Analysis
-
max time kernel
162s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
12-02-2022 02:50
Static task
static1
Behavioral task
behavioral1
Sample
1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff.exe
Resource
win10v2004-en-20220112
General
-
Target
1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff.exe
-
Size
92KB
-
MD5
d4710bcca88b1b2e6e0ce2f5c64fac1f
-
SHA1
417c47961b09344d12bdd8f68315e2e9026440f8
-
SHA256
1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff
-
SHA512
4e6aa163188f9a5c09648c34585f425e1bf4901f4ea0e276ff7b8ce607ba6bdf06d9e258d93cff105f2d9dc4542bee576f8a80e6e9101e5e26fb2983fe6c6466
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
-
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
3624 | MediaCenter.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff.exe
-
Drops file in Windows directory 3 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
-
Modifies data under HKEY_USERS 49 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "7.895747" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4108" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4324" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "4.794548" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132892843162960847" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | svchost.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 2296 | 1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff.exe
Token: SeSecurityPrivilege | 1376 | TiWorker.exe
Token: SeRestorePrivilege | 1376 | TiWorker.exe
Token: SeBackupPrivilege | 1376 | TiWorker.exe
Token: SeBackupPrivilege | 1376 | TiWorker.exe
Token: SeRestorePrivilege | 1376 | TiWorker.exe
Token: SeSecurityPrivilege | 1376 | TiWorker.exe
Token: SeBackupPrivilege | 1376 | TiWorker.exe
Token: SeRestorePrivilege | 1376 | TiWorker.exe
Token: SeSecurityPrivilege | 1376 | TiWorker.exe
Token: SeBackupPrivilege | 1376 | TiWorker.exe
Token: SeRestorePrivilege | 1376 | TiWorker.exe
Token: SeSecurityPrivilege | 1376 | TiWorker.exe
Token: SeBackupPrivilege | 1376 | TiWorker.exe
Token: SeRestorePrivilege | 1376 | TiWorker.exe
Token: SeSecurityPrivilege | 1376 | TiWorker.exe
Token: SeBackupPrivilege | 1376 | TiWorker.exe
Token: SeRestorePrivilege | 1376 | TiWorker.exe
Token: SeSecurityPrivilege | 1376 | TiWorker.exe
Token: SeBackupPrivilege | 1376 | TiWorker.exe
Token: SeRestorePrivilege | 1376 | TiWorker.exe
Token: SeSecurityPrivilege | 1376 | TiWorker.exe
Token: SeBackupPrivilege | 1376 | TiWorker.exe
Token: SeRestorePrivilege | 1376 | TiWorker.exe
Token: SeSecurityPrivilege | 1376 | TiWorker.exe
Token: SeBackupPrivilege | 1376 | TiWorker.exe
Token: SeRestorePrivilege | 1376 | TiWorker.exe
Token: SeSecurityPrivilege | 1376 | TiWorker.exe
Token: SeBackupPrivilege | 1376 | TiWorker.exe
Token: SeRestorePrivilege | 1376 | TiWorker.exe
Token: SeSecurityPrivilege | 1376 | TiWorker.exe
Token: SeBackupPrivilege | 1376 | TiWorker.exe
Token: SeRestorePrivilege | 1376 | TiWorker.exe
Token: SeSecurityPrivilege | 1376 | TiWorker.exe
Token: SeBackupPrivilege | 1376 | TiWorker.exe
Token: SeRestorePrivilege | 1376 | TiWorker.exe
Token: SeSecurityPrivilege | 1376 | TiWorker.exe
Token: SeBackupPrivilege | 1376 | TiWorker.exe
Token: SeRestorePrivilege | 1376 | TiWorker.exe
Token: SeSecurityPrivilege | 1376 | TiWorker.exe
Token: SeBackupPrivilege | 1376 | TiWorker.exe
Token: SeRestorePrivilege | 1376 | TiWorker.exe
Token: SeSecurityPrivilege | 1376 | TiWorker.exe
Token: SeBackupPrivilege | 1376 | TiWorker.exe
Token: SeRestorePrivilege | 1376 | TiWorker.exe
Token: SeSecurityPrivilege | 1376 | TiWorker.exe
Token: SeBackupPrivilege | 1376 | TiWorker.exe
Token: SeRestorePrivilege | 1376 | TiWorker.exe
Token: SeSecurityPrivilege | 1376 | TiWorker.exe
Token: SeBackupPrivilege | 1376 | TiWorker.exe
Token: SeRestorePrivilege | 1376 | TiWorker.exe
Token: SeSecurityPrivilege | 1376 | TiWorker.exe
Token: SeBackupPrivilege | 1376 | TiWorker.exe
Token: SeRestorePrivilege | 1376 | TiWorker.exe
Token: SeSecurityPrivilege | 1376 | TiWorker.exe
Token: SeBackupPrivilege | 1376 | TiWorker.exe
Token: SeRestorePrivilege | 1376 | TiWorker.exe
Token: SeSecurityPrivilege | 1376 | TiWorker.exe
Token: SeBackupPrivilege | 1376 | TiWorker.exe
Token: SeRestorePrivilege | 1376 | TiWorker.exe
Token: SeSecurityPrivilege | 1376 | TiWorker.exe
Token: SeBackupPrivilege | 1376 | TiWorker.exe
Token: SeRestorePrivilege | 1376 | TiWorker.exe
Token: SeSecurityPrivilege | 1376 | TiWorker.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 2296 wrote to memory of 3624 | 2296 | 1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff.exe | MediaCenter.exe
PID 2296 wrote to memory of 3624 | 2296 | 1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff.exe | MediaCenter.exe
PID 2296 wrote to memory of 3624 | 2296 | 1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff.exe | MediaCenter.exe
PID 2296 wrote to memory of 2692 | 2296 | 1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff.exe | cmd.exe
PID 2296 wrote to memory of 2692 | 2296 | 1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff.exe | cmd.exe
PID 2296 wrote to memory of 2692 | 2296 | 1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff.exe | cmd.exe
PID 2692 wrote to memory of 2964 | 2692 | cmd.exe | PING.EXE
PID 2692 wrote to memory of 2964 | 2692 | cmd.exe | PING.EXE
PID 2692 wrote to memory of 2964 | 2692 | cmd.exe | PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2296
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 3624
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff.exe"
      - Suspicious use of WriteProcessMemory
      PID: 2692
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          - Runs ping.exe
          PID: 2964
-
C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
  PID: 1536
-
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 452
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1376
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5
755d2cbef32d1cf1ace02ff612f85be7
SHA1
3c7fd963a6f76835bc0e9824a0c9b212697a4be1
SHA256
2278284f1645e14b63c51b6d8d32f39217a5dfc2394903d931b15471d6530077
SHA512
0349c5cfa041b8aa22d00c4dba9971129fb089bbc629f580805fa8416c3631d5f76aea763ad87c6b2bd32df9c1d08c9e6bc2078d4f6f6d5855b407a44eedf4b0