Analysis
- max time kernel: 161s
- max time network: 170s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 11:30
Static task: static1
Behavioral task: behavioral1
- Sample: 0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439.exe
- Resource: win10v2004-en-20220112
General
- Target: 0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439.exe
- Size: 150KB
- MD5: ac1f85e59d1c3c0c624d0fa7225d629a
- SHA1: d1879b3f8b1432cd895a8f41e0f21fced5a97b78
- SHA256: 0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439
- SHA512: fbe3658c29d3f241f65479d4c6b6de17ebe6ec5c8033e885a8e9742c9ee01c1bd69025990d6bc467c489421f6130193b224957e9e4a34965732d6f81cb537de3
Malware Config
Signatures
- Sakula Payload 2 IoCs
Processes:
resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exe (PID 3212)
- Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439.exe: Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Drops file in Windows directory 3 IoCs
Processes:
svchost.exe: File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat
TiWorker.exe: File opened for modification C:\Windows\Logs\CBS\CBS.log
TiWorker.exe: File opened for modification C:\Windows\WinSxS\pending.xml
- Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
MusNotifyIcon.exe: Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
MusNotifyIcon.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- Modifies data under HKEY_USERS 54 IoCs
Processes:
svchost.exe
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
TiWorker.exe, 0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439.exe
- Suspicious use of WriteProcessMemory 9 IoCs
Processes:
PID 8 (0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439.exe) wrote to memory of PID 3212 (MediaCenter.exe)
PID 8 (0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439.exe) wrote to memory of PID 3212 (MediaCenter.exe)
PID 8 (0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439.exe) wrote to memory of PID 3212 (MediaCenter.exe)
PID 8 (0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439.exe) wrote to memory of PID 900 (cmd.exe)
PID 8 (0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439.exe) wrote to memory of PID 900 (cmd.exe)
PID 8 (0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439.exe) wrote to memory of PID 900 (cmd.exe)
PID 900 (cmd.exe) wrote to memory of PID 4008 (PING.EXE)
PID 900 (cmd.exe) wrote to memory of PID 4008 (PING.EXE)
PID 900 (cmd.exe) wrote to memory of PID 4008 (PING.EXE)
Processes
- C:\Users\Admin\AppData\Local\Temp\0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439.exe (PID 8)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 3212)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 900)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 4008)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\MusNotifyIcon.exe (PID 2592)
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 0
  - Checks processor information in registry
- C:\Windows\System32\svchost.exe (PID 3336)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 3000)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5: 8ced5b0e61e665b1d9db22e2d77d2937
SHA1: 9eb1305395f2b4960f3228cafe56c9aee075922e
SHA256: 7c278f5dba5068df0b79d992e8e479acc4eee6672b300ff29c86429a29d58c36
SHA512: 1e95cfdfaa72e8b37fe0a5e6b3e4ae63c1284658fd4852d651eae59a543ffadadc0e88a6cc9eb261354faa402b970aebe60b317b85f684ed45a686e87fbc5be3