Analysis

max time kernel: 160s
max time network: 165s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 11:07

Static task: static1

Behavioral task: behavioral1
  Sample: 054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373.exe
  Resource: win10v2004-en-20220112
General

Target: 054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373.exe
Size: 89KB
MD5: 3b1cd8d8e099dfad0e8df6ab23cfbc19
SHA1: 3351275bc1b46615efa48f27682b83dafdb68318
SHA256: 054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373
SHA512: ab0d85f402cae97673fb95f660d92a287a1d5260004f1cc16d10e849d3d5b7de5c94d375049d97f7b6b3ff5f7301e30efa14c1f35f40c03b6f6739eef52c95bd
Malware Config
Signatures

Sakula Payload 2 IoCs
Processes:
  resource                                                       yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE 1 IoCs
Processes:
  pid    process
  2428   MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code (GeoID) configured in the registry, likely a geofence. The report records only the read, not the value the sample compared it against, so the condition under which it would abort cannot be recovered from this page.
Processes:
  description         ioc                                                                                                          process
  Key value queried   \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation   054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373.exe
Adds Run key to start application 2 TTPs 1 IoCs
The value name is MicroMedia and it points at the dropped payload in the user's Temp directory. The key sits under WOW6432Node because the sample is a 32-bit image running under WOW64 (its children are the SysWOW64 copies of cmd.exe and PING.EXE); on a 32-bit install the same write lands in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, so a hunt should check both views.
Processes:
  description       ioc                                                                                                                                                                process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373.exe
Drops file in Windows directory 3 IoCs
All three writes come from svchost.exe (Delivery Optimization) and TiWorker.exe (Windows servicing), which run outside the sample's process tree; they are sandbox background activity, not behaviour of the sample.
Processes:
  description                   ioc                                                                                                                     process
  File opened for modification   C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat   svchost.exe
  File opened for modification   C:\Windows\Logs\CBS\CBS.log                                                                                              TiWorker.exe
  File opened for modification   C:\Windows\WinSxS\pending.xml                                                                                            TiWorker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The generic signature text calls this likely ransomware behaviour, but no IoC is recorded for it here and the payload is identified as the Sakula/Mivast RAT, so the ransomware reading is not supported by this report.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments. Here the reads come from MusNotifyIcon.exe, a Windows system binary that runs outside the sample's process tree (see Processes), so this hit is sandbox background rather than evasion by the sample.
Processes:
  description         ioc                                                                  process
  Key opened          \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0       MusNotifyIcon.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   MusNotifyIcon.exe
Modifies data under HKEY_USERS 52 IoCs
All 52 entries are written by svchost.exe under the NETWORK SERVICE hive (S-1-5-20) and belong to the Delivery Optimization service; none come from the sample or its children. Paths below are relative to \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization.
Processes:
  description       ioc                                                                                  process
  Set value (str)   Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"   svchost.exe
  Set value (int)   Usage\CDNConnectionCount = "0"                                                       svchost.exe
  Set value (str)   Usage\CPUpct = "12.499800"                                                           svchost.exe
  Key created       Usage                                                                                svchost.exe
  Set value (int)   Usage\DownloadMonthlyRateBkBps = "0"                                                 svchost.exe
  Set value (str)   Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"          svchost.exe
  Set value (int)   Usage\CacheSizeBytes = "0"                                                           svchost.exe
  Set value (int)   Usage\PeerInfoCount = "0"                                                            svchost.exe
  Set value (int)   Usage\LinkLocalConnectionCount = "0"                                                 svchost.exe
  Set value (int)   Usage\InternetConnectionCount = "0"                                                  svchost.exe
  Set value (int)   Usage\UploadCount = "0"                                                              svchost.exe
  Key created       (DeliveryOptimization root)                                                          svchost.exe
  Set value (int)   Usage\DownloadMonthlyCacheHostBytes = "0"                                            svchost.exe
  Set value (int)   Usage\DownloadMonthlyRateFrCnt = "0"                                                 svchost.exe
  Set value (str)   Usage\CPUpct = "3.508768"                                                            svchost.exe
  Set value (int)   Usage\MemoryUsageKB = "4120"                                                         svchost.exe
  Key created       Config                                                                               svchost.exe
  Set value (int)   Usage\SwarmCount = "1"                                                               svchost.exe
  Set value (int)   Usage\UplinkUsageBps = "0"                                                           svchost.exe
  Set value (int)   Usage\DownloadMonthlyGroupBytes = "0"                                                svchost.exe
  Set value (int)   Usage\MonthID = "2"                                                                  svchost.exe
  Set value (int)   Usage\UploadRatePct = "100"                                                          svchost.exe
  Set value (int)   Usage\MonthlyUploadRestriction = "0"                                                 svchost.exe
  Set value (int)   Usage\PriorityDownloadPendingCount = "0"                                             svchost.exe
  Key created       Settings                                                                             svchost.exe
  Set value (int)   Usage\UploadMonthlyLanBytes = "0"                                                    svchost.exe
  Set value (int)   Usage\DownloadMonthlyLinkLocalBytes = "0"                                            svchost.exe
  Set value (str)   Usage\CPUpct = "6.250270"                                                            svchost.exe
  Set value (int)   Usage\SwarmCount = "0"                                                               svchost.exe
  Set value (int)   Usage\DownlinkUsageBps = "0"                                                         svchost.exe
  Set value (int)   Usage\UplinkBps = "0"                                                                svchost.exe
  Set value (int)   Usage\NormalDownloadPendingCount = "0"                                               svchost.exe
  Set value (int)   Usage\MemoryUsageKB = "4020"                                                         svchost.exe
  Set value (int)   Config\DODownloadMode = "1"                                                          svchost.exe
  Set value (int)   Usage\UploadMonthlyInternetBytes = "0"                                               svchost.exe
  Set value (int)   Usage\LANConnectionCount = "0"                                                       svchost.exe
  Set value (int)   Usage\MemoryUsageKB = "4316"                                                         svchost.exe
  Set value (int)   Usage\DownloadMonthlyInternetBytes = "0"                                             svchost.exe
  Set value (int)   Usage\DownloadMonthlyRateFrBps = "0"                                                 svchost.exe
  Set value (int)   Usage\PriorityDownloadCount = "0"                                                    svchost.exe
  Set value (int)   Usage\GroupConnectionCount = "0"                                                     svchost.exe
  Set value (int)   Usage\BkDownloadRatePct = "45"                                                       svchost.exe
  Set value (int)   Usage\MemoryUsageKB = "4320"                                                         svchost.exe
  Set value (int)   Config\DownloadMode_BackCompat = "1"                                                 svchost.exe
  Set value (int)   Usage\DownloadMonthlyCdnBytes = "0"                                                  svchost.exe
  Set value (int)   Usage\DownloadMonthlyRateBkCnt = "0"                                                 svchost.exe
  Set value (int)   Usage\FrDownloadRatePct = "90"                                                       svchost.exe
  Set value (int)   Usage\NormalDownloadCount = "0"                                                      svchost.exe
  Set value (str)   Usage\CPUpct = "0.019868"                                                            svchost.exe
  Set value (int)   Usage\DownloadMonthlyLanBytes = "0"                                                  svchost.exe
  Set value (int)   Config\KVFileExpirationTime = "132893152172113318"                                   svchost.exe
  Set value (int)   Usage\DownlinkBps = "0"                                                              svchost.exe
Runs ping.exe 1 TTPs 1 IoCs
No IoC row is listed under this signature; the hit corresponds to PING.EXE (PID 1356) in the process tree, where the sample's cmd.exe child pings 127.0.0.1 as a delay before deleting the original executable.
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description                    pid    process
  Token: SeSecurityPrivilege     1324   TiWorker.exe
  Token: SeRestorePrivilege      1324   TiWorker.exe
  Token: SeBackupPrivilege       1324   TiWorker.exe
  (all 64 entries are by TiWorker.exe, PID 1324, cycling through these three privileges; this is the Windows servicing stack, outside the sample's process tree)
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  description                     pid    process                                                                  target process
  PID 3112 wrote to memory of 2428   3112   054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373.exe   MediaCenter.exe   (3 times)
  PID 3112 wrote to memory of 3612   3112   054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373.exe   cmd.exe           (3 times)
  PID 3612 wrote to memory of 1356   3612   cmd.exe                                                                  PING.EXE          (3 times)
Processes

C:\Users\Admin\AppData\Local\Temp\054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373.exe  (PID 3112)
  command line: "C:\Users\Admin\AppData\Local\Temp\054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 2428)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe  (PID 3612)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE  (PID 1356)
      command line: ping 127.0.0.1
      - Runs ping.exe

C:\Windows\system32\MusNotifyIcon.exe  (PID 3292)
  command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry

C:\Windows\System32\svchost.exe  (PID 3740)
  command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  (PID 1324)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
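The report mixes the sample's behaviour (the Geo\Nation read, the WOW6432Node Run key, the dropped MediaCenter.exe and the cmd.exe "ping 127.0.0.1 & del /q" self-delete) with sandbox background from svchost.exe, TiWorker.exe and MusNotifyIcon.exe. The following is an added triage helper, not part of the sandbox output or the Sakula tooling: it rebuilds the process tree from parent links, keeps only events raised by the sample's own descendants, and then flags the three behaviours above. The Event schema, the constructed EVENTS list (modelled on the signature tables and process tree on this page) and the regular expressions are assumptions made for the example.

```python
"""Sandbox-report triage: keep only the sample's own process tree, then flag
geofence lookup, Run-key persistence into %TEMP%, and ping-then-delete of the
original file. Added example; EVENTS is constructed from the report's tables."""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
RUN_VALUE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia"
GEO_KEY = r"\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation"
SVCHOST = r"C:\Windows\System32\svchost.exe"
TIWORKER = r"C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe"


@dataclass
class Event:
    kind: str                         # process | registry_set | registry_query | token
    pid: int
    image: str
    parent_pid: Optional[int] = None  # only meaningful for kind == "process"
    command_line: str = ""
    target: str = ""                  # registry path for registry_* events
    detail: str = ""                  # value written, or privilege name for token events


# Constructed from the report (assumption: one row per IoC, repeated rows collapsed).
EVENTS = [
    Event("process", 3112, SAMPLE, None, f'"{SAMPLE}"'),
    Event("registry_query", 3112, SAMPLE, target=GEO_KEY),
    Event("registry_set", 3112, SAMPLE, target=RUN_VALUE, detail=DROPPED),
    Event("process", 2428, DROPPED, 3112, DROPPED),
    Event("process", 3612, r"C:\Windows\SysWOW64\cmd.exe", 3112,
          f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    Event("process", 1356, r"C:\Windows\SysWOW64\PING.EXE", 3612, "ping 127.0.0.1"),
    # Sandbox background activity listed alongside the sample in the report.
    Event("process", 3740, SVCHOST, None, f"{SVCHOST} -k NetworkService -p"),
    Event("registry_set", 3740, SVCHOST, detail="1",
          target=r"\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode"),
    Event("process", 1324, TIWORKER, None, f"{TIWORKER} -Embedding"),
    Event("token", 1324, TIWORKER, detail="SeBackupPrivilege"),
]

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)   # native or WOW6432Node view
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# "ping <loopback> & del [/switches] <path>": delay, then delete.
PING_DEL = re.compile(r'ping\s+127\.0\.0\.1.*&\s*del\s+(?:/\w\s+)*"?(?P<path>[^"]+?)"?\s*$', re.I)


def descendants(events, root_pid):
    """PIDs reachable from root_pid through parent links (root included)."""
    children = {}
    for e in events:
        if e.kind == "process" and e.parent_pid is not None:
            children.setdefault(e.parent_pid, set()).add(e.pid)
    seen, todo = {root_pid}, [root_pid]
    while todo:
        for child in children.get(todo.pop(), ()):
            if child not in seen:
                seen.add(child)
                todo.append(child)
    return seen


def sample_events(events, root_pid):
    """Drop everything not produced by the sample or one of its descendants."""
    pids = descendants(events, root_pid)
    return [e for e in events if e.pid in pids]


def find_run_key_persistence(events):
    """Run-key values whose payload lives under a user's Temp directory."""
    return [(e.pid, e.target, e.detail) for e in events
            if e.kind == "registry_set" and RUN_KEY.search(e.target) and TEMP_DIR.search(e.detail)]


def find_geofence_checks(events):
    """PIDs that read the configured country code (Geo\\Nation)."""
    return [e.pid for e in events if e.kind == "registry_query" and GEO_NATION.search(e.target)]


def find_self_delete(events):
    """cmd.exe 'ping & del' whose delete target is the image of its own parent."""
    image_by_pid = {e.pid: e.image for e in events if e.kind == "process"}
    hits = []
    for e in events:
        if e.kind != "process" or not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = PING_DEL.search(e.command_line)
        if m and image_by_pid.get(e.parent_pid, "").lower() == m["path"].lower():
            hits.append((e.pid, m["path"]))
    return hits


def triage(events, root_pid):
    own = sample_events(events, root_pid)
    return {
        "sample_pids": sorted(descendants(events, root_pid)),
        "run_key_persistence": find_run_key_persistence(own),
        "geofence_checks": find_geofence_checks(own),
        "self_delete": find_self_delete(own),
        "background_events_ignored": len(events) - len(own),
    }


if __name__ == "__main__":
    print(triage(EVENTS, 3112))
```

The self-delete check deliberately requires the `del` target to equal the parent's image path rather than matching on "ping & del" alone: installers and update scripts use the same idiom, and the lineage check is what separates a sample erasing itself from routine cleanup. Run against the constructed events it reports PIDs 3112, 2428, 3612 and 1356 as the sample's tree and ignores the four svchost/TiWorker events.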
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5: 5a5b39c9280235f27be2f303288b38c0
SHA1: bd10b887e15a90b9e32b6f98ef1ccd5c3985a895
SHA256: f2ee8b56bf979da033b8caa6c37dda2b4fd06edf77b8c4940539ec8b8829d242
SHA512: cd7b8258d3c3a42e149d829966bcde88c527b6a02e7ef47d68911abeb560ca5d3c8e4a25be280ad6c3dfc5790ab4364b535431be8590ec9cb8e19c81a29b080a