Analysis
- max time kernel: 167s
- max time network: 182s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 03:28

Static task: static1

Behavioral task: behavioral1
- Sample: 178dbe7ff0034dc65f38d29050fe45cb46531d7b8f31cd58f8a50d62cd9c2c3f.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 178dbe7ff0034dc65f38d29050fe45cb46531d7b8f31cd58f8a50d62cd9c2c3f.exe
- Resource: win10v2004-en-20220112
General
- Target: 178dbe7ff0034dc65f38d29050fe45cb46531d7b8f31cd58f8a50d62cd9c2c3f.exe
- Size: 188KB
- MD5: a88f7e07aeaae86eb7c2139d029d031a
- SHA1: be602420f2e1bb227e4d94b5afa8f7412fb92333
- SHA256: 178dbe7ff0034dc65f38d29050fe45cb46531d7b8f31cd58f8a50d62cd9c2c3f
- SHA512: f680f90f640c016c3e4bcf12916bd45efe00daed54ad82c5ed1cff1f72a887dc9812251ec72ecc6bf3512c296109d07adacca10b3a1cf1b21ca66883267fb3b0
Malware Config
Signatures
Sakula Payload 4 IoCs
Processes:
- yara_rule family_sakula: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (dropped file; matched twice)
- yara_rule family_sakula: behavioral2/memory/1804-132-0x0000000000400000-0x0000000000420000-memory.dmp (original sample, PID 1804)
- yara_rule family_sakula: behavioral2/memory/2472-133-0x0000000000400000-0x0000000000420000-memory.dmp (MediaCenter.exe, PID 2472)
Both processes match at the same 0x400000-0x420000 image range: the dropped MediaCenter.exe carries the same Sakula payload as the original sample.
- suricata: ET MALWARE SUSPICIOUS UA (iexplore) (alerted twice)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1 (alerted twice)
Executes dropped EXE 1 IoCs
Processes:
- MediaCenter.exe, PID 2472
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes:
- 178dbe7ff0034dc65f38d29050fe45cb46531d7b8f31cd58f8a50d62cd9c2c3f.exe: Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- 178dbe7ff0034dc65f38d29050fe45cb46531d7b8f31cd58f8a50d62cd9c2c3f.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
Drops file in Windows directory 3 IoCs
Processes:
- svchost.exe: File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat
- TiWorker.exe: File opened for modification C:\Windows\Logs\CBS\CBS.log
- TiWorker.exe: File opened for modification C:\Windows\WinSxS\pending.xml
All three writes come from Windows servicing and Delivery Optimization components that ran in the sandbox alongside the sample (they appear as separate roots in the process tree, not as children of the sample), so they are background noise rather than sample activity.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this as likely ransomware behaviour, but the report records no file encryption and classifies the payload as the Sakula RAT, so treat it as plain storage enumeration rather than ransomware evidence. No per-process IoC is listed for this signature.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- MusNotifyIcon.exe: Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- MusNotifyIcon.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Both reads are attributed to MusNotifyIcon.exe (the Windows Update tray notification process, PID 1656), not to the sample or its children, so this is not evidence of sandbox evasion by the sample.
Modifies data under HKEY_USERS 49 IoCs
Processes:
All 49 entries are by svchost.exe (PID 392, the NetworkService host) under \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization and are routine Delivery Optimization bookkeeping, not sample activity.
Keys created:
- DeliveryOptimization
- DeliveryOptimization\Config
- DeliveryOptimization\Settings
- DeliveryOptimization\Usage
Config values set:
- (int) Config\KVFileExpirationTime = "132892866572418180"
- (str) Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
- (str) Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
- (int) Config\DownloadMode_BackCompat = "1"
- (int) Config\DODownloadMode = "1"
Usage values set:
- (int) Usage\GroupConnectionCount = "0"
- (int) Usage\UplinkUsageBps = "0"
- (int) Usage\UploadRatePct = "100"
- (int) Usage\PriorityDownloadPendingCount = "0"
- (int) Usage\DownloadMonthlyInternetBytes = "0"
- (int) Usage\DownloadMonthlyGroupBytes = "0"
- (int) Usage\DownloadMonthlyLinkLocalBytes = "0"
- (int) Usage\DownloadMonthlyRateFrCnt = "0"
- (int) Usage\MonthID = "2"
- (int) Usage\DownlinkBps = "0"
- (int) Usage\UploadMonthlyInternetBytes = "0"
- (int) Usage\UploadMonthlyLanBytes = "0"
- (int) Usage\SwarmCount = "0", later "1"
- (int) Usage\PriorityDownloadCount = "0"
- (str) Usage\CPUpct = "0.491800", later "0.498343", later "0.000000"
- (int) Usage\DownloadMonthlyRateFrBps = "0"
- (int) Usage\DownloadMonthlyRateBkCnt = "0"
- (int) Usage\PeerInfoCount = "0"
- (int) Usage\BkDownloadRatePct = "45"
- (int) Usage\NormalDownloadPendingCount = "0"
- (int) Usage\MemoryUsageKB = "4112", later "4260"
- (int) Usage\DownloadMonthlyCacheHostBytes = "0"
- (int) Usage\LANConnectionCount = "0"
- (int) Usage\DownloadMonthlyCdnBytes = "0"
- (int) Usage\CacheSizeBytes = "0"
- (int) Usage\LinkLocalConnectionCount = "0"
- (int) Usage\MonthlyUploadRestriction = "0"
- (int) Usage\DownloadMonthlyLanBytes = "0"
- (int) Usage\InternetConnectionCount = "0"
- (int) Usage\DownlinkUsageBps = "0"
- (int) Usage\NormalDownloadCount = "0"
- (int) Usage\CDNConnectionCount = "0"
- (int) Usage\UplinkBps = "0"
- (int) Usage\FrDownloadRatePct = "90"
- (int) Usage\UploadCount = "0"
- (int) Usage\DownloadMonthlyRateBkBps = "0"
Runs ping.exe 1 TTPs 1 IoCs
Processes:
- PING.EXE, PID 3108, spawned by cmd.exe (PID 3452)
The ping to 127.0.0.1 is the delay in the sample's self-deletion one-liner (cmd.exe /c ping 127.0.0.1 & del /q "<sample path>", see the process tree): it gives the parent time to exit before the original executable is deleted, and is not network reconnaissance.
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
- 178dbe7ff0034dc65f38d29050fe45cb46531d7b8f31cd58f8a50d62cd9c2c3f.exe (PID 1804): Token: SeIncBasePriorityPrivilege (1 entry)
- TiWorker.exe (PID 332): Token: SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, enabled repeatedly in rotation (63 entries, 21 of each)
Only the single SeIncBasePriorityPrivilege adjustment belongs to the sample. The backup, restore and security privileges are enabled by TiWorker.exe, the Windows servicing worker, which is a separate root in the process tree and not spawned by the sample.
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
- PID 1804 (178dbe7ff0034dc65f38d29050fe45cb46531d7b8f31cd58f8a50d62cd9c2c3f.exe) wrote to memory of PID 2472 (MediaCenter.exe), 3 entries
- PID 1804 (178dbe7ff0034dc65f38d29050fe45cb46531d7b8f31cd58f8a50d62cd9c2c3f.exe) wrote to memory of PID 3452 (cmd.exe), 3 entries
- PID 3452 (cmd.exe) wrote to memory of PID 3108 (PING.EXE), 3 entries
Every target is a direct child that the writing process had just created, so these writes are consistent with normal process start-up rather than injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\178dbe7ff0034dc65f38d29050fe45cb46531d7b8f31cd58f8a50d62cd9c2c3f.exe (PID 1804)
  command line: "C:\Users\Admin\AppData\Local\Temp\178dbe7ff0034dc65f38d29050fe45cb46531d7b8f31cd58f8a50d62cd9c2c3f.exe"
  signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 2472)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 3452)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\178dbe7ff0034dc65f38d29050fe45cb46531d7b8f31cd58f8a50d62cd9c2c3f.exe"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 3108)
      command line: ping 127.0.0.1
      signatures: Runs ping.exe
- C:\Windows\system32\MusNotifyIcon.exe (PID 1656)
  command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  signatures: Checks processor information in registry
- C:\Windows\System32\svchost.exe (PID 392)
  command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  signatures: Drops file in Windows directory; Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 332)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

Only the first tree belongs to the sample: it drops and launches MediaCenter.exe, persists it through the Run key, then deletes its own image via cmd.exe. The sample is a 32-bit process on 64-bit Windows, which is why its request for System32\cmd.exe is redirected by WOW64 to SysWOW64\cmd.exe and why the Run key lands under WOW6432Node. MusNotifyIcon.exe, svchost.exe and TiWorker.exe are Windows background activity captured during the run.
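As an added example (not part of this report, and not code from the sandbox or from the malware), the following Python script runs the three hunts a defender would want for this process tree over constructed event records: a Run-key value that points into a user's Temp directory, a cmd.exe "ping ... & del" one-liner that deletes the image of its own parent, and a child launched from the path its parent had just persisted. The records are built from the report's PIDs, paths and command lines; the `ProcEvent`/`RegEvent` shapes and field names are assumptions modelled loosely on Sysmon process-creation and registry events, not the sandbox's schema. The self-deletion pattern is generalised slightly beyond the report's exact line so that it also catches the common `ping -n N 127.0.0.1 > nul & del /f /q "..."` form.

```python
"""Hunt for the persistence + self-deletion chain seen in this report.

Added example, not part of the sandbox report. Event shapes are assumptions
modelled loosely on Sysmon (process creation / registry value set); the
records in EVENTS are constructed from the report's process tree.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union


@dataclass
class ProcEvent:
    pid: int
    image: str
    command_line: str
    parent_pid: Optional[int] = None   # None for a root process (parent not recorded)


@dataclass
class RegEvent:
    pid: int
    image: str
    target_object: str   # value path, e.g. ...\CurrentVersion\Run\MicroMedia
    details: str         # value data as logged (Run data carries doubled backslashes)


Event = Union[ProcEvent, RegEvent]

# Any value directly under a ...\CurrentVersion\Run key (HKLM, HKCU or WOW6432Node).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
# A per-user Temp directory, where droppers commonly stage their second stage.
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# "ping <anything> & del [/switches] "<quoted path>"": ping serves as a sleep so the
# parent has exited before the delete runs. Unquoted targets are deliberately not matched.
PING_DEL_RE = re.compile(r'ping\b[^&]*&+\s*del\b[^"]*"(?P<target>[^"]+)"', re.IGNORECASE)


def _norm(path: str) -> str:
    """Canonicalise a path: undo doubled backslashes, strip quotes, fold case."""
    return path.replace("\\\\", "\\").strip().strip('"').lower()


def run_key_to_user_temp(events: List[Event]) -> List[Dict]:
    """Run-key values whose data launches something from a user's Temp directory."""
    hits = []
    for e in events:
        if isinstance(e, RegEvent) and RUN_KEY_RE.search(e.target_object):
            target = _norm(e.details)
            if USER_TEMP_RE.search(target):
                hits.append({"pid": e.pid, "value": e.target_object, "target": target})
    return hits


def ping_then_delete(events: List[Event]) -> List[Dict]:
    """cmd.exe lines that sleep with ping and then delete a file.

    self_delete is True when the deleted file is the image of the process that
    spawned cmd.exe, i.e. a dropper erasing itself after staging its payload.
    """
    by_pid = {e.pid: e for e in events if isinstance(e, ProcEvent)}
    hits = []
    for e in events:
        if not isinstance(e, ProcEvent) or not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = PING_DEL_RE.search(e.command_line)
        if not m:
            continue
        deleted = _norm(m.group("target"))
        parent = by_pid.get(e.parent_pid)
        hits.append({"pid": e.pid, "deleted": deleted,
                     "self_delete": parent is not None and _norm(parent.image) == deleted})
    return hits


def persisted_dropper_chain(events: List[Event]) -> List[Dict]:
    """Processes whose image was written to a Run key by their own parent."""
    run_targets = {h["target"]: h["pid"] for h in run_key_to_user_temp(events)}
    hits = []
    for e in events:
        if not isinstance(e, ProcEvent) or e.parent_pid is None:
            continue
        if run_targets.get(_norm(e.image)) == e.parent_pid:
            hits.append({"pid": e.pid, "image": e.image, "parent_pid": e.parent_pid})
    return hits


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\178dbe7ff0034dc65f38d29050fe45cb46531d7b8f31cd58f8a50d62cd9c2c3f.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed from the report's process tree and registry activity (PIDs as reported).
EVENTS: List[Event] = [
    ProcEvent(1804, SAMPLE, '"' + SAMPLE + '"'),
    RegEvent(1804, SAMPLE,
             r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
             r'"C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"'),
    ProcEvent(2472, DROPPED, DROPPED, 1804),
    ProcEvent(3452, CMD, '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"', 1804),
    ProcEvent(3108, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1", 3452),
    # Windows background activity from the same run, which must not fire.
    ProcEvent(392, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k NetworkService -p"),
    ProcEvent(1656, r"C:\Windows\system32\MusNotifyIcon.exe", r"%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13"),
]

if __name__ == "__main__":
    for name, fn in (("run key -> user Temp", run_key_to_user_temp),
                     ("ping-then-delete", ping_then_delete),
                     ("persisted dropper chain", persisted_dropper_chain)):
        for hit in fn(EVENTS):
            print(f"[{name}] {hit}")
```

Run against the constructed events it reports the Run key write by PID 1804, the self-deleting cmd.exe (PID 3452) and MediaCenter.exe (PID 2472) as the persisted child, while the svchost.exe and MusNotifyIcon.exe roots stay silent. The third hunt is the one worth keeping: a Run key alone is common, and ping-then-del alone is used by installers, but a parent that both persists and launches a binary from Temp and then deletes itself is the dropper pattern this report shows.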
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: ab084eeb5b5d7d1c9e7f7164c5b954dc
  SHA1: acdbba6f38e0ef61bd6911d3599e853fa431a5bc
  SHA256: 0f824e7190bda1f23aee0a45af8db1b1e69e51209f47963cccd89c7302d523d9
  SHA512: 0acdb44897a79b9ea3783c170e85fdf71010f8b059fcf0e3f9d9261b99476c4974869cb82284ddc18623d04e56949aede6135a1f503cb12688095561b591f249
  (the same hash set is listed twice in the report)