Analysis
max time kernel: 147s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 02:55

Static task: static1
Behavioral task: behavioral1
  Sample: 190bf8fddb5a7fb9328de25d5bae225d0a06e8f67d8afb8c622d1c0980fdec68.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 190bf8fddb5a7fb9328de25d5bae225d0a06e8f67d8afb8c622d1c0980fdec68.exe
  Resource: win10v2004-en-20220113

The findings on this page come from behavioral2 (the Windows 10 2004 x64 image): the memory-dump IoCs are tagged behavioral2, the process paths are WOW6432Node/SysWOW64 paths on a 10.0.19041 build, and no IoC from the win7-en-20211208 run appears here.
General
Target: 190bf8fddb5a7fb9328de25d5bae225d0a06e8f67d8afb8c622d1c0980fdec68.exe
Size: 176KB
MD5: b21db582e4cf27142888b14aecf4883e
SHA1: 5e75f1e58d450c9a078526e353623deca2ee8e37
SHA256: 190bf8fddb5a7fb9328de25d5bae225d0a06e8f67d8afb8c622d1c0980fdec68
SHA512: 718e5053c6192eefe5aebfca132e6b0da2783ec643d5da6510a48f5222d7e71f7cedbe01f41c7da728e4d731cd5416a0195d088d74828bb884ac65601202ae46
Malware Config
Signatures
Sakula Payload (4 IoCs)
YARA rule family_sakula matched:
  file    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (reported twice)
  memory  behavioral2/memory/1956-135-0x0000000000400000-0x0000000000420000-memory.dmp  (PID 1956, the submitted sample)
  memory  behavioral2/memory/4060-136-0x0000000000400000-0x0000000000420000-memory.dmp  (PID 4060, the dropped MediaCenter.exe)
The same image range (0x400000-0x420000) matches in both the dropper and the dropped copy, so the dropped file carries the same Sakula payload as the sample itself.
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Both are Emerging Threats rule names; the report's Network section below records no destination host, port or payload for either alert, so the C2 endpoint cannot be read off this page.
Executes dropped EXE (1 IoC)
  PID 4060  MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  by 190bf8fddb5a7fb9328de25d5bae225d0a06e8f67d8afb8c622d1c0980fdec68.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  by 190bf8fddb5a7fb9328de25d5bae225d0a06e8f67d8afb8c622d1c0980fdec68.exe
The WOW6432Node path is the 32-bit view of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, i.e. the sample is a 32-bit binary (it also launches SysWOW64\cmd.exe below). Writing under HKLM needs administrative rights, which the sandbox's Admin account evidently had. The autostart target is the dropped copy under the user's Temp directory, which is what survives once the dropper deletes itself.
Drops file in Windows directory (8 IoCs)
All eight are Windows Update housekeeping by svchost.exe (wuauserv) and TiWorker.exe running in the background of the sandbox, not activity of the sample:
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log       svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log                              TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml                            TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log                             svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk   svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log   svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this heuristic adds "Likely ransomware behaviour", but no process is attributed to the hit and nothing else on this page (no file encryption, no ransom note) supports that reading for this Sakula sample.
Runs ping.exe (1 TTPs, 1 IoC)
  PID 1324  PING.EXE, launched by cmd.exe (PID 1984) as the delay in the sample's self-delete command (see the process tree below).
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Only one of the 64 token adjustments belongs to the sample; the rest come from the Windows Update processes in the background of the run:
  svchost.exe (PID 1668):   SeShutdownPrivilege and SeCreatePagefilePrivilege, 3 times each (6 entries)
  190bf8fddb5a7fb9328de25d5bae225d0a06e8f67d8afb8c622d1c0980fdec68.exe (PID 1956):  SeIncBasePriorityPrivilege, once
  TiWorker.exe (PID 3656):  SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, enabled in rotation (57 entries)
Suspicious use of WriteProcessMemory (9 IoCs)
Every target is a child the writer had just launched, three writes per child. That is consistent with a parent setting up a process it has created, not with injection into a foreign process:
  PID 1956 (190bf8fddb5a7fb9328de25d5bae225d0a06e8f67d8afb8c622d1c0980fdec68.exe) wrote to memory of PID 4060 (MediaCenter.exe)  x3
  PID 1956 (190bf8fddb5a7fb9328de25d5bae225d0a06e8f67d8afb8c622d1c0980fdec68.exe) wrote to memory of PID 1984 (cmd.exe)          x3
  PID 1984 (cmd.exe) wrote to memory of PID 1324 (PING.EXE)  x3
Processes
C:\Users\Admin\AppData\Local\Temp\190bf8fddb5a7fb9328de25d5bae225d0a06e8f67d8afb8c622d1c0980fdec68.exe  (PID 1956)
  command line: "C:\Users\Admin\AppData\Local\Temp\190bf8fddb5a7fb9328de25d5bae225d0a06e8f67d8afb8c622d1c0980fdec68.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 4060)
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe  (PID 1984)
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\190bf8fddb5a7fb9328de25d5bae225d0a06e8f67d8afb8c622d1c0980fdec68.exe"
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE  (PID 1324)
          command line: ping 127.0.0.1
          - Runs ping.exe

C:\Windows\system32\svchost.exe  (PID 1668)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  (PID 3656)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample (PID 1956) drops and starts MediaCenter.exe, then removes its own file with the common "ping 127.0.0.1 & del" idiom, where the ping does nothing but stall cmd.exe until the dropper has exited so the delete succeeds. The command line asks for System32\cmd.exe but the image that runs is SysWOW64\cmd.exe: WOW64 file-system redirection, another sign the sample is 32-bit. The svchost.exe and TiWorker.exe trees are unrelated Windows Update activity and account for all "Drops file in Windows directory" hits and 63 of the 64 privilege adjustments.
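The two behaviours the report attributes to the sample, Run-key persistence into a user-writable path and the "ping 127.0.0.1 & del" self-delete, are easy to turn into detection logic over process-creation and registry telemetry. The following is an added example, not the sandbox's code: it builds event records constructed from the report's process tree and Run-key IoC (the parent pids of the top-level processes are placeholders, since the report does not show them), adds a benign ping-as-delay control and the Windows Update noise from the same run, and flags only the sample. The ATT&CK IDs in the comments use current numbering, not the v6 mapping the report references.

```python
"""Detect Run-key persistence and ping-then-del self-deletion in process/registry
telemetry. Added example; event data is constructed from the sandbox report."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Process-creation record (Sysmon event 1 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class RegEvent:
    """Registry record; op is 'set' or 'query'."""
    pid: int
    op: str
    key: str
    value: str = ""


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\190bf8fddb5a7fb9328de25d5bae225d0a06e8f67d8afb8c622d1c0980fdec68.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed from the report's process tree; ppid 1000/700 are placeholders.
PROC_EVENTS = [
    ProcEvent(1956, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4060, 1956, DROPPED, DROPPED),
    ProcEvent(1984, 1956, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcEvent(1324, 1984, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    # Windows Update activity from the same run: must not trigger anything.
    ProcEvent(1668, 700, r"C:\Windows\system32\svchost.exe",
              r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"),
    # Benign control (constructed): ping used as a delay with no delete behind it.
    ProcEvent(2222, 1000, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 2'),
]

# Constructed from the report's registry IoCs.
REG_EVENTS = [
    RegEvent(1956, "set",
             r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
             DROPPED),
    RegEvent(1956, "query",
             r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000"
             r"\Control Panel\International\Geo\Nation"),
]

# "ping <loopback> & del <file>": the ping only stalls cmd.exe until the parent
# has exited so the delete succeeds (T1070.004). Tolerates an optional "-n N".
SELF_DELETE_RE = re.compile(
    r'ping\s+(?:-n\s+\d+\s+)?127\.0\.0\.1.*?&\s*del\b.*?"?(?P<target>[^"&]+\.exe)"?',
    re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# Generalised beyond the report: any user-writable autostart target is suspect.
USER_WRITABLE_RE = re.compile(
    r"\\AppData\\(?:Local|Roaming)\\|\\ProgramData\\|\\Users\\Public\\", re.IGNORECASE)


def find_self_delete(events):
    """Flag cmd.exe instances that ping loopback and then delete an executable,
    and mark whether the deleted file is the parent's own image."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e.cmdline)
        if not m:
            continue
        target = m.group("target").strip()
        parent = by_pid.get(e.ppid)
        findings.append({
            "pid": e.pid,
            "parent_pid": e.ppid,
            "deletes": target,
            "deletes_parent_image": parent is not None
            and parent.image.lower() == target.lower(),
        })
    return findings


def find_suspicious_run_keys(reg_events):
    """Flag Run-key values (T1547.001) and whether they point at a user-writable path."""
    findings = []
    for r in reg_events:
        if r.op != "set" or not RUN_KEY_RE.search(r.key):
            continue
        findings.append({
            "pid": r.pid,
            "name": r.key.rsplit("\\", 1)[-1],
            "target": r.value,
            "user_writable_path": bool(USER_WRITABLE_RE.search(r.value)),
        })
    return findings


def correlate(proc_events, reg_events):
    """Pids that both persist via a user-writable Run key and spawn a helper that
    deletes their own image: together a far stronger signal than either alone."""
    persist = {f["pid"] for f in find_suspicious_run_keys(reg_events) if f["user_writable_path"]}
    deleters = {f["parent_pid"] for f in find_self_delete(proc_events) if f["deletes_parent_image"]}
    return sorted(persist & deleters)


if __name__ == "__main__":
    for finding in find_self_delete(PROC_EVENTS) + find_suspicious_run_keys(REG_EVENTS):
        print(finding)
    print("persist + self-delete:", correlate(PROC_EVENTS, REG_EVENTS))
```

Run on the constructed events, only PID 1984 matches the self-delete rule (its target is the image of its parent, PID 1956), only the MicroMedia Run value matches the persistence rule, and the correlation returns [1956]. The benign `ping -n 2` delay and the wuauserv svchost.exe produce nothing. In production the same two functions would consume Sysmon event 1 and event 13 records, and the image comparison should be done on normalised paths since the sample's SysWOW64 image differs from the System32 path in its command line.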
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 6afe2e6eb3283d539d3a107a8b3c7b41
SHA1: 7d2d0c2ebff11b3e632b883e9e41db80f3781140
SHA256: d6840ed10d0ba02746c13fde7f603a875f27bce3aeca94f27c686fa08053e0a0
SHA512: 27a8e5b78bedafb7d5c4794c771a9434264cc6fbdf97bf3b22c55fd12fb96b752430ffb327279a01f4b49e113d61074475dab1e4c24b224c6bef20f7fb3b28a8
The page lists this hash set twice; it is a single file. Its hashes differ from the submitted sample's (MD5 b21db582e4cf27142888b14aecf4883e), so it is a second file from the run, which the page does not name.