Analysis
- max time kernel: 152s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 09:28
Static task: static1
Behavioral task: behavioral1
  Sample: 0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe
  Resource: win10v2004-en-20220112
General
- Target: 0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe
- Size: 101KB
- MD5: f54dff0b267641bbdfa6875095a59098
- SHA1: bd0111a35630b4aa27de5ecf2f7d7f8d5132a25c
- SHA256: 0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1
- SHA512: 09b447dbd1f3564795d08312532fde482eb8a2b5b951fe17901dd0e9e228bb53300e3beffb69906f013d52fc7eb3ede439e3a79c54d405e1366eb2abdf0d4ec9
Malware Config
Signatures
Sakula Payload (2 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

Executes dropped EXE (1 IoC)
pid | process
3708 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe
Drops file in Windows directory (3 IoCs)
description | ioc | process
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
Modifies data under HKEY_USERS (51 IoCs)
Process: svchost.exe for every entry. All keys below are given relative to \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization.
description | ioc
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization (the base key itself)
Set value (int) | Usage\DownloadMonthlyCdnBytes = "0"
Set value (str) | Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
Set value (int) | Usage\DownlinkUsageBps = "0"
Set value (int) | Usage\UplinkBps = "0"
Set value (int) | Usage\NormalDownloadPendingCount = "0"
Key created | Config
Set value (int) | Usage\UploadMonthlyInternetBytes = "0"
Set value (int) | Usage\CacheSizeBytes = "0"
Set value (int) | Usage\CDNConnectionCount = "0"
Set value (int) | Usage\BkDownloadRatePct = "45"
Set value (int) | Usage\DownloadMonthlyRateBkBps = "0"
Set value (int) | Usage\DownloadMonthlyRateFrCnt = "0"
Set value (int) | Usage\UploadCount = "0"
Set value (str) | Usage\CPUpct = "2.941159"
Set value (int) | Usage\SwarmCount = "0"
Set value (int) | Usage\PeerInfoCount = "0"
Set value (int) | Usage\LANConnectionCount = "0"
Set value (int) | Config\DownloadMode_BackCompat = "1"
Set value (int) | Config\DODownloadMode = "1"
Set value (int) | Usage\UploadMonthlyLanBytes = "0"
Set value (int) | Usage\DownloadMonthlyGroupBytes = "0"
Set value (int) | Usage\DownloadMonthlyRateBkCnt = "0"
Set value (int) | Usage\SwarmCount = "1"
Set value (str) | Usage\CPUpct = "5.356889"
Key created | Settings
Set value (int) | Usage\DownloadMonthlyLinkLocalBytes = "0"
Set value (int) | Usage\UploadRatePct = "100"
Set value (int) | Usage\MonthlyUploadRestriction = "0"
Set value (int) | Usage\NormalDownloadCount = "0"
Set value (str) | Usage\CPUpct = "0.006637"
Key created | Usage
Set value (int) | Usage\DownloadMonthlyInternetBytes = "0"
Set value (int) | Usage\DownloadMonthlyRateFrBps = "0"
Set value (int) | Usage\FrDownloadRatePct = "90"
Set value (int) | Usage\PriorityDownloadCount = "0"
Set value (int) | Usage\MemoryUsageKB = "4276"
Set value (int) | Usage\LinkLocalConnectionCount = "0"
Set value (int) | Usage\GroupConnectionCount = "0"
Set value (int) | Usage\InternetConnectionCount = "0"
Set value (int) | Usage\DownlinkBps = "0"
Set value (int) | Usage\UplinkUsageBps = "0"
Set value (int) | Usage\PriorityDownloadPendingCount = "0"
Set value (str) | Usage\CPUpct = "16.672429"
Set value (int) | Usage\MemoryUsageKB = "4044"
Set value (int) | Usage\DownloadMonthlyLanBytes = "0"
Set value (int) | Usage\DownloadMonthlyCacheHostBytes = "0"
Set value (int) | Usage\MonthID = "2"
Set value (int) | Config\KVFileExpirationTime = "132893081288709070"
Set value (str) | Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
Set value (int) | Usage\MemoryUsageKB = "4064"
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Process: TiWorker.exe, PID 2556, for every entry. Token privileges adjusted, in the order recorded: SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege, then the sequence SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege repeated 20 times, then a final SeBackupPrivilege (3 + 60 + 1 = 64 entries).
Suspicious use of WriteProcessMemory (9 IoCs)
source pid | source process | target pid | target process | entries
3584 | 0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe | 3708 | MediaCenter.exe | 3 (wrote to memory)
3584 | 0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe | 1612 | cmd.exe | 3 (wrote to memory)
1612 | cmd.exe | 3232 | PING.EXE | 3 (wrote to memory)
Processes
(tree depth shown by indentation; command line as recorded by the sandbox)
- C:\Users\Admin\AppData\Local\Temp\0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe (PID 3584)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 3708)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1612)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 3232)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\MusNotifyIcon.exe (PID 1676)
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
- C:\Windows\System32\svchost.exe (PID 1840)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 2556)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 5dad7c7fd1ae050c54cca8304e360da1
  SHA1: 3d22f5465b76031a204b380b8b45a4b373619633
  SHA256: 0bd97ffcdb7886c494849b1277e9e55edf4ec9685474e8cbb87f8e220247fafc
  SHA512: 87c10bfcec8ffa72f061a4ceeded9318ffc0356fcd002d364ef8d30e2818448f9fce6e363a9905a0e82b0e6d0d52365eb0c94ffd698c56299a08c4d090a969f3