Analysis
- max time kernel: 121s
- max time network: 132s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 03:30
Static task: static1
Behavioral task: behavioral1
  Sample: 177c9fb764713a87dac6d77da7c14199e55cae59f8c8d11a555d8d49ad9ab7a7.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 177c9fb764713a87dac6d77da7c14199e55cae59f8c8d11a555d8d49ad9ab7a7.exe
  Resource: win10v2004-en-20220113
General
- Target: 177c9fb764713a87dac6d77da7c14199e55cae59f8c8d11a555d8d49ad9ab7a7.exe
- Size: 116KB
- MD5: b2083008ffaac26f91d7ba39936a3f3a
- SHA1: 5c3c76a4630beaa0c3a631ebae7bbc9b6eeea5d8
- SHA256: 177c9fb764713a87dac6d77da7c14199e55cae59f8c8d11a555d8d49ad9ab7a7
- SHA512: 112c20691a397b454c47867e0422edfdacd769fa695e08a83d766f6411127e5d5ea4288aa195af74f7472b4d2a716257144d2eee335659ceea2e83a478ea4386
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral2/memory/952-135-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral2/memory/1320-136-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoCs)
  pid | process
  1320 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 177c9fb764713a87dac6d77da7c14199e55cae59f8c8d11a555d8d49ad9ab7a7.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 177c9fb764713a87dac6d77da7c14199e55cae59f8c8d11a555d8d49ad9ab7a7.exe
- Drops file in Windows directory (8 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs; identical entries collapsed, count in last column)
  description | pid | process | occurrences
  Token: SeShutdownPrivilege | 1088 | svchost.exe | 3
  Token: SeCreatePagefilePrivilege | 1088 | svchost.exe | 3
  Token: SeIncBasePriorityPrivilege | 952 | 177c9fb764713a87dac6d77da7c14199e55cae59f8c8d11a555d8d49ad9ab7a7.exe | 1
  Token: SeSecurityPrivilege | 3952 | TiWorker.exe | 19
  Token: SeRestorePrivilege | 3952 | TiWorker.exe | 19
  Token: SeBackupPrivilege | 3952 | TiWorker.exe | 19
- Suspicious use of WriteProcessMemory (9 IoCs; identical entries collapsed, count in last column)
  description | pid | process | target process | occurrences
  PID 952 wrote to memory of 1320 | 952 | 177c9fb764713a87dac6d77da7c14199e55cae59f8c8d11a555d8d49ad9ab7a7.exe | MediaCenter.exe | 3
  PID 952 wrote to memory of 4932 | 952 | 177c9fb764713a87dac6d77da7c14199e55cae59f8c8d11a555d8d49ad9ab7a7.exe | cmd.exe | 3
  PID 4932 wrote to memory of 1800 | 4932 | cmd.exe | PING.EXE | 3
Processes
- C:\Users\Admin\AppData\Local\Temp\177c9fb764713a87dac6d77da7c14199e55cae59f8c8d11a555d8d49ad9ab7a7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\177c9fb764713a87dac6d77da7c14199e55cae59f8c8d11a555d8d49ad9ab7a7.exe"
  PID: 952
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1320
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\177c9fb764713a87dac6d77da7c14199e55cae59f8c8d11a555d8d49ad9ab7a7.exe"
    PID: 4932
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1800
      Signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 1088
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3952
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: c8a5f2e410e1f6188133a607400e5256
  SHA1: 6df5ae9783053088c4e095782d2958b45799dcb7
  SHA256: 76c7d1ac2561d0d780d8dcd15379d1615769e4bb937d0120d7cf2fd0b877068f
  SHA512: 9c83e930446fe0a1a7a6f19f31fa2daa7ef5a7b282108f40b19020fa32510697dcd22bc4444a502a42d6953f13e2dfb57ec19a1d348b803065a7bacf54e3152a
- MD5: c8a5f2e410e1f6188133a607400e5256
  SHA1: 6df5ae9783053088c4e095782d2958b45799dcb7
  SHA256: 76c7d1ac2561d0d780d8dcd15379d1615769e4bb937d0120d7cf2fd0b877068f
  SHA512: 9c83e930446fe0a1a7a6f19f31fa2daa7ef5a7b282108f40b19020fa32510697dcd22bc4444a502a42d6953f13e2dfb57ec19a1d348b803065a7bacf54e3152a