Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 09:13

Static task: static1

Behavioral task: behavioral1
- Sample: 0aae9146e08d93f1c9e546050dbc1b3d9178192d3fdbd85bfecf9af7af6f8983.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0aae9146e08d93f1c9e546050dbc1b3d9178192d3fdbd85bfecf9af7af6f8983.exe
- Resource: win10v2004-en-20220112
General
- Target: 0aae9146e08d93f1c9e546050dbc1b3d9178192d3fdbd85bfecf9af7af6f8983.exe
- Size: 80KB
- MD5: 98baadafbe61da01c9dc82ed48782e95
- SHA1: cbe06eb1af4d69ec07a1ebbf7892fdb03b3aed11
- SHA256: 0aae9146e08d93f1c9e546050dbc1b3d9178192d3fdbd85bfecf9af7af6f8983
- SHA512: 0692b3256d2e433ce89ad40f38f3ef520205ce3839e2b08c88cc77cadcf3d4f025d6fa8a4171b8d768adc23294fe1d01a7252f5963c8c70e6a00febd5a8e4851
Malware Config
Signatures
-
Sakula Payload (2 IoCs)
Processes:
  resource                                                       yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
Executes dropped EXE (1 IoC)
Processes:
  pid    process
  2916   MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description         ioc                                                                                                   process
  Key value queried   \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation   0aae9146e08d93f1c9e546050dbc1b3d9178192d3fdbd85bfecf9af7af6f8983.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description       ioc                                                                                                                                                                              process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   0aae9146e08d93f1c9e546050dbc1b3d9178192d3fdbd85bfecf9af7af6f8983.exe
Drops file in Windows directory (3 IoCs)
Processes:
  description                    ioc                                                                                                                  process
  File opened for modification   C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat   svchost.exe
  File opened for modification   C:\Windows\Logs\CBS\CBS.log                                                                                            TiWorker.exe
  File opened for modification   C:\Windows\WinSxS\pending.xml                                                                                          TiWorker.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS (50 IoCs)
Runs ping.exe (1 TTP, 1 IoC)
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                        pid    process                                                                  target process
  PID 3904 wrote to memory of 2916   3904   0aae9146e08d93f1c9e546050dbc1b3d9178192d3fdbd85bfecf9af7af6f8983.exe   MediaCenter.exe
  PID 3904 wrote to memory of 2916   3904   0aae9146e08d93f1c9e546050dbc1b3d9178192d3fdbd85bfecf9af7af6f8983.exe   MediaCenter.exe
  PID 3904 wrote to memory of 2916   3904   0aae9146e08d93f1c9e546050dbc1b3d9178192d3fdbd85bfecf9af7af6f8983.exe   MediaCenter.exe
  PID 3904 wrote to memory of 3332   3904   0aae9146e08d93f1c9e546050dbc1b3d9178192d3fdbd85bfecf9af7af6f8983.exe   cmd.exe
  PID 3904 wrote to memory of 3332   3904   0aae9146e08d93f1c9e546050dbc1b3d9178192d3fdbd85bfecf9af7af6f8983.exe   cmd.exe
  PID 3904 wrote to memory of 3332   3904   0aae9146e08d93f1c9e546050dbc1b3d9178192d3fdbd85bfecf9af7af6f8983.exe   cmd.exe
  PID 3332 wrote to memory of 3872   3332   cmd.exe                                                                  PING.EXE
  PID 3332 wrote to memory of 3872   3332   cmd.exe                                                                  PING.EXE
  PID 3332 wrote to memory of 3872   3332   cmd.exe                                                                  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0aae9146e08d93f1c9e546050dbc1b3d9178192d3fdbd85bfecf9af7af6f8983.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0aae9146e08d93f1c9e546050dbc1b3d9178192d3fdbd85bfecf9af7af6f8983.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3904
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 2916
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0aae9146e08d93f1c9e546050dbc1b3d9178192d3fdbd85bfecf9af7af6f8983.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3332
    - C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3872
- C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 3972
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2824
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 5488d4444b90d7ae5c6b8b0bd899f672
  SHA1: b077dc1836cc72ecd5256dba3f6d3be7ddeafd57
  SHA256: 47fb113f00633d93895ef9358d56b2ee0937bdb6d7dbcce8966dd8af04558bd3
  SHA512: 00aafc3c49a7d7c85e8601712b2163a8687fd2f6e67c3311f78c5d5ef174f95226547c9b39057d97788b9a04b0ba56888cf8c1331cfbec188b7c176cf4b0576b