Analysis
- max time kernel: 155s
- max time network: 169s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 03:44
Static task: static1
Behavioral task: behavioral1
- Sample: 16e5bbba7cefdd09858f46cd3a7ccaa77b752bd3ae190e12c230bbb7d2f82231.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 16e5bbba7cefdd09858f46cd3a7ccaa77b752bd3ae190e12c230bbb7d2f82231.exe
- Resource: win10v2004-en-20220112
General
- Target: 16e5bbba7cefdd09858f46cd3a7ccaa77b752bd3ae190e12c230bbb7d2f82231.exe
- Size: 112KB
- MD5: a4e759180c02a1543083d393f209e906
- SHA1: 618e5aa1dcbda1038176320acb47697c95da7cc6
- SHA256: 16e5bbba7cefdd09858f46cd3a7ccaa77b752bd3ae190e12c230bbb7d2f82231
- SHA512: ec59d6ebfcac4908bccaa42fba1d322aefc0de894f74a4cb7fda62d933915991986545c75eeb408df42d7c1b06f22f8f64622b336426e30f9056bc46c0477985
Malware Config
Signatures
Sakula Payload 3 IoCs
Processes (resource, yara_rule):
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, family_sakula
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, family_sakula
- behavioral2/memory/3744-132-0x0000000000400000-0x0000000000420000-memory.dmp, family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE 1 IoCs
Processes (pid, process):
- 1124, MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
- Key value queried, \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation, 16e5bbba7cefdd09858f46cd3a7ccaa77b752bd3ae190e12c230bbb7d2f82231.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, process):
- Set value (str), \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe", 16e5bbba7cefdd09858f46cd3a7ccaa77b752bd3ae190e12c230bbb7d2f82231.exe
Drops file in Windows directory 3 IoCs
Processes (description, ioc, process):
- File opened for modification, C:\Windows\Logs\CBS\CBS.log, TiWorker.exe
- File opened for modification, C:\Windows\WinSxS\pending.xml, TiWorker.exe
- File opened for modification, C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat, svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key opened, \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0, MusNotifyIcon.exe
- Key value queried, \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz, MusNotifyIcon.exe
Modifies data under HKEY_USERS 49 IoCs
Processes: svchost.exe
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (description, pid, process):
- Token: SeIncBasePriorityPrivilege, 3744, 16e5bbba7cefdd09858f46cd3a7ccaa77b752bd3ae190e12c230bbb7d2f82231.exe
- Token: SeSecurityPrivilege, 3028, TiWorker.exe
- Token: SeRestorePrivilege, 3028, TiWorker.exe
- Token: SeBackupPrivilege, 3028, TiWorker.exe
The remaining 60 entries repeat the three TiWorker.exe privilege adjustments above.
Suspicious use of WriteProcessMemory 9 IoCs
Processes (description, pid, process, target process):
- PID 3744 wrote to memory of 1124, 3744, 16e5bbba7cefdd09858f46cd3a7ccaa77b752bd3ae190e12c230bbb7d2f82231.exe, MediaCenter.exe (3 IoCs)
- PID 3744 wrote to memory of 2996, 3744, 16e5bbba7cefdd09858f46cd3a7ccaa77b752bd3ae190e12c230bbb7d2f82231.exe, cmd.exe (3 IoCs)
- PID 2996 wrote to memory of 1940, 2996, cmd.exe, PING.EXE (3 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\16e5bbba7cefdd09858f46cd3a7ccaa77b752bd3ae190e12c230bbb7d2f82231.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\16e5bbba7cefdd09858f46cd3a7ccaa77b752bd3ae190e12c230bbb7d2f82231.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3744
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1124
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16e5bbba7cefdd09858f46cd3a7ccaa77b752bd3ae190e12c230bbb7d2f82231.exe"
      - Suspicious use of WriteProcessMemory
      PID: 2996
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          - Runs ping.exe
          PID: 1940
C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
  PID: 2088
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 3164
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3028
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 0a6bd9369e72f08dc747718c9d212d2e
- SHA1: 2c307887c0b9e416526981ba5ae17b3fb36b8d7a
- SHA256: 2da530ecef01e90c6ebdbddb4a9c141ca88baf44e684726a0fff35f4f089b504
- SHA512: ace90759ade505255b04b7af398fef2adebacb87c979eb5d3b978ce7359af34ecfeec0975d7a914f1c0912b933614cbeed4cf97761f9b709cc0af8d5b6c0009e