Analysis
  max time kernel: 159s
  max time network: 172s
  platform: windows10-2004_x64
  resource: win10v2004-en-20220112
  submitted: 12-02-2022 11:09
Static task: static1
Behavioral task: behavioral1
  Sample: 052d285b43fa67a95e17aa19d0bd9d00eeb36051d7d1298b6d0d1ac49dd05b46.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 052d285b43fa67a95e17aa19d0bd9d00eeb36051d7d1298b6d0d1ac49dd05b46.exe
  Resource: win10v2004-en-20220112
General
  Target: 052d285b43fa67a95e17aa19d0bd9d00eeb36051d7d1298b6d0d1ac49dd05b46.exe
  Size: 112KB
  MD5: 3fabeed2ebde29436fe1ec892a6a1cf7
  SHA1: 8247ede14dd40c44a98a992af13781de61ae380e
  SHA256: 052d285b43fa67a95e17aa19d0bd9d00eeb36051d7d1298b6d0d1ac49dd05b46
  SHA512: ca1095e064c205844dcb26c53dfa8ebe49ae888da9c489f51077145dce8f1e7fce838c8e8798756feb8fa4bef87231e523835c3abc3355ec070d678fadf9ed6e
Malware Config
Signatures
Sakula Payload 4 IoCs
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral2/memory/624-132-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral2/memory/2584-133-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE 1 IoCs
  Processes: MediaCenter.exe
  pid | process
  2584 | MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
  Processes: 052d285b43fa67a95e17aa19d0bd9d00eeb36051d7d1298b6d0d1ac49dd05b46.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 052d285b43fa67a95e17aa19d0bd9d00eeb36051d7d1298b6d0d1ac49dd05b46.exe
Adds Run key to start application 2 TTPs 1 IoCs
  Processes: 052d285b43fa67a95e17aa19d0bd9d00eeb36051d7d1298b6d0d1ac49dd05b46.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 052d285b43fa67a95e17aa19d0bd9d00eeb36051d7d1298b6d0d1ac49dd05b46.exe
Drops file in Windows directory 3 IoCs
  Processes: svchost.exe, TiWorker.exe
  description | ioc | process
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
  Processes: MusNotifyIcon.exe
  description | ioc | process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
Modifies data under HKEY_USERS 49 IoCs
  Processes: svchost.exe
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
  Processes: 052d285b43fa67a95e17aa19d0bd9d00eeb36051d7d1298b6d0d1ac49dd05b46.exe, TiWorker.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 624 | 052d285b43fa67a95e17aa19d0bd9d00eeb36051d7d1298b6d0d1ac49dd05b46.exe
  Token: SeSecurityPrivilege | 2116 | TiWorker.exe
  Token: SeRestorePrivilege | 2116 | TiWorker.exe
  Token: SeBackupPrivilege | 2116 | TiWorker.exe
  (the remaining 63 entries are repeats of the three TiWorker.exe token adjustments above)
Suspicious use of WriteProcessMemory 9 IoCs
  Processes: 052d285b43fa67a95e17aa19d0bd9d00eeb36051d7d1298b6d0d1ac49dd05b46.exe, cmd.exe
  description | pid | process | target process
  PID 624 wrote to memory of 2584 | 624 | 052d285b43fa67a95e17aa19d0bd9d00eeb36051d7d1298b6d0d1ac49dd05b46.exe | MediaCenter.exe (3 entries)
  PID 624 wrote to memory of 1620 | 624 | 052d285b43fa67a95e17aa19d0bd9d00eeb36051d7d1298b6d0d1ac49dd05b46.exe | cmd.exe (3 entries)
  PID 1620 wrote to memory of 3344 | 1620 | cmd.exe | PING.EXE (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\052d285b43fa67a95e17aa19d0bd9d00eeb36051d7d1298b6d0d1ac49dd05b46.exe  (PID 624)
  command line: "C:\Users\Admin\AppData\Local\Temp\052d285b43fa67a95e17aa19d0bd9d00eeb36051d7d1298b6d0d1ac49dd05b46.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 2584, child of 624)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe  (PID 1620, child of 624)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\052d285b43fa67a95e17aa19d0bd9d00eeb36051d7d1298b6d0d1ac49dd05b46.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE  (PID 3344, child of 1620)
      command line: ping 127.0.0.1
      - Runs ping.exe
C:\Windows\system32\MusNotifyIcon.exe  (PID 2272)
  command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
C:\Windows\System32\svchost.exe  (PID 2168)
  command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  (PID 2116)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5: f53658ad54ab2ac9be0ce81358e3dfaf
    SHA1: 723cbeed23d3d5722c13f9199a0eec179bbe1064
    SHA256: 16974f6e943356524a55daa43cca021e53f39902617c5cff47e7149ee421f8a1
    SHA512: dce8aa102fc36dabe5484919459ad75beb7675e0885d5912f90a0f8c842b95c3d06e27b675bac7bebff16f3692c627297c079e941cc6cd9552ad3fb7d9ab4987
  memory/624-132-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize: 128KB
  memory/2584-133-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize: 128KB