Analysis
- max time kernel: 171s
- max time network: 187s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 10:00

Static task: static1

Behavioral task: behavioral1
- Sample: 0871b20669a4cf675543101d7dcd4c7b64c08ffbd1602aada17856cdb6df8142.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0871b20669a4cf675543101d7dcd4c7b64c08ffbd1602aada17856cdb6df8142.exe
- Resource: win10v2004-en-20220112
General
- Target: 0871b20669a4cf675543101d7dcd4c7b64c08ffbd1602aada17856cdb6df8142.exe
- Size: 92KB
- MD5: d6078cacd8e3d8e1d3eec4e0041eb931
- SHA1: 628abdc382c30217ffbf451cae03cc834164627d
- SHA256: 0871b20669a4cf675543101d7dcd4c7b64c08ffbd1602aada17856cdb6df8142
- SHA512: fde2d6e19e12c373b70e8fb14806c484c67ec14427cc5f68875ab03aba836bf2aef0ba01c621ec49decbcd2ce465bee2fc4663e4582d2e71fcd55302263a78bf
Malware Config
Signatures

Sakula Payload (2 IoCs)
Processes:
- resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
- resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
Executes dropped EXE (1 IoCs)
Processes:
- MediaCenter.exe (PID 2444)
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- 0871b20669a4cf675543101d7dcd4c7b64c08ffbd1602aada17856cdb6df8142.exe: Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
- 0871b20669a4cf675543101d7dcd4c7b64c08ffbd1602aada17856cdb6df8142.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
Drops file in Windows directory (3 IoCs)
Processes:
- TiWorker.exe: File opened for modification C:\Windows\WinSxS\pending.xml
- svchost.exe: File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat
- TiWorker.exe: File opened for modification C:\Windows\Logs\CBS\CBS.log
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- MusNotifyIcon.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- MusNotifyIcon.exe: Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Modifies data under HKEY_USERS (48 IoCs)
Processes:
- svchost.exe: 48 registry writes (Key created / Set value) under \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization (Config, Usage and Settings subkeys of the Delivery Optimization service)
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
- 0871b20669a4cf675543101d7dcd4c7b64c08ffbd1602aada17856cdb6df8142.exe (PID 2628): Token: SeIncBasePriorityPrivilege
- TiWorker.exe (PID 2984): Token: SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege (the same three tokens cycled repeatedly; remaining 63 entries)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
- PID 2628 (0871b20669a4cf675543101d7dcd4c7b64c08ffbd1602aada17856cdb6df8142.exe) wrote to memory of PID 2444 (MediaCenter.exe), 3 entries
- PID 2628 (0871b20669a4cf675543101d7dcd4c7b64c08ffbd1602aada17856cdb6df8142.exe) wrote to memory of PID 4004 (cmd.exe), 3 entries
- PID 4004 (cmd.exe) wrote to memory of PID 4052 (PING.EXE), 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\0871b20669a4cf675543101d7dcd4c7b64c08ffbd1602aada17856cdb6df8142.exe (PID 2628)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0871b20669a4cf675543101d7dcd4c7b64c08ffbd1602aada17856cdb6df8142.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 2444)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - Child: C:\Windows\SysWOW64\cmd.exe (PID 4004)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0871b20669a4cf675543101d7dcd4c7b64c08ffbd1602aada17856cdb6df8142.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - Child: C:\Windows\SysWOW64\PING.EXE (PID 4052)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
- C:\Windows\system32\MusNotifyIcon.exe (PID 3664)
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  Signatures: Checks processor information in registry
- C:\Windows\System32\svchost.exe (PID 2256)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  Signatures: Drops file in Windows directory; Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 2984)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 94186683499a6db7834a90cd72823624
  SHA1: bb7b77d5d75be7d02e5c78a8cf455b6dfca59afb
  SHA256: 992a92a19a80a3bf083346fcec16292d44b029b9731f840f07af912886e630a5
  SHA512: e851da468ab598d972ec3e71f3c8e7cc6403e8d309868b388fff7353b5958165d68897368c648a73ec81ef1d2f0af0ded1ad6ea593535b332fb3ca132de8fcf4