Analysis
- max time kernel: 172s
- max time network: 190s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 08:08
Static task
static1
Behavioral task
behavioral1
Sample
0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe
Resource
win10v2004-en-20220112
General
- Target: 0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe
- Size: 101KB
- MD5: ca318c838cd1c3c6a2ddf3abc538b652
- SHA1: 13a91edaf4f5727c5f5fa4277b4041e7110bd8fa
- SHA256: 0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd
- SHA512: 92ff016c800290cedca1cc2d0168520120d7277d357b37f9df07e3b73440ccaec9d11406286c99116c5cda6669d25a30cea118ea580685bebd6fac70e9a0fea9
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
- resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
- resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
Executes dropped EXE 1 IoCs
Processes:
- pid: 1704, process: MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- description: Key value queried, ioc: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation, process: 0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- description: Set value (str), ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe", process: 0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe
Drops file in Windows directory 3 IoCs
Processes:
- description: File opened for modification, ioc: C:\Windows\Logs\CBS\CBS.log, process: TiWorker.exe
- description: File opened for modification, ioc: C:\Windows\WinSxS\pending.xml, process: TiWorker.exe
- description: File opened for modification, ioc: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat, process: svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- description: Key opened, ioc: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0, process: MusNotifyIcon.exe
- description: Key value queried, ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz, process: MusNotifyIcon.exe
Modifies data under HKEY_USERS 50 IoCs
Processes:
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
- description: PID 2640 wrote to memory of 1704, pid: 2640, process: 0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe, target process: MediaCenter.exe
- description: PID 2640 wrote to memory of 1704, pid: 2640, process: 0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe, target process: MediaCenter.exe
- description: PID 2640 wrote to memory of 1704, pid: 2640, process: 0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe, target process: MediaCenter.exe
- description: PID 2640 wrote to memory of 3648, pid: 2640, process: 0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe, target process: cmd.exe
- description: PID 2640 wrote to memory of 3648, pid: 2640, process: 0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe, target process: cmd.exe
- description: PID 2640 wrote to memory of 3648, pid: 2640, process: 0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe, target process: cmd.exe
- description: PID 3648 wrote to memory of 3832, pid: 3648, process: cmd.exe, target process: PING.EXE
- description: PID 3648 wrote to memory of 3832, pid: 3648, process: cmd.exe, target process: PING.EXE
- description: PID 3648 wrote to memory of 3832, pid: 3648, process: cmd.exe, target process: PING.EXE
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe"
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2640
-
Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
- Executes dropped EXE
PID: 1704
-
Level 2: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe"
- Suspicious use of WriteProcessMemory
PID: 3648
-
Level 3: C:\Windows\SysWOW64\PING.EXE
Command line: ping 127.0.0.1
- Runs ping.exe
PID: 3832
-
Level 1: C:\Windows\system32\MusNotifyIcon.exe
Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
- Checks processor information in registry
PID: 3316
-
Level 1: C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID: 212
-
Level 1: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 2320
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: 461f3d0ef046f9b2d4c33b2132076171
SHA1: c38119cf4c0af16eda45fead83de7a4fcd1bf63c
SHA256: e0669f5788df0d580674f70ac1423d9f8eabde46610980bfb27ca3624e318024
SHA512: 46378710a09ab47b51ae26717b84c88b3e27ad37ed5597fca24d56340709401d8cbd4aca8709ce8f7729f9d9c5c6767c8cdc22c9aead8b093ad5c4b820660508