Analysis

max time kernel: 160s
max time network: 175s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 08:22
Static task: static1

Behavioral task: behavioral1
  Sample: 0b37108485ec71a10106f976b7ef5ffeb3e34e28faaed0faf070d391790fa381.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 0b37108485ec71a10106f976b7ef5ffeb3e34e28faaed0faf070d391790fa381.exe
  Resource: win10v2004-en-20220112
General

Target: 0b37108485ec71a10106f976b7ef5ffeb3e34e28faaed0faf070d391790fa381.exe
Size: 192KB
MD5: 3372507cc7d8254df74e1922a370bac6
SHA1: 245a636b8158a19ad076b2d82fe3004b12831eb1
SHA256: 0b37108485ec71a10106f976b7ef5ffeb3e34e28faaed0faf070d391790fa381
SHA512: 51ee224c0aefa09d024122362094cf134f9f29c0477bccf8f31c2e03b6ad691aa6f275f38f6d4703c0c1ef87bf4cee03dc81b43fdafe8f28731db72ee3b76042
Malware Config
Signatures
Sakula Payload 2 IoCs
Processes:
  resource                                                        yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
Executes dropped EXE 1 IoCs
Processes:
  pid     process
  3080    MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description          ioc                                                                                                  process
  Key value queried    \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation    0b37108485ec71a10106f976b7ef5ffeb3e34e28faaed0faf070d391790fa381.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description        ioc                                                                                                                                                                  process
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"    0b37108485ec71a10106f976b7ef5ffeb3e34e28faaed0faf070d391790fa381.exe
Drops file in Windows directory 3 IoCs
Processes:
  description                    ioc                                                                                                                process
  File opened for modification   C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat    svchost.exe
  File opened for modification   C:\Windows\Logs\CBS\CBS.log                                                                                        TiWorker.exe
  File opened for modification   C:\Windows\WinSxS\pending.xml                                                                                      TiWorker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description          ioc                                                                          process
  Key opened           \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0            MusNotifyIcon.exe
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz       MusNotifyIcon.exe
Modifies data under HKEY_USERS 53 IoCs
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  description                          pid     process                                                                 target process
  PID 3024 wrote to memory of 3080     3024    0b37108485ec71a10106f976b7ef5ffeb3e34e28faaed0faf070d391790fa381.exe    MediaCenter.exe
  PID 3024 wrote to memory of 3080     3024    0b37108485ec71a10106f976b7ef5ffeb3e34e28faaed0faf070d391790fa381.exe    MediaCenter.exe
  PID 3024 wrote to memory of 3080     3024    0b37108485ec71a10106f976b7ef5ffeb3e34e28faaed0faf070d391790fa381.exe    MediaCenter.exe
  PID 3024 wrote to memory of 632      3024    0b37108485ec71a10106f976b7ef5ffeb3e34e28faaed0faf070d391790fa381.exe    cmd.exe
  PID 3024 wrote to memory of 632      3024    0b37108485ec71a10106f976b7ef5ffeb3e34e28faaed0faf070d391790fa381.exe    cmd.exe
  PID 3024 wrote to memory of 632      3024    0b37108485ec71a10106f976b7ef5ffeb3e34e28faaed0faf070d391790fa381.exe    cmd.exe
  PID 632 wrote to memory of 2112      632     cmd.exe                                                                 PING.EXE
  PID 632 wrote to memory of 2112      632     cmd.exe                                                                 PING.EXE
  PID 632 wrote to memory of 2112      632     cmd.exe                                                                 PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\0b37108485ec71a10106f976b7ef5ffeb3e34e28faaed0faf070d391790fa381.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b37108485ec71a10106f976b7ef5ffeb3e34e28faaed0faf070d391790fa381.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3024

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID:3080

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b37108485ec71a10106f976b7ef5ffeb3e34e28faaed0faf070d391790fa381.exe"
    - Suspicious use of WriteProcessMemory
    PID:632

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID:2112

C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
  PID:4024

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1328

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4008
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: ab4a635ec3a97cb0fa275f75416ed577
  SHA1: 6efca85f5675572fef9d9437df6f3f652afa3c7c
  SHA256: 1dcbc11555bf693563859384e59e26d8d258a04a65502c15d1102ae0d512f482
  SHA512: 9a90b59601b6fe52e1cc5b6eb5d877f6a3d7f75591fca36731da863bd73e20c708d670723e36b2829386fe257c1256193ee5ba65e5a7a6e9ad75604aed3c4202