Analysis
-
max time kernel: 159s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 10:58
Static task: static1
Behavioral task: behavioral1
  Sample: 05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe
  Resource: win10v2004-en-20220112
General
-
Target: 05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe
Size: 99KB
MD5: 282e691dbddb8724cacb290909da4b24
SHA1: 8d8e303778b6a9210fa10a18b35237b32754086a
SHA256: 05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3
SHA512: ae084f85fbb73746792e67244e431cf6308544ea460eb748e789d8b614586fe3d512a770f2cac1bcf413fb61528d22d8d4f22386597d006f2cc4900540242b28
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
2484 | MediaCenter.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
The WOW6432Node path is WOW64 registry redirection: the 32-bit sample wrote to HKLM\Software\Microsoft\Windows\CurrentVersion\Run, so the dropped MediaCenter.exe is started at every interactive logon of any user, from a path under the user's Temp folder.
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe
-
Drops file in Windows directory 3 IoCs
All three writes are by OS servicing components (svchost.exe updating Delivery Optimization state, TiWorker.exe writing the CBS log and pending.xml), not by the sample or its dropped MediaCenter.exe.
Processes:
description | ioc | process
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this heuristic as likely ransomware behaviour, but no process is attributed to it here and the report records no file-encryption activity, so on its own it does not change the Sakula classification above.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments. Here both reads come from MusNotifyIcon.exe (PID 2824, Windows Update's tray-notification helper), which has no parent link to the sample, so this is background OS activity rather than sample anti-analysis.
Processes:
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
-
Modifies data under HKEY_USERS 51 IoCs
All 51 writes come from svchost.exe (PID 1764, the NetworkService host) under the Delivery Optimization key of S-1-5-20 (NT AUTHORITY\NETWORK SERVICE). This is routine Windows Update/Delivery Optimization telemetry in the sandbox image, not activity of the sample.
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.222226" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4100" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4328" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132893146110263249" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.071124" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "2.816800" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4088" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
63 of the 64 entries are TiWorker.exe (PID 872, the Windows Modules Installer worker) cycling SeBackupPrivilege, SeRestorePrivilege and SeSecurityPrivilege during servicing, which is normal OS behaviour. The only entry attributable to the sample is SeIncBasePriorityPrivilege enabled by PID 3524.
Processes:
description | pid | process
Token: SeSecurityPrivilege | 872 | TiWorker.exe
Token: SeRestorePrivilege | 872 | TiWorker.exe
Token: SeBackupPrivilege | 872 | TiWorker.exe
Token: SeBackupPrivilege | 872 | TiWorker.exe
Token: SeRestorePrivilege | 872 | TiWorker.exe
Token: SeSecurityPrivilege | 872 | TiWorker.exe
Token: SeBackupPrivilege | 872 | TiWorker.exe
Token: SeRestorePrivilege | 872 | TiWorker.exe
Token: SeSecurityPrivilege | 872 | TiWorker.exe
Token: SeBackupPrivilege | 872 | TiWorker.exe
Token: SeRestorePrivilege | 872 | TiWorker.exe
Token: SeSecurityPrivilege | 872 | TiWorker.exe
Token: SeBackupPrivilege | 872 | TiWorker.exe
Token: SeRestorePrivilege | 872 | TiWorker.exe
Token: SeSecurityPrivilege | 872 | TiWorker.exe
Token: SeBackupPrivilege | 872 | TiWorker.exe
Token: SeRestorePrivilege | 872 | TiWorker.exe
Token: SeSecurityPrivilege | 872 | TiWorker.exe
Token: SeBackupPrivilege | 872 | TiWorker.exe
Token: SeRestorePrivilege | 872 | TiWorker.exe
Token: SeSecurityPrivilege | 872 | TiWorker.exe
Token: SeBackupPrivilege | 872 | TiWorker.exe
Token: SeRestorePrivilege | 872 | TiWorker.exe
Token: SeSecurityPrivilege | 872 | TiWorker.exe
Token: SeBackupPrivilege | 872 | TiWorker.exe
Token: SeRestorePrivilege | 872 | TiWorker.exe
Token: SeSecurityPrivilege | 872 | TiWorker.exe
Token: SeBackupPrivilege | 872 | TiWorker.exe
Token: SeRestorePrivilege | 872 | TiWorker.exe
Token: SeSecurityPrivilege | 872 | TiWorker.exe
Token: SeBackupPrivilege | 872 | TiWorker.exe
Token: SeRestorePrivilege | 872 | TiWorker.exe
Token: SeSecurityPrivilege | 872 | TiWorker.exe
Token: SeIncBasePriorityPrivilege | 3524 | 05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe
Token: SeBackupPrivilege | 872 | TiWorker.exe
Token: SeRestorePrivilege | 872 | TiWorker.exe
Token: SeSecurityPrivilege | 872 | TiWorker.exe
Token: SeBackupPrivilege | 872 | TiWorker.exe
Token: SeRestorePrivilege | 872 | TiWorker.exe
Token: SeSecurityPrivilege | 872 | TiWorker.exe
Token: SeBackupPrivilege | 872 | TiWorker.exe
Token: SeRestorePrivilege | 872 | TiWorker.exe
Token: SeSecurityPrivilege | 872 | TiWorker.exe
Token: SeBackupPrivilege | 872 | TiWorker.exe
Token: SeRestorePrivilege | 872 | TiWorker.exe
Token: SeSecurityPrivilege | 872 | TiWorker.exe
Token: SeBackupPrivilege | 872 | TiWorker.exe
Token: SeRestorePrivilege | 872 | TiWorker.exe
Token: SeSecurityPrivilege | 872 | TiWorker.exe
Token: SeBackupPrivilege | 872 | TiWorker.exe
Token: SeRestorePrivilege | 872 | TiWorker.exe
Token: SeSecurityPrivilege | 872 | TiWorker.exe
Token: SeBackupPrivilege | 872 | TiWorker.exe
Token: SeRestorePrivilege | 872 | TiWorker.exe
Token: SeSecurityPrivilege | 872 | TiWorker.exe
Token: SeBackupPrivilege | 872 | TiWorker.exe
Token: SeRestorePrivilege | 872 | TiWorker.exe
Token: SeSecurityPrivilege | 872 | TiWorker.exe
Token: SeBackupPrivilege | 872 | TiWorker.exe
Token: SeRestorePrivilege | 872 | TiWorker.exe
Token: SeSecurityPrivilege | 872 | TiWorker.exe
Token: SeBackupPrivilege | 872 | TiWorker.exe
Token: SeRestorePrivilege | 872 | TiWorker.exe
Token: SeSecurityPrivilege | 872 | TiWorker.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 3524 wrote to memory of 2484 | 3524 | 05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe | MediaCenter.exe
PID 3524 wrote to memory of 2484 | 3524 | 05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe | MediaCenter.exe
PID 3524 wrote to memory of 2484 | 3524 | 05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe | MediaCenter.exe
PID 3524 wrote to memory of 2540 | 3524 | 05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe | cmd.exe
PID 3524 wrote to memory of 2540 | 3524 | 05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe | cmd.exe
PID 3524 wrote to memory of 2540 | 3524 | 05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe | cmd.exe
PID 2540 wrote to memory of 776 | 2540 | cmd.exe | PING.EXE
PID 2540 wrote to memory of 776 | 2540 | cmd.exe | PING.EXE
PID 2540 wrote to memory of 776 | 2540 | cmd.exe | PING.EXE
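The persistence recorded above (the MicroMedia Run value pointing at MediaCenter.exe under the user's Temp folder) is what a responder would hunt for on other hosts. The following PowerShell is an added example written for this page, not code from the sandbox or from the malware. The Run value name, the Temp-folder path pattern and the SHA256 of the dropped MediaCenter.exe are taken from this report; checking the native HKLM and HKCU Run keys in addition to the WOW6432Node key the sample actually wrote is an assumption (a 64-bit build would land in the native key). The unquoted-path handling is a heuristic: a bare path containing spaces will be cut at the first space.

```powershell
# Added example (not part of the sandbox report): hunt a Windows host for the
# Sakula persistence artefacts recorded above.
# Assumptions: the HKCU and native HKLM Run keys are checked as well as the
# WOW6432Node key the sample wrote; the SHA256 is the dropped MediaCenter.exe
# from the report's Downloads section.

$KnownDroppedSha256 = '58bd9e011ef9013775c595454440e660dc4bc83f371bfe6855db779fbaa91f16'
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunValueTarget {
    # Extract the executable path from a Run value: the quoted path if present,
    # otherwise the first whitespace-delimited token (heuristic for bare paths).
    param([string] $Raw)
    $exe = if ($Raw -match '^\s*"([^"]+)"') { $Matches[1] } else { ($Raw.Trim() -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Find-SakulaRunPersistence {
    foreach ($keyPath in $RunKeys) {
        if (-not (Test-Path -Path $keyPath)) { continue }
        $key = Get-Item -Path $keyPath
        foreach ($name in $key.GetValueNames()) {
            $target = Get-RunValueTarget -Raw ([string] $key.GetValue($name))
            $flags = @()
            if ($name -eq 'MicroMedia') { $flags += 'value name matches report' }
            if ($target -match '(?i)\\AppData\\Local\\Temp\\') { $flags += 'autostart from user Temp folder' }

            $hash = $null
            if ($target -and (Test-Path -LiteralPath $target -PathType Leaf)) {
                $hash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
                # String -eq is case-insensitive, so the lowercase constant compares cleanly.
                if ($hash -eq $KnownDroppedSha256) { $flags += 'SHA256 matches dropped MediaCenter.exe' }
            } elseif ($flags.Count -gt 0) {
                # Suspicious name or path but no file: the payload may already have been removed.
                $flags += 'target missing'
            }

            if ($flags.Count -gt 0) {
                [pscustomobject]@{
                    Key    = $keyPath
                    Name   = $name
                    Target = $target
                    SHA256 = $hash
                    Flags  = ($flags -join '; ')
                }
            }
        }
    }
}

Find-SakulaRunPersistence | Format-Table -AutoSize
```

Run it from an elevated prompt so HKLM is readable in full; an empty result means none of the three signals (value name, Temp-folder autostart, known hash) was present. A match on the hash alone is the strongest signal, since the value name and drop path are trivially changed between builds.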
Processes
-
(level 1) C:\Users\Admin\AppData\Local\Temp\05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3524
  (level 2) C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 2484
  (level 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2540
    Note: the sample asks for System32\cmd.exe but SysWOW64\cmd.exe runs, confirming a 32-bit parent under WOW64. The loopback ping is a short delay so the parent can exit before del removes its own image; this is the self-deletion step, and the persistence copy MediaCenter.exe is already running.
    (level 3) C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 776
-
(level 1) C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
  PID: 2824
-
(level 1) C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 1764
-
(level 1) C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 872
Note: the three level-1 trees after the sample (MusNotifyIcon.exe, svchost.exe, TiWorker.exe) have no parent link to PID 3524 and are background Windows Update and servicing activity of the sandbox image.
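The cmd.exe line in the tree above ("ping 127.0.0.1 & del /q <own path>") is a reusable detection: a loopback ping used as a sleep, followed by deletion of the parent's executable. The PowerShell below is an added example for this page, not code from the sandbox, and runs offline over constructed process-creation records. The first record is built from the report's own process tree; the two controls are invented benign commands. The field names (ParentImage, Image, CommandLine) follow Sysmon Event ID 1 naming, which is an assumption about the log source, not something the report states.

```powershell
# Added example (not part of the sandbox report): flag the "ping loopback, then del"
# self-deletion chain over process-creation records.
# Assumption: records expose ParentImage, Image and CommandLine (Sysmon Event ID 1 names).

function Test-SelfDeleteChain {
    param([Parameter(Mandatory)] $Event)

    $result = [pscustomobject]@{ Suspicious = $false; Reason = ''; DeletedTarget = $null }
    if ([string]$Event.Image -notmatch '(?i)\\cmd\.exe$') { return $result }

    $cl = [string]$Event.CommandLine
    # Loopback ping used as a sleep so the parent can exit before the delete runs.
    $pingSleep = $cl -match '(?i)\bping\b[^&|]*\b(127\.0\.0\.1|localhost|::1)\b'
    # del/erase of an .exe, with optional switches (/q, /f ...) and optional quoting.
    $delete = $cl -match '(?i)\b(del|erase)\b\s+(?:/[a-z]\s+)*"?(?<target>[^"&|]+\.exe)"?'
    if (-not ($pingSleep -and $delete)) { return $result }

    $target = $Matches['target'].Trim()
    $result.DeletedTarget = $target
    $result.Suspicious = $true
    if ($target -ieq [string]$Event.ParentImage) {
        # Strongest form: cmd.exe is deleting the image of the process that spawned it.
        $result.Reason = 'cmd.exe deletes its own parent image after a loopback ping'
    } else {
        $result.Reason = 'loopback ping followed by deletion of an executable'
    }
    return $result
}

$sampleImage = 'C:\Users\Admin\AppData\Local\Temp\05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe'
$events = @(
    # Constructed from the report: cmd.exe (PID 2540) spawned by the sample (PID 3524).
    [pscustomobject]@{
        ParentImage = $sampleImage
        Image       = 'C:\Windows\SysWOW64\cmd.exe'
        CommandLine = '"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + $sampleImage + '"'
    },
    # Constructed benign control: deletes a log file with no ping sleep.
    [pscustomobject]@{
        ParentImage = 'C:\Windows\System32\svchost.exe'
        Image       = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe /c del /q C:\Windows\Temp\old.log'
    },
    # Constructed benign control: a connectivity check with no delete.
    [pscustomobject]@{
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe /c ping 127.0.0.1 -n 4'
    }
)

$events | ForEach-Object {
    $r = Test-SelfDeleteChain -Event $_
    [pscustomobject]@{ Parent = $_.ParentImage; Suspicious = $r.Suspicious; Reason = $r.Reason; Target = $r.DeletedTarget }
} | Format-Table -AutoSize
```

Only the first record is flagged, with the stronger "deletes its own parent image" reason because the del target equals ParentImage; the two controls stay clean. When wiring this to real telemetry, feed it the same three fields from Sysmon Event ID 1 or Security 4688 (with command-line auditing enabled, and noting that 4688 reports the parent as a process name rather than a full path, so the parent-image comparison must be adjusted).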
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5: 0f888b480846f408526fd6d6aed37493
SHA1: caf9ee77b67cc4ef80b3f194f3964569568c16ba
SHA256: 58bd9e011ef9013775c595454440e660dc4bc83f371bfe6855db779fbaa91f16
SHA512: d77ab1f7b25f3417441bb184331245a32c66778ddfd96cc65b2f36d9dcc82c74648999269ae2c4e88ef70a9b3a07dab536fbff92a24b20a11a88446519f4a0d3
These hashes differ from the submitted sample's, so the dropped MediaCenter.exe is not a byte-for-byte copy of the parent; hunt for both sets of hashes.