Analysis
- max time kernel: 167s
- max time network: 187s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 10:15
Static task: static1
Behavioral task: behavioral1
- Sample: 07b6e01c189142cd350018756480b2ba112b60ef933a3d5209bd465bd880f342.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 07b6e01c189142cd350018756480b2ba112b60ef933a3d5209bd465bd880f342.exe
- Resource: win10v2004-en-20220112
General
- Target: 07b6e01c189142cd350018756480b2ba112b60ef933a3d5209bd465bd880f342.exe
- Size: 191KB
- MD5: 6a63d98b80ee586fca0b8f8e2d67eded
- SHA1: 2ef7af6611b849d461ee27d0f6aab088ebeaba4a
- SHA256: 07b6e01c189142cd350018756480b2ba112b60ef933a3d5209bd465bd880f342
- SHA512: 7519c02282e22e2f7d8cafb9c9ba5b5fc6799419000ab48bb8a99e7498ca9a7fa8138796320b5175e2f256c6f682eaf6759e2b08c58ef4dac7a11f41ecc7aa70
Malware Config
Signatures
Sakula Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE 1 IoCs
Processes:
pid | process
3688 | MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 07b6e01c189142cd350018756480b2ba112b60ef933a3d5209bd465bd880f342.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 07b6e01c189142cd350018756480b2ba112b60ef933a3d5209bd465bd880f342.exe
Drops file in Windows directory 3 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
Modifies data under HKEY_USERS 47 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132893117618165797" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4388" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.040274" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "4.729713" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4160" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | svchost.exe
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 37 IoCs
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 3840 | 07b6e01c189142cd350018756480b2ba112b60ef933a3d5209bd465bd880f342.exe
Token: SeSecurityPrivilege | 3712 | TiWorker.exe
Token: SeRestorePrivilege | 3712 | TiWorker.exe
Token: SeBackupPrivilege | 3712 | TiWorker.exe
Token: SeBackupPrivilege | 3712 | TiWorker.exe
Token: SeRestorePrivilege | 3712 | TiWorker.exe
Token: SeSecurityPrivilege | 3712 | TiWorker.exe
Token: SeBackupPrivilege | 3712 | TiWorker.exe
Token: SeRestorePrivilege | 3712 | TiWorker.exe
Token: SeSecurityPrivilege | 3712 | TiWorker.exe
Token: SeBackupPrivilege | 3712 | TiWorker.exe
Token: SeRestorePrivilege | 3712 | TiWorker.exe
Token: SeSecurityPrivilege | 3712 | TiWorker.exe
Token: SeBackupPrivilege | 3712 | TiWorker.exe
Token: SeRestorePrivilege | 3712 | TiWorker.exe
Token: SeSecurityPrivilege | 3712 | TiWorker.exe
Token: SeBackupPrivilege | 3712 | TiWorker.exe
Token: SeRestorePrivilege | 3712 | TiWorker.exe
Token: SeSecurityPrivilege | 3712 | TiWorker.exe
Token: SeBackupPrivilege | 3712 | TiWorker.exe
Token: SeRestorePrivilege | 3712 | TiWorker.exe
Token: SeSecurityPrivilege | 3712 | TiWorker.exe
Token: SeBackupPrivilege | 3712 | TiWorker.exe
Token: SeRestorePrivilege | 3712 | TiWorker.exe
Token: SeSecurityPrivilege | 3712 | TiWorker.exe
Token: SeBackupPrivilege | 3712 | TiWorker.exe
Token: SeRestorePrivilege | 3712 | TiWorker.exe
Token: SeSecurityPrivilege | 3712 | TiWorker.exe
Token: SeBackupPrivilege | 3712 | TiWorker.exe
Token: SeRestorePrivilege | 3712 | TiWorker.exe
Token: SeSecurityPrivilege | 3712 | TiWorker.exe
Token: SeBackupPrivilege | 3712 | TiWorker.exe
Token: SeRestorePrivilege | 3712 | TiWorker.exe
Token: SeSecurityPrivilege | 3712 | TiWorker.exe
Token: SeBackupPrivilege | 3712 | TiWorker.exe
Token: SeRestorePrivilege | 3712 | TiWorker.exe
Token: SeSecurityPrivilege | 3712 | TiWorker.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 3840 wrote to memory of 3688 | 3840 | 07b6e01c189142cd350018756480b2ba112b60ef933a3d5209bd465bd880f342.exe | MediaCenter.exe
PID 3840 wrote to memory of 3688 | 3840 | 07b6e01c189142cd350018756480b2ba112b60ef933a3d5209bd465bd880f342.exe | MediaCenter.exe
PID 3840 wrote to memory of 3688 | 3840 | 07b6e01c189142cd350018756480b2ba112b60ef933a3d5209bd465bd880f342.exe | MediaCenter.exe
PID 3840 wrote to memory of 2244 | 3840 | 07b6e01c189142cd350018756480b2ba112b60ef933a3d5209bd465bd880f342.exe | cmd.exe
PID 3840 wrote to memory of 2244 | 3840 | 07b6e01c189142cd350018756480b2ba112b60ef933a3d5209bd465bd880f342.exe | cmd.exe
PID 3840 wrote to memory of 2244 | 3840 | 07b6e01c189142cd350018756480b2ba112b60ef933a3d5209bd465bd880f342.exe | cmd.exe
PID 2244 wrote to memory of 2544 | 2244 | cmd.exe | PING.EXE
PID 2244 wrote to memory of 2544 | 2244 | cmd.exe | PING.EXE
PID 2244 wrote to memory of 2544 | 2244 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\07b6e01c189142cd350018756480b2ba112b60ef933a3d5209bd465bd880f342.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\07b6e01c189142cd350018756480b2ba112b60ef933a3d5209bd465bd880f342.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3840
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 3688
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\07b6e01c189142cd350018756480b2ba112b60ef933a3d5209bd465bd880f342.exe"
      - Suspicious use of WriteProcessMemory
      PID: 2244
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          - Runs ping.exe
          PID: 2544
C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
  PID: 2188
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 544
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3712
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
- MD5: f92f6dc8d9416d9e5cbc140053386593
- SHA1: 3c6fec79fe3d8e1e9c2b249240a74885aecf3114
- SHA256: e879fd4282262e217fad58d2a86be60a33f74345d1ebd5e45942e9d1a3a40fda
- SHA512: 649effb9d17f9e4ad2529ba8d0b8cf0291dcf878e7317794547cc9b9f4e3118aa4c0dbb3e3c49d35072acdc3309ddc950682f7e673961363d104069a169c849f