Analysis
max time kernel: 169s
max time network: 180s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 04:10

Static task: static1

Behavioral task: behavioral1
Sample: 15e4ec3f213d152bc1d7e1b567f1105b7d7f37f6f449bfc73a5f2b19cdd09f2c.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 15e4ec3f213d152bc1d7e1b567f1105b7d7f37f6f449bfc73a5f2b19cdd09f2c.exe
Resource: win10v2004-en-20220112
General
Target: 15e4ec3f213d152bc1d7e1b567f1105b7d7f37f6f449bfc73a5f2b19cdd09f2c.exe
Size: 150KB
MD5: c4b9a7152e0d13ce95f1cab95d929810
SHA1: ea0b504be889b3b08ee6f041aaa50189b987b7e4
SHA256: 15e4ec3f213d152bc1d7e1b567f1105b7d7f37f6f449bfc73a5f2b19cdd09f2c
SHA512: e5050468097a2cd2d61ce94f90a387241273210931fccb2d2463796948bfdf029b4e0e030d9e9a38acdf24e1f3ce62ea5eaf54d2ac2e2f79d578fa36546a1eec
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes:
resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
Processes:
pid: 932  process: MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description: Key value queried  ioc: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation  process: 15e4ec3f213d152bc1d7e1b567f1105b7d7f37f6f449bfc73a5f2b19cdd09f2c.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description: Set value (str)  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  process: 15e4ec3f213d152bc1d7e1b567f1105b7d7f37f6f449bfc73a5f2b19cdd09f2c.exe
Drops file in Windows directory (3 IoCs)
Processes:
description: File opened for modification  ioc: C:\Windows\Logs\CBS\CBS.log  process: TiWorker.exe
description: File opened for modification  ioc: C:\Windows\WinSxS\pending.xml  process: TiWorker.exe
description: File opened for modification  ioc: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat  process: svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description: Key opened  ioc: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  process: MusNotifyIcon.exe
description: Key value queried  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  process: MusNotifyIcon.exe
Modifies data under HKEY_USERS (50 IoCs)
Processes: svchost.exe
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: TiWorker.exe, 15e4ec3f213d152bc1d7e1b567f1105b7d7f37f6f449bfc73a5f2b19cdd09f2c.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description: PID 2116 wrote to memory of 932  pid: 2116  process: 15e4ec3f213d152bc1d7e1b567f1105b7d7f37f6f449bfc73a5f2b19cdd09f2c.exe  target process: MediaCenter.exe
description: PID 2116 wrote to memory of 932  pid: 2116  process: 15e4ec3f213d152bc1d7e1b567f1105b7d7f37f6f449bfc73a5f2b19cdd09f2c.exe  target process: MediaCenter.exe
description: PID 2116 wrote to memory of 932  pid: 2116  process: 15e4ec3f213d152bc1d7e1b567f1105b7d7f37f6f449bfc73a5f2b19cdd09f2c.exe  target process: MediaCenter.exe
description: PID 2116 wrote to memory of 544  pid: 2116  process: 15e4ec3f213d152bc1d7e1b567f1105b7d7f37f6f449bfc73a5f2b19cdd09f2c.exe  target process: cmd.exe
description: PID 2116 wrote to memory of 544  pid: 2116  process: 15e4ec3f213d152bc1d7e1b567f1105b7d7f37f6f449bfc73a5f2b19cdd09f2c.exe  target process: cmd.exe
description: PID 2116 wrote to memory of 544  pid: 2116  process: 15e4ec3f213d152bc1d7e1b567f1105b7d7f37f6f449bfc73a5f2b19cdd09f2c.exe  target process: cmd.exe
description: PID 544 wrote to memory of 2108  pid: 544  process: cmd.exe  target process: PING.EXE
description: PID 544 wrote to memory of 2108  pid: 544  process: cmd.exe  target process: PING.EXE
description: PID 544 wrote to memory of 2108  pid: 544  process: cmd.exe  target process: PING.EXE
Processes

[level 1] C:\Users\Admin\AppData\Local\Temp\15e4ec3f213d152bc1d7e1b567f1105b7d7f37f6f449bfc73a5f2b19cdd09f2c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\15e4ec3f213d152bc1d7e1b567f1105b7d7f37f6f449bfc73a5f2b19cdd09f2c.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2116

    [level 2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        - Executes dropped EXE
        PID: 932

    [level 2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15e4ec3f213d152bc1d7e1b567f1105b7d7f37f6f449bfc73a5f2b19cdd09f2c.exe"
        - Suspicious use of WriteProcessMemory
        PID: 544

        [level 3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            - Runs ping.exe
            PID: 2108

[level 1] C:\Windows\system32\MusNotifyIcon.exe
    Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    - Checks processor information in registry
    PID: 1636

[level 1] C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID: 2648

[level 1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID: 2504
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 4a7dda95ff9966376eb6920ab5d01a2d
SHA1: 263f2a5d54bc0a150b38257c1717e3075970f068
SHA256: bb9daa591fad75b56c706fc4af053a354b2538a80ed5e94798ae9e713c3616c0
SHA512: 3e9c58acf67f767f4b694fb86af642aa1e1122a17fe8c392a12c28d75d747af9dcead67a0f9396ed56411989c30da3a2274a3ca6ebefb0d78a420ab6e90803be