Analysis
- max time kernel: 150s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 07:27
Static task: static1
Behavioral task: behavioral1
  Sample: 0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842.exe
  Resource: win10v2004-en-20220112
General
- Target: 0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842.exe
- Size: 101KB
- MD5: 68c5c401528ecb532b9927c66642b23b
- SHA1: bff18fb138d0f2dbf946280d41a2906d0ab8abd2
- SHA256: 0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842
- SHA512: 9d110ff5be4f24ef57c13020597f323c27f7245f263490435047035a2131549c64b45b45a51247369988d265125e995f240b7c8dd4be3568ab0e2a8251148042
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
3284 | MediaCenter.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842.exe
-
Drops file in Windows directory 3 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
-
Modifies data under HKEY_USERS 51 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "12.503321" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4308" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.006644" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "1.459846" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "8.331974" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3948" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4096" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132893009151923260" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" | svchost.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeSecurityPrivilege | 4044 | TiWorker.exe
Token: SeRestorePrivilege | 4044 | TiWorker.exe
Token: SeBackupPrivilege | 4044 | TiWorker.exe
Token: SeIncBasePriorityPrivilege | 2168 | 0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842.exe
Token: SeBackupPrivilege | 4044 | TiWorker.exe
Token: SeRestorePrivilege | 4044 | TiWorker.exe
Token: SeSecurityPrivilege | 4044 | TiWorker.exe
Token: SeBackupPrivilege | 4044 | TiWorker.exe
Token: SeRestorePrivilege | 4044 | TiWorker.exe
Token: SeSecurityPrivilege | 4044 | TiWorker.exe
Token: SeBackupPrivilege | 4044 | TiWorker.exe
Token: SeRestorePrivilege | 4044 | TiWorker.exe
Token: SeSecurityPrivilege | 4044 | TiWorker.exe
Token: SeBackupPrivilege | 4044 | TiWorker.exe
Token: SeRestorePrivilege | 4044 | TiWorker.exe
Token: SeSecurityPrivilege | 4044 | TiWorker.exe
Token: SeBackupPrivilege | 4044 | TiWorker.exe
Token: SeRestorePrivilege | 4044 | TiWorker.exe
Token: SeSecurityPrivilege | 4044 | TiWorker.exe
Token: SeBackupPrivilege | 4044 | TiWorker.exe
Token: SeRestorePrivilege | 4044 | TiWorker.exe
Token: SeSecurityPrivilege | 4044 | TiWorker.exe
Token: SeBackupPrivilege | 4044 | TiWorker.exe
Token: SeRestorePrivilege | 4044 | TiWorker.exe
Token: SeSecurityPrivilege | 4044 | TiWorker.exe
Token: SeBackupPrivilege | 4044 | TiWorker.exe
Token: SeRestorePrivilege | 4044 | TiWorker.exe
Token: SeSecurityPrivilege | 4044 | TiWorker.exe
Token: SeBackupPrivilege | 4044 | TiWorker.exe
Token: SeRestorePrivilege | 4044 | TiWorker.exe
Token: SeSecurityPrivilege | 4044 | TiWorker.exe
Token: SeBackupPrivilege | 4044 | TiWorker.exe
Token: SeRestorePrivilege | 4044 | TiWorker.exe
Token: SeSecurityPrivilege | 4044 | TiWorker.exe
Token: SeBackupPrivilege | 4044 | TiWorker.exe
Token: SeRestorePrivilege | 4044 | TiWorker.exe
Token: SeSecurityPrivilege | 4044 | TiWorker.exe
Token: SeBackupPrivilege | 4044 | TiWorker.exe
Token: SeRestorePrivilege | 4044 | TiWorker.exe
Token: SeSecurityPrivilege | 4044 | TiWorker.exe
Token: SeBackupPrivilege | 4044 | TiWorker.exe
Token: SeRestorePrivilege | 4044 | TiWorker.exe
Token: SeSecurityPrivilege | 4044 | TiWorker.exe
Token: SeBackupPrivilege | 4044 | TiWorker.exe
Token: SeRestorePrivilege | 4044 | TiWorker.exe
Token: SeSecurityPrivilege | 4044 | TiWorker.exe
Token: SeBackupPrivilege | 4044 | TiWorker.exe
Token: SeRestorePrivilege | 4044 | TiWorker.exe
Token: SeSecurityPrivilege | 4044 | TiWorker.exe
Token: SeBackupPrivilege | 4044 | TiWorker.exe
Token: SeRestorePrivilege | 4044 | TiWorker.exe
Token: SeSecurityPrivilege | 4044 | TiWorker.exe
Token: SeBackupPrivilege | 4044 | TiWorker.exe
Token: SeRestorePrivilege | 4044 | TiWorker.exe
Token: SeSecurityPrivilege | 4044 | TiWorker.exe
Token: SeBackupPrivilege | 4044 | TiWorker.exe
Token: SeRestorePrivilege | 4044 | TiWorker.exe
Token: SeSecurityPrivilege | 4044 | TiWorker.exe
Token: SeBackupPrivilege | 4044 | TiWorker.exe
Token: SeRestorePrivilege | 4044 | TiWorker.exe
Token: SeSecurityPrivilege | 4044 | TiWorker.exe
Token: SeBackupPrivilege | 4044 | TiWorker.exe
Token: SeRestorePrivilege | 4044 | TiWorker.exe
Token: SeSecurityPrivilege | 4044 | TiWorker.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 2168 wrote to memory of 3284 | 2168 | 0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842.exe | MediaCenter.exe
PID 2168 wrote to memory of 3284 | 2168 | 0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842.exe | MediaCenter.exe
PID 2168 wrote to memory of 3284 | 2168 | 0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842.exe | MediaCenter.exe
PID 2168 wrote to memory of 1220 | 2168 | 0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842.exe | cmd.exe
PID 2168 wrote to memory of 1220 | 2168 | 0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842.exe | cmd.exe
PID 2168 wrote to memory of 1220 | 2168 | 0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842.exe | cmd.exe
PID 1220 wrote to memory of 1796 | 1220 | cmd.exe | PING.EXE
PID 1220 wrote to memory of 1796 | 1220 | cmd.exe | PING.EXE
PID 1220 wrote to memory of 1796 | 1220 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2168
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 3284
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1220
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1796
- C:\Windows\system32\MusNotifyIcon.exe (level 1)
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
  PID: 1948
- C:\Windows\System32\svchost.exe (level 1)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 1660
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (level 1)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4044
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: 0259a22ffc99b065e1255c344ea28f23
SHA1: 8a78a55785c3dca9b8c236441966be975d1e0243
SHA256: 1a133b7e74726eb3db33c09d45973f738eb8913546d674b1864bd4677fda7cf5
SHA512: 899d0e360e135fe1e559b9e4df31a7374aad00188959661866108f4b9aedf37d0059be8636468b4ab70e416e13584d4a66c46e0c30bb4e64b91071c02d1df646