Analysis
max time kernel: 150s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 03:40
Static task: static1
Behavioral task: behavioral1
  Sample: 1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe
  Resource: win10v2004-en-20220113
General
Target: 1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe
Size: 216KB
MD5: c0cb2603d8b7146804f64d28aabf9dd1
SHA1: aac0df39bb5d9d123c403a51f75aa9eab7fffb97
SHA256: 1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1
SHA512: 9367dd04737cdebbc35b5b7f35b066bfd63d4fe83cb3cfccfd28381b2e2095ef869d4c7220b4fb10cc150c4adf84a58e022150a388f668fc5cca10e87b72cfb6
Malware Config
Signatures
Sakula Payload 4 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
behavioral2/memory/3044-135-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
behavioral2/memory/4580-136-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE 1 IoCs
Processes: MediaCenter.exe
pid | process
4580 | MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe
Drops file in Windows directory 8 IoCs
Processes: svchost.exe, TiWorker.exe
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: svchost.exe, 1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe, TiWorker.exe
description | pid | process | occurrences
Token: SeShutdownPrivilege | 2992 | svchost.exe | 3
Token: SeCreatePagefilePrivilege | 2992 | svchost.exe | 3
Token: SeIncBasePriorityPrivilege | 3044 | 1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe | 1
Token: SeSecurityPrivilege / SeRestorePrivilege / SeBackupPrivilege | 4896 | TiWorker.exe | remaining 57 entries, cycling through the three tokens
Suspicious use of WriteProcessMemory 9 IoCs
Processes: 1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe, cmd.exe
description | pid | process | target process
PID 3044 wrote to memory of 4580 (3 times) | 3044 | 1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe | MediaCenter.exe
PID 3044 wrote to memory of 3680 (3 times) | 3044 | 1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe | cmd.exe
PID 3680 wrote to memory of 1776 (3 times) | 3680 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe"
  PID: 3044
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 4580
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe"
      PID: 3680
      - Suspicious use of WriteProcessMemory
      (the ping to 127.0.0.1 is a short delay before the dropper deletes its own file)
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          PID: 1776
          - Runs ping.exe

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 2992
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 4896
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

The last two trees are separate roots, not children of the sample: svchost.exe hosting wuauserv is the Windows Update service and TiWorker.exe is the servicing-stack worker, so the file writes under C:\Windows and the token adjustments attributed to them are background system activity rather than sample behaviour.
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 7fc86f8fd7e936e8191d8c53f766ecf7
SHA1: 5bee2aa22df18b0efa79d36933ed1d04290778ba
SHA256: 2d8106a3b5679f48decc4e4572c1bfaad1a27aa5bbd2b6fb5b6c5e84c4c143d2
SHA512: d96fe55c32356d21aa169967922919a834c82bce7ef74442330bad019fe8bcec773cd03ed0163fb1ac64838bc6256b4930e3460ebc77c48b6bcbd9c1cda54ebd