Analysis
- max time kernel: 171s
- max time network: 186s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 07:53

Static task: static1

Behavioral task: behavioral1
- Sample: 0c6912995f6fdbd78fb7ad70a3c642c195e4391f75295e32e1fc0916b4e7fc44.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0c6912995f6fdbd78fb7ad70a3c642c195e4391f75295e32e1fc0916b4e7fc44.exe
- Resource: win10v2004-en-20220112

General
- Target: 0c6912995f6fdbd78fb7ad70a3c642c195e4391f75295e32e1fc0916b4e7fc44.exe
- Size: 92KB
- MD5: cb6e65e37366e138f8b5087cb756eaa6
- SHA1: 4544ba23005f87c87579bee692ba0432386b1465
- SHA256: 0c6912995f6fdbd78fb7ad70a3c642c195e4391f75295e32e1fc0916b4e7fc44
- SHA512: 08045a87c996948885d0684233fdc4834dcf3ac43da8f9aeddf2d2eb5b729a07893646663d5e3b3a206a3852dd06cf9bb8b16a775f41030441c483a15775554a
Malware Config
Signatures
-
Sakula Payload (2 IoCs)
Processes (resource / yara_rule):
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
Executes dropped EXE (1 IoC)
Processes (pid / process):
- 2604 / MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes (description / ioc / process):
- Key value queried / \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation / 0c6912995f6fdbd78fb7ad70a3c642c195e4391f75295e32e1fc0916b4e7fc44.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description / ioc / process):
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 0c6912995f6fdbd78fb7ad70a3c642c195e4391f75295e32e1fc0916b4e7fc44.exe
Drops file in Windows directory (3 IoCs)
Processes (description / ioc / process):
- File opened for modification / C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat / svchost.exe
- File opened for modification / C:\Windows\Logs\CBS\CBS.log / TiWorker.exe
- File opened for modification / C:\Windows\WinSxS\pending.xml / TiWorker.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies data under HKEY_USERS (49 IoCs)
Processes (description / ioc / process). All entries were made by svchost.exe; all keys are relative to \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization:
- Set value (int) / Usage\SwarmCount = "1"
- Set value (int) / Usage\LANConnectionCount = "0"
- Set value (int) / Usage\UploadCount = "0"
- Set value (int) / Usage\DownloadMonthlyLinkLocalBytes = "0"
- Set value (int) / Usage\DownloadMonthlyRateBkCnt = "0"
- Set value (int) / Usage\CDNConnectionCount = "0"
- Set value (int) / Usage\MonthlyUploadRestriction = "0"
- Set value (int) / Config\DownloadMode_BackCompat = "1"
- Set value (str) / Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
- Set value (int) / Usage\UploadMonthlyLanBytes = "0"
- Set value (int) / Usage\DownloadMonthlyCdnBytes = "0"
- Set value (int) / Usage\DownloadMonthlyRateFrBps = "0"
- Set value (int) / Config\KVFileExpirationTime = "132893026743072847"
- Set value (int) / Usage\UplinkUsageBps = "0"
- Set value (int) / Usage\MemoryUsageKB = "4292"
- Key created / Settings
- Key created / Usage
- Set value (int) / Usage\DownloadMonthlyLanBytes = "0"
- Set value (int) / Usage\PeerInfoCount = "0"
- Set value (int) / Usage\LinkLocalConnectionCount = "0"
- Set value (int) / Usage\FrDownloadRatePct = "90"
- Set value (int) / Usage\BkDownloadRatePct = "45"
- Set value (int) / Usage\MemoryUsageKB = "4092"
- Key created / Config
- Set value (int) / Config\DODownloadMode = "1"
- Set value (int) / Usage\SwarmCount = "0"
- Set value (str) / Usage\CPUpct = "24.985608"
- Set value (int) / Usage\DownlinkUsageBps = "0"
- Set value (int) / Usage\NormalDownloadCount = "0"
- Set value (str) / Usage\CPUpct = "9.376804"
- Key created / (DeliveryOptimization root key)
- Set value (int) / Usage\CacheSizeBytes = "0"
- Set value (int) / Usage\DownloadMonthlyRateBkBps = "0"
- Set value (int) / Usage\DownloadMonthlyRateFrCnt = "0"
- Set value (int) / Usage\MonthID = "2"
- Set value (int) / Usage\GroupConnectionCount = "0"
- Set value (int) / Usage\InternetConnectionCount = "0"
- Set value (int) / Usage\PriorityDownloadCount = "0"
- Set value (int) / Usage\UploadMonthlyInternetBytes = "0"
- Set value (int) / Usage\DownloadMonthlyCacheHostBytes = "0"
- Set value (int) / Usage\NormalDownloadPendingCount = "0"
- Set value (str) / Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
- Set value (int) / Usage\UplinkBps = "0"
- Set value (int) / Usage\PriorityDownloadPendingCount = "0"
- Set value (str) / Usage\CPUpct = "2.631571"
- Set value (int) / Usage\DownloadMonthlyInternetBytes = "0"
- Set value (int) / Usage\DownloadMonthlyGroupBytes = "0"
- Set value (int) / Usage\DownlinkBps = "0"
- Set value (int) / Usage\UploadRatePct = "100"
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description / pid / process), in the order reported:
- Token: SeSecurityPrivilege / 2940 / TiWorker.exe
- Token: SeRestorePrivilege / 2940 / TiWorker.exe
- Token: SeBackupPrivilege / 2940 / TiWorker.exe
- Token: SeIncBasePriorityPrivilege / 3704 / 0c6912995f6fdbd78fb7ad70a3c642c195e4391f75295e32e1fc0916b4e7fc44.exe
- Token: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege / 2940 / TiWorker.exe, the same three-entry cycle repeated for the remaining 60 entries
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description / pid / process / target process):
- PID 3704 wrote to memory of 2604 / 3704 / 0c6912995f6fdbd78fb7ad70a3c642c195e4391f75295e32e1fc0916b4e7fc44.exe / MediaCenter.exe (3 entries)
- PID 3704 wrote to memory of 2316 / 3704 / 0c6912995f6fdbd78fb7ad70a3c642c195e4391f75295e32e1fc0916b4e7fc44.exe / cmd.exe (3 entries)
- PID 2316 wrote to memory of 3036 / 2316 / cmd.exe / PING.EXE (3 entries)
Processes (process tree; nesting shows parent/child)
- C:\Users\Admin\AppData\Local\Temp\0c6912995f6fdbd78fb7ad70a3c642c195e4391f75295e32e1fc0916b4e7fc44.exe (PID 3704)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c6912995f6fdbd78fb7ad70a3c642c195e4391f75295e32e1fc0916b4e7fc44.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 2604)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 2316)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c6912995f6fdbd78fb7ad70a3c642c195e4391f75295e32e1fc0916b4e7fc44.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 3036)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\System32\svchost.exe (PID 4064)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 2940)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 4b0acf503bc4ab34e4585f512da1b67c
  SHA1: 2cdfae094f2487c75de6873d873b56d83b3352ac
  SHA256: d17f8aeaa3c68bfe3859839bfcedcdc5b74b513756fd7ff821d42295466e2e70
  SHA512: 1d6680841e22030ff2a5277d7a0a7b67182ec55787b90ed417a41b0022641a81c00ff9ebc7b7e2a14995e6677c92e3f2a595d5f67372b14d2c5217d0a6efe863