Analysis
- max time kernel: 156s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 08:14

Static task: static1

Behavioral task: behavioral1
- Sample: 0b71b4f2d66f03ea06305f09f2cb2ee2150fcb1577a697fba30d8d3e74b25dd2.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0b71b4f2d66f03ea06305f09f2cb2ee2150fcb1577a697fba30d8d3e74b25dd2.exe
- Resource: win10v2004-en-20220112
General
- Target: 0b71b4f2d66f03ea06305f09f2cb2ee2150fcb1577a697fba30d8d3e74b25dd2.exe
- Size: 101KB
- MD5: a91f79db53e269f43dd5e5077928817d
- SHA1: 865f324ef5d232754f6585a261f608ab86c289e0
- SHA256: 0b71b4f2d66f03ea06305f09f2cb2ee2150fcb1577a697fba30d8d3e74b25dd2
- SHA512: d9f781bd9adfdf3338891ead4f72803cd44b9515e7439357f8b80fc2aaf4d3985b4b27f64792d2163b2c783579727c2636e13387f492ee380ab51164b6866213
Malware Config
Signatures

Sakula Payload (2 IoCs)
Processes:
- yara_rule family_sakula matched resource C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
- yara_rule family_sakula matched resource C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Executes dropped EXE (1 IoC)
Processes:
- pid 3192, process MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation (process: 0b71b4f2d66f03ea06305f09f2cb2ee2150fcb1577a697fba30d8d3e74b25dd2.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (process: 0b71b4f2d66f03ea06305f09f2cb2ee2150fcb1577a697fba30d8d3e74b25dd2.exe)
Drops file in Windows directory (2 IoCs)
Processes:
- File opened for modification: C:\Windows\Logs\CBS\CBS.log (process: TiWorker.exe)
- File opened for modification: C:\Windows\WinSxS\pending.xml (process: TiWorker.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: MusNotifyIcon.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: MusNotifyIcon.exe)
Modifies data under HKEY_USERS (48 IoCs)
Processes: svchost.exe
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: TiWorker.exe, 0b71b4f2d66f03ea06305f09f2cb2ee2150fcb1577a697fba30d8d3e74b25dd2.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
- PID 2464 (0b71b4f2d66f03ea06305f09f2cb2ee2150fcb1577a697fba30d8d3e74b25dd2.exe) wrote to memory of 3192 (MediaCenter.exe)
- PID 2464 (0b71b4f2d66f03ea06305f09f2cb2ee2150fcb1577a697fba30d8d3e74b25dd2.exe) wrote to memory of 3192 (MediaCenter.exe)
- PID 2464 (0b71b4f2d66f03ea06305f09f2cb2ee2150fcb1577a697fba30d8d3e74b25dd2.exe) wrote to memory of 3192 (MediaCenter.exe)
- PID 2464 (0b71b4f2d66f03ea06305f09f2cb2ee2150fcb1577a697fba30d8d3e74b25dd2.exe) wrote to memory of 3276 (cmd.exe)
- PID 2464 (0b71b4f2d66f03ea06305f09f2cb2ee2150fcb1577a697fba30d8d3e74b25dd2.exe) wrote to memory of 3276 (cmd.exe)
- PID 2464 (0b71b4f2d66f03ea06305f09f2cb2ee2150fcb1577a697fba30d8d3e74b25dd2.exe) wrote to memory of 3276 (cmd.exe)
- PID 3276 (cmd.exe) wrote to memory of 392 (PING.EXE)
- PID 3276 (cmd.exe) wrote to memory of 392 (PING.EXE)
- PID 3276 (cmd.exe) wrote to memory of 392 (PING.EXE)
Processes
- C:\Users\Admin\AppData\Local\Temp\0b71b4f2d66f03ea06305f09f2cb2ee2150fcb1577a697fba30d8d3e74b25dd2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b71b4f2d66f03ea06305f09f2cb2ee2150fcb1577a697fba30d8d3e74b25dd2.exe"
  PID: 2464
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 3192
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b71b4f2d66f03ea06305f09f2cb2ee2150fcb1577a697fba30d8d3e74b25dd2.exe"
    PID: 3276
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 392
      - Runs ping.exe
- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  PID: 3884
  - Checks processor information in registry
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  PID: 1204
  - Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3564
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: a74a935b1c92d16445fa2f4a42b4e13d
- SHA1: 473b4a1a3fb86035c648230ffce2df3e1cc5af99
- SHA256: c2c4f8956a54d877ad3db80e088fa44d15dc76e12ff9286d6cd0be471dda7d26
- SHA512: 28138f86d8b6e09d6142a75cd154b0fe270188240e0e5a7e340cc0963909324761778a55ffadf896ea77cb0f060ba38877cfb6ead12606271220c09288865bd1