Analysis
- max time kernel: 157s
- max time network: 171s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 10:30
Static task: static1
Behavioral task: behavioral1
- Sample: 06fe2785128d81f1b0fd477e90e43c21fe53006c018443a78195b71bf013010f.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 06fe2785128d81f1b0fd477e90e43c21fe53006c018443a78195b71bf013010f.exe
- Resource: win10v2004-en-20220112
General
- Target: 06fe2785128d81f1b0fd477e90e43c21fe53006c018443a78195b71bf013010f.exe
- Size: 80KB
- MD5: 45decf862b314ee7eed53e2904a7cb32
- SHA1: c62d4f02b5618d9b6cdf698c7114993427de1f90
- SHA256: 06fe2785128d81f1b0fd477e90e43c21fe53006c018443a78195b71bf013010f
- SHA512: bc5ca4603e139add62c0047c4bd6915ebcd32bd6be8909e282be2b75a3a8d08b7d1134e82b383ca202fd5a31c974233fbf72ac19b191bde526686f2787156a67
Malware Config
Signatures
- Sakula Payload 2 IoCs
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE 1 IoCs
  Processes: MediaCenter.exe
  pid | process
  4000 | MediaCenter.exe
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  Processes: 06fe2785128d81f1b0fd477e90e43c21fe53006c018443a78195b71bf013010f.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 06fe2785128d81f1b0fd477e90e43c21fe53006c018443a78195b71bf013010f.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes: 06fe2785128d81f1b0fd477e90e43c21fe53006c018443a78195b71bf013010f.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 06fe2785128d81f1b0fd477e90e43c21fe53006c018443a78195b71bf013010f.exe
- Drops file in Windows directory 3 IoCs
  Processes: TiWorker.exe, svchost.exe
  description | ioc | process
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry 2 TTPs 2 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes: MusNotifyIcon.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
- Modifies data under HKEY_USERS 49 IoCs
  Processes: svchost.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4236" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "8.321005" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "1.619395" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132893130525746272" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4120" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "1.852226" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | svchost.exe
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 64 IoCs
  Processes: 06fe2785128d81f1b0fd477e90e43c21fe53006c018443a78195b71bf013010f.exe, TiWorker.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1816 | 06fe2785128d81f1b0fd477e90e43c21fe53006c018443a78195b71bf013010f.exe
  Token: SeSecurityPrivilege | 2968 | TiWorker.exe
  Token: SeRestorePrivilege | 2968 | TiWorker.exe
  Token: SeBackupPrivilege | 2968 | TiWorker.exe
  Token: SeBackupPrivilege | 2968 | TiWorker.exe
  Token: SeRestorePrivilege | 2968 | TiWorker.exe
  Token: SeSecurityPrivilege | 2968 | TiWorker.exe
  Token: SeBackupPrivilege | 2968 | TiWorker.exe
  Token: SeRestorePrivilege | 2968 | TiWorker.exe
  Token: SeSecurityPrivilege | 2968 | TiWorker.exe
  Token: SeBackupPrivilege | 2968 | TiWorker.exe
  Token: SeRestorePrivilege | 2968 | TiWorker.exe
  Token: SeSecurityPrivilege | 2968 | TiWorker.exe
  Token: SeBackupPrivilege | 2968 | TiWorker.exe
  Token: SeRestorePrivilege | 2968 | TiWorker.exe
  Token: SeSecurityPrivilege | 2968 | TiWorker.exe
  Token: SeBackupPrivilege | 2968 | TiWorker.exe
  Token: SeRestorePrivilege | 2968 | TiWorker.exe
  Token: SeSecurityPrivilege | 2968 | TiWorker.exe
  Token: SeBackupPrivilege | 2968 | TiWorker.exe
  Token: SeRestorePrivilege | 2968 | TiWorker.exe
  Token: SeSecurityPrivilege | 2968 | TiWorker.exe
  Token: SeBackupPrivilege | 2968 | TiWorker.exe
  Token: SeRestorePrivilege | 2968 | TiWorker.exe
  Token: SeSecurityPrivilege | 2968 | TiWorker.exe
  Token: SeBackupPrivilege | 2968 | TiWorker.exe
  Token: SeRestorePrivilege | 2968 | TiWorker.exe
  Token: SeSecurityPrivilege | 2968 | TiWorker.exe
  Token: SeBackupPrivilege | 2968 | TiWorker.exe
  Token: SeRestorePrivilege | 2968 | TiWorker.exe
  Token: SeSecurityPrivilege | 2968 | TiWorker.exe
  Token: SeBackupPrivilege | 2968 | TiWorker.exe
  Token: SeRestorePrivilege | 2968 | TiWorker.exe
  Token: SeSecurityPrivilege | 2968 | TiWorker.exe
  Token: SeBackupPrivilege | 2968 | TiWorker.exe
  Token: SeRestorePrivilege | 2968 | TiWorker.exe
  Token: SeSecurityPrivilege | 2968 | TiWorker.exe
  Token: SeBackupPrivilege | 2968 | TiWorker.exe
  Token: SeRestorePrivilege | 2968 | TiWorker.exe
  Token: SeSecurityPrivilege | 2968 | TiWorker.exe
  Token: SeBackupPrivilege | 2968 | TiWorker.exe
  Token: SeRestorePrivilege | 2968 | TiWorker.exe
  Token: SeSecurityPrivilege | 2968 | TiWorker.exe
  Token: SeBackupPrivilege | 2968 | TiWorker.exe
  Token: SeRestorePrivilege | 2968 | TiWorker.exe
  Token: SeSecurityPrivilege | 2968 | TiWorker.exe
  Token: SeBackupPrivilege | 2968 | TiWorker.exe
  Token: SeRestorePrivilege | 2968 | TiWorker.exe
  Token: SeSecurityPrivilege | 2968 | TiWorker.exe
  Token: SeBackupPrivilege | 2968 | TiWorker.exe
  Token: SeRestorePrivilege | 2968 | TiWorker.exe
  Token: SeSecurityPrivilege | 2968 | TiWorker.exe
  Token: SeBackupPrivilege | 2968 | TiWorker.exe
  Token: SeRestorePrivilege | 2968 | TiWorker.exe
  Token: SeSecurityPrivilege | 2968 | TiWorker.exe
  Token: SeBackupPrivilege | 2968 | TiWorker.exe
  Token: SeRestorePrivilege | 2968 | TiWorker.exe
  Token: SeSecurityPrivilege | 2968 | TiWorker.exe
  Token: SeBackupPrivilege | 2968 | TiWorker.exe
  Token: SeRestorePrivilege | 2968 | TiWorker.exe
  Token: SeSecurityPrivilege | 2968 | TiWorker.exe
  Token: SeBackupPrivilege | 2968 | TiWorker.exe
  Token: SeRestorePrivilege | 2968 | TiWorker.exe
  Token: SeSecurityPrivilege | 2968 | TiWorker.exe
- Suspicious use of WriteProcessMemory 9 IoCs
  Processes: 06fe2785128d81f1b0fd477e90e43c21fe53006c018443a78195b71bf013010f.exe, cmd.exe
  description | pid | process | target process
  PID 1816 wrote to memory of 4000 | 1816 | 06fe2785128d81f1b0fd477e90e43c21fe53006c018443a78195b71bf013010f.exe | MediaCenter.exe
  PID 1816 wrote to memory of 4000 | 1816 | 06fe2785128d81f1b0fd477e90e43c21fe53006c018443a78195b71bf013010f.exe | MediaCenter.exe
  PID 1816 wrote to memory of 4000 | 1816 | 06fe2785128d81f1b0fd477e90e43c21fe53006c018443a78195b71bf013010f.exe | MediaCenter.exe
  PID 1816 wrote to memory of 2332 | 1816 | 06fe2785128d81f1b0fd477e90e43c21fe53006c018443a78195b71bf013010f.exe | cmd.exe
  PID 1816 wrote to memory of 2332 | 1816 | 06fe2785128d81f1b0fd477e90e43c21fe53006c018443a78195b71bf013010f.exe | cmd.exe
  PID 1816 wrote to memory of 2332 | 1816 | 06fe2785128d81f1b0fd477e90e43c21fe53006c018443a78195b71bf013010f.exe | cmd.exe
  PID 2332 wrote to memory of 2432 | 2332 | cmd.exe | PING.EXE
  PID 2332 wrote to memory of 2432 | 2332 | cmd.exe | PING.EXE
  PID 2332 wrote to memory of 2432 | 2332 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\06fe2785128d81f1b0fd477e90e43c21fe53006c018443a78195b71bf013010f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06fe2785128d81f1b0fd477e90e43c21fe53006c018443a78195b71bf013010f.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1816
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 4000
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06fe2785128d81f1b0fd477e90e43c21fe53006c018443a78195b71bf013010f.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2332
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 2432
- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
  PID: 3964
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 3412
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2968
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 8952ec1c2830a0330bb302d75484b24f
  SHA1: a8360148a4c9c8a31cfd3a8c5eca6b5b3aaaf1f0
  SHA256: 2892170f803115e663f6ae5f17bee9a477036e44f717c8f23292a97628a7cc53
  SHA512: e8a2d47a6de463cb82b755c163c1bb042725727bee43d5065ecf779551b9698ff9e7d355292b072211c62e5dd5a3b5f2322093bfd884f437f30c8e2812613b8c