (PID 1528), spawned by cmd.exe (PID 1516); see Processes.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
TiWorker.exe (PID 2324): 63 entries, cycling through SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, the privilege set the servicing stack enables to modify protected files and security descriptors.
0fe1687c63b2744f08299f7fc3511b80d9bbcf161728ed04dd093fa1a6498269.exe (PID 1728): 1 entry, SeIncBasePriorityPrivilege.
Only the single SeIncBasePriorityPrivilege enable is attributable to the sample; the TiWorker.exe entries are background Windows servicing that happened to run during the analysis window.
Suspicious use of WriteProcessMemory (9 IoCs)
PID 1728 (0fe1687c63b2744f08299f7fc3511b80d9bbcf161728ed04dd093fa1a6498269.exe) wrote to memory of PID 2488 (MediaCenter.exe): 3 times
PID 1728 (0fe1687c63b2744f08299f7fc3511b80d9bbcf161728ed04dd093fa1a6498269.exe) wrote to memory of PID 1516 (cmd.exe): 3 times
PID 1516 (cmd.exe) wrote to memory of PID 1528 (PING.EXE): 3 times
Each target is a direct child of the writer and each receives the same three writes, the pattern of a parent setting up a child it has just created rather than injection into an unrelated process.
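Added example (not part of the sandbox report or of any Sakula tooling): a small Python triage pass over registry events like the ones in the signatures above. It folds the WOW6432Node view onto the native path so one Run-key rule matches 32-bit and 64-bit writers, flags Run entries whose target lives in a user-writable path, flags the Geo\Nation and CentralProcessor lookups, and tags each finding with whether the acting process is in the sample's process tree, which is what separates the sample's persistence and geofence checks here from the svchost.exe and MusNotifyIcon.exe background noise. The four input events are transcribed from this report; the rule names, the Finding structure and the SAMPLE_TREE set are my own assumptions.

```python
import re
from typing import NamedTuple


class RegEvent(NamedTuple):
    op: str       # sandbox operation, e.g. "Set value (str)" or "Key value queried"
    path: str     # registry path exactly as the sandbox prints it
    data: str     # value data for writes, "" for reads
    process: str  # image name of the process that performed the operation


class Finding(NamedTuple):
    rule: str
    process: str
    attributed: bool  # True when the acting process is in the sample's process tree
    detail: str


# Image names in the sample's own process tree (from the Processes section of this report).
SAMPLE_TREE = {
    "0fe1687c63b2744f08299f7fc3511b80d9bbcf161728ed04dd093fa1a6498269.exe",
    "MediaCenter.exe", "cmd.exe", "PING.EXE",
}

# Constructed input: four events transcribed from this report's signature tables.
EVENTS = [
    RegEvent("Key value queried",
             r"\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation",
             "", "0fe1687c63b2744f08299f7fc3511b80d9bbcf161728ed04dd093fa1a6498269.exe"),
    RegEvent("Set value (str)",
             r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
             r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
             "0fe1687c63b2744f08299f7fc3511b80d9bbcf161728ed04dd093fa1a6498269.exe"),
    RegEvent("Key value queried",
             r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz",
             "", "MusNotifyIcon.exe"),
    RegEvent("Set value (int)",
             r"\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount",
             "1", "svchost.exe"),
]

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.I)
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
CPU_INFO_RE = re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.I)
# Locations a standard user can write to; a Run entry pointing here is a strong persistence signal.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\Users\\Public\\", re.I)
WOW_RE = re.compile(r"\\WOW6432Node(?=\\)", re.I)


def normalize_hive_view(path: str) -> str:
    """Fold the 32-bit redirected view (WOW6432Node) onto the native path so one
    rule matches the same Run key whether a 32-bit or a 64-bit process wrote it."""
    return WOW_RE.sub("", path)


def triage(events, sample_tree=SAMPLE_TREE):
    """Apply the three registry rules and tag each finding with whether the acting
    process belongs to the sample's tree (otherwise it is sandbox background noise)."""
    findings = []
    for ev in events:
        native = normalize_hive_view(ev.path)
        attributed = ev.process in sample_tree
        run = RUN_KEY_RE.search(native)
        if ev.op.startswith("Set value") and run:
            target = ev.data.strip('"')
            where = "user-writable path" if USER_WRITABLE_RE.search(target) else "system path"
            bits = "32-bit writer, registry-redirected" if WOW_RE.search(ev.path) else "native writer"
            findings.append(Finding("run_key_persistence", ev.process, attributed,
                                    f"{run.group(1)} -> {target}; {where}; {bits}"))
        elif GEO_NATION_RE.search(native):
            findings.append(Finding("geo_nation_lookup", ev.process, attributed,
                                    "reads the configured country code; typical geofence check"))
        elif CPU_INFO_RE.search(native):
            findings.append(Finding("cpu_info_query", ev.process, attributed,
                                    "reads CentralProcessor info; a sandbox check, but also routine OS activity"))
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        tag = "SAMPLE" if f.attributed else "BACKGROUND"
        print(f"[{tag:10}] {f.rule:20} {f.process}: {f.detail}")
```

Run as-is it reports the Geo\Nation lookup and the Run-key write as SAMPLE findings and the CentralProcessor read as BACKGROUND; the Delivery Optimization write matches no rule. The attribution step is the important part: the same rules run over a full sandbox log would otherwise surface every Windows component that happened to be busy during the run.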
Processes
- C:\Users\Admin\AppData\Local\Temp\0fe1687c63b2744f08299f7fc3511b80d9bbcf161728ed04dd093fa1a6498269.exe (PID 1728)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0fe1687c63b2744f08299f7fc3511b80d9bbcf161728ed04dd093fa1a6498269.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 2488, child of 1728)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1516, child of 1728)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0fe1687c63b2744f08299f7fc3511b80d9bbcf161728ed04dd093fa1a6498269.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1528, child of 1516)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
- C:\Windows\system32\MusNotifyIcon.exe (PID 2024)
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  Signatures: Checks processor information in registry
- C:\Windows\System32\svchost.exe (PID 3780)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  Signatures: Drops file in Windows directory; Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 2324)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

Two things in the sample's subtree are worth noting. First, the dropper asks for C:\Windows\System32\cmd.exe but the process that runs is C:\Windows\SysWOW64\cmd.exe: that is WOW64 file-system redirection, which only applies to 32-bit callers, and it agrees with the WOW6432Node Run key. Second, "ping 127.0.0.1 & del /q <dropper>" is the classic delay-then-self-delete chain: ping stalls cmd.exe for a moment so the dropper can exit and release its file lock, then del removes the dropper, leaving only MediaCenter.exe and its Run key behind. The three root-level processes (MusNotifyIcon.exe, svchost.exe, TiWorker.exe) have no parent in the sample's tree and are background Windows activity.
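Added example (not from the report): Python detection of the delay-then-delete chain in the tree above, generalized to the timeout variant and to erase. It pairs a loopback ping or a timeout with a del/erase in one cmd.exe command line, walks the parent chain to confirm the deleted file is the image of an ancestor (the dropper deleting itself), and records when a requested System32\cmd.exe actually executed from SysWOW64, the WOW64 redirection that marks the caller as 32-bit. PIDs and command lines are constructed from this report's process list; the sample's own parent PID is not in the report, so it is given as 0, and the ProcEvent and SelfDelete structures are my own.

```python
import re
from typing import NamedTuple, Optional


class ProcEvent(NamedTuple):
    pid: int
    ppid: int
    image: str    # image path actually executed
    cmdline: str  # command line as logged


class SelfDelete(NamedTuple):
    cmd_pid: int
    target: str                  # file the del/erase command removes
    ancestor_pid: Optional[int]  # PID of the ancestor whose image is that file, if any
    delay: str                   # the delay primitive found (ping/timeout)
    wow64_redirected: bool       # System32 requested, SysWOW64 executed


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0fe1687c63b2744f08299f7fc3511b80d9bbcf161728ed04dd093fa1a6498269.exe"

# Constructed input: the process tree from this report. The sample's parent is not
# in the report, so its ppid is given as 0 here.
PROCS = [
    ProcEvent(1728, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2488, 1728, r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
              r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"),
    ProcEvent(1516, 1728, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcEvent(1528, 1516, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    ProcEvent(2024, 0, r"C:\Windows\system32\MusNotifyIcon.exe",
              r"%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13"),
]

# A delay primitive: ping to loopback (optionally with -n) or timeout.
DELAY_RE = re.compile(
    r"\b(?:ping(?:\.exe)?\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost|::1)"
    r"|timeout(?:\.exe)?\s+(?:/t\s+)?\d+)", re.I)
# del/erase with optional switches, then a quoted or bare path up to the next operator.
DELETE_RE = re.compile(r'\b(?:del|erase)\b(?:\s+/\w+)*\s+"?([^"&|]+?)"?\s*(?:[&|]|$)', re.I)


def detect_self_delete(procs):
    """Flag cmd.exe instances that pair a delay with a delete, and resolve whether the
    deleted file is the image of one of cmd.exe's ancestors (dropper self-deletion)."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if not p.image.lower().endswith("\\cmd.exe"):
            continue
        delay, delete = DELAY_RE.search(p.cmdline), DELETE_RE.search(p.cmdline)
        if not (delay and delete):
            continue
        target = delete.group(1).strip()
        ancestor_pid = None
        anc = by_pid.get(p.ppid)
        while anc is not None:
            if anc.image.lower() == target.lower():
                ancestor_pid = anc.pid
                break
            anc = by_pid.get(anc.ppid)
        redirected = ("\\syswow64\\" in p.image.lower()
                      and "\\system32\\" in p.cmdline.lower())
        hits.append(SelfDelete(p.pid, target, ancestor_pid, delay.group(0), redirected))
    return hits


if __name__ == "__main__":
    for h in detect_self_delete(PROCS):
        who = f"ancestor PID {h.ancestor_pid}" if h.ancestor_pid else "no ancestor"
        print(f"cmd.exe PID {h.cmd_pid}: '{h.delay}' then delete {h.target} ({who}; "
              f"WOW64 redirected: {h.wow64_redirected})")
```

The ancestor walk is what turns a noisy "cmd deletes a file" rule into a precise one: legitimate cleanup scripts delete files all the time, but a cmd.exe whose delete target is its own parent's image, preceded by a delay that exists only to let that parent exit, is the dropper pattern seen in this report.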
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 4ad6c91fdccea14d7b487daf8204861d
  SHA1: 33b8c433888074ef1c289902b4e1bd530871f6a6
  SHA256: 55a4c1fd7913abaddb368167710c031298fc69b8ab04580aea2d2c66b40c68f8
  SHA512: c4efb49507b2b25e484079b23f14d5b592cacb86c37543c3dfd4906e039fb3c5ca70ca972051cf4ca14b6a0363aa5310cb3deca095bf9a1f562f191207a1da4f