Analysis
- max time kernel: 148s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 03:09
Static task: static1
Behavioral task: behavioral1
- Sample: 18749ccf8ecf553f6ec19a134ee0cd08a37acc1d9fcce965039b2c474be2d18c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 18749ccf8ecf553f6ec19a134ee0cd08a37acc1d9fcce965039b2c474be2d18c.exe
- Resource: win10v2004-en-20220112
General
- Target: 18749ccf8ecf553f6ec19a134ee0cd08a37acc1d9fcce965039b2c474be2d18c.exe
- Size: 150KB
- MD5: 05d607627a4e3fc8319cca5f701f7845
- SHA1: e2045bce86efb57eb6c7918d15765ef5d653b671
- SHA256: 18749ccf8ecf553f6ec19a134ee0cd08a37acc1d9fcce965039b2c474be2d18c
- SHA512: cc392aadbc88217c8af15449bfc1803cf58ec6e2ee9b5b6c22a38ad88a64c5af3a7fcfecbea410c31a243ec2dd9a91cb7a7f476747bc2d0216222e600b1a09d3
Malware Config
Signatures
- Sakula Payload 2 IoCs
  Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE 1 IoCs
  Processes:
  pid: 532  process: MediaCenter.exe
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description: Key value queried  ioc: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation  process: 18749ccf8ecf553f6ec19a134ee0cd08a37acc1d9fcce965039b2c474be2d18c.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes:
  description: Set value (str)  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  process: 18749ccf8ecf553f6ec19a134ee0cd08a37acc1d9fcce965039b2c474be2d18c.exe
- Drops file in Windows directory 3 IoCs
  Processes:
  description: File opened for modification  ioc: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat  process: svchost.exe
  description: File opened for modification  ioc: C:\Windows\Logs\CBS\CBS.log  process: TiWorker.exe
  description: File opened for modification  ioc: C:\Windows\WinSxS\pending.xml  process: TiWorker.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS 50 IoCs
  Processes: svchost.exe
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 64 IoCs
  Processes:
  description: Token: SeIncBasePriorityPrivilege  pid: 2908  process: 18749ccf8ecf553f6ec19a134ee0cd08a37acc1d9fcce965039b2c474be2d18c.exe
  description: Token: SeSecurityPrivilege  pid: 2612  process: TiWorker.exe
  description: Token: SeRestorePrivilege  pid: 2612  process: TiWorker.exe
  description: Token: SeBackupPrivilege  pid: 2612  process: TiWorker.exe
- Suspicious use of WriteProcessMemory 9 IoCs
  Processes:
  description: PID 2908 wrote to memory of 532  process: 18749ccf8ecf553f6ec19a134ee0cd08a37acc1d9fcce965039b2c474be2d18c.exe  target process: MediaCenter.exe
  description: PID 2908 wrote to memory of 1136  process: 18749ccf8ecf553f6ec19a134ee0cd08a37acc1d9fcce965039b2c474be2d18c.exe  target process: cmd.exe
  description: PID 1136 wrote to memory of 3992  process: cmd.exe  target process: PING.EXE
Processes
- PID 2908: C:\Users\Admin\AppData\Local\Temp\18749ccf8ecf553f6ec19a134ee0cd08a37acc1d9fcce965039b2c474be2d18c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\18749ccf8ecf553f6ec19a134ee0cd08a37acc1d9fcce965039b2c474be2d18c.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - PID 532: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - PID 1136: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18749ccf8ecf553f6ec19a134ee0cd08a37acc1d9fcce965039b2c474be2d18c.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - PID 3992: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
- PID 3896: C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  Signatures: Drops file in Windows directory; Modifies data under HKEY_USERS
- PID 2612: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 13cdc060a390ff91177e50762cf72195
  SHA1: 1c7701e2baa0a5be241637ec213396b6f4747e20
  SHA256: 27aeefc2a24eed3a53230e5f09843f1c5871aa7b081ae65c9749812e322e7c3a
  SHA512: cfac606ee4ad03751825b11db96f6ce508537d5015e88c35181594792028a93dedce538d7de057b2103e677f6632953948662167b96f8ceef09b28ec2f255dd8