Analysis
- max time kernel: 151s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 09:29
Static task: static1
Behavioral task: behavioral1
- Sample: 09eede63d5a96ad6bb0e47aabf12488425834935657554b877c6ccf25bbbaab3.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 09eede63d5a96ad6bb0e47aabf12488425834935657554b877c6ccf25bbbaab3.exe
- Resource: win10v2004-en-20220112
General
- Target: 09eede63d5a96ad6bb0e47aabf12488425834935657554b877c6ccf25bbbaab3.exe
- Size: 116KB
- MD5: a0354d25afa96e96d644d0a7475293bb
- SHA1: 527be7be65e2276bd8bb1b09f7739d79742d642c
- SHA256: 09eede63d5a96ad6bb0e47aabf12488425834935657554b877c6ccf25bbbaab3
- SHA512: 3a9a8fc73188d51258d535373362c4e0c9bfd81aea3d4e4f7cac3e055129768fd9302503296ad34692afd6b6746612d0b527745d7069913b180a76fead6b32ee
Malware Config
Signatures
-
Sakula Payload 4 IoCs
Processes (resource, yara_rule):
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, family_sakula
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, family_sakula
- behavioral2/memory/4056-132-0x0000000000400000-0x0000000000420000-memory.dmp, family_sakula
- behavioral2/memory/1884-133-0x0000000000400000-0x0000000000420000-memory.dmp, family_sakula
-
Executes dropped EXE 1 IoCs
Processes (pid, process):
- 1884, MediaCenter.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
- Key value queried, \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation, 09eede63d5a96ad6bb0e47aabf12488425834935657554b877c6ccf25bbbaab3.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, process):
- Set value (str), \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe", 09eede63d5a96ad6bb0e47aabf12488425834935657554b877c6ccf25bbbaab3.exe
-
Drops file in Windows directory 3 IoCs
Processes (description, ioc, process):
- File opened for modification, C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat, svchost.exe
- File opened for modification, C:\Windows\Logs\CBS\CBS.log, TiWorker.exe
- File opened for modification, C:\Windows\WinSxS\pending.xml, TiWorker.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 55 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes (pid, process, target pid, target process):
- PID 4056 09eede63d5a96ad6bb0e47aabf12488425834935657554b877c6ccf25bbbaab3.exe wrote to memory of 1884 MediaCenter.exe
- PID 4056 09eede63d5a96ad6bb0e47aabf12488425834935657554b877c6ccf25bbbaab3.exe wrote to memory of 1884 MediaCenter.exe
- PID 4056 09eede63d5a96ad6bb0e47aabf12488425834935657554b877c6ccf25bbbaab3.exe wrote to memory of 1884 MediaCenter.exe
- PID 4056 09eede63d5a96ad6bb0e47aabf12488425834935657554b877c6ccf25bbbaab3.exe wrote to memory of 2572 cmd.exe
- PID 4056 09eede63d5a96ad6bb0e47aabf12488425834935657554b877c6ccf25bbbaab3.exe wrote to memory of 2572 cmd.exe
- PID 4056 09eede63d5a96ad6bb0e47aabf12488425834935657554b877c6ccf25bbbaab3.exe wrote to memory of 2572 cmd.exe
- PID 2572 cmd.exe wrote to memory of 3244 PING.EXE
- PID 2572 cmd.exe wrote to memory of 3244 PING.EXE
- PID 2572 cmd.exe wrote to memory of 3244 PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\09eede63d5a96ad6bb0e47aabf12488425834935657554b877c6ccf25bbbaab3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\09eede63d5a96ad6bb0e47aabf12488425834935657554b877c6ccf25bbbaab3.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 4056
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1884
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09eede63d5a96ad6bb0e47aabf12488425834935657554b877c6ccf25bbbaab3.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2572
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3244
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 3976
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3024
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 956fdffb0df3f3bceb04c64eff915263
  SHA1: 684ed58a538d09ce09ec16a8a0a9b3f1af441fc5
  SHA256: c258060d2b2e769d39337c9ff0f10b7b31aad7aa35e014279b7faf456476aba8
  SHA512: e5b9ebb74c4149454f0b4d7b49bb326cd6617ffdaefad1b4941cbd4d2838af27440d01fb3e5631e16de610716d783cbc18a3e3c575e071ee2e1c55b6344a7a7b
- memory/1884-133-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/4056-132-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB