Analysis
max time kernel: 143s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 08:15
Static task: static1
Behavioral task: behavioral1
  Sample: 0b6ffa75db6a8515608b477dd71149cf05a09d7afd1f9a57a33de3bde8c61bbe.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0b6ffa75db6a8515608b477dd71149cf05a09d7afd1f9a57a33de3bde8c61bbe.exe
  Resource: win10v2004-en-20220112
General
Target: 0b6ffa75db6a8515608b477dd71149cf05a09d7afd1f9a57a33de3bde8c61bbe.exe
Size: 89KB
MD5: b378e38c9a5ff333187ae4979b09296c
SHA1: 29ee4b18d4d9124795ae3b803f3251687ae75307
SHA256: 0b6ffa75db6a8515608b477dd71149cf05a09d7afd1f9a57a33de3bde8c61bbe
SHA512: cf6fd071b2d90c2046d0465879a0a24fe83072fcc39add58dc789541adc550b4d464a2ced28abe2b15b93b388429096eda775a7bc0e12d28cc78e2920d8bacd9
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  656 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 0b6ffa75db6a8515608b477dd71149cf05a09d7afd1f9a57a33de3bde8c61bbe.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0b6ffa75db6a8515608b477dd71149cf05a09d7afd1f9a57a33de3bde8c61bbe.exe
Drops file in Windows directory (3 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
Modifies data under HKEY_USERS (50 IoCs)
Processes: svchost.exe
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: 0b6ffa75db6a8515608b477dd71149cf05a09d7afd1f9a57a33de3bde8c61bbe.exe, TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description | pid | process | target process
  PID 3772 wrote to memory of 656 | 3772 | 0b6ffa75db6a8515608b477dd71149cf05a09d7afd1f9a57a33de3bde8c61bbe.exe | MediaCenter.exe
  PID 3772 wrote to memory of 656 | 3772 | 0b6ffa75db6a8515608b477dd71149cf05a09d7afd1f9a57a33de3bde8c61bbe.exe | MediaCenter.exe
  PID 3772 wrote to memory of 656 | 3772 | 0b6ffa75db6a8515608b477dd71149cf05a09d7afd1f9a57a33de3bde8c61bbe.exe | MediaCenter.exe
  PID 3772 wrote to memory of 3900 | 3772 | 0b6ffa75db6a8515608b477dd71149cf05a09d7afd1f9a57a33de3bde8c61bbe.exe | cmd.exe
  PID 3772 wrote to memory of 3900 | 3772 | 0b6ffa75db6a8515608b477dd71149cf05a09d7afd1f9a57a33de3bde8c61bbe.exe | cmd.exe
  PID 3772 wrote to memory of 3900 | 3772 | 0b6ffa75db6a8515608b477dd71149cf05a09d7afd1f9a57a33de3bde8c61bbe.exe | cmd.exe
  PID 3900 wrote to memory of 2956 | 3900 | cmd.exe | PING.EXE
  PID 3900 wrote to memory of 2956 | 3900 | cmd.exe | PING.EXE
  PID 3900 wrote to memory of 2956 | 3900 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0b6ffa75db6a8515608b477dd71149cf05a09d7afd1f9a57a33de3bde8c61bbe.exe (PID 3772)
  command line: "C:\Users\Admin\AppData\Local\Temp\0b6ffa75db6a8515608b477dd71149cf05a09d7afd1f9a57a33de3bde8c61bbe.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 656, child of 3772)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 3900, child of 3772)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b6ffa75db6a8515608b477dd71149cf05a09d7afd1f9a57a33de3bde8c61bbe.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 2956, child of 3900)
      command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\MusNotifyIcon.exe (PID 3976)
  command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
- C:\Windows\System32\svchost.exe (PID 1524)
  command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 2964)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: ff525a4a9881ff06f88dd85e8d442392
SHA1: 5c61f70600362036a308bc4c4e0ca032fbba60b9
SHA256: dd2bb970fcd2ffb706ee4b2826635b0f7d991b6666993dde0c1b5b65dc0d74e9
SHA512: 7db738d6e46cf698f8ce17f1367c0ed10882064ec17eee9533d9857158df73a310e702f621113518c8e7c339bc6ac6bcc88d836327a7e776f29486277f97ed89