Analysis

Max time kernel: 168s
Max time network: 178s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220112
Submitted: 12-02-2022 05:56

Static task: static1
Behavioral task: behavioral1
  Sample: 114fabe3eda3611c007d79ddd114c5072259114aeea663be13e62a1488ed8b82.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 114fabe3eda3611c007d79ddd114c5072259114aeea663be13e62a1488ed8b82.exe
  Resource: win10v2004-en-20220112

The results below are from the windows10-2004_x64 run (behavioral2, resource win10v2004-en-20220112).
General

Target: 114fabe3eda3611c007d79ddd114c5072259114aeea663be13e62a1488ed8b82.exe
Size: 104KB
MD5: 48216b739a8684eca32713c2b6e409b7
SHA1: 4b2b4bb76651c9a5195e1c3c5262768ca8551c3d
SHA256: 114fabe3eda3611c007d79ddd114c5072259114aeea663be13e62a1488ed8b82
SHA512: 028f5082eff2bf10537b8c25e6b4513b65cc0438ed09695618aea08b328406783c4624f402bc0b80196c2ed9423d84d3b42eb8151e9e5441c80f3abc4f365dbc
Malware Config
Signatures
-
Sakula Payload (2 IoCs)
  YARA rule family_sakula matched the dropped file C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (two matches on the same file).
Executes dropped EXE (1 IoC)
  MediaCenter.exe, PID 3300 (the file dropped to C:\Users\Admin\AppData\Local\Temp\MicroMedia\ by the sample).
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried by 114fabe3eda3611c007d79ddd114c5072259114aeea663be13e62a1488ed8b82.exe:
    \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation
  The query shows the sample reads the locale; whether it changes behaviour based on the value is not visible in this run.
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by 114fabe3eda3611c007d79ddd114c5072259114aeea663be13e62a1488ed8b82.exe:
    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  This is the machine-wide Run key (HKLM), so the write needs administrative rights, which the sandbox's "Admin" account has. The value lands under WOW6432Node because the sample is a 32-bit process (its cmd.exe child resolves to C:\Windows\SysWOW64\cmd.exe through file-system redirection), so its HKLM\SOFTWARE write is registry-redirected. The persisted binary lives in a user-writable Temp directory, which is itself a strong detection signal.
Drops file in Windows directory (3 IoCs)
  File opened for modification:
    C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
    C:\Windows\WinSxS\pending.xml (TiWorker.exe)
    C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat (svchost.exe)
  None of these writes is by the sample or its children: TiWorker.exe is the Windows Modules Installer worker and the NetworkService svchost.exe instance hosts Delivery Optimization. Both are Windows servicing activity that ran during the analysis window.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The signature's generic text calls this "likely ransomware behaviour", but no process is attributed to it in this run (0 IoCs), and Sakula is a remote-access trojan, not ransomware.
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  By MusNotifyIcon.exe:
    Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  MusNotifyIcon.exe is the Windows Update notification tray process, not part of the sample's process tree, so this is not sandbox evasion by the sample.
Modifies data under HKEY_USERS (49 IoCs)
  All 49 entries are by svchost.exe (PID 2192, NetworkService) under the key prefix
    \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\
  S-1-5-20 is the NetworkService account and these are Delivery Optimization bookkeeping values; they are unrelated to the sample. In the order recorded:
    Usage\DownloadMonthlyRateBkBps = 0 (int)
    Usage\DownlinkBps = 0 (int)
    Usage\NormalDownloadCount = 0 (int)
    Usage\FrDownloadRatePct = 90 (int)
    Key created: Config
    Config\DODownloadMode = 1 (int)
    Usage\DownloadMonthlyLinkLocalBytes = 0 (int)
    Usage\DownloadMonthlyGroupBytes = 0 (int)
    Usage\DownloadMonthlyRateFrBps = 0 (int)
    Usage\DownlinkUsageBps = 0 (int)
    Usage\UplinkUsageBps = 0 (int)
    Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" (str)
    Usage\UploadRatePct = 100 (int)
    Usage\UploadCount = 0 (int)
    Usage\NormalDownloadPendingCount = 0 (int)
    Usage\CPUpct = "0.279525" (str)
    Usage\MemoryUsageKB = 4312 (int)
    Key created: Usage
    Usage\CDNConnectionCount = 0 (int)
    Usage\LinkLocalConnectionCount = 0 (int)
    Usage\InternetConnectionCount = 0 (int)
    Usage\SwarmCount = 0 (int)
    Usage\UploadMonthlyInternetBytes = 0 (int)
    Usage\DownloadMonthlyCacheHostBytes = 0 (int)
    Usage\PriorityDownloadPendingCount = 0 (int)
    Usage\MemoryUsageKB = 4088 (int)
    Usage\CPUpct = "0.051282" (str)
    Usage\CPUpct = "1.785680" (str)
    Key created: Settings
    Usage\DownloadMonthlyCdnBytes = 0 (int)
    Usage\DownloadMonthlyRateFrCnt = 0 (int)
    Config\KVFileExpirationTime = 132892954886581528 (int)
    Usage\CacheSizeBytes = 0 (int)
    Usage\UplinkBps = 0 (int)
    Usage\BkDownloadRatePct = 45 (int)
    Key created: DeliveryOptimization
    Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" (str)
    Usage\GroupConnectionCount = 0 (int)
    Usage\PriorityDownloadCount = 0 (int)
    Usage\PeerInfoCount = 0 (int)
    Config\DownloadMode_BackCompat = 1 (int)
    Usage\UploadMonthlyLanBytes = 0 (int)
    Usage\DownloadMonthlyInternetBytes = 0 (int)
    Usage\DownloadMonthlyLanBytes = 0 (int)
    Usage\DownloadMonthlyRateBkCnt = 0 (int)
    Usage\MonthID = 2 (int)
    Usage\SwarmCount = 1 (int)
    Usage\LANConnectionCount = 0 (int)
    Usage\MonthlyUploadRestriction = 0 (int)
Runs ping.exe (1 TTP, 1 IoC)
  PING.EXE (PID 1836), launched by cmd.exe (PID 3304) with "ping 127.0.0.1". In the command line recorded below, the loopback ping is used as a delay before "del /q" removes the original sample file, a common self-deletion idiom rather than a connectivity check.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  114fabe3eda3611c007d79ddd114c5072259114aeea663be13e62a1488ed8b82.exe (PID 3248): SeIncBasePriorityPrivilege, once.
  TiWorker.exe (PID 3644): SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege enabled repeatedly, accounting for the remaining 63 entries.
  The TiWorker.exe privileges are normal for the servicing stack. The only token adjustment by the sample is SeIncBasePriorityPrivilege, which is a low-value signal on its own.
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 3248 (114fabe3eda3611c007d79ddd114c5072259114aeea663be13e62a1488ed8b82.exe) wrote to memory of PID 3300 (MediaCenter.exe), three times.
  PID 3248 (114fabe3eda3611c007d79ddd114c5072259114aeea663be13e62a1488ed8b82.exe) wrote to memory of PID 3304 (cmd.exe), three times.
  PID 3304 (cmd.exe) wrote to memory of PID 1836 (PING.EXE), three times.
  Every write is from a parent into a child it has just created, which is consistent with ordinary process creation rather than injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\114fabe3eda3611c007d79ddd114c5072259114aeea663be13e62a1488ed8b82.exe  (PID 3248)
  Command line: "C:\Users\Admin\AppData\Local\Temp\114fabe3eda3611c007d79ddd114c5072259114aeea663be13e62a1488ed8b82.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 3300)
  |     Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  |     - Executes dropped EXE
  |
  +-- C:\Windows\SysWOW64\cmd.exe  (PID 3304)
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\114fabe3eda3611c007d79ddd114c5072259114aeea663be13e62a1488ed8b82.exe"
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\SysWOW64\PING.EXE  (PID 1836)
              Command line: ping 127.0.0.1
              - Runs ping.exe

C:\Windows\system32\MusNotifyIcon.exe  (PID 2996)
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 0
  - Checks processor information in registry

C:\Windows\System32\svchost.exe  (PID 2192)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  (PID 3644)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample drops MediaCenter.exe into a Temp subdirectory, launches it, registers it under the HKLM Run key, then spawns cmd.exe to delete its own original file once the loopback ping has given the parent time to exit. MediaCenter.exe (the Sakula payload flagged by YARA) is the process that survives. MusNotifyIcon.exe, svchost.exe and TiWorker.exe have no parent in the sample's tree and are Windows Update and servicing activity captured during the run.
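The three sample-attributable behaviours above (a Run key pointing at a dropped file in Temp, a dropped EXE launched from Temp, and cmd.exe using a loopback ping as a sleep before deleting the original sample) can be expressed as host-independent detection logic over a process tree and registry-write events. The following is an added example, not code from the sandbox or from this report. The event records are transcribed by hand from the process tree and registry IoCs listed above; the record schema (pid, ppid, image, cmdline, key, value) and the rule names are this example's own assumptions, not the sandbox's export format. The svchost.exe Delivery Optimization write is included as a benign control that must not fire.

```python
"""Behaviour-based triage over the process tree and registry IoCs in the report above.

Added example, not sandbox or report code. Records are transcribed from the report;
the schema is an assumption of this example, not the sandbox's export format.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None for processes with no parent in the captured tree
    image: str
    cmdline: str


@dataclass(frozen=True)
class RegSet:
    pid: int
    key: str
    value: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\114fabe3eda3611c007d79ddd114c5072259114aeea663be13e62a1488ed8b82.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

PROCS = [  # constructed from the report's process tree (PIDs and paths as listed there)
    Proc(3248, None, SAMPLE, f'"{SAMPLE}"'),
    Proc(3300, 3248, DROPPED, DROPPED),
    Proc(3304, 3248, r"C:\Windows\SysWOW64\cmd.exe",
         f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    Proc(1836, 3304, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    Proc(2192, None, r"C:\Windows\System32\svchost.exe",
         r"C:\Windows\System32\svchost.exe -k NetworkService -p"),
]
REGS = [  # constructed from the report's registry IoCs; the svchost entry is a benign control
    RegSet(3248, r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
                 r"\CurrentVersion\Run\MicroMedia", DROPPED),
    RegSet(2192, r"\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows"
                 r"\CurrentVersion\DeliveryOptimization\Config\DODownloadMode", "1"),
]

# Run/RunOnce value under HKLM or HKU, with or without the WOW6432Node redirection.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.I)
# Locations a non-admin user can write to; a persisted binary here is a strong signal.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\ProgramData\\|%(?:TEMP|TMP|APPDATA|LOCALAPPDATA)%",
    re.I)
# "ping <loopback>" used as a sleep; a ping to any other host is not matched.
LOOPBACK_PING = re.compile(r"\bping(?:\.exe)?\b[^&|]*?\s(?:127\.0\.0\.1|localhost|::1)(?!\S)", re.I)
# The path given to del/erase, with switches such as /q skipped and quotes stripped.
DEL_TARGET = re.compile(r'\b(?:del|erase)\b(?:\s+/\w+)*\s+"?([^"&|]+?)"?\s*(?:$|&|\|)', re.I)


def run_key_persistence(regs: List[RegSet]) -> List[Finding]:
    """Run/RunOnce writes; the rule name records whether the target is user-writable."""
    out = []
    for r in regs:
        if RUN_KEY.search(r.key):
            rule = "Run key -> user-writable path" if USER_WRITABLE.search(r.value) else "Run key write"
            out.append(Finding(r.pid, rule, f"{r.key} = {r.value}"))
    return out


def self_delete_via_ping(procs: List[Proc]) -> List[Finding]:
    """cmd.exe that pings loopback and then deletes a file; flags when the file is
    the parent's own image (the self-deletion idiom in the tree above)."""
    by_pid = {p.pid: p for p in procs}
    out = []
    for p in procs:
        if not p.image.lower().endswith("\\cmd.exe") or not LOOPBACK_PING.search(p.cmdline):
            continue
        m = DEL_TARGET.search(p.cmdline)
        if not m:
            continue
        target = m.group(1).strip()
        parent = by_pid.get(p.ppid)
        rule = ("parent self-deletion via ping delay"
                if parent and target.lower() == parent.image.lower()
                else "delete via ping delay")
        out.append(Finding(p.pid, rule, target))
    return out


def dropped_exe_executed(procs: List[Proc]) -> List[Finding]:
    """An executable in a user-writable path started by a process that also lives in one."""
    by_pid = {p.pid: p for p in procs}
    return [Finding(p.pid, "dropped EXE executed", p.image) for p in procs
            if USER_WRITABLE.search(p.image) and p.ppid in by_pid
            and USER_WRITABLE.search(by_pid[p.ppid].image)]


def triage(procs: List[Proc] = PROCS, regs: List[RegSet] = REGS) -> List[Finding]:
    return run_key_persistence(regs) + self_delete_via_ping(procs) + dropped_exe_executed(procs)


if __name__ == "__main__":
    for f in triage():
        print(f"PID {f.pid}: {f.rule}: {f.detail}")
```

Run directly, the script prints one finding per sample-attributable behaviour and nothing for the svchost.exe control. The parent-image comparison is what separates self-deletion from an ordinary scripted cleanup, and restricting the ping to loopback addresses keeps genuine connectivity checks out of the rule.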
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: 2a175318179dd0dc4c6e0eca324f8f8b
SHA1: acce8410b20f1e8ddd982e44742ee85a2e2ef5ce
SHA256: bda9e5e886b90446f70a7772e32ba70cf9f1ee84bb83f40ea627cc84b5434a6f
SHA512: 0e7fd7f0a90f199ff1c91dff03a1201fed3bf59b4b4ea2d27574ff71383f58639852da63511ccdc86e73d48ee5f2b63619cbf033a4a21404093a9da400b6e13e