Analysis
max time kernel: 163s
max time network: 173s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 10:27

Static task: static1

Behavioral task: behavioral1
  Sample: 072af0028a439fb2090e39aa3319ec8be72a294c4e3dfd69c75df0c290d218cc.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 072af0028a439fb2090e39aa3319ec8be72a294c4e3dfd69c75df0c290d218cc.exe
  Resource: win10v2004-en-20220112
General
Target: 072af0028a439fb2090e39aa3319ec8be72a294c4e3dfd69c75df0c290d218cc.exe
Size: 216KB
MD5: c02a2f74ac3cf6d83c491519f2940181
SHA1: 866c89aacfa8afa8bff64fb12774ece4fe869c42
SHA256: 072af0028a439fb2090e39aa3319ec8be72a294c4e3dfd69c75df0c290d218cc
SHA512: f6b86997e9b4849e1f6aa850bf3ad4b0ab787cc2e3b3081a0528ac135311af17e3e4d3ee28baf0acab53ad3f69c53d4bcb4e12b2df66517ad7b05f7dc3944b44
Malware Config
Signatures
(The IoCs below come from the behavioral2 run on win10v2004-en-20220112; the memory dump path under Sakula Payload names that run.)

Sakula Payload (3 IoCs)
  resource                                                                      yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                  family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                  family_sakula
  behavioral2/memory/756-132-0x0000000000400000-0x0000000000420000-memory.dmp   family_sakula
  (The memory match is the sample's own image region in PID 756, 0x400000-0x420000; the file matches are the dropped MediaCenter.exe.)

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

Executes dropped EXE (1 IoC)
  pid    process
  2492   MediaCenter.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  description         ioc                                                                                                 process
  Key value queried   \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation   072af0028a439fb2090e39aa3319ec8be72a294c4e3dfd69c75df0c290d218cc.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description       ioc                                                                                                                                                                        process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   072af0028a439fb2090e39aa3319ec8be72a294c4e3dfd69c75df0c290d218cc.exe
  (Persistence for the dropped MediaCenter.exe. The WOW6432Node path is the registry redirector's 32-bit view: the sample is a 32-bit process on the x64 guest, as the SysWOW64 cmd.exe in the process tree also shows.)

Drops file in Windows directory (2 IoCs)
  description                    ioc                            process
  File opened for modification   C:\Windows\Logs\CBS\CBS.log    TiWorker.exe
  File opened for modification   C:\Windows\WinSxS\pending.xml  TiWorker.exe
  (TiWorker.exe is the Windows Modules Installer worker and a separate top-level process in the tree, not a child of the sample; CBS.log and pending.xml writes are ordinary servicing activity.)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; no IoC is listed for it in this report, and the sample is classified as the Sakula RAT.

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description         ioc                                                                      process
  Key opened          \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0         MusNotifyIcon.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz    MusNotifyIcon.exe
  (Both reads are by MusNotifyIcon.exe, PID 1712, a Windows Update tray notification helper running as its own top-level process; this is guest background noise, not a sandbox check by the sample.)

Modifies data under HKEY_USERS (19 IoCs)
  All 19 entries are written by svchost.exe (PID 3648, -k NetworkService) under the S-1-5-20 (NetworkService) hive. With DO = \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization:
  Key created       DO
  Key created       DO\Config
  Key created       DO\Settings
  Key created       DO\Usage
  Set value (int)   DO\Config\DownloadMode_BackCompat = "1"
  Set value (int)   DO\Config\DODownloadMode = "1"
  Set value (int)   DO\Usage\MonthID = "2"
  Set value (int)   DO\Usage\DownloadMonthlyRateBkBps = "0"
  Set value (int)   DO\Usage\DownloadMonthlyRateBkCnt = "0"
  Set value (int)   DO\Usage\DownloadMonthlyRateFrBps = "0"
  Set value (int)   DO\Usage\DownloadMonthlyRateFrCnt = "0"
  Set value (int)   DO\Usage\DownloadMonthlyInternetBytes = "0"
  Set value (int)   DO\Usage\DownloadMonthlyLanBytes = "0"
  Set value (int)   DO\Usage\DownloadMonthlyLinkLocalBytes = "0"
  Set value (int)   DO\Usage\DownloadMonthlyGroupBytes = "0"
  Set value (int)   DO\Usage\DownloadMonthlyCdnBytes = "0"
  Set value (int)   DO\Usage\DownloadMonthlyCacheHostBytes = "0"
  Set value (int)   DO\Usage\UploadMonthlyLanBytes = "0"
  Set value (int)   DO\Usage\UploadMonthlyInternetBytes = "0"
  (Delivery Optimization bookkeeping by the Windows Update service host; unrelated to the sample.)

Runs ping.exe (1 TTP, 1 IoC)
  (PID 3412 in the process tree: ping 127.0.0.1, launched by cmd.exe as a delay before it deletes the original sample.)

Suspicious use of AdjustPrivilegeToken (22 IoCs)
  description                         pid    process
  Token: SeIncBasePriorityPrivilege   756    072af0028a439fb2090e39aa3319ec8be72a294c4e3dfd69c75df0c290d218cc.exe
  Token: SeSecurityPrivilege          3440   TiWorker.exe   (logged 7 times)
  Token: SeRestorePrivilege           3440   TiWorker.exe   (logged 7 times)
  Token: SeBackupPrivilege            3440   TiWorker.exe   (logged 7 times)
  (Only the first entry belongs to the sample. The 21 TiWorker.exe entries are the servicing stack enabling backup/restore/security privileges, as it normally does.)

Suspicious use of WriteProcessMemory (9 IoCs)
  description                                          pid    process                                                                  target process
  PID 756 wrote to memory of 2492 (logged 3 times)     756    072af0028a439fb2090e39aa3319ec8be72a294c4e3dfd69c75df0c290d218cc.exe   MediaCenter.exe
  PID 756 wrote to memory of 1324 (logged 3 times)     756    072af0028a439fb2090e39aa3319ec8be72a294c4e3dfd69c75df0c290d218cc.exe   cmd.exe
  PID 1324 wrote to memory of 3412 (logged 3 times)    1324   cmd.exe                                                                  PING.EXE
  (Every target is a direct child of the writer in the process tree; the report shows no writes into unrelated processes.)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\072af0028a439fb2090e39aa3319ec8be72a294c4e3dfd69c75df0c290d218cc.exe  (PID 756)
    command line: "C:\Users\Admin\AppData\Local\Temp\072af0028a439fb2090e39aa3319ec8be72a294c4e3dfd69c75df0c290d218cc.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 2492)
        command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        - Executes dropped EXE
    [2] C:\Windows\SysWOW64\cmd.exe  (PID 1324)
        command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\072af0028a439fb2090e39aa3319ec8be72a294c4e3dfd69c75df0c290d218cc.exe"
        (The 32-bit sample asks for System32\cmd.exe and file system redirection hands it the SysWOW64 copy; ping 127.0.0.1 is only a delay so that the parent has exited before del runs.)
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\PING.EXE  (PID 3412)
            command line: ping 127.0.0.1
            - Runs ping.exe

[1] C:\Windows\system32\MusNotifyIcon.exe  (PID 1712)
    command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    - Checks processor information in registry

[1] C:\Windows\System32\svchost.exe  (PID 3648)
    command line: C:\Windows\System32\svchost.exe -k NetworkService -p
    - Modifies data under HKEY_USERS

[1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  (PID 3440)
    command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (listed twice in the report with identical hashes)
  MD5: c485caf9ae5ccb1ec0b0c83e8c498096
  SHA1: 6aac7d5d4faeb8d3319738805245c808194cced0
  SHA256: c23ff95ee297c70136f3097bacc9a410d72bf0ba659ba245349fca3c4a1337bb
  SHA512: 75d22d34e7f125f044b78c12d266bc3931c02979e79d586ae38f7c232d3fcb3899726e5a74bce54ed2afd431ca2fd3a20c4bff042b9f6953cf73693bad9195a6

memory/756-132-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB