Analysis
max time kernel: 174s
max time network: 186s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 04:06
Static task: static1
Behavioral task: behavioral1
  Sample: 1607b5975709659fad363ab0c13a6556308954dbc181ea92cc6e1bd6ed1c0bb6.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1607b5975709659fad363ab0c13a6556308954dbc181ea92cc6e1bd6ed1c0bb6.exe
  Resource: win10v2004-en-20220112
General
Target: 1607b5975709659fad363ab0c13a6556308954dbc181ea92cc6e1bd6ed1c0bb6.exe
Size: 150KB
MD5: fdd7a04de79987d35a699b3a6bbd68c1
SHA1: b110ae8b155233cb019f86c7f7555b6669209b62
SHA256: 1607b5975709659fad363ab0c13a6556308954dbc181ea92cc6e1bd6ed1c0bb6
SHA512: 12b7c93e7d7e41f83f9312a9abdd45e4e57dd20119675fd8aca65263257c52658f89f2d07d6f2ef448f3fe8019710822fa6aba308086009d363cc28cdaf5b300
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
-
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
  pid 3680  MediaCenter.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation  1607b5975709659fad363ab0c13a6556308954dbc181ea92cc6e1bd6ed1c0bb6.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  1607b5975709659fad363ab0c13a6556308954dbc181ea92cc6e1bd6ed1c0bb6.exe
-
Drops file in Windows directory 3 IoCs
Processes:
  File opened for modification  C:\Windows\Logs\CBS\CBS.log  TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml  TiWorker.exe
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat  svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  Key opened  \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  MusNotifyIcon.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  MusNotifyIcon.exe
-
Modifies data under HKEY_USERS 50 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  PID 1804 wrote to memory of 3680  1607b5975709659fad363ab0c13a6556308954dbc181ea92cc6e1bd6ed1c0bb6.exe -> MediaCenter.exe
  PID 1804 wrote to memory of 3680  1607b5975709659fad363ab0c13a6556308954dbc181ea92cc6e1bd6ed1c0bb6.exe -> MediaCenter.exe
  PID 1804 wrote to memory of 3680  1607b5975709659fad363ab0c13a6556308954dbc181ea92cc6e1bd6ed1c0bb6.exe -> MediaCenter.exe
  PID 1804 wrote to memory of 3976  1607b5975709659fad363ab0c13a6556308954dbc181ea92cc6e1bd6ed1c0bb6.exe -> cmd.exe
  PID 1804 wrote to memory of 3976  1607b5975709659fad363ab0c13a6556308954dbc181ea92cc6e1bd6ed1c0bb6.exe -> cmd.exe
  PID 1804 wrote to memory of 3976  1607b5975709659fad363ab0c13a6556308954dbc181ea92cc6e1bd6ed1c0bb6.exe -> cmd.exe
  PID 3976 wrote to memory of 332  cmd.exe -> PING.EXE
  PID 3976 wrote to memory of 332  cmd.exe -> PING.EXE
  PID 3976 wrote to memory of 332  cmd.exe -> PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\1607b5975709659fad363ab0c13a6556308954dbc181ea92cc6e1bd6ed1c0bb6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1607b5975709659fad363ab0c13a6556308954dbc181ea92cc6e1bd6ed1c0bb6.exe"
  PID: 1804
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 3680
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1607b5975709659fad363ab0c13a6556308954dbc181ea92cc6e1bd6ed1c0bb6.exe"
    PID: 3976
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 332
      - Runs ping.exe
-
C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  PID: 3384
  - Checks processor information in registry
-
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  PID: 1948
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 620
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: 163337c851c402ded57e90be712c1729
SHA1: 7708e614d1a9ab80be32f47fbf7bc97887f60f51
SHA256: 14b0787562f23c08b7f79c11d22824806efe665ad23a919452cea2229ec874b0
SHA512: 751ba0e3165e49d9e7c0330d752640fa8ed76209c736df0de9886a33a377ffe882d67db9498f5b793fd9d1e2ec959b033f1ce527fb30a855ed8ad61a7897b937