Analysis
max time kernel: 175s
max time network: 182s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 11:31
Static task: static1
Behavioral task: behavioral1
  Sample: 042e4c07c8507b7c3d0804f2084125ceb78e43fdc53918d2eb801716a4e38f03.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 042e4c07c8507b7c3d0804f2084125ceb78e43fdc53918d2eb801716a4e38f03.exe
  Resource: win10v2004-en-20220112
General
Target: 042e4c07c8507b7c3d0804f2084125ceb78e43fdc53918d2eb801716a4e38f03.exe
Size: 80KB
MD5: 7feadbd8f648090e2c3cb1d63ef4ac8b
SHA1: 3f5c7d7b2d4814a1156be57c74a3685bc7786bf7
SHA256: 042e4c07c8507b7c3d0804f2084125ceb78e43fdc53918d2eb801716a4e38f03
SHA512: 06e0434efd8a9cac4e2a528ce600a66b8b43452b2180dfa552408f6178482c653ec0962ac6f5045a1f07f8066324dd616a4b9c34c3d9e17e7cbda904138dc3e2
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE (1 IoCs)
Processes: MediaCenter.exe
pid | process
2848 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 042e4c07c8507b7c3d0804f2084125ceb78e43fdc53918d2eb801716a4e38f03.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 042e4c07c8507b7c3d0804f2084125ceb78e43fdc53918d2eb801716a4e38f03.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: 042e4c07c8507b7c3d0804f2084125ceb78e43fdc53918d2eb801716a4e38f03.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 042e4c07c8507b7c3d0804f2084125ceb78e43fdc53918d2eb801716a4e38f03.exe
Drops file in Windows directory (3 IoCs)
Processes: TiWorker.exe, svchost.exe
description | ioc | process
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: MusNotifyIcon.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
Modifies data under HKEY_USERS (50 IoCs)
Processes: svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "11.109381" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "5.555842" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4068" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132893156184737034" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4300" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "1.096512" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4316" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | svchost.exe
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: TiWorker.exe, 042e4c07c8507b7c3d0804f2084125ceb78e43fdc53918d2eb801716a4e38f03.exe
description | pid | process
Token: SeSecurityPrivilege | 3624 | TiWorker.exe
Token: SeRestorePrivilege | 3624 | TiWorker.exe
Token: SeBackupPrivilege | 3624 | TiWorker.exe
Token: SeIncBasePriorityPrivilege | 2340 | 042e4c07c8507b7c3d0804f2084125ceb78e43fdc53918d2eb801716a4e38f03.exe
Token: SeBackupPrivilege | 3624 | TiWorker.exe
Token: SeRestorePrivilege | 3624 | TiWorker.exe
Token: SeSecurityPrivilege | 3624 | TiWorker.exe
(the last three TiWorker.exe rows, SeBackupPrivilege / SeRestorePrivilege / SeSecurityPrivilege, repeat in that order 20 times in the original listing; 64 entries in total)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 042e4c07c8507b7c3d0804f2084125ceb78e43fdc53918d2eb801716a4e38f03.exe, cmd.exe
description | pid | process | target process
PID 2340 wrote to memory of 2848 | 2340 | 042e4c07c8507b7c3d0804f2084125ceb78e43fdc53918d2eb801716a4e38f03.exe | MediaCenter.exe
PID 2340 wrote to memory of 2848 | 2340 | 042e4c07c8507b7c3d0804f2084125ceb78e43fdc53918d2eb801716a4e38f03.exe | MediaCenter.exe
PID 2340 wrote to memory of 2848 | 2340 | 042e4c07c8507b7c3d0804f2084125ceb78e43fdc53918d2eb801716a4e38f03.exe | MediaCenter.exe
PID 2340 wrote to memory of 1360 | 2340 | 042e4c07c8507b7c3d0804f2084125ceb78e43fdc53918d2eb801716a4e38f03.exe | cmd.exe
PID 2340 wrote to memory of 1360 | 2340 | 042e4c07c8507b7c3d0804f2084125ceb78e43fdc53918d2eb801716a4e38f03.exe | cmd.exe
PID 2340 wrote to memory of 1360 | 2340 | 042e4c07c8507b7c3d0804f2084125ceb78e43fdc53918d2eb801716a4e38f03.exe | cmd.exe
PID 1360 wrote to memory of 3584 | 1360 | cmd.exe | PING.EXE
PID 1360 wrote to memory of 3584 | 1360 | cmd.exe | PING.EXE
PID 1360 wrote to memory of 3584 | 1360 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\042e4c07c8507b7c3d0804f2084125ceb78e43fdc53918d2eb801716a4e38f03.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\042e4c07c8507b7c3d0804f2084125ceb78e43fdc53918d2eb801716a4e38f03.exe"
  PID: 2340
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 2848
    - Executes dropped EXE
  - Child: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\042e4c07c8507b7c3d0804f2084125ceb78e43fdc53918d2eb801716a4e38f03.exe"
    PID: 1360
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 3584
      - Runs ping.exe
- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  PID: 1340
  - Checks processor information in registry
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  PID: 2696
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3624
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: be947edda4f76072cd79fd734c857b58
  SHA1: 3e75299bef12183efa4925e375e52f3dbe73b914
  SHA256: b45d2faf4eb9de206ee60e70bde5b8640446107793a2c2609d0508166f7f5c45
  SHA512: b28e9287afe706049c2ea8c794bc36ceb6edc3edc8e9a91f0e09b7a864425f392e28edbeb46e374febdc1c2f29a4b7c96d0e02b98d92f16dec635a2da589941a