Analysis
max time kernel: 151s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 08:32
Static task: static1
Behavioral task: behavioral1
  Sample: 0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef.exe
  Resource: win10v2004-en-20220112
General
Target: 0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef.exe
Size: 89KB
MD5: 0e28f089c4b3a35f557b2451c7dfa51f
SHA1: ecd8b322635e4f05408085d7f987d1342c97f39a
SHA256: 0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef
SHA512: deaea20b44d9be8f6d998691d686a5a885c728acfa2948b08599e3a31dcf24aab0ae14c093de5f8078bc6a27cce9f1bc91b25faec6f077061989f0b75758b5ef
Malware Config
Signatures
-
Sakula Payload (2 IoCs)
Processes:
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe - yara rule: family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe - yara rule: family_sakula
-
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE (1 IoCs)
Processes:
  MediaCenter.exe (PID 452)
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef.exe: Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation
-
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
-
Drops file in Windows directory (3 IoCs)
Processes:
  TiWorker.exe: File opened for modification C:\Windows\Logs\CBS\CBS.log
  TiWorker.exe: File opened for modification C:\Windows\WinSxS\pending.xml
  svchost.exe: File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS (49 IoCs)
Processes: svchost.exe
-
Runs ping.exe (1 TTPs, 1 IoCs)
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: TiWorker.exe, 0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  PID 3640 (0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef.exe) wrote to memory of PID 452 (MediaCenter.exe)
  PID 3640 (0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef.exe) wrote to memory of PID 452 (MediaCenter.exe)
  PID 3640 (0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef.exe) wrote to memory of PID 452 (MediaCenter.exe)
  PID 3640 (0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef.exe) wrote to memory of PID 1828 (cmd.exe)
  PID 3640 (0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef.exe) wrote to memory of PID 1828 (cmd.exe)
  PID 3640 (0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef.exe) wrote to memory of PID 1828 (cmd.exe)
  PID 1828 (cmd.exe) wrote to memory of PID 1904 (PING.EXE)
  PID 1828 (cmd.exe) wrote to memory of PID 1904 (PING.EXE)
  PID 1828 (cmd.exe) wrote to memory of PID 1904 (PING.EXE)
Processes
C:\Users\Admin\AppData\Local\Temp\0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef.exe (PID 3640)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 452)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe (PID 1828)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (PID 1904)
      Command line: ping 127.0.0.1
      - Runs ping.exe
C:\Windows\System32\svchost.exe (PID 516)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 3580)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5: 8f51a6a4285edd13111e76227cccf059
SHA1: 15b15591b741904d86176abdb79e16848df5943b
SHA256: bedd34b1d2d1809a5b0056790c58b7fe63e631f906271bb155b994068577fc9c
SHA512: 44617abf435486be9975fd728759fe4d80251a79940e89059abaadbaeac04c2a60169c656783bd3eb517becf6ec14f8ef7c9c4f71b0bee2d36c46cc654002b8d