Analysis
- max time kernel: 166s
- max time network: 181s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 10:20
Static task: static1
Behavioral task: behavioral1
- Sample: 078d69c5f07e2d53cbf501e1fa7f125184b15ccaaee3e453ea3ba51496e52ea6.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 078d69c5f07e2d53cbf501e1fa7f125184b15ccaaee3e453ea3ba51496e52ea6.exe
- Resource: win10v2004-en-20220112
General
- Target: 078d69c5f07e2d53cbf501e1fa7f125184b15ccaaee3e453ea3ba51496e52ea6.exe
- Size: 101KB
- MD5: bb43fe37869ddcbf937d2b7ee2a945d7
- SHA1: 921240a16e15dc94a840796a8b6ff1e4e4575184
- SHA256: 078d69c5f07e2d53cbf501e1fa7f125184b15ccaaee3e453ea3ba51496e52ea6
- SHA512: 6d6a3c616cf2669d9d585bdda1d3b4a076c0d2722adb12a512a325479708c3bdfe01f0b1b490d4531b7d253b1eb955c8ad1dc4a0b563bd0432bcbb201454b97e
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes (resource, yara_rule):
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
Executes dropped EXE (1 IoCs)
Processes (pid, process):
- 2168: MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
- Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation (078d69c5f07e2d53cbf501e1fa7f125184b15ccaaee3e453ea3ba51496e52ea6.exe)
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (078d69c5f07e2d53cbf501e1fa7f125184b15ccaaee3e453ea3ba51496e52ea6.exe)
Drops file in Windows directory (3 IoCs)
Processes (description, ioc, process):
- File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat (svchost.exe)
- File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
- File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (MusNotifyIcon.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (MusNotifyIcon.exe)
Modifies data under HKEY_USERS (55 IoCs)
Processes: svchost.exe (registry writes under \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization)
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: TiWorker.exe, 078d69c5f07e2d53cbf501e1fa7f125184b15ccaaee3e453ea3ba51496e52ea6.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description, pid, process, target process):
- PID 1384 wrote to memory of 2168: 078d69c5f07e2d53cbf501e1fa7f125184b15ccaaee3e453ea3ba51496e52ea6.exe -> MediaCenter.exe
- PID 1384 wrote to memory of 2168: 078d69c5f07e2d53cbf501e1fa7f125184b15ccaaee3e453ea3ba51496e52ea6.exe -> MediaCenter.exe
- PID 1384 wrote to memory of 2168: 078d69c5f07e2d53cbf501e1fa7f125184b15ccaaee3e453ea3ba51496e52ea6.exe -> MediaCenter.exe
- PID 1384 wrote to memory of 2784: 078d69c5f07e2d53cbf501e1fa7f125184b15ccaaee3e453ea3ba51496e52ea6.exe -> cmd.exe
- PID 1384 wrote to memory of 2784: 078d69c5f07e2d53cbf501e1fa7f125184b15ccaaee3e453ea3ba51496e52ea6.exe -> cmd.exe
- PID 1384 wrote to memory of 2784: 078d69c5f07e2d53cbf501e1fa7f125184b15ccaaee3e453ea3ba51496e52ea6.exe -> cmd.exe
- PID 2784 wrote to memory of 1484: cmd.exe -> PING.EXE
- PID 2784 wrote to memory of 1484: cmd.exe -> PING.EXE
- PID 2784 wrote to memory of 1484: cmd.exe -> PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\078d69c5f07e2d53cbf501e1fa7f125184b15ccaaee3e453ea3ba51496e52ea6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\078d69c5f07e2d53cbf501e1fa7f125184b15ccaaee3e453ea3ba51496e52ea6.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1384
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 2168
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\078d69c5f07e2d53cbf501e1fa7f125184b15ccaaee3e453ea3ba51496e52ea6.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2784
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1484
- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
  PID: 2120
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 2424
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1884
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: ff82fb1db3da6e8d69c85ccc7f1655d0
  SHA1: fd041fcb8b0b189d311ee112c6a946403ec9fc85
  SHA256: 536a51602319b1dce864845ce83f8c292285e6b1f69d169d89e94471a02451ea
  SHA512: f08b35bccf87d21eff6d69b21e4a897fb7d1ec3303738e9c6c23a9a2ed3150576c288aab90ab128133b28ceb072335454ee8c5c21eec18dc9b970bd6692e11b7