Analysis
max time kernel: 165s
max time network: 180s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 10:14

Static task: static1
Behavioral task: behavioral1
  Sample: 07c8bc520d7ad838c071bb27dab9726a596aaa2569c9272e938285eed64f7167.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 07c8bc520d7ad838c071bb27dab9726a596aaa2569c9272e938285eed64f7167.exe
  Resource: win10v2004-en-20220112
General
Target: 07c8bc520d7ad838c071bb27dab9726a596aaa2569c9272e938285eed64f7167.exe
Size: 92KB
MD5: 87475c079dea8c90c8f852b79f67fd0b
SHA1: 9de7bf064fe83f7f9e646962aecb6a69ea4975e1
SHA256: 07c8bc520d7ad838c071bb27dab9726a596aaa2569c9272e938285eed64f7167
SHA512: 2e445c505ed682c5a8feea79f6b8697144b0dcb026a3206f3eee421dad2642179ad74b66a3c32fb49a7cc43f916120735d9215ea0726652d5c06fb521862dcf2
Malware Config: none extracted in this run
Signatures
Sakula Payload (2 IoCs)
resource yara_rule (matched twice on the same dropped file):
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula

- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
- pid 2148 MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
- Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation (07c8bc520d7ad838c071bb27dab9726a596aaa2569c9272e938285eed64f7167.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (07c8bc520d7ad838c071bb27dab9726a596aaa2569c9272e938285eed64f7167.exe)
The value points at the dropped payload in the user's Temp directory. The sample is a 32-bit process (its cmd.exe child is launched from SysWOW64), so its write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is redirected to the WOW6432Node view; on a 64-bit host, check both views when hunting for this key.
Drops file in Windows directory (3 IoCs)
- File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat (svchost.exe)
- File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
- File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
All three entries come from Windows servicing and Delivery Optimization components (svchost.exe, TiWorker.exe), not from the sample or MediaCenter.exe.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is the sandbox's generic description for the signature; no IoC is attached to it here, and the YARA and Suricata hits above classify the payload as the Sakula/Mivast RAT, not ransomware.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (MusNotifyIcon.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (MusNotifyIcon.exe)
Both reads are by MusNotifyIcon.exe, a Windows Update notification component running in the analysis VM, not by the sample or its dropped payload.
Modifies data under HKEY_USERS (49 IoCs)
All 49 entries are written by svchost.exe (PID 1212, the NetworkService host) under \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization, abbreviated to DO\ below. This is Delivery Optimization bookkeeping from the analysis VM and is unrelated to the sample.
- Set value (int): DO\Usage\UploadMonthlyInternetBytes = "0"
- Set value (int): DO\Usage\DownloadMonthlyCdnBytes = "0"
- Set value (str): DO\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
- Set value (int): DO\Usage\PeerInfoCount = "0"
- Set value (int): DO\Usage\UploadCount = "0"
- Key created: DO
- Set value (int): DO\Usage\DownloadMonthlyCacheHostBytes = "0"
- Set value (int): DO\Usage\DownloadMonthlyGroupBytes = "0"
- Set value (int): DO\Usage\LANConnectionCount = "0"
- Set value (int): DO\Usage\InternetConnectionCount = "0"
- Set value (int): DO\Usage\UplinkUsageBps = "0"
- Set value (int): DO\Usage\UploadRatePct = "100"
- Set value (int): DO\Config\DownloadMode_BackCompat = "1"
- Set value (int): DO\Usage\UploadMonthlyLanBytes = "0"
- Set value (int): DO\Usage\DownloadMonthlyLanBytes = "0"
- Set value (int): DO\Usage\DownloadMonthlyRateBkCnt = "0"
- Set value (int): DO\Usage\DownlinkBps = "0"
- Key created: DO\Config
- Key created: DO\Settings
- Set value (int): DO\Config\DODownloadMode = "1"
- Set value (int): DO\Usage\DownloadMonthlyRateBkBps = "0"
- Set value (int): DO\Usage\SwarmCount = "1"
- Set value (int): DO\Usage\DownlinkUsageBps = "0"
- Set value (int): DO\Usage\FrDownloadRatePct = "90"
- Set value (int): DO\Usage\PriorityDownloadPendingCount = "0"
- Set value (str): DO\Usage\CPUpct = "1.279074"
- Set value (int): DO\Usage\MemoryUsageKB = "4076"
- Set value (int): DO\Usage\MonthID = "2"
- Set value (int): DO\Config\KVFileExpirationTime = "132893121200597764"
- Set value (str): DO\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
- Set value (int): DO\Usage\BkDownloadRatePct = "45"
- Set value (int): DO\Usage\NormalDownloadPendingCount = "0"
- Set value (int): DO\Usage\DownloadMonthlyLinkLocalBytes = "0"
- Set value (int): DO\Usage\CDNConnectionCount = "0"
- Set value (int): DO\Usage\GroupConnectionCount = "0"
- Set value (int): DO\Usage\MonthlyUploadRestriction = "0"
- Set value (int): DO\Usage\PriorityDownloadCount = "0"
- Set value (str): DO\Usage\CPUpct = "33.345711"
- Set value (int): DO\Usage\SwarmCount = "0"
- Key created: DO\Usage
- Set value (int): DO\Usage\DownloadMonthlyRateFrCnt = "0"
- Set value (int): DO\Usage\LinkLocalConnectionCount = "0"
- Set value (int): DO\Usage\UplinkBps = "0"
- Set value (int): DO\Usage\NormalDownloadCount = "0"
- Set value (int): DO\Usage\MemoryUsageKB = "4292"
- Set value (int): DO\Usage\DownloadMonthlyInternetBytes = "0"
- Set value (int): DO\Usage\DownloadMonthlyRateFrBps = "0"
- Set value (int): DO\Usage\CacheSizeBytes = "0"
- Set value (str): DO\Usage\CPUpct = "6.122008"
Runs ping.exe (1 TTP, 1 IoC)
- PING.EXE, pid 3956 (see the process tree below)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Token: SeIncBasePriorityPrivilege, pid 3744 (07c8bc520d7ad838c071bb27dab9726a596aaa2569c9272e938285eed64f7167.exe)
- Token: SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, pid 2928 (TiWorker.exe), 63 entries cycling through these three privileges
Only the first entry belongs to the sample. TiWorker.exe is the Windows Modules Installer worker, and enabling backup, restore and security privileges is normal for component servicing.
Suspicious use of WriteProcessMemory (9 IoCs)
- PID 3744 (07c8bc520d7ad838c071bb27dab9726a596aaa2569c9272e938285eed64f7167.exe) wrote to memory of PID 2148 (MediaCenter.exe), 3 entries
- PID 3744 (07c8bc520d7ad838c071bb27dab9726a596aaa2569c9272e938285eed64f7167.exe) wrote to memory of PID 3456 (cmd.exe), 3 entries
- PID 3456 (cmd.exe) wrote to memory of PID 3956 (PING.EXE), 3 entries
Each pair matches a parent/child relationship in the process tree. This signature also fires on ordinary process creation, so by itself it is not evidence of code injection.
Processes
Image: C:\Users\Admin\AppData\Local\Temp\07c8bc520d7ad838c071bb27dab9726a596aaa2569c9272e938285eed64f7167.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\07c8bc520d7ad838c071bb27dab9726a596aaa2569c9272e938285eed64f7167.exe"
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3744
  Image: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - Executes dropped EXE
  PID: 2148
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\07c8bc520d7ad838c071bb27dab9726a596aaa2569c9272e938285eed64f7167.exe"
  - Suspicious use of WriteProcessMemory
  PID: 3456
    Image: C:\Windows\SysWOW64\PING.EXE
    Command line: ping 127.0.0.1
    - Runs ping.exe
    PID: 3956

The dropper's chain is: drop MediaCenter.exe under %LOCALAPPDATA%\Temp\MicroMedia, register it under the Run key, launch it, then spawn cmd.exe to ping the loopback address as a short delay and delete the original dropper. The command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe: file-system redirection for a 32-bit parent, which is why the Run key write above landed under WOW6432Node.

The following processes are Windows components observed in the VM with no parent link to the sample:

Image: C:\Windows\system32\MusNotifyIcon.exe
Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
- Checks processor information in registry
PID: 1680

Image: C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID: 1212

Image: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 2928
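The persistence, geofence lookup and ping-then-delete chain recorded for PID 3744 above, turned into detection heuristics. This is an added example, not part of the sandbox output: the event records are constructed from this page's IoCs, the flat kind/process/path/value/cmdline/parent schema and the rule names are assumptions of the example, and the ATT&CK technique IDs in the comments are the editor's own mapping rather than anything the report states. The svchost.exe Delivery Optimization entry is included to show that the VM noise does not trip any rule.

```python
"""Triage heuristics for the behaviour this report attributes to the sample.

Added example, not part of the sandbox output. EVENTS is constructed from the
IoCs on the page; the flat schema is an assumption of this example.
"""
import re

SAMPLE = "07c8bc520d7ad838c071bb27dab9726a596aaa2569c9272e938285eed64f7167.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed events mirroring the report's IoCs (order: geofence query,
# Run key write, payload launch, self-delete cmd.exe, ping, svchost noise).
EVENTS = [
    {"kind": "reg_query", "process": SAMPLE,
     "path": r"\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000"
             r"\Control Panel\International\Geo\Nation"},
    {"kind": "reg_set", "process": SAMPLE,
     "path": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
             r"\CurrentVersion\Run\MicroMedia",
     "value": TEMP + r"\MicroMedia\MediaCenter.exe"},
    {"kind": "proc_create", "process": "MediaCenter.exe", "parent": SAMPLE,
     "cmdline": TEMP + r"\MicroMedia\MediaCenter.exe"},
    {"kind": "proc_create", "process": "cmd.exe", "parent": SAMPLE,
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "'
                + TEMP + "\\" + SAMPLE + '"'},
    {"kind": "proc_create", "process": "PING.EXE", "parent": "cmd.exe",
     "cmdline": "ping 127.0.0.1"},
    {"kind": "reg_set", "process": "svchost.exe",
     "path": r"\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion"
             r"\DeliveryOptimization\Usage\UploadCount",
     "value": "0"},
]

# Case-insensitive so the HKLM/HKCU and WOW6432Node variants all match.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
# "ping <loopback> & del <file>": the delay-then-delete self-removal idiom.
PING_DEL = re.compile(r"\bping\b.*\b127\.0\.0\.1\b.*&\s*del\b", re.IGNORECASE)


def run_key_into_temp(ev):
    """Autostart value whose target lives in a user Temp dir (editor's mapping: T1547.001)."""
    return (ev["kind"] == "reg_set"
            and RUN_KEY.search(ev["path"]) is not None
            and USER_TEMP.search(ev.get("value", "")) is not None)


def self_delete_via_ping(ev):
    """cmd.exe waits on ping, then deletes the dropper (editor's mapping: T1070.004)."""
    return ev["kind"] == "proc_create" and PING_DEL.search(ev.get("cmdline", "")) is not None


def geofence_lookup(ev):
    """Reads the configured country code, used as a geofence (editor's mapping: T1614)."""
    return ev["kind"] == "reg_query" and GEO_NATION.search(ev["path"]) is not None


def dropped_exe_in_temp(ev):
    """An .exe launched directly from a user Temp directory."""
    cmd = ev.get("cmdline", "")
    return (ev["kind"] == "proc_create"
            and USER_TEMP.search(cmd) is not None
            and cmd.lower().endswith(".exe"))


RULES = [run_key_into_temp, self_delete_via_ping, geofence_lookup, dropped_exe_in_temp]


def triage(events):
    """Return (rule name, process, detail) for every event that trips a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            if rule(ev):
                hits.append((rule.__name__, ev["process"], ev.get("cmdline") or ev.get("path")))
    return hits


if __name__ == "__main__":
    for name, proc, detail in triage(EVENTS):
        print(f"{name:22} {proc}: {detail}")
```

Run against the constructed events, the four rules fire exactly once each, all on the sample's own chain, and the svchost.exe Delivery Optimization write is not flagged. On real telemetry the same patterns apply to Sysmon event ID 1 (process creation) and event ID 13 (registry value set) records, with the `cmdline` and `path` fields taken from those events.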
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (the page lists this entry twice with identical hashes)
  MD5: 8e24d284aa22e295fdd71f21d7f69649
  SHA1: c306664e87cff4033f7f16b31b6b0ea339d11b74
  SHA256: 5a7da311ca22f35151c01c5b2b3217bf263475424e084b767b76a7352d8ad0cf
  SHA512: 15c7a834add66afa1f7b411c06b4fdf1916d3ba23a2c2b8172fefbc3d24ea15912d202c25f7d2f28c007c2ee136f1514cc850146b91eee3d2b65250342c1be89