Analysis
- max time kernel: 177s
- max time network: 192s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 05:44
Static task: static1
Behavioral task: behavioral1
  Sample: 11d38eb09ef4332746e47989ae26e726b8fd8ac7e741df5aedbf7e27ed678573.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 11d38eb09ef4332746e47989ae26e726b8fd8ac7e741df5aedbf7e27ed678573.exe
  Resource: win10v2004-en-20220112
General
- Target: 11d38eb09ef4332746e47989ae26e726b8fd8ac7e741df5aedbf7e27ed678573.exe
- Size: 192KB
- MD5: ba86df40294a8b168ac0db2c36456e21
- SHA1: 679a0f4bdcfdd5ae2c407defd72acae6e84bfccd
- SHA256: 11d38eb09ef4332746e47989ae26e726b8fd8ac7e741df5aedbf7e27ed678573
- SHA512: 905853bb899e0730f3f55b345257fc0958a1beac89d4e28ae08d7ab9a582a9f2a9006f2137b47aaa39a2e567ec59a7f471f5b1474ffc9c6c8eaca46a99ed4a3b
Malware Config
Signatures
-
Sakula Payload (2 IoCs)
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    yara_rule: family_sakula
-
Executes dropped EXE (1 IoC)
Processes:
  pid: 2840    process: MediaCenter.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation
  process: 11d38eb09ef4332746e47989ae26e726b8fd8ac7e741df5aedbf7e27ed678573.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 11d38eb09ef4332746e47989ae26e726b8fd8ac7e741df5aedbf7e27ed678573.exe
-
Drops file in Windows directory (3 IoCs)
Processes:
  description: File opened for modification    ioc: C:\Windows\Logs\CBS\CBS.log    process: TiWorker.exe
  description: File opened for modification    ioc: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat    process: svchost.exe
  description: File opened for modification    ioc: C:\Windows\WinSxS\pending.xml    process: TiWorker.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS (51 IoCs)
Processes:
All 51 entries were made by svchost.exe. Every ioc path below is relative to \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion.
  Key created        DeliveryOptimization\Settings
  Set value (int)    DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"
  Set value (int)    DeliveryOptimization\Usage\PriorityDownloadCount = "0"
  Set value (int)    DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"
  Set value (str)    DeliveryOptimization\Usage\CPUpct = "12.501630"
  Set value (str)    DeliveryOptimization\Usage\CPUpct = "0.189826"
  Key created        DeliveryOptimization
  Set value (int)    DeliveryOptimization\Config\DownloadMode_BackCompat = "1"
  Set value (int)    DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"
  Set value (str)    DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
  Set value (int)    DeliveryOptimization\Usage\CacheSizeBytes = "0"
  Set value (int)    DeliveryOptimization\Usage\UploadCount = "0"
  Set value (int)    DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"
  Set value (int)    DeliveryOptimization\Usage\MonthID = "2"
  Set value (int)    DeliveryOptimization\Config\KVFileExpirationTime = "132892947567739837"
  Set value (int)    DeliveryOptimization\Usage\InternetConnectionCount = "0"
  Set value (int)    DeliveryOptimization\Usage\UplinkUsageBps = "0"
  Set value (str)    DeliveryOptimization\Usage\CPUpct = "1.079109"
  Set value (int)    DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"
  Set value (int)    DeliveryOptimization\Usage\DownlinkUsageBps = "0"
  Set value (int)    DeliveryOptimization\Usage\BkDownloadRatePct = "45"
  Set value (int)    DeliveryOptimization\Usage\SwarmCount = "0"
  Set value (str)    DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
  Set value (int)    DeliveryOptimization\Usage\FrDownloadRatePct = "90"
  Key created        DeliveryOptimization\Config
  Set value (int)    DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"
  Set value (int)    DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"
  Set value (int)    DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"
  Set value (int)    DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"
  Set value (int)    DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"
  Set value (int)    DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"
  Set value (int)    DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"
  Set value (int)    DeliveryOptimization\Usage\MemoryUsageKB = "4124"
  Set value (str)    DeliveryOptimization\Usage\CPUpct = "0.008037"
  Set value (int)    DeliveryOptimization\Config\DODownloadMode = "1"
  Set value (int)    DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"
  Set value (int)    DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"
  Set value (int)    DeliveryOptimization\Usage\UploadRatePct = "100"
  Set value (int)    DeliveryOptimization\Usage\NormalDownloadCount = "0"
  Set value (int)    DeliveryOptimization\Usage\MemoryUsageKB = "4208"
  Key created        DeliveryOptimization\Usage
  Set value (int)    DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"
  Set value (int)    DeliveryOptimization\Usage\SwarmCount = "1"
  Set value (int)    DeliveryOptimization\Usage\PeerInfoCount = "0"
  Set value (int)    DeliveryOptimization\Usage\GroupConnectionCount = "0"
  Set value (int)    DeliveryOptimization\Usage\DownlinkBps = "0"
  Set value (int)    DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"
  Set value (int)    DeliveryOptimization\Usage\CDNConnectionCount = "0"
  Set value (int)    DeliveryOptimization\Usage\LANConnectionCount = "0"
  Set value (int)    DeliveryOptimization\Usage\UplinkBps = "0"
  Set value (int)    DeliveryOptimization\Usage\MemoryUsageKB = "3828"
-
Runs ping.exe (1 TTP, 1 IoC)
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  Token: SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege (enabled repeatedly in that rotation; 63 of the 64 entries)    pid: 3404    process: TiWorker.exe
  Token: SeIncBasePriorityPrivilege (1 entry)    pid: 312    process: 11d38eb09ef4332746e47989ae26e726b8fd8ac7e741df5aedbf7e27ed678573.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  PID 312 wrote to memory of 2840    process: 11d38eb09ef4332746e47989ae26e726b8fd8ac7e741df5aedbf7e27ed678573.exe    target process: MediaCenter.exe    (3 entries)
  PID 312 wrote to memory of 3460    process: 11d38eb09ef4332746e47989ae26e726b8fd8ac7e741df5aedbf7e27ed678573.exe    target process: cmd.exe    (3 entries)
  PID 3460 wrote to memory of 1800    process: cmd.exe    target process: PING.EXE    (3 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\11d38eb09ef4332746e47989ae26e726b8fd8ac7e741df5aedbf7e27ed678573.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11d38eb09ef4332746e47989ae26e726b8fd8ac7e741df5aedbf7e27ed678573.exe"
  PID: 312
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 2840
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11d38eb09ef4332746e47989ae26e726b8fd8ac7e741df5aedbf7e27ed678573.exe"
      PID: 3460
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          PID: 1800
          - Runs ping.exe
-
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  PID: 3936
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3404
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: fcfa3035edd605edb495bc6225f9153a
SHA1: 4e6cfb1ac4756a0d08c704a3f7820df3b32a5d4a
SHA256: 247ca40fdd2e7cea992240a2c79d8176afe6b5bf7f835ff844cd2fae55365835
SHA512: 9944c015bb9da5f9d658756f7daf28f1f5cda639919e95a8a333386b7c986d678f7e68e29f8d747cb950cfda6e42270a23b89382d4d07588b4de68824e658360