Analysis
- max time kernel: 170s
- max time network: 184s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 06:41
Static task: static1
Behavioral task: behavioral1
  Sample: 0f3df777b087f711352bfe643a85951c2ef1ff3709c15f141f1e2743eb78d5b3.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2 (the run shown on this page; its resource matches the platform and resource listed above)
  Sample: 0f3df777b087f711352bfe643a85951c2ef1ff3709c15f141f1e2743eb78d5b3.exe
  Resource: win10v2004-en-20220112
General
- Target: 0f3df777b087f711352bfe643a85951c2ef1ff3709c15f141f1e2743eb78d5b3.exe
- Size: 144KB
- MD5: c89ebdecdac0d78e5469995cf1cda592
- SHA1: 6dd265bc54a27f82563b9eeecad15382df63382f
- SHA256: 0f3df777b087f711352bfe643a85951c2ef1ff3709c15f141f1e2743eb78d5b3
- SHA512: b44847d81ede4d864b174c9b93a7167411c265d22618e78f9ea0e9d16011b2c768d48621d5b95033593fe194bc6f0b5dc3c8811080e70201a29b0fc953d4a3f0
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
- Executes dropped EXE (1 IoC)
  pid 1800  MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation  (by 0f3df777b087f711352bfe643a85951c2ef1ff3709c15f141f1e2743eb78d5b3.exe)
  Note that this is a registry read, not a write: Sysmon's registry events (value set, key create/delete, rename) do not record it, so reproducing this detection on a host needs object-access auditing on that key or an EDR that logs registry queries.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  (by 0f3df777b087f711352bfe643a85951c2ef1ff3709c15f141f1e2743eb78d5b3.exe)
  The value landed under WOW6432Node because the sample is a 32-bit process on 64-bit Windows and the registry redirector rewrote its write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (the SysWOW64\cmd.exe it spawns in the process tree below is the same redirection at work). A hunt that only reads the native Run key will miss this entry.
- Drops file in Windows directory (3 IoCs)
  File opened for modification: C:\Windows\Logs\CBS\CBS.log  (TiWorker.exe)
  File opened for modification: C:\Windows\WinSxS\pending.xml  (TiWorker.exe)
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat  (svchost.exe)
  All three belong to Windows components (the servicing stack worker TiWorker.exe, PID 1328, and the NetworkService svchost.exe, PID 2952), which appear as separate root processes in the tree below; none is attributable to the sample.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  The second sentence is the signature's generic description, and no process or IoC is attributed to it in this run; the family match above is Sakula, not a ransomware family, so read this as drive enumeration rather than as a ransomware verdict.
- Modifies data under HKEY_USERS (49 IoCs)
  Every entry is svchost.exe (PID 2952, the -k NetworkService instance in the tree below) writing under \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization, i.e. Delivery Optimization housekeeping in the NetworkService hive. None of it is attributable to the sample.
  Keys created (4): DeliveryOptimization, DeliveryOptimization\Config, DeliveryOptimization\Usage, DeliveryOptimization\Settings
  Config values (5):
    DODownloadMode (int) = "1"
    DownloadMode_BackCompat (int) = "1"
    KVFileExpirationTime (int) = "132892982707112084"
    GeoVersion_EndpointFullUri (str) = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
    Geo_EndpointFullUri (str) = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
  Usage values (40, in the order reported; repeated names were written more than once):
    DownloadMonthlyLinkLocalBytes = "0", DownloadMonthlyRateBkBps = "0", CacheSizeBytes = "0", MemoryUsageKB = "4120", CPUpct (str) = "0.000000", DownloadMonthlyCacheHostBytes = "0", CDNConnectionCount = "0", InternetConnectionCount = "0", FrDownloadRatePct = "90", DownloadMonthlyLanBytes = "0", DownloadMonthlyRateFrBps = "0", UploadRatePct = "100", PriorityDownloadPendingCount = "0", NormalDownloadCount = "0", SwarmCount = "0", UploadMonthlyInternetBytes = "0", DownloadMonthlyGroupBytes = "0", PeerInfoCount = "0", GroupConnectionCount = "0", MonthlyUploadRestriction = "0", CPUpct (str) = "6.521575", CPUpct (str) = "3.846841", MemoryUsageKB = "4344", UploadMonthlyLanBytes = "0", MonthID = "2", SwarmCount = "1", DownlinkBps = "0", PriorityDownloadCount = "0", NormalDownloadPendingCount = "0", DownloadMonthlyRateBkCnt = "0", LANConnectionCount = "0", UplinkBps = "0", BkDownloadRatePct = "45", UploadCount = "0", DownloadMonthlyInternetBytes = "0", DownloadMonthlyCdnBytes = "0", DownloadMonthlyRateFrCnt = "0", LinkLocalConnectionCount = "0", DownlinkUsageBps = "0", UplinkUsageBps = "0"
    (all Usage values are type int unless marked str)
- Runs ping.exe (1 TTP, 1 IoC)
  The IoC is PING.EXE (PID 3388) spawned by cmd.exe (PID 1148) in the tree below; here ping 127.0.0.1 is only a delay before the del that removes the original sample.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeIncBasePriorityPrivilege  pid 1200  0f3df777b087f711352bfe643a85951c2ef1ff3709c15f141f1e2743eb78d5b3.exe
  Token: SeSecurityPrivilege / SeRestorePrivilege / SeBackupPrivilege  pid 1328  TiWorker.exe  (the remaining 63 entries, cycling through these three privileges)
  Only the first entry is the sample's. The TiWorker.exe entries are the Windows servicing stack (PID 1328, a separate root process in the tree below) enabling backup and restore privileges while it works, which is routine.
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 1200 (0f3df777b087f711352bfe643a85951c2ef1ff3709c15f141f1e2743eb78d5b3.exe) wrote to memory of PID 1800 (MediaCenter.exe)  x3
  PID 1200 (0f3df777b087f711352bfe643a85951c2ef1ff3709c15f141f1e2743eb78d5b3.exe) wrote to memory of PID 1148 (cmd.exe)  x3
  PID 1148 (cmd.exe) wrote to memory of PID 3388 (PING.EXE)  x3
  In each case the target is a child the writer had just created (see the process tree below), which is the pattern of ordinary process creation; nothing on this page shows a write into a pre-existing, unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\0f3df777b087f711352bfe643a85951c2ef1ff3709c15f141f1e2743eb78d5b3.exe  (PID 1200)
  command line: "C:\Users\Admin\AppData\Local\Temp\0f3df777b087f711352bfe643a85951c2ef1ff3709c15f141f1e2743eb78d5b3.exe"
  signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1800)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe  (PID 1148)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f3df777b087f711352bfe643a85951c2ef1ff3709c15f141f1e2743eb78d5b3.exe"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE  (PID 3388)
      command line: ping 127.0.0.1
      signatures: Runs ping.exe
  The sample's own behaviour is the whole of this subtree: it drops and starts MediaCenter.exe (the file the Sakula YARA rule matched), registers it under the Run key, and then deletes itself through cmd.exe. The ping to 127.0.0.1 has no network purpose; it stalls the shell for a few seconds so the parent has exited and released its image before del /q runs, a common self-cleanup idiom. The requested image was System32\cmd.exe but the process resolved to SysWOW64\cmd.exe, confirming the sample is 32-bit.
- C:\Windows\System32\svchost.exe  (PID 2952)
  command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  signatures: Drops file in Windows directory; Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  (PID 1328)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
  svchost.exe and TiWorker.exe are separate root processes, not descendants of the sample; their file and registry activity is Windows background work (Delivery Optimization and the servicing stack) that happened to run during the analysis window.
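The Run key, the dropped MediaCenter.exe and the ping-then-del self-deletion above give three host-side indicators that are worth turning into detections. What follows is an added example, not code from this report or from any sandbox or EDR product: it runs a handful of hunt rules built from those indicators over constructed Sysmon-style events. The hashes, paths and command line are the report's; the event field names (EventID 1 process create, 11 file create, 13 registry value set, with Image, CommandLine, Hashes, TargetFilename, TargetObject, Details) and the benign control event are assumptions about what a Sysmon/EDR pipeline would hand you.

```python
"""Hunt rules derived from the indicators in the Sakula report above.

Added example; not code from the report or from any sandbox/EDR product.
Events are constructed Sysmon-style dictionaries and their field names are an
assumption. Indicator values (hashes, Run value, dropped path, self-delete
command line) are copied from the report.
"""
import re

# Indicators copied from the report
SAMPLE_MD5 = "c89ebdecdac0d78e5469995cf1cda592"
SAMPLE_SHA256 = "0f3df777b087f711352bfe643a85951c2ef1ff3709c15f141f1e2743eb78d5b3"
RUN_VALUE_SUFFIX = r"\Microsoft\Windows\CurrentVersion\Run\MicroMedia"
DROPPED_SUFFIX = r"\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Generic rules that outlive this one build:
# self-deletion via a ping delay ("cmd /c ping 127.0.0.1 & del /q <self>") ...
SELF_DELETE_RE = re.compile(r"ping\s+127\.0\.0\.1\b.*&\s*del\b", re.IGNORECASE)
# ... and any Run/RunOnce value whose data points into a user's Temp directory.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
TEMP_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def parse_hashes(field):
    """Parse Sysmon's 'MD5=...,SHA256=...' Hashes field into {ALGO: lowercase hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def check_event(ev):
    """Return [(rule_name, detail), ...] for one event; an empty list means no match."""
    findings = []
    eid = ev.get("EventID")
    if eid == 1:  # process create
        image = ev.get("Image", "")
        cmdline = ev.get("CommandLine", "")
        hashes = parse_hashes(ev.get("Hashes", ""))
        if hashes.get("MD5") == SAMPLE_MD5 or hashes.get("SHA256") == SAMPLE_SHA256:
            findings.append(("sakula_sample_hash", image))
        if image.lower().endswith(DROPPED_SUFFIX.lower()):
            findings.append(("sakula_dropped_exe_executed", image))
        if SELF_DELETE_RE.search(cmdline):
            findings.append(("self_delete_via_ping", cmdline))
    elif eid == 11:  # file create
        target = ev.get("TargetFilename", "")
        if target.lower().endswith(DROPPED_SUFFIX.lower()):
            findings.append(("sakula_dropped_exe_written", target))
    elif eid == 13:  # registry value set (covers the WOW6432Node-redirected Run key too)
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "")
        if target.lower().endswith(RUN_VALUE_SUFFIX.lower()):
            findings.append(("sakula_run_key", target))
        elif RUN_KEY_RE.search(target) and TEMP_PATH_RE.search(details):
            findings.append(("run_key_points_to_temp", f"{target} = {details}"))
    return findings


def hunt(events):
    """Run check_event over an event stream and return every finding in order."""
    findings = []
    for ev in events:
        findings.extend(check_event(ev))
    return findings


# Constructed events mirroring the process tree and registry write in the report.
SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\0f3df777b087f711352bfe643a85951c2ef1ff3709c15f141f1e2743eb78d5b3.exe")
DROPPED_PATH = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
EVENTS = [
    {"EventID": 1, "ProcessId": 1200, "Image": SAMPLE_PATH,
     "CommandLine": f'"{SAMPLE_PATH}"',
     "Hashes": f"MD5={SAMPLE_MD5},SHA256={SAMPLE_SHA256}"},
    {"EventID": 11, "ProcessId": 1200, "TargetFilename": DROPPED_PATH},
    {"EventID": 13, "ProcessId": 1200,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": DROPPED_PATH},
    # hash of the dropped file is not on the page, so no Hashes field here
    {"EventID": 1, "ProcessId": 1800, "ParentProcessId": 1200,
     "Image": DROPPED_PATH, "CommandLine": DROPPED_PATH},
    {"EventID": 1, "ProcessId": 1148, "ParentProcessId": 1200,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE_PATH}"'},
    # benign control event (constructed): must produce no finding
    {"EventID": 1, "ProcessId": 4242, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "Hashes": "MD5=11111111111111111111111111111111"},
]

if __name__ == "__main__":
    for rule, detail in hunt(EVENTS):
        print(f"[{rule}] {detail}")
```

Two of the rules are deliberately generic (a Run/RunOnce value whose data sits under a user's Temp directory, and a cmd.exe line that pings 127.0.0.1 before del) so they keep firing on re-packed builds whose hashes differ; the hash rule catches only this exact file. The geofence registry read is not covered because Sysmon does not log registry queries, as noted in the signature above.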
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: d16798e4f538ba86c8c6afa20fe59724
  SHA1: d13fb88855de6200d0aad759732c89f7a5cbd1eb
  SHA256: 6b01de787ac7b430237d494a24a6a2d25e5a7bba7e09a9019cf8d570c386eaa7
  SHA512: 958a32108f1dd10fb1410e75bc166375efab23707e8701d118679152bd7a461003242a15bea497df668425ac9a3a3e92e4a8dcb497a8b57ba6b21447209dd191