Analysis
- max time kernel: 144s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 02:53
Static task: static1
Behavioral task: behavioral1
- Sample: 1925aefc018e2af404e0f851b787329b48d593b702f89287e99fcffe60ca3f09.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1925aefc018e2af404e0f851b787329b48d593b702f89287e99fcffe60ca3f09.exe
- Resource: win10v2004-en-20220113
General
- Target: 1925aefc018e2af404e0f851b787329b48d593b702f89287e99fcffe60ca3f09.exe
- Size: 150KB
- MD5: d968c9bd1c6e29be782ce878999b61fe
- SHA1: e918263a1770b42f4d82e71ecd839aa5a5a73b35
- SHA256: 1925aefc018e2af404e0f851b787329b48d593b702f89287e99fcffe60ca3f09
- SHA512: 8854e0d01c3a717125ee482a031b5c566a555327f5fffa647e72589e7df01030b7967ba41b032a1bc0977fe7f31b93215491643ab3a65414c2920dcd2d78fbf6
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  4668 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 1925aefc018e2af404e0f851b787329b48d593b702f89287e99fcffe60ca3f09.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1925aefc018e2af404e0f851b787329b48d593b702f89287e99fcffe60ca3f09.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 4172 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4172 | svchost.exe
  Token: SeShutdownPrivilege | 4172 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4172 | svchost.exe
  Token: SeShutdownPrivilege | 4172 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4172 | svchost.exe
  Token: SeSecurityPrivilege | 3432 | TiWorker.exe
  Token: SeRestorePrivilege | 3432 | TiWorker.exe
  Token: SeBackupPrivilege | 3432 | TiWorker.exe
  Token: SeBackupPrivilege | 3432 | TiWorker.exe
  Token: SeRestorePrivilege | 3432 | TiWorker.exe
  Token: SeSecurityPrivilege | 3432 | TiWorker.exe
  Token: SeBackupPrivilege | 3432 | TiWorker.exe
  Token: SeRestorePrivilege | 3432 | TiWorker.exe
  Token: SeSecurityPrivilege | 3432 | TiWorker.exe
  Token: SeBackupPrivilege | 3432 | TiWorker.exe
  Token: SeRestorePrivilege | 3432 | TiWorker.exe
  Token: SeSecurityPrivilege | 3432 | TiWorker.exe
  Token: SeBackupPrivilege | 3432 | TiWorker.exe
  Token: SeRestorePrivilege | 3432 | TiWorker.exe
  Token: SeSecurityPrivilege | 3432 | TiWorker.exe
  Token: SeBackupPrivilege | 3432 | TiWorker.exe
  Token: SeRestorePrivilege | 3432 | TiWorker.exe
  Token: SeSecurityPrivilege | 3432 | TiWorker.exe
  Token: SeBackupPrivilege | 3432 | TiWorker.exe
  Token: SeRestorePrivilege | 3432 | TiWorker.exe
  Token: SeSecurityPrivilege | 3432 | TiWorker.exe
  Token: SeBackupPrivilege | 3432 | TiWorker.exe
  Token: SeRestorePrivilege | 3432 | TiWorker.exe
  Token: SeSecurityPrivilege | 3432 | TiWorker.exe
  Token: SeBackupPrivilege | 3432 | TiWorker.exe
  Token: SeRestorePrivilege | 3432 | TiWorker.exe
  Token: SeSecurityPrivilege | 3432 | TiWorker.exe
  Token: SeBackupPrivilege | 3432 | TiWorker.exe
  Token: SeRestorePrivilege | 3432 | TiWorker.exe
  Token: SeSecurityPrivilege | 3432 | TiWorker.exe
  Token: SeBackupPrivilege | 3432 | TiWorker.exe
  Token: SeRestorePrivilege | 3432 | TiWorker.exe
  Token: SeSecurityPrivilege | 3432 | TiWorker.exe
  Token: SeBackupPrivilege | 3432 | TiWorker.exe
  Token: SeRestorePrivilege | 3432 | TiWorker.exe
  Token: SeSecurityPrivilege | 3432 | TiWorker.exe
  Token: SeBackupPrivilege | 3432 | TiWorker.exe
  Token: SeRestorePrivilege | 3432 | TiWorker.exe
  Token: SeSecurityPrivilege | 3432 | TiWorker.exe
  Token: SeBackupPrivilege | 3432 | TiWorker.exe
  Token: SeRestorePrivilege | 3432 | TiWorker.exe
  Token: SeSecurityPrivilege | 3432 | TiWorker.exe
  Token: SeBackupPrivilege | 3432 | TiWorker.exe
  Token: SeRestorePrivilege | 3432 | TiWorker.exe
  Token: SeSecurityPrivilege | 3432 | TiWorker.exe
  Token: SeBackupPrivilege | 3432 | TiWorker.exe
  Token: SeRestorePrivilege | 3432 | TiWorker.exe
  Token: SeSecurityPrivilege | 3432 | TiWorker.exe
  Token: SeBackupPrivilege | 3432 | TiWorker.exe
  Token: SeRestorePrivilege | 3432 | TiWorker.exe
  Token: SeSecurityPrivilege | 3432 | TiWorker.exe
  Token: SeBackupPrivilege | 3432 | TiWorker.exe
  Token: SeRestorePrivilege | 3432 | TiWorker.exe
  Token: SeSecurityPrivilege | 3432 | TiWorker.exe
  Token: SeBackupPrivilege | 3432 | TiWorker.exe
  Token: SeRestorePrivilege | 3432 | TiWorker.exe
  Token: SeSecurityPrivilege | 3432 | TiWorker.exe
  Token: SeBackupPrivilege | 3432 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 4496 wrote to memory of 4668 | 4496 | 1925aefc018e2af404e0f851b787329b48d593b702f89287e99fcffe60ca3f09.exe | MediaCenter.exe
  PID 4496 wrote to memory of 4668 | 4496 | 1925aefc018e2af404e0f851b787329b48d593b702f89287e99fcffe60ca3f09.exe | MediaCenter.exe
  PID 4496 wrote to memory of 4668 | 4496 | 1925aefc018e2af404e0f851b787329b48d593b702f89287e99fcffe60ca3f09.exe | MediaCenter.exe
  PID 4496 wrote to memory of 760 | 4496 | 1925aefc018e2af404e0f851b787329b48d593b702f89287e99fcffe60ca3f09.exe | cmd.exe
  PID 4496 wrote to memory of 760 | 4496 | 1925aefc018e2af404e0f851b787329b48d593b702f89287e99fcffe60ca3f09.exe | cmd.exe
  PID 4496 wrote to memory of 760 | 4496 | 1925aefc018e2af404e0f851b787329b48d593b702f89287e99fcffe60ca3f09.exe | cmd.exe
  PID 760 wrote to memory of 4448 | 760 | cmd.exe | PING.EXE
  PID 760 wrote to memory of 4448 | 760 | cmd.exe | PING.EXE
  PID 760 wrote to memory of 4448 | 760 | cmd.exe | PING.EXE
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\1925aefc018e2af404e0f851b787329b48d593b702f89287e99fcffe60ca3f09.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1925aefc018e2af404e0f851b787329b48d593b702f89287e99fcffe60ca3f09.exe"
  PID: 4496
  Signatures:
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  Children:
  - Image: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4668
    Signatures:
    - Executes dropped EXE
  - Image: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1925aefc018e2af404e0f851b787329b48d593b702f89287e99fcffe60ca3f09.exe"
    PID: 760
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - Image: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 4448
      Signatures:
      - Runs ping.exe
- Image: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4172
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- Image: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3432
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: beb6ba843c39f6c058a03e99ad515e95
  SHA1: 0e26e217a863929794448e6678f110035028f935
  SHA256: 9673127fc69462854925a6a353de15fc7b10f8b4cab702b0c2b68b981cdce750
  SHA512: 0cf8d25d8dca59f9ca7018950c5c3492df02a1cd8ce632b40a1d8fbd1e427557448226dabfe20799dec8323e4384caf9fc767018e7b2e60c196ae55d942f4422