Analysis
- max time kernel: 159s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 07:58

Static task: static1

Behavioral task: behavioral1
  Sample: 0c1197490da468c830162e72771ad2afa35d77c4cfb80c8500b922ca54247895.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 0c1197490da468c830162e72771ad2afa35d77c4cfb80c8500b922ca54247895.exe
  Resource: win10v2004-en-20220112
General
- Target: 0c1197490da468c830162e72771ad2afa35d77c4cfb80c8500b922ca54247895.exe
- Size: 176KB
- MD5: 32d3fce1821f3c951ac526f213359e43
- SHA1: 7cc1e36e1364688e3575386638cbd5f013a2d2ec
- SHA256: 0c1197490da468c830162e72771ad2afa35d77c4cfb80c8500b922ca54247895
- SHA512: a3263845f1e4caa9840a7d4ebc9c618d77dd473d79c2235b2dbdfe3902f2878fc2189c81276d2115d77c9150602357a3d2095a19aebeac3bd0ae700250e6a374
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
    resource | yara_rule
    - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    - behavioral2/memory/2564-132-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoCs)
  Processes:
    pid | process
    - 2984 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    - Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 0c1197490da468c830162e72771ad2afa35d77c4cfb80c8500b922ca54247895.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0c1197490da468c830162e72771ad2afa35d77c4cfb80c8500b922ca54247895.exe
- Drops file in Windows directory (3 IoCs)
  Processes:
    description | ioc | process
    - File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
    - File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
    - File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    - Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
    - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
- Modifies data under HKEY_USERS (49 IoCs)
  Processes: svchost.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    description | pid | process
    - Token: SeIncBasePriorityPrivilege | 2564 | 0c1197490da468c830162e72771ad2afa35d77c4cfb80c8500b922ca54247895.exe
    - Token: SeSecurityPrivilege | 1892 | TiWorker.exe
    - Token: SeRestorePrivilege | 1892 | TiWorker.exe
    - Token: SeBackupPrivilege | 1892 | TiWorker.exe
  The three TiWorker.exe token events recur repeatedly across the 64 IoCs.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description | pid | process | target process
    - PID 2564 wrote to memory of 2984 | 2564 | 0c1197490da468c830162e72771ad2afa35d77c4cfb80c8500b922ca54247895.exe | MediaCenter.exe
    - PID 2564 wrote to memory of 4016 | 2564 | 0c1197490da468c830162e72771ad2afa35d77c4cfb80c8500b922ca54247895.exe | cmd.exe
    - PID 4016 wrote to memory of 700 | 4016 | cmd.exe | PING.EXE
  Each of the three events is recorded three times.
Processes
- C:\Users\Admin\AppData\Local\Temp\0c1197490da468c830162e72771ad2afa35d77c4cfb80c8500b922ca54247895.exe (PID: 2564)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c1197490da468c830162e72771ad2afa35d77c4cfb80c8500b922ca54247895.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID: 2984)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID: 4016)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c1197490da468c830162e72771ad2afa35d77c4cfb80c8500b922ca54247895.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID: 700)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\MusNotifyIcon.exe (PID: 2896)
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
- C:\Windows\System32\svchost.exe (PID: 3448)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID: 1892)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 0a66b5431c75e815dcf723887ac396b5
  SHA1: b725d3cc2c47aff123c17115abc82807b55095c9
  SHA256: 81a232702cfd7dfe6e4af66692f9fc5fd4435829d7574f704302515f6e202102
  SHA512: 1ac88c2fd10f90595a2aa5007e84e01fe9f36200d859066de10fc1a056ec0d276256a2d4cee2ec467d95018007e52bac58eff0bf632ea5e66fa748cfaf080790