Analysis
- max time kernel: 161s
- max time network: 180s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 08:25
Static task: static1
Behavioral task: behavioral1
  Sample: 0b0d8d327dd7cba9afd43f018e3869b72c102504692ab76d784f5fa9b0abb8be.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0b0d8d327dd7cba9afd43f018e3869b72c102504692ab76d784f5fa9b0abb8be.exe
  Resource: win10v2004-en-20220112
General
- Target: 0b0d8d327dd7cba9afd43f018e3869b72c102504692ab76d784f5fa9b0abb8be.exe
- Size: 99KB
- MD5: e7855c7952c3b86a7feee870e616bdfe
- SHA1: 0fb98d2bbee7853d08b5a45b6d9d0952a885ee50
- SHA256: 0b0d8d327dd7cba9afd43f018e3869b72c102504692ab76d784f5fa9b0abb8be
- SHA512: 8d0544496982fdfa8e0797a8414ab9b1e5fabb94d441eab058fe4cc12e871f2d3af02489dcf942f10d0df576a10e265fcd10a884b0e77971dcec17292d03fa87
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
  pid | process
  528 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 0b0d8d327dd7cba9afd43f018e3869b72c102504692ab76d784f5fa9b0abb8be.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 0b0d8d327dd7cba9afd43f018e3869b72c102504692ab76d784f5fa9b0abb8be.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 0b0d8d327dd7cba9afd43f018e3869b72c102504692ab76d784f5fa9b0abb8be.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0b0d8d327dd7cba9afd43f018e3869b72c102504692ab76d784f5fa9b0abb8be.exe
- Drops file in Windows directory (3 IoCs)
  Processes: svchost.exe, TiWorker.exe
  description | ioc | process
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: MusNotifyIcon.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
- Modifies data under HKEY_USERS (52 IoCs)
  Processes: svchost.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: TiWorker.exe (PID 1860)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 0b0d8d327dd7cba9afd43f018e3869b72c102504692ab76d784f5fa9b0abb8be.exe, cmd.exe
  description | pid | process | target process
  PID 3448 wrote to memory of 528 | 3448 | 0b0d8d327dd7cba9afd43f018e3869b72c102504692ab76d784f5fa9b0abb8be.exe | MediaCenter.exe
  PID 3448 wrote to memory of 528 | 3448 | 0b0d8d327dd7cba9afd43f018e3869b72c102504692ab76d784f5fa9b0abb8be.exe | MediaCenter.exe
  PID 3448 wrote to memory of 528 | 3448 | 0b0d8d327dd7cba9afd43f018e3869b72c102504692ab76d784f5fa9b0abb8be.exe | MediaCenter.exe
  PID 3448 wrote to memory of 2064 | 3448 | 0b0d8d327dd7cba9afd43f018e3869b72c102504692ab76d784f5fa9b0abb8be.exe | cmd.exe
  PID 3448 wrote to memory of 2064 | 3448 | 0b0d8d327dd7cba9afd43f018e3869b72c102504692ab76d784f5fa9b0abb8be.exe | cmd.exe
  PID 3448 wrote to memory of 2064 | 3448 | 0b0d8d327dd7cba9afd43f018e3869b72c102504692ab76d784f5fa9b0abb8be.exe | cmd.exe
  PID 2064 wrote to memory of 2224 | 2064 | cmd.exe | PING.EXE
  PID 2064 wrote to memory of 2224 | 2064 | cmd.exe | PING.EXE
  PID 2064 wrote to memory of 2224 | 2064 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0b0d8d327dd7cba9afd43f018e3869b72c102504692ab76d784f5fa9b0abb8be.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b0d8d327dd7cba9afd43f018e3869b72c102504692ab76d784f5fa9b0abb8be.exe"
  PID: 3448
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 528
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b0d8d327dd7cba9afd43f018e3869b72c102504692ab76d784f5fa9b0abb8be.exe"
    PID: 2064
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 2224
      - Runs ping.exe
- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  PID: 364
  - Checks processor information in registry
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  PID: 3652
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 1860
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 6018a28c3abd5581c9327f52dc46fe54
  SHA1: bdc3f7dd251b76cdf288451d784ecc32b671cbbf
  SHA256: 1357627ca16b5a7154af241bd4fbb3d752ea076783e7d792d2574a3f463e398a
  SHA512: 9c880af80fd5864945dbb0b0af2775f1fec904bdd8601623d3d0befc96472e3aa6c20aafd4511c1f6b879e85d17c6bc250b7c398e84a80fe260bc8ab26caa29d