Analysis
max time kernel: 161s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 10:44

Static task: static1
Behavioral task: behavioral1
  Sample: 0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26.exe
  Resource: win10v2004-en-20220112
General
Target: 0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26.exe
Size: 216KB
MD5: 0255235f956389bfe52a1234c4fe873a
SHA1: c2d76e4c77748738884d3cb619a71c3598fd4ac3
SHA256: 0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26
SHA512: a1e900ae3d7bd6f0763623924d078ccd9cee1d64519d25dd86b9e86895a45f2164eb9c58ac469c8cf371dba096effd8b8bc4bc892e6358192f6f61bed075dc9b
Malware Config
Signatures
Sakula Payload (3 IoCs)
Resource | YARA rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
behavioral2/memory/1040-132-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
Executes dropped EXE (1 IoC)
PID | Process
680 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Description | IoC | Process
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Description | IoC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26.exe
Drops file in Windows directory (3 IoCs)
Description | IoC | Process
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Description | IoC | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
Modifies data under HKEY_USERS (50 IoCs)
Description | IoC | Process
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "4.487233" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4324" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "9.999834" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132893138027003454" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4340" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4132" | svchost.exe
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Description | PID | Process
Token: SeSecurityPrivilege | 1020 | TiWorker.exe
Token: SeRestorePrivilege | 1020 | TiWorker.exe
Token: SeBackupPrivilege | 1020 | TiWorker.exe
Token: SeBackupPrivilege | 1020 | TiWorker.exe
Token: SeRestorePrivilege | 1020 | TiWorker.exe
Token: SeSecurityPrivilege | 1020 | TiWorker.exe
Token: SeBackupPrivilege | 1020 | TiWorker.exe
Token: SeRestorePrivilege | 1020 | TiWorker.exe
Token: SeSecurityPrivilege | 1020 | TiWorker.exe
Token: SeBackupPrivilege | 1020 | TiWorker.exe
Token: SeRestorePrivilege | 1020 | TiWorker.exe
Token: SeSecurityPrivilege | 1020 | TiWorker.exe
Token: SeBackupPrivilege | 1020 | TiWorker.exe
Token: SeRestorePrivilege | 1020 | TiWorker.exe
Token: SeSecurityPrivilege | 1020 | TiWorker.exe
Token: SeIncBasePriorityPrivilege | 1040 | 0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26.exe
Token: SeBackupPrivilege | 1020 | TiWorker.exe
Token: SeRestorePrivilege | 1020 | TiWorker.exe
Token: SeSecurityPrivilege | 1020 | TiWorker.exe
Token: SeBackupPrivilege | 1020 | TiWorker.exe
Token: SeRestorePrivilege | 1020 | TiWorker.exe
Token: SeSecurityPrivilege | 1020 | TiWorker.exe
Token: SeBackupPrivilege | 1020 | TiWorker.exe
Token: SeRestorePrivilege | 1020 | TiWorker.exe
Token: SeSecurityPrivilege | 1020 | TiWorker.exe
Token: SeBackupPrivilege | 1020 | TiWorker.exe
Token: SeRestorePrivilege | 1020 | TiWorker.exe
Token: SeSecurityPrivilege | 1020 | TiWorker.exe
Token: SeBackupPrivilege | 1020 | TiWorker.exe
Token: SeRestorePrivilege | 1020 | TiWorker.exe
Token: SeSecurityPrivilege | 1020 | TiWorker.exe
Token: SeBackupPrivilege | 1020 | TiWorker.exe
Token: SeRestorePrivilege | 1020 | TiWorker.exe
Token: SeSecurityPrivilege | 1020 | TiWorker.exe
Token: SeBackupPrivilege | 1020 | TiWorker.exe
Token: SeRestorePrivilege | 1020 | TiWorker.exe
Token: SeSecurityPrivilege | 1020 | TiWorker.exe
Token: SeBackupPrivilege | 1020 | TiWorker.exe
Token: SeRestorePrivilege | 1020 | TiWorker.exe
Token: SeSecurityPrivilege | 1020 | TiWorker.exe
Token: SeBackupPrivilege | 1020 | TiWorker.exe
Token: SeRestorePrivilege | 1020 | TiWorker.exe
Token: SeSecurityPrivilege | 1020 | TiWorker.exe
Token: SeBackupPrivilege | 1020 | TiWorker.exe
Token: SeRestorePrivilege | 1020 | TiWorker.exe
Token: SeSecurityPrivilege | 1020 | TiWorker.exe
Token: SeBackupPrivilege | 1020 | TiWorker.exe
Token: SeRestorePrivilege | 1020 | TiWorker.exe
Token: SeSecurityPrivilege | 1020 | TiWorker.exe
Token: SeBackupPrivilege | 1020 | TiWorker.exe
Token: SeRestorePrivilege | 1020 | TiWorker.exe
Token: SeSecurityPrivilege | 1020 | TiWorker.exe
Token: SeBackupPrivilege | 1020 | TiWorker.exe
Token: SeRestorePrivilege | 1020 | TiWorker.exe
Token: SeSecurityPrivilege | 1020 | TiWorker.exe
Token: SeBackupPrivilege | 1020 | TiWorker.exe
Token: SeRestorePrivilege | 1020 | TiWorker.exe
Token: SeSecurityPrivilege | 1020 | TiWorker.exe
Token: SeBackupPrivilege | 1020 | TiWorker.exe
Token: SeRestorePrivilege | 1020 | TiWorker.exe
Token: SeSecurityPrivilege | 1020 | TiWorker.exe
Token: SeBackupPrivilege | 1020 | TiWorker.exe
Token: SeRestorePrivilege | 1020 | TiWorker.exe
Token: SeSecurityPrivilege | 1020 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Description | PID | Process | Target process
PID 1040 wrote to memory of 680 | 1040 | 0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26.exe | MediaCenter.exe
PID 1040 wrote to memory of 680 | 1040 | 0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26.exe | MediaCenter.exe
PID 1040 wrote to memory of 680 | 1040 | 0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26.exe | MediaCenter.exe
PID 1040 wrote to memory of 3172 | 1040 | 0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26.exe | cmd.exe
PID 1040 wrote to memory of 3172 | 1040 | 0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26.exe | cmd.exe
PID 1040 wrote to memory of 3172 | 1040 | 0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26.exe | cmd.exe
PID 3172 wrote to memory of 3684 | 3172 | cmd.exe | PING.EXE
PID 3172 wrote to memory of 3684 | 3172 | cmd.exe | PING.EXE
PID 3172 wrote to memory of 3684 | 3172 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1040
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 680
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3172
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3684
- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
  PID: 2120
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 3976
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1020
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 2ffa43052af20070ef75c35ead8fb2b7
  SHA1: 54beb067e3f0f54a51809eb33e60e12d3935844d
  SHA256: 8c01dcc2442fb31ec5fb5713062340ee31668b6fe42a2782c1a53406c6619439
  SHA512: c5bd058bd6515bddb6d19838c98883ec2e621de4448ebd9600cccb66bba509e1fbbee56939a30b4665b513c4684874281d03f127a78619c968161e93ac089453
- memory/1040-132-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB