Analysis
- max time kernel: 162s
- max time network: 183s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 07:33

Static task: static1

Behavioral task: behavioral1
- Sample: 0d3c2f88694fee75e9cb349c916c86d676aeaf61c98b5df2206f122e56d3ef28.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0d3c2f88694fee75e9cb349c916c86d676aeaf61c98b5df2206f122e56d3ef28.exe
- Resource: win10v2004-en-20220112
General
- Target: 0d3c2f88694fee75e9cb349c916c86d676aeaf61c98b5df2206f122e56d3ef28.exe
- Size: 36KB
- MD5: c01803fac4a2e68244efe17e7f4a11df
- SHA1: f51e2a687257adc02fd00155726a6eccd119a599
- SHA256: 0d3c2f88694fee75e9cb349c916c86d676aeaf61c98b5df2206f122e56d3ef28
- SHA512: 38441fcda5f18fe1aa5bc92c28391906578ecd99ab43f33033224a731f8e9c8680e68d7f7e065dec4340d984d63c48375c866e669e9ae620ae2db5c23f72a954
Malware Config
Signatures

Sakula Payload (2 IoCs)
Processes (resource / yara_rule):
- behavioral2/memory/3752-133-0x0000000000360000-0x0000000000379000-memory.dmp: family_sakula
- behavioral2/memory/2664-136-0x0000000000250000-0x0000000000269000-memory.dmp: family_sakula

Executes dropped EXE (1 IoC)
Processes (pid / process):
- 2664: MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
- Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation (0d3c2f88694fee75e9cb349c916c86d676aeaf61c98b5df2206f122e56d3ef28.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description / ioc / process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (0d3c2f88694fee75e9cb349c916c86d676aeaf61c98b5df2206f122e56d3ef28.exe)
Drops file in Windows directory (3 IoCs)
Processes (description / ioc / process):
- File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
- File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat (svchost.exe)
- File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies data under HKEY_USERS (50 IoCs)
Processes: svchost.exe (all 50 entries). Every key below sits under \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization; paths are given relative to that key.
- Set value (int): Usage\DownloadMonthlyRateFrBps = "0"
- Set value (int): Usage\CacheSizeBytes = "0"
- Set value (int): Usage\UplinkBps = "0"
- Set value (int): Usage\MemoryUsageKB = "4108"
- Set value (int): Usage\InternetConnectionCount = "0"
- Set value (int): Usage\PriorityDownloadPendingCount = "0"
- Set value (int): Usage\NormalDownloadCount = "0"
- Key created: Settings
- Set value (str): Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
- Set value (int): Usage\PeerInfoCount = "0"
- Set value (int): Usage\MemoryUsageKB = "4312"
- Set value (int): Usage\SwarmCount = "0"
- Key created: Usage
- Set value (int): Usage\PriorityDownloadCount = "0"
- Set value (int): Usage\DownloadMonthlyLinkLocalBytes = "0"
- Set value (int): Usage\DownloadMonthlyRateBkBps = "0"
- Set value (int): Usage\MonthID = "2"
- Set value (int): Usage\UploadRatePct = "100"
- Set value (str): Usage\CPUpct = "0.353559"
- Set value (int): Usage\LinkLocalConnectionCount = "0"
- Set value (int): Usage\FrDownloadRatePct = "90"
- Key created: (the DeliveryOptimization key itself)
- Key created: Config
- Set value (int): Usage\UploadMonthlyInternetBytes = "0"
- Set value (int): Usage\DownloadMonthlyCacheHostBytes = "0"
- Set value (str): Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
- Set value (int): Usage\SwarmCount = "1"
- Set value (int): Usage\MonthlyUploadRestriction = "0"
- Set value (int): Usage\UploadCount = "0"
- Set value (str): Usage\CPUpct = "0.073871"
- Set value (int): Usage\MemoryUsageKB = "4208"
- Set value (int): Usage\DownlinkUsageBps = "0"
- Set value (int): Usage\UploadMonthlyLanBytes = "0"
- Set value (int): Usage\DownloadMonthlyInternetBytes = "0"
- Set value (int): Usage\DownloadMonthlyLanBytes = "0"
- Set value (int): Usage\DownloadMonthlyRateFrCnt = "0"
- Set value (int): Usage\CDNConnectionCount = "0"
- Set value (int): Usage\DownlinkBps = "0"
- Set value (int): Usage\LANConnectionCount = "0"
- Set value (int): Usage\GroupConnectionCount = "0"
- Set value (int): Config\DownloadMode_BackCompat = "1"
- Set value (int): Config\DODownloadMode = "1"
- Set value (int): Usage\DownloadMonthlyCdnBytes = "0"
- Set value (int): Usage\DownloadMonthlyGroupBytes = "0"
- Set value (int): Usage\DownloadMonthlyRateBkCnt = "0"
- Set value (int): Config\KVFileExpirationTime = "132893014729929689"
- Set value (int): Usage\UplinkUsageBps = "0"
- Set value (int): Usage\BkDownloadRatePct = "45"
- Set value (int): Usage\NormalDownloadPendingCount = "0"
- Set value (str): Usage\CPUpct = "0.068921"
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (34 IoCs)
Processes (token / pid / process):
- SeIncBasePriorityPrivilege, pid 3752, 0d3c2f88694fee75e9cb349c916c86d676aeaf61c98b5df2206f122e56d3ef28.exe
- TiWorker.exe, pid 1496, 33 entries: SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege, followed by the sequence SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege repeated ten times
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description / pid / process / target process):
- PID 3752 wrote to memory of 2664: 0d3c2f88694fee75e9cb349c916c86d676aeaf61c98b5df2206f122e56d3ef28.exe -> MediaCenter.exe (3 entries)
- PID 3752 wrote to memory of 640: 0d3c2f88694fee75e9cb349c916c86d676aeaf61c98b5df2206f122e56d3ef28.exe -> cmd.exe (3 entries)
- PID 640 wrote to memory of 1888: cmd.exe -> PING.EXE (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\0d3c2f88694fee75e9cb349c916c86d676aeaf61c98b5df2206f122e56d3ef28.exe (PID 3752), command line: "C:\Users\Admin\AppData\Local\Temp\0d3c2f88694fee75e9cb349c916c86d676aeaf61c98b5df2206f122e56d3ef28.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 2664), command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 640), command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d3c2f88694fee75e9cb349c916c86d676aeaf61c98b5df2206f122e56d3ef28.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1888), command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\System32\svchost.exe (PID 1880), command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 1496), command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: b6e3cb29dcb3f37c7e5ff0e4948f7105
  SHA1: 8a7c2c812f8c29243dc91c7d208d0a2b4ff33c88
  SHA256: d84c3ce619cebaf7177190451740da8c5d77c733bba0fb798f6c1fcd464ecded
  SHA512: 6aa5fe8d37984bc7685ee22a4ca9f12a9dd1d39b82d25c16447f4177492c3bb1edf04d360c5179a59b80b2ef55d746f041f91e3b6c3b6703ed4e9b6e5af8008e