Analysis
- max time kernel: 152s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 09:33
Static task: static1
Behavioral task: behavioral1
- Sample: 09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe
- Resource: win10v2004-en-20220112
General
- Target: 09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe
- Size: 92KB
- MD5: 29e26e51b1c978c7366dcca103a09346
- SHA1: b8bf38ac669889aefcbfb26866db9ddca5cb5e24
- SHA256: 09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2
- SHA512: edff47b10e78a18ec4742d52800a868efdfeef0c4d54a3da51ec5609052ae65f634bbaabbeb6de802a1f48ff9ce4911bb3566a0e304f19794d28d37c4d72fe82
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  1728 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe
- Drops file in Windows directory (3 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
- Modifies data under HKEY_USERS (51 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "5.102097" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132893084777565048" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3972" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.006602" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4104" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "10.713806" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4356" | svchost.exe
- Runs ping.exe (1 TTP)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  description | pid | process
  Token: SeSecurityPrivilege | 3156 | TiWorker.exe
  Token: SeRestorePrivilege | 3156 | TiWorker.exe
  Token: SeBackupPrivilege | 3156 | TiWorker.exe
  Token: SeBackupPrivilege | 3156 | TiWorker.exe
  Token: SeRestorePrivilege | 3156 | TiWorker.exe
  Token: SeSecurityPrivilege | 3156 | TiWorker.exe
  Token: SeBackupPrivilege | 3156 | TiWorker.exe
  Token: SeRestorePrivilege | 3156 | TiWorker.exe
  Token: SeSecurityPrivilege | 3156 | TiWorker.exe
  Token: SeBackupPrivilege | 3156 | TiWorker.exe
  Token: SeRestorePrivilege | 3156 | TiWorker.exe
  Token: SeSecurityPrivilege | 3156 | TiWorker.exe
  Token: SeBackupPrivilege | 3156 | TiWorker.exe
  Token: SeRestorePrivilege | 3156 | TiWorker.exe
  Token: SeSecurityPrivilege | 3156 | TiWorker.exe
  Token: SeBackupPrivilege | 3156 | TiWorker.exe
  Token: SeRestorePrivilege | 3156 | TiWorker.exe
  Token: SeSecurityPrivilege | 3156 | TiWorker.exe
  Token: SeBackupPrivilege | 3156 | TiWorker.exe
  Token: SeRestorePrivilege | 3156 | TiWorker.exe
  Token: SeSecurityPrivilege | 3156 | TiWorker.exe
  Token: SeBackupPrivilege | 3156 | TiWorker.exe
  Token: SeRestorePrivilege | 3156 | TiWorker.exe
  Token: SeSecurityPrivilege | 3156 | TiWorker.exe
  Token: SeBackupPrivilege | 3156 | TiWorker.exe
  Token: SeRestorePrivilege | 3156 | TiWorker.exe
  Token: SeSecurityPrivilege | 3156 | TiWorker.exe
  Token: SeBackupPrivilege | 3156 | TiWorker.exe
  Token: SeRestorePrivilege | 3156 | TiWorker.exe
  Token: SeSecurityPrivilege | 3156 | TiWorker.exe
  Token: SeBackupPrivilege | 3156 | TiWorker.exe
  Token: SeRestorePrivilege | 3156 | TiWorker.exe
  Token: SeSecurityPrivilege | 3156 | TiWorker.exe
  Token: SeBackupPrivilege | 3156 | TiWorker.exe
  Token: SeRestorePrivilege | 3156 | TiWorker.exe
  Token: SeSecurityPrivilege | 3156 | TiWorker.exe
  Token: SeBackupPrivilege | 3156 | TiWorker.exe
  Token: SeRestorePrivilege | 3156 | TiWorker.exe
  Token: SeSecurityPrivilege | 3156 | TiWorker.exe
  Token: SeBackupPrivilege | 3156 | TiWorker.exe
  Token: SeRestorePrivilege | 3156 | TiWorker.exe
  Token: SeSecurityPrivilege | 3156 | TiWorker.exe
  Token: SeBackupPrivilege | 3156 | TiWorker.exe
  Token: SeRestorePrivilege | 3156 | TiWorker.exe
  Token: SeSecurityPrivilege | 3156 | TiWorker.exe
  Token: SeBackupPrivilege | 3156 | TiWorker.exe
  Token: SeRestorePrivilege | 3156 | TiWorker.exe
  Token: SeSecurityPrivilege | 3156 | TiWorker.exe
  Token: SeBackupPrivilege | 3156 | TiWorker.exe
  Token: SeRestorePrivilege | 3156 | TiWorker.exe
  Token: SeSecurityPrivilege | 3156 | TiWorker.exe
  Token: SeBackupPrivilege | 3156 | TiWorker.exe
  Token: SeRestorePrivilege | 3156 | TiWorker.exe
  Token: SeSecurityPrivilege | 3156 | TiWorker.exe
  Token: SeBackupPrivilege | 3156 | TiWorker.exe
  Token: SeRestorePrivilege | 3156 | TiWorker.exe
  Token: SeSecurityPrivilege | 3156 | TiWorker.exe
  Token: SeBackupPrivilege | 3156 | TiWorker.exe
  Token: SeRestorePrivilege | 3156 | TiWorker.exe
  Token: SeSecurityPrivilege | 3156 | TiWorker.exe
  Token: SeBackupPrivilege | 3156 | TiWorker.exe
  Token: SeRestorePrivilege | 3156 | TiWorker.exe
  Token: SeSecurityPrivilege | 3156 | TiWorker.exe
  Token: SeBackupPrivilege | 3156 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 3344 wrote to memory of 1728 | 3344 | 09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe | MediaCenter.exe
  PID 3344 wrote to memory of 1728 | 3344 | 09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe | MediaCenter.exe
  PID 3344 wrote to memory of 1728 | 3344 | 09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe | MediaCenter.exe
  PID 3344 wrote to memory of 1824 | 3344 | 09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe | cmd.exe
  PID 3344 wrote to memory of 1824 | 3344 | 09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe | cmd.exe
  PID 3344 wrote to memory of 1824 | 3344 | 09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe | cmd.exe
  PID 1824 wrote to memory of 3932 | 1824 | cmd.exe | PING.EXE
  PID 1824 wrote to memory of 3932 | 1824 | cmd.exe | PING.EXE
  PID 1824 wrote to memory of 3932 | 1824 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe"
  PID: 3344
  Signatures:
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1728
    Signatures:
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe"
    PID: 1824
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 3932
      Signatures:
      - Runs ping.exe
- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  PID: 1472
  Signatures:
  - Checks processor information in registry
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  PID: 364
  Signatures:
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3156
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k wusvcs -p
  PID: 2484
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: ff02115b43a3c6ff15938aeaa52026f1
  SHA1: 97dfbd31bed6aad6f3ef654ae487ecae0ced6da5
  SHA256: 2daa9aafa4cbb1f981804333cd61b873c1a6fb5f380d1452deaa63f0f3f7cd6f
  SHA512: 2ddbd598cfe21e9cc45453f4f5e3221dee5d0137db3dabb6008df754ba3321d3f5920ea1b8765ce68ead2515bea399819787e19ae4061dedc57972d8ca62ce0b