Analysis
- max time kernel: 184s
- max time network: 197s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 10:07
Static task: static1
Behavioral task: behavioral1
- Sample: 08087d6e916dc79c665b494b2c9ba3f008147d17a73fb988b6443fe5a45dae12.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 08087d6e916dc79c665b494b2c9ba3f008147d17a73fb988b6443fe5a45dae12.exe
- Resource: win10v2004-en-20220112
General
- Target: 08087d6e916dc79c665b494b2c9ba3f008147d17a73fb988b6443fe5a45dae12.exe
- Size: 101KB
- MD5: 9a09bc1d11d333cc85485b97c0055815
- SHA1: 20916e415b607e2e21f8a2efaae19db4bb5b32d3
- SHA256: 08087d6e916dc79c665b494b2c9ba3f008147d17a73fb988b6443fe5a45dae12
- SHA512: 0936ddebc162e2c4d425af98f9233e0d94fa7dea08f646a6a36b9b3dcfc77adb78aec133bc0c45d32c677e71d9b2bcc9a4da89485947fd0f9f4aec1ce769d1f1
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

Executes dropped EXE (1 IoC)
Processes:
  pid | process
  2184 | MediaCenter.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 08087d6e916dc79c665b494b2c9ba3f008147d17a73fb988b6443fe5a45dae12.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 08087d6e916dc79c665b494b2c9ba3f008147d17a73fb988b6443fe5a45dae12.exe

Drops file in Windows directory (3 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe

Modifies data under HKEY_USERS (49 IoCs)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "3.124972" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "5.769674" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4332" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "16.663752" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4132" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132893113133382518" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1256 | 08087d6e916dc79c665b494b2c9ba3f008147d17a73fb988b6443fe5a45dae12.exe
  Token: SeSecurityPrivilege | 1528 | TiWorker.exe
  Token: SeRestorePrivilege | 1528 | TiWorker.exe
  Token: SeBackupPrivilege | 1528 | TiWorker.exe
  Token: SeBackupPrivilege | 1528 | TiWorker.exe
  Token: SeRestorePrivilege | 1528 | TiWorker.exe
  Token: SeSecurityPrivilege | 1528 | TiWorker.exe
  Token: SeBackupPrivilege | 1528 | TiWorker.exe
  Token: SeRestorePrivilege | 1528 | TiWorker.exe
  Token: SeSecurityPrivilege | 1528 | TiWorker.exe
  Token: SeBackupPrivilege | 1528 | TiWorker.exe
  Token: SeRestorePrivilege | 1528 | TiWorker.exe
  Token: SeSecurityPrivilege | 1528 | TiWorker.exe
  Token: SeBackupPrivilege | 1528 | TiWorker.exe
  Token: SeRestorePrivilege | 1528 | TiWorker.exe
  Token: SeSecurityPrivilege | 1528 | TiWorker.exe
  Token: SeBackupPrivilege | 1528 | TiWorker.exe
  Token: SeRestorePrivilege | 1528 | TiWorker.exe
  Token: SeSecurityPrivilege | 1528 | TiWorker.exe
  Token: SeBackupPrivilege | 1528 | TiWorker.exe
  Token: SeRestorePrivilege | 1528 | TiWorker.exe
  Token: SeSecurityPrivilege | 1528 | TiWorker.exe
  Token: SeBackupPrivilege | 1528 | TiWorker.exe
  Token: SeRestorePrivilege | 1528 | TiWorker.exe
  Token: SeSecurityPrivilege | 1528 | TiWorker.exe
  Token: SeBackupPrivilege | 1528 | TiWorker.exe
  Token: SeRestorePrivilege | 1528 | TiWorker.exe
  Token: SeSecurityPrivilege | 1528 | TiWorker.exe
  Token: SeBackupPrivilege | 1528 | TiWorker.exe
  Token: SeRestorePrivilege | 1528 | TiWorker.exe
  Token: SeSecurityPrivilege | 1528 | TiWorker.exe
  Token: SeBackupPrivilege | 1528 | TiWorker.exe
  Token: SeRestorePrivilege | 1528 | TiWorker.exe
  Token: SeSecurityPrivilege | 1528 | TiWorker.exe
  Token: SeBackupPrivilege | 1528 | TiWorker.exe
  Token: SeRestorePrivilege | 1528 | TiWorker.exe
  Token: SeSecurityPrivilege | 1528 | TiWorker.exe
  Token: SeBackupPrivilege | 1528 | TiWorker.exe
  Token: SeRestorePrivilege | 1528 | TiWorker.exe
  Token: SeSecurityPrivilege | 1528 | TiWorker.exe
  Token: SeBackupPrivilege | 1528 | TiWorker.exe
  Token: SeRestorePrivilege | 1528 | TiWorker.exe
  Token: SeSecurityPrivilege | 1528 | TiWorker.exe
  Token: SeBackupPrivilege | 1528 | TiWorker.exe
  Token: SeRestorePrivilege | 1528 | TiWorker.exe
  Token: SeSecurityPrivilege | 1528 | TiWorker.exe
  Token: SeBackupPrivilege | 1528 | TiWorker.exe
  Token: SeRestorePrivilege | 1528 | TiWorker.exe
  Token: SeSecurityPrivilege | 1528 | TiWorker.exe
  Token: SeBackupPrivilege | 1528 | TiWorker.exe
  Token: SeRestorePrivilege | 1528 | TiWorker.exe
  Token: SeSecurityPrivilege | 1528 | TiWorker.exe
  Token: SeBackupPrivilege | 1528 | TiWorker.exe
  Token: SeRestorePrivilege | 1528 | TiWorker.exe
  Token: SeSecurityPrivilege | 1528 | TiWorker.exe
  Token: SeBackupPrivilege | 1528 | TiWorker.exe
  Token: SeRestorePrivilege | 1528 | TiWorker.exe
  Token: SeSecurityPrivilege | 1528 | TiWorker.exe
  Token: SeBackupPrivilege | 1528 | TiWorker.exe
  Token: SeRestorePrivilege | 1528 | TiWorker.exe
  Token: SeSecurityPrivilege | 1528 | TiWorker.exe
  Token: SeBackupPrivilege | 1528 | TiWorker.exe
  Token: SeRestorePrivilege | 1528 | TiWorker.exe
  Token: SeSecurityPrivilege | 1528 | TiWorker.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description | pid | process | target process
  PID 1256 wrote to memory of 2184 | 1256 | 08087d6e916dc79c665b494b2c9ba3f008147d17a73fb988b6443fe5a45dae12.exe | MediaCenter.exe
  PID 1256 wrote to memory of 2184 | 1256 | 08087d6e916dc79c665b494b2c9ba3f008147d17a73fb988b6443fe5a45dae12.exe | MediaCenter.exe
  PID 1256 wrote to memory of 2184 | 1256 | 08087d6e916dc79c665b494b2c9ba3f008147d17a73fb988b6443fe5a45dae12.exe | MediaCenter.exe
  PID 1256 wrote to memory of 2952 | 1256 | 08087d6e916dc79c665b494b2c9ba3f008147d17a73fb988b6443fe5a45dae12.exe | cmd.exe
  PID 1256 wrote to memory of 2952 | 1256 | 08087d6e916dc79c665b494b2c9ba3f008147d17a73fb988b6443fe5a45dae12.exe | cmd.exe
  PID 1256 wrote to memory of 2952 | 1256 | 08087d6e916dc79c665b494b2c9ba3f008147d17a73fb988b6443fe5a45dae12.exe | cmd.exe
  PID 2952 wrote to memory of 3540 | 2952 | cmd.exe | PING.EXE
  PID 2952 wrote to memory of 3540 | 2952 | cmd.exe | PING.EXE
  PID 2952 wrote to memory of 3540 | 2952 | cmd.exe | PING.EXE

Processes
- C:\Users\Admin\AppData\Local\Temp\08087d6e916dc79c665b494b2c9ba3f008147d17a73fb988b6443fe5a45dae12.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\08087d6e916dc79c665b494b2c9ba3f008147d17a73fb988b6443fe5a45dae12.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1256
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 2184
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\08087d6e916dc79c665b494b2c9ba3f008147d17a73fb988b6443fe5a45dae12.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2952
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3540
- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
  PID: 3272
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 2740
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1528
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 92a61c1ea5570bc6922cc3162d56bf50
  SHA1: 92f97072e8e17bb16916ae2594460508d73e3b17
  SHA256: 683cb99b7bb2f64ebd3b31189ae4f0824c2d7c1f07d4791a7054c4e915e732fe
  SHA512: 8c7c9df2dbd072f3693f57480f527f67c2f1923f7129aab80428b3205850b2a146c2a9650ba14d54722886e4a8403f8ff910619f6cef60123374ed64c988c571