Analysis
-
max time kernel
165s -
max time network
167s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
12-02-2022 05:48
Static task
static1
Behavioral task
behavioral1
Sample
11a1878dff5ef56ed5b1c2f534afac7dd7e60a2bd46f37f4e59440a9b04c396b.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
11a1878dff5ef56ed5b1c2f534afac7dd7e60a2bd46f37f4e59440a9b04c396b.exe
Resource
win10v2004-en-20220112
General
-
Target
11a1878dff5ef56ed5b1c2f534afac7dd7e60a2bd46f37f4e59440a9b04c396b.exe
-
Size
216KB
-
MD5
a65daee6c8559daee438135e3691dd5d
-
SHA1
122b40fbede11ec9e7e6aa6cc92c9646ac8d24fd
-
SHA256
11a1878dff5ef56ed5b1c2f534afac7dd7e60a2bd46f37f4e59440a9b04c396b
-
SHA512
e619b06bb8a476e7f2b57f94a330ae7e9c24b8f4e4fa81ab8c82db9e55815fe45e5dae430dea9b3b84118121556bea2090648c0ba24012dd8eafd31c60c8e4ea
Malware Config
Signatures
-
Sakula Payload 4 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula behavioral2/memory/2936-132-0x0000000000400000-0x0000000000420000-memory.dmp family_sakula behavioral2/memory/1180-133-0x0000000000400000-0x0000000000420000-memory.dmp family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1180 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
11a1878dff5ef56ed5b1c2f534afac7dd7e60a2bd46f37f4e59440a9b04c396b.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation 11a1878dff5ef56ed5b1c2f534afac7dd7e60a2bd46f37f4e59440a9b04c396b.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
11a1878dff5ef56ed5b1c2f534afac7dd7e60a2bd46f37f4e59440a9b04c396b.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 11a1878dff5ef56ed5b1c2f534afac7dd7e60a2bd46f37f4e59440a9b04c396b.exe -
Drops file in Windows directory 3 IoCs
Processes:
TiWorker.exesvchost.exedescription ioc process File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
MusNotifyIcon.exedescription ioc process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MusNotifyIcon.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MusNotifyIcon.exe -
Modifies data under HKEY_USERS 51 IoCs
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "9.998004" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "7.693685" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132892950051399227" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.006630" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "3.097296" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4292" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4044" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4088" svchost.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
TiWorker.exe11a1878dff5ef56ed5b1c2f534afac7dd7e60a2bd46f37f4e59440a9b04c396b.exedescription pid process Token: SeSecurityPrivilege 3300 TiWorker.exe Token: SeRestorePrivilege 3300 TiWorker.exe Token: SeBackupPrivilege 3300 TiWorker.exe Token: SeIncBasePriorityPrivilege 2936 11a1878dff5ef56ed5b1c2f534afac7dd7e60a2bd46f37f4e59440a9b04c396b.exe Token: SeBackupPrivilege 3300 TiWorker.exe Token: SeRestorePrivilege 3300 TiWorker.exe Token: SeSecurityPrivilege 3300 TiWorker.exe Token: SeBackupPrivilege 3300 TiWorker.exe Token: SeRestorePrivilege 3300 TiWorker.exe Token: SeSecurityPrivilege 3300 TiWorker.exe Token: SeBackupPrivilege 3300 TiWorker.exe Token: SeRestorePrivilege 3300 TiWorker.exe Token: SeSecurityPrivilege 3300 TiWorker.exe Token: SeBackupPrivilege 3300 TiWorker.exe Token: SeRestorePrivilege 3300 TiWorker.exe Token: SeSecurityPrivilege 3300 TiWorker.exe Token: SeBackupPrivilege 3300 TiWorker.exe Token: SeRestorePrivilege 3300 TiWorker.exe Token: SeSecurityPrivilege 3300 TiWorker.exe Token: SeBackupPrivilege 3300 TiWorker.exe Token: SeRestorePrivilege 3300 TiWorker.exe Token: SeSecurityPrivilege 3300 TiWorker.exe Token: SeBackupPrivilege 3300 TiWorker.exe Token: SeRestorePrivilege 3300 TiWorker.exe Token: SeSecurityPrivilege 3300 TiWorker.exe Token: SeBackupPrivilege 3300 TiWorker.exe Token: SeRestorePrivilege 3300 TiWorker.exe Token: SeSecurityPrivilege 3300 TiWorker.exe Token: SeBackupPrivilege 3300 TiWorker.exe Token: SeRestorePrivilege 3300 TiWorker.exe Token: SeSecurityPrivilege 3300 TiWorker.exe Token: SeBackupPrivilege 3300 TiWorker.exe Token: SeRestorePrivilege 3300 TiWorker.exe Token: SeSecurityPrivilege 3300 TiWorker.exe Token: SeBackupPrivilege 3300 TiWorker.exe Token: SeRestorePrivilege 3300 TiWorker.exe Token: SeSecurityPrivilege 3300 TiWorker.exe Token: SeBackupPrivilege 3300 TiWorker.exe Token: SeRestorePrivilege 3300 TiWorker.exe Token: SeSecurityPrivilege 3300 TiWorker.exe Token: SeBackupPrivilege 3300 TiWorker.exe Token: SeRestorePrivilege 3300 TiWorker.exe Token: SeSecurityPrivilege 3300 TiWorker.exe Token: SeBackupPrivilege 3300 TiWorker.exe Token: SeRestorePrivilege 3300 TiWorker.exe Token: SeSecurityPrivilege 3300 TiWorker.exe Token: SeBackupPrivilege 3300 TiWorker.exe Token: SeRestorePrivilege 3300 TiWorker.exe Token: SeSecurityPrivilege 3300 TiWorker.exe Token: SeBackupPrivilege 3300 TiWorker.exe Token: SeRestorePrivilege 3300 TiWorker.exe Token: SeSecurityPrivilege 3300 TiWorker.exe Token: SeBackupPrivilege 3300 TiWorker.exe Token: SeRestorePrivilege 3300 TiWorker.exe Token: SeSecurityPrivilege 3300 TiWorker.exe Token: SeBackupPrivilege 3300 TiWorker.exe Token: SeRestorePrivilege 3300 TiWorker.exe Token: SeSecurityPrivilege 3300 TiWorker.exe Token: SeBackupPrivilege 3300 TiWorker.exe Token: SeRestorePrivilege 3300 TiWorker.exe Token: SeSecurityPrivilege 3300 TiWorker.exe Token: SeBackupPrivilege 3300 TiWorker.exe Token: SeRestorePrivilege 3300 TiWorker.exe Token: SeSecurityPrivilege 3300 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
11a1878dff5ef56ed5b1c2f534afac7dd7e60a2bd46f37f4e59440a9b04c396b.execmd.exedescription pid process target process PID 2936 wrote to memory of 1180 2936 11a1878dff5ef56ed5b1c2f534afac7dd7e60a2bd46f37f4e59440a9b04c396b.exe MediaCenter.exe PID 2936 wrote to memory of 1180 2936 11a1878dff5ef56ed5b1c2f534afac7dd7e60a2bd46f37f4e59440a9b04c396b.exe MediaCenter.exe PID 2936 wrote to memory of 1180 2936 11a1878dff5ef56ed5b1c2f534afac7dd7e60a2bd46f37f4e59440a9b04c396b.exe MediaCenter.exe PID 2936 wrote to memory of 968 2936 11a1878dff5ef56ed5b1c2f534afac7dd7e60a2bd46f37f4e59440a9b04c396b.exe cmd.exe PID 2936 wrote to memory of 968 2936 11a1878dff5ef56ed5b1c2f534afac7dd7e60a2bd46f37f4e59440a9b04c396b.exe cmd.exe PID 2936 wrote to memory of 968 2936 11a1878dff5ef56ed5b1c2f534afac7dd7e60a2bd46f37f4e59440a9b04c396b.exe cmd.exe PID 968 wrote to memory of 496 968 cmd.exe PING.EXE PID 968 wrote to memory of 496 968 cmd.exe PING.EXE PID 968 wrote to memory of 496 968 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\11a1878dff5ef56ed5b1c2f534afac7dd7e60a2bd46f37f4e59440a9b04c396b.exe"C:\Users\Admin\AppData\Local\Temp\11a1878dff5ef56ed5b1c2f534afac7dd7e60a2bd46f37f4e59440a9b04c396b.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11a1878dff5ef56ed5b1c2f534afac7dd7e60a2bd46f37f4e59440a9b04c396b.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:968 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:496
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
PID:1256
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2260
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3300
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
1cb2fff65d94aafe797c16c48017c7d6
SHA1ebef8e19d11ea7aa985a12acbf12fbabf3422060
SHA256ba6698c666fe5846ac7169d9e46aee7411c8a1b96b4e388108e234276e40fb8a
SHA512f86214a87ac1b77bd238e97962f190b8629450ccbeca2677fd8bc340a9700f470f769d84bf76179556f1530a5b4843a8743baa53fd8b9b44b53b0121d436227f
-
MD5
1cb2fff65d94aafe797c16c48017c7d6
SHA1ebef8e19d11ea7aa985a12acbf12fbabf3422060
SHA256ba6698c666fe5846ac7169d9e46aee7411c8a1b96b4e388108e234276e40fb8a
SHA512f86214a87ac1b77bd238e97962f190b8629450ccbeca2677fd8bc340a9700f470f769d84bf76179556f1530a5b4843a8743baa53fd8b9b44b53b0121d436227f