Analysis
- max time kernel: 155s
- max time network: 177s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 06:15
Static task: static1
Behavioral task: behavioral1
  Sample: 107a78f3f73fdce6fe59f178abe85b291b5fc4f614d584b0dac3611aa5bb5d01.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 107a78f3f73fdce6fe59f178abe85b291b5fc4f614d584b0dac3611aa5bb5d01.exe
  Resource: win10v2004-en-20220112
General
- Target: 107a78f3f73fdce6fe59f178abe85b291b5fc4f614d584b0dac3611aa5bb5d01.exe
- Size: 80KB
- MD5: 70b8cb899cf21aee84514f52a7bb851b
- SHA1: 695486db53ebafbca2a49fe70e38dde64bb46174
- SHA256: 107a78f3f73fdce6fe59f178abe85b291b5fc4f614d584b0dac3611aa5bb5d01
- SHA512: 9fb259fc60cc1edbac91201924c33499c945d93d5973477eb93d71a142a39ee6b47b25d4359646367c273b663424f5d19f9089c0bb352ea9f22d8bad02625997
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
  pid | process
  3588 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 107a78f3f73fdce6fe59f178abe85b291b5fc4f614d584b0dac3611aa5bb5d01.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 107a78f3f73fdce6fe59f178abe85b291b5fc4f614d584b0dac3611aa5bb5d01.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 107a78f3f73fdce6fe59f178abe85b291b5fc4f614d584b0dac3611aa5bb5d01.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 107a78f3f73fdce6fe59f178abe85b291b5fc4f614d584b0dac3611aa5bb5d01.exe
- Drops file in Windows directory (3 IoCs)
  Processes: svchost.exe, TiWorker.exe
  description | ioc | process
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: MusNotifyIcon.exe
  description | ioc | process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
- Modifies data under HKEY_USERS (52 IoCs)
  Processes: svchost.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4116" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "4.225217" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "4" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4324" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "1157726" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132892966799041459" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "90228624" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" | svchost.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: 107a78f3f73fdce6fe59f178abe85b291b5fc4f614d584b0dac3611aa5bb5d01.exe, TiWorker.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 2516 | 107a78f3f73fdce6fe59f178abe85b291b5fc4f614d584b0dac3611aa5bb5d01.exe
  Token: SeSecurityPrivilege | 3828 | TiWorker.exe
  Token: SeRestorePrivilege | 3828 | TiWorker.exe
  Token: SeBackupPrivilege | 3828 | TiWorker.exe
  Token: SeBackupPrivilege | 3828 | TiWorker.exe
  Token: SeRestorePrivilege | 3828 | TiWorker.exe
  Token: SeSecurityPrivilege | 3828 | TiWorker.exe
  Token: SeBackupPrivilege | 3828 | TiWorker.exe
  Token: SeRestorePrivilege | 3828 | TiWorker.exe
  Token: SeSecurityPrivilege | 3828 | TiWorker.exe
  Token: SeBackupPrivilege | 3828 | TiWorker.exe
  Token: SeRestorePrivilege | 3828 | TiWorker.exe
  Token: SeSecurityPrivilege | 3828 | TiWorker.exe
  Token: SeBackupPrivilege | 3828 | TiWorker.exe
  Token: SeRestorePrivilege | 3828 | TiWorker.exe
  Token: SeSecurityPrivilege | 3828 | TiWorker.exe
  Token: SeBackupPrivilege | 3828 | TiWorker.exe
  Token: SeRestorePrivilege | 3828 | TiWorker.exe
  Token: SeSecurityPrivilege | 3828 | TiWorker.exe
  Token: SeBackupPrivilege | 3828 | TiWorker.exe
  Token: SeRestorePrivilege | 3828 | TiWorker.exe
  Token: SeSecurityPrivilege | 3828 | TiWorker.exe
  Token: SeBackupPrivilege | 3828 | TiWorker.exe
  Token: SeRestorePrivilege | 3828 | TiWorker.exe
  Token: SeSecurityPrivilege | 3828 | TiWorker.exe
  Token: SeBackupPrivilege | 3828 | TiWorker.exe
  Token: SeRestorePrivilege | 3828 | TiWorker.exe
  Token: SeSecurityPrivilege | 3828 | TiWorker.exe
  Token: SeBackupPrivilege | 3828 | TiWorker.exe
  Token: SeRestorePrivilege | 3828 | TiWorker.exe
  Token: SeSecurityPrivilege | 3828 | TiWorker.exe
  Token: SeBackupPrivilege | 3828 | TiWorker.exe
  Token: SeRestorePrivilege | 3828 | TiWorker.exe
  Token: SeSecurityPrivilege | 3828 | TiWorker.exe
  Token: SeBackupPrivilege | 3828 | TiWorker.exe
  Token: SeRestorePrivilege | 3828 | TiWorker.exe
  Token: SeSecurityPrivilege | 3828 | TiWorker.exe
  Token: SeBackupPrivilege | 3828 | TiWorker.exe
  Token: SeRestorePrivilege | 3828 | TiWorker.exe
  Token: SeSecurityPrivilege | 3828 | TiWorker.exe
  Token: SeBackupPrivilege | 3828 | TiWorker.exe
  Token: SeRestorePrivilege | 3828 | TiWorker.exe
  Token: SeSecurityPrivilege | 3828 | TiWorker.exe
  Token: SeBackupPrivilege | 3828 | TiWorker.exe
  Token: SeRestorePrivilege | 3828 | TiWorker.exe
  Token: SeSecurityPrivilege | 3828 | TiWorker.exe
  Token: SeBackupPrivilege | 3828 | TiWorker.exe
  Token: SeRestorePrivilege | 3828 | TiWorker.exe
  Token: SeSecurityPrivilege | 3828 | TiWorker.exe
  Token: SeBackupPrivilege | 3828 | TiWorker.exe
  Token: SeRestorePrivilege | 3828 | TiWorker.exe
  Token: SeSecurityPrivilege | 3828 | TiWorker.exe
  Token: SeBackupPrivilege | 3828 | TiWorker.exe
  Token: SeRestorePrivilege | 3828 | TiWorker.exe
  Token: SeSecurityPrivilege | 3828 | TiWorker.exe
  Token: SeBackupPrivilege | 3828 | TiWorker.exe
  Token: SeRestorePrivilege | 3828 | TiWorker.exe
  Token: SeSecurityPrivilege | 3828 | TiWorker.exe
  Token: SeBackupPrivilege | 3828 | TiWorker.exe
  Token: SeRestorePrivilege | 3828 | TiWorker.exe
  Token: SeSecurityPrivilege | 3828 | TiWorker.exe
  Token: SeBackupPrivilege | 3828 | TiWorker.exe
  Token: SeRestorePrivilege | 3828 | TiWorker.exe
  Token: SeSecurityPrivilege | 3828 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 107a78f3f73fdce6fe59f178abe85b291b5fc4f614d584b0dac3611aa5bb5d01.exe, cmd.exe
  description | pid | process | target process
  PID 2516 wrote to memory of 3588 | 2516 | 107a78f3f73fdce6fe59f178abe85b291b5fc4f614d584b0dac3611aa5bb5d01.exe | MediaCenter.exe
  PID 2516 wrote to memory of 3588 | 2516 | 107a78f3f73fdce6fe59f178abe85b291b5fc4f614d584b0dac3611aa5bb5d01.exe | MediaCenter.exe
  PID 2516 wrote to memory of 3588 | 2516 | 107a78f3f73fdce6fe59f178abe85b291b5fc4f614d584b0dac3611aa5bb5d01.exe | MediaCenter.exe
  PID 2516 wrote to memory of 544 | 2516 | 107a78f3f73fdce6fe59f178abe85b291b5fc4f614d584b0dac3611aa5bb5d01.exe | cmd.exe
  PID 2516 wrote to memory of 544 | 2516 | 107a78f3f73fdce6fe59f178abe85b291b5fc4f614d584b0dac3611aa5bb5d01.exe | cmd.exe
  PID 2516 wrote to memory of 544 | 2516 | 107a78f3f73fdce6fe59f178abe85b291b5fc4f614d584b0dac3611aa5bb5d01.exe | cmd.exe
  PID 544 wrote to memory of 392 | 544 | cmd.exe | PING.EXE
  PID 544 wrote to memory of 392 | 544 | cmd.exe | PING.EXE
  PID 544 wrote to memory of 392 | 544 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\107a78f3f73fdce6fe59f178abe85b291b5fc4f614d584b0dac3611aa5bb5d01.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\107a78f3f73fdce6fe59f178abe85b291b5fc4f614d584b0dac3611aa5bb5d01.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2516
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 3588
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\107a78f3f73fdce6fe59f178abe85b291b5fc4f614d584b0dac3611aa5bb5d01.exe"
    - Suspicious use of WriteProcessMemory
    PID: 544
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 392
- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
  PID: 3288
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 2192
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3828
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: c21b7033bfa9ee599390b68e299f3cf4
  SHA1: 02d24d892805f12be25452433285bf755749b7c6
  SHA256: ae85d5911ae2f9650e823553e91bb4085c9c8a618393f24e135373d9c26e5ea3
  SHA512: cb4bee8aead4b5cdf2226e30f61231e1728654b4c02a21727fd93802149603f80a6fbeb7a7accc4379dbc89beaea15276b7654e793c6f4d6d122f21ad80b4c79