Analysis
-
max time kernel
165s -
max time network
175s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
12-02-2022 11:19
Static task
static1
Behavioral task
behavioral1
Sample
04aecaa6bd2909c7cc700f0e0b6eb922d227b00409fd4cec9e3f54c49454342a.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
04aecaa6bd2909c7cc700f0e0b6eb922d227b00409fd4cec9e3f54c49454342a.exe
Resource
win10v2004-en-20220112
General
-
Target
04aecaa6bd2909c7cc700f0e0b6eb922d227b00409fd4cec9e3f54c49454342a.exe
-
Size
150KB
-
MD5
888e8e23f8091cb237feb652bc8652a0
-
SHA1
8cfde56bdb72810ea21cbbf21654faa745a8208d
-
SHA256
04aecaa6bd2909c7cc700f0e0b6eb922d227b00409fd4cec9e3f54c49454342a
-
SHA512
03e9153e17fef008304ebcf207ece03d128e5c250eb2b3980f74e3a26635edd90388884397ea14487173050e1129ba4d3bc26954ea799e8585fd955ec6717ff7
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 3676 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
04aecaa6bd2909c7cc700f0e0b6eb922d227b00409fd4cec9e3f54c49454342a.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation 04aecaa6bd2909c7cc700f0e0b6eb922d227b00409fd4cec9e3f54c49454342a.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
04aecaa6bd2909c7cc700f0e0b6eb922d227b00409fd4cec9e3f54c49454342a.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 04aecaa6bd2909c7cc700f0e0b6eb922d227b00409fd4cec9e3f54c49454342a.exe -
Drops file in Windows directory 3 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 54 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4304" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132893160706584708" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.141143" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "4" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "7.142968" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "7.353437" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.008074" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "90228624" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4088" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "1157726" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" svchost.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
TiWorker.exe04aecaa6bd2909c7cc700f0e0b6eb922d227b00409fd4cec9e3f54c49454342a.exedescription pid process Token: SeSecurityPrivilege 3608 TiWorker.exe Token: SeRestorePrivilege 3608 TiWorker.exe Token: SeBackupPrivilege 3608 TiWorker.exe Token: SeIncBasePriorityPrivilege 4072 04aecaa6bd2909c7cc700f0e0b6eb922d227b00409fd4cec9e3f54c49454342a.exe Token: SeBackupPrivilege 3608 TiWorker.exe Token: SeRestorePrivilege 3608 TiWorker.exe Token: SeSecurityPrivilege 3608 TiWorker.exe Token: SeBackupPrivilege 3608 TiWorker.exe Token: SeRestorePrivilege 3608 TiWorker.exe Token: SeSecurityPrivilege 3608 TiWorker.exe Token: SeBackupPrivilege 3608 TiWorker.exe Token: SeRestorePrivilege 3608 TiWorker.exe Token: SeSecurityPrivilege 3608 TiWorker.exe Token: SeBackupPrivilege 3608 TiWorker.exe Token: SeRestorePrivilege 3608 TiWorker.exe Token: SeSecurityPrivilege 3608 TiWorker.exe Token: SeBackupPrivilege 3608 TiWorker.exe Token: SeRestorePrivilege 3608 TiWorker.exe Token: SeSecurityPrivilege 3608 TiWorker.exe Token: SeBackupPrivilege 3608 TiWorker.exe Token: SeRestorePrivilege 3608 TiWorker.exe Token: SeSecurityPrivilege 3608 TiWorker.exe Token: SeBackupPrivilege 3608 TiWorker.exe Token: SeRestorePrivilege 3608 TiWorker.exe Token: SeSecurityPrivilege 3608 TiWorker.exe Token: SeBackupPrivilege 3608 TiWorker.exe Token: SeRestorePrivilege 3608 TiWorker.exe Token: SeSecurityPrivilege 3608 TiWorker.exe Token: SeBackupPrivilege 3608 TiWorker.exe Token: SeRestorePrivilege 3608 TiWorker.exe Token: SeSecurityPrivilege 3608 TiWorker.exe Token: SeBackupPrivilege 3608 TiWorker.exe Token: SeRestorePrivilege 3608 TiWorker.exe Token: SeSecurityPrivilege 3608 TiWorker.exe Token: SeBackupPrivilege 3608 TiWorker.exe Token: SeRestorePrivilege 3608 TiWorker.exe Token: SeSecurityPrivilege 3608 TiWorker.exe Token: SeBackupPrivilege 3608 TiWorker.exe Token: SeRestorePrivilege 3608 TiWorker.exe Token: SeSecurityPrivilege 3608 TiWorker.exe Token: SeBackupPrivilege 3608 TiWorker.exe Token: SeRestorePrivilege 3608 TiWorker.exe Token: SeSecurityPrivilege 3608 TiWorker.exe Token: SeBackupPrivilege 3608 TiWorker.exe Token: SeRestorePrivilege 3608 TiWorker.exe Token: SeSecurityPrivilege 3608 TiWorker.exe Token: SeBackupPrivilege 3608 TiWorker.exe Token: SeRestorePrivilege 3608 TiWorker.exe Token: SeSecurityPrivilege 3608 TiWorker.exe Token: SeBackupPrivilege 3608 TiWorker.exe Token: SeRestorePrivilege 3608 TiWorker.exe Token: SeSecurityPrivilege 3608 TiWorker.exe Token: SeBackupPrivilege 3608 TiWorker.exe Token: SeRestorePrivilege 3608 TiWorker.exe Token: SeSecurityPrivilege 3608 TiWorker.exe Token: SeBackupPrivilege 3608 TiWorker.exe Token: SeRestorePrivilege 3608 TiWorker.exe Token: SeSecurityPrivilege 3608 TiWorker.exe Token: SeBackupPrivilege 3608 TiWorker.exe Token: SeRestorePrivilege 3608 TiWorker.exe Token: SeSecurityPrivilege 3608 TiWorker.exe Token: SeBackupPrivilege 3608 TiWorker.exe Token: SeRestorePrivilege 3608 TiWorker.exe Token: SeSecurityPrivilege 3608 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
04aecaa6bd2909c7cc700f0e0b6eb922d227b00409fd4cec9e3f54c49454342a.execmd.exedescription pid process target process PID 4072 wrote to memory of 3676 4072 04aecaa6bd2909c7cc700f0e0b6eb922d227b00409fd4cec9e3f54c49454342a.exe MediaCenter.exe PID 4072 wrote to memory of 3676 4072 04aecaa6bd2909c7cc700f0e0b6eb922d227b00409fd4cec9e3f54c49454342a.exe MediaCenter.exe PID 4072 wrote to memory of 3676 4072 04aecaa6bd2909c7cc700f0e0b6eb922d227b00409fd4cec9e3f54c49454342a.exe MediaCenter.exe PID 4072 wrote to memory of 2708 4072 04aecaa6bd2909c7cc700f0e0b6eb922d227b00409fd4cec9e3f54c49454342a.exe cmd.exe PID 4072 wrote to memory of 2708 4072 04aecaa6bd2909c7cc700f0e0b6eb922d227b00409fd4cec9e3f54c49454342a.exe cmd.exe PID 4072 wrote to memory of 2708 4072 04aecaa6bd2909c7cc700f0e0b6eb922d227b00409fd4cec9e3f54c49454342a.exe cmd.exe PID 2708 wrote to memory of 1868 2708 cmd.exe PING.EXE PID 2708 wrote to memory of 1868 2708 cmd.exe PING.EXE PID 2708 wrote to memory of 1868 2708 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\04aecaa6bd2909c7cc700f0e0b6eb922d227b00409fd4cec9e3f54c49454342a.exe"C:\Users\Admin\AppData\Local\Temp\04aecaa6bd2909c7cc700f0e0b6eb922d227b00409fd4cec9e3f54c49454342a.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:3676 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\04aecaa6bd2909c7cc700f0e0b6eb922d227b00409fd4cec9e3f54c49454342a.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1868
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3264
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3608
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
ca54b1ade39d92169330ef68d50338f2
SHA16b61909498a380ae9ab2551145857fe51c97831a
SHA256c9baee33ff90828ad76565a2e27383f4de2078b59f75bc0f37be0a8b04776935
SHA5125c46dab370ac972f98051bd8269cb7b5fab85f723d1dd482263b4e560cbdebe68a4f8a5f36b78540b0e5927b43a51ae167b2aa79e936297224054739df40c415
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
ca54b1ade39d92169330ef68d50338f2
SHA16b61909498a380ae9ab2551145857fe51c97831a
SHA256c9baee33ff90828ad76565a2e27383f4de2078b59f75bc0f37be0a8b04776935
SHA5125c46dab370ac972f98051bd8269cb7b5fab85f723d1dd482263b4e560cbdebe68a4f8a5f36b78540b0e5927b43a51ae167b2aa79e936297224054739df40c415