Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 02:55
Static task: static1
Behavioral task: behavioral1
- Sample: 1917deca4b6ca49084cc32ac50c86feef3ac607d7d65f4964e9fda0b2d5b9820.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1917deca4b6ca49084cc32ac50c86feef3ac607d7d65f4964e9fda0b2d5b9820.exe
- Resource: win10v2004-en-20220113
General
- Target: 1917deca4b6ca49084cc32ac50c86feef3ac607d7d65f4964e9fda0b2d5b9820.exe
- Size: 176KB
- MD5: e4df685b676eb014fc91d87222287101
- SHA1: b50af86ee53e454537ecd05a85b1b5b19da2f2c9
- SHA256: 1917deca4b6ca49084cc32ac50c86feef3ac607d7d65f4964e9fda0b2d5b9820
- SHA512: 957ba9ec845397bd65ff1a44b48e4fe8f451931bcc9f7e79dfcaf2fb4aa1a0b1434e97ed105dfb5d2f7cc3a11c0e070af79642300e05494fb05fb5d822066172
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  yara_rule family_sakula matched the following resources:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (listed twice in the report)
  - behavioral2/memory/4464-135-0x0000000000400000-0x0000000000420000-memory.dmp
  - behavioral2/memory/3824-136-0x0000000000400000-0x0000000000420000-memory.dmp
  PID 4464 is the submitted sample and PID 3824 the dropped MediaCenter.exe; both match on the same 0x400000-0x420000 image range, consistent with the dropped file carrying the same Sakula payload as the submitted executable.
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  - PID 3824: MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  - Key value queried by 1917deca4b6ca49084cc32ac50c86feef3ac607d7d65f4964e9fda0b2d5b9820.exe: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str) by 1917deca4b6ca49084cc32ac50c86feef3ac607d7d65f4964e9fda0b2d5b9820.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  The key sits under WOW6432Node because the 32-bit sample's write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run was redirected by WOW64 registry redirection; it is still machine-wide (HKLM) persistence, which the sample could only establish because it ran with administrative rights in the sandbox. The autostart target is an executable under the user's Temp directory, which is the detection-relevant detail.
- Drops file in Windows directory (8 IoCs)
  - File opened for modification by TiWorker.exe: C:\Windows\WinSxS\pending.xml
  - File opened for modification by svchost.exe: C:\Windows\WindowsUpdate.log
  - File opened for modification by svchost.exe: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
  - File opened for modification by svchost.exe: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
  - File opened for modification by svchost.exe: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
  - File opened for modification by svchost.exe: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm
  - File opened for modification by svchost.exe: C:\Windows\SoftwareDistribution\ReportingEvents.log
  - File opened for modification by TiWorker.exe: C:\Windows\Logs\CBS\CBS.log
  All eight writes come from svchost.exe (wuauserv) and TiWorker.exe, the Windows Update servicing processes that appear as separate roots in the process tree below, not from the sample or anything it spawned. Treat this signature as sandbox background noise.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour"; the YARA and Suricata hits on this page identify the payload as the Sakula/Mivast RAT, so weigh that heuristic accordingly. No IoC details are listed.
- Runs ping.exe (1 TTPs, 1 IoC)
  No IoC details are listed here; the process tree below shows PING.EXE (PID 4252) running ping 127.0.0.1 under the cmd.exe that deletes the original sample.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  All 64 token adjustments belong to the Windows Update servicing processes, not to the sample or its children:
  - svchost.exe (PID 3816): SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating (6 entries)
  - TiWorker.exe (PID 4160): SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, cycling (the remaining 58 entries)
  These are the privileges a servicing stack needs to read and write protected system files; they are not attributable to the Sakula sample.
- Suspicious use of WriteProcessMemory (9 IoCs)
  - PID 4464 (1917deca4b6ca49084cc32ac50c86feef3ac607d7d65f4964e9fda0b2d5b9820.exe) wrote to memory of PID 3824 (MediaCenter.exe), 3 times
  - PID 4464 (1917deca4b6ca49084cc32ac50c86feef3ac607d7d65f4964e9fda0b2d5b9820.exe) wrote to memory of PID 4296 (cmd.exe), 3 times
  - PID 4296 (cmd.exe) wrote to memory of PID 4252 (PING.EXE), 3 times
  Each parent writes three times into a child it has just created, and the same pattern appears for the plainly benign cmd.exe to PING.EXE pair, so on its own this signature reflects ordinary parent-to-child process setup rather than code injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\1917deca4b6ca49084cc32ac50c86feef3ac607d7d65f4964e9fda0b2d5b9820.exe (PID 4464)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1917deca4b6ca49084cc32ac50c86feef3ac607d7d65f4964e9fda0b2d5b9820.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 3824)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 4296)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1917deca4b6ca49084cc32ac50c86feef3ac607d7d65f4964e9fda0b2d5b9820.exe"
    This is the sample's self-removal: the ping to 127.0.0.1 acts as a short delay so the parent can exit, then del /q removes the original executable while the dropped MediaCenter.exe keeps running. The image path is SysWOW64 because the 32-bit sample's reference to System32 was redirected by WOW64.
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 4252)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 3816)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 4160)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
The svchost.exe (wuauserv) and TiWorker.exe entries are separate process-tree roots with no parent link to the sample: Windows Update servicing activity that ran in the sandbox alongside the detonation.
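The two behaviours above that are specific to the sample, rather than sandbox noise, are the Run key pointing into the user's Temp directory and the cmd.exe "ping then del" self-removal. The following is an added example of turning both into detection logic; it is not the sandbox's own signature code. The event records are constructed from this report's process tree and IoCs, the dict layout is this example's own simplification rather than a Sysmon or EDR schema, and the rule names and helper functions are the example's own.

```python
"""Added example: detection logic for the Sakula behaviours seen in this report.
Events are constructed from the report's process tree and IoCs; the dict layout
is this example's own, not a Sysmon or EDR schema."""
import re
from typing import Dict, List

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\1917deca4b6ca49084cc32ac50c86feef3ac607d7d65f4964e9fda0b2d5b9820.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

EVENTS: List[Dict] = [
    # Persistence write observed for PID 4464 (the submitted sample).
    {"type": "registry_set", "pid": 4464, "image": SAMPLE,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
    # Dropped payload started by the sample.
    {"type": "process_create", "pid": 3824, "ppid": 4464, "image": DROPPED, "cmdline": DROPPED},
    # Self-removal: cmd.exe waits on ping, then deletes the parent's own image.
    {"type": "process_create", "pid": 4296, "ppid": 4464, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process_create", "pid": 4252, "ppid": 4296, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Benign control: the Windows Update servicing host the sandbox also logged.
    {"type": "process_create", "pid": 3816, "ppid": 700, "image": r"C:\Windows\system32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"},
]

# Run / RunOnce keys under either the native or the WOW6432Node view.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Directories an unprivileged user can write to; a Run target there is a red flag.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public)\\", re.I)
# "ping <host> [...] & del [/switches] <path>": the delay-then-delete idiom.
PING_DEL = re.compile(r'ping\s+\S+.*?&\s*del\b(?:\s+/\w+)*\s+"?([^"]+?)"?\s*$', re.I)


def image_by_pid(events: List[Dict]) -> Dict[int, str]:
    """Resolve each PID seen with an image path, so a child's parent can be named."""
    return {e["pid"]: e["image"] for e in events if "pid" in e and "image" in e}


def detect_run_key_to_user_path(events: List[Dict]) -> List[str]:
    """Run-key persistence whose target lives in a user-writable directory."""
    hits = []
    for e in events:
        if e["type"] != "registry_set" or not RUN_KEY.search(e["key"]):
            continue
        if USER_WRITABLE.search(e["value"]):
            name = e["key"].rsplit("\\", 1)[-1]
            hits.append(f"pid {e['pid']}: Run value {name} -> {e['value']}")
    return hits


def detect_ping_del(events: List[Dict]) -> List[str]:
    """cmd.exe running 'ping ... & del <path>'; escalate to SELF-DELETE when the
    deleted path is the parent process's own image, as in this report."""
    images = image_by_pid(events)
    hits = []
    for e in events:
        if e["type"] != "process_create" or not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = PING_DEL.search(e["cmdline"])
        if not m:
            continue
        target = m.group(1)
        parent = images.get(e.get("ppid"), "")
        kind = "SELF-DELETE" if target.lower() == parent.lower() else "delayed delete"
        hits.append(f"pid {e['pid']} ({kind}): parent {parent or '?'} -> del {target}")
    return hits


def triage(events: List[Dict]) -> Dict[str, List[str]]:
    """Run every rule and return findings keyed by rule name."""
    return {"run_key_user_path": detect_run_key_to_user_path(events),
            "ping_del": detect_ping_del(events)}


if __name__ == "__main__":
    for rule, findings in triage(EVENTS).items():
        for finding in findings:
            print(f"[{rule}] {finding}")
```

Run against the constructed events, the Run-key rule fires once (MicroMedia pointing into AppData\Local\Temp) and the ping-del rule fires once and classifies it as SELF-DELETE, because the deleted path equals the image of the parent PID 4464. The svchost.exe control event produces nothing. The PING_DEL pattern also covers the common variants with `ping -n <count>` and extra `del` switches, so it generalizes beyond the exact command line in this report.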
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: fcba4b603a463395f69a120c976c74ac
  SHA1: 57f94df913c3d29d9d19dc88891f3fcba95406c9
  SHA256: 0751614b7d40996ffef4760859f7b06311f4cbc97bb5eb8894ea6e36ddacd359
  SHA512: 80946acd2cc375a7ecfd43eea10c07de31eb6388b7eb4a53b08f589f9dd05098174fcac0d991d8f000a235b730d6bdebdd48cfadf60e5b538bf619b6447ea011
  The report lists this entry twice with identical hashes. They differ from the submitted sample's hashes, so this is a separate artifact; the report does not name the file.