Analysis
max time kernel
155s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
12-02-2022 02:58
Static task
static1
Behavioral task
behavioral1
Sample
18f0502100b1b9198a38a5a52ba478b01c321ab25113a3237236b775a78c02ec.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
18f0502100b1b9198a38a5a52ba478b01c321ab25113a3237236b775a78c02ec.exe
Resource
win10v2004-en-20220113
General
Target
18f0502100b1b9198a38a5a52ba478b01c321ab25113a3237236b775a78c02ec.exe
Size
150KB
MD5
ef6551b2369ba3c3c46a62c67ec18c99
SHA1
b215425d63a322e63c4debc37f5052ff3664de50
SHA256
18f0502100b1b9198a38a5a52ba478b01c321ab25113a3237236b775a78c02ec
SHA512
32e3cbf47cbc9d3e6907b08ed61ff61cb7abb65d6754620fbbad8c914383b15120cd44b8a7d177f338dc4e053e916be98a281fa1b08b9827d315e510c59fa547
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
408 | MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 18f0502100b1b9198a38a5a52ba478b01c321ab25113a3237236b775a78c02ec.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 18f0502100b1b9198a38a5a52ba478b01c321ab25113a3237236b775a78c02ec.exe
Drops file in Windows directory 8 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 4852 | svchost.exe
Token: SeCreatePagefilePrivilege | 4852 | svchost.exe
Token: SeShutdownPrivilege | 4852 | svchost.exe
Token: SeCreatePagefilePrivilege | 4852 | svchost.exe
Token: SeShutdownPrivilege | 4852 | svchost.exe
Token: SeCreatePagefilePrivilege | 4852 | svchost.exe
Token: SeIncBasePriorityPrivilege | 2528 | 18f0502100b1b9198a38a5a52ba478b01c321ab25113a3237236b775a78c02ec.exe
Token: SeSecurityPrivilege | 4212 | TiWorker.exe
Token: SeRestorePrivilege | 4212 | TiWorker.exe
Token: SeBackupPrivilege | 4212 | TiWorker.exe
Token: SeBackupPrivilege | 4212 | TiWorker.exe
Token: SeRestorePrivilege | 4212 | TiWorker.exe
Token: SeSecurityPrivilege | 4212 | TiWorker.exe
Token: SeBackupPrivilege | 4212 | TiWorker.exe
Token: SeRestorePrivilege | 4212 | TiWorker.exe
Token: SeSecurityPrivilege | 4212 | TiWorker.exe
Token: SeBackupPrivilege | 4212 | TiWorker.exe
Token: SeRestorePrivilege | 4212 | TiWorker.exe
Token: SeSecurityPrivilege | 4212 | TiWorker.exe
Token: SeBackupPrivilege | 4212 | TiWorker.exe
Token: SeRestorePrivilege | 4212 | TiWorker.exe
Token: SeSecurityPrivilege | 4212 | TiWorker.exe
Token: SeBackupPrivilege | 4212 | TiWorker.exe
Token: SeRestorePrivilege | 4212 | TiWorker.exe
Token: SeSecurityPrivilege | 4212 | TiWorker.exe
Token: SeBackupPrivilege | 4212 | TiWorker.exe
Token: SeRestorePrivilege | 4212 | TiWorker.exe
Token: SeSecurityPrivilege | 4212 | TiWorker.exe
Token: SeBackupPrivilege | 4212 | TiWorker.exe
Token: SeRestorePrivilege | 4212 | TiWorker.exe
Token: SeSecurityPrivilege | 4212 | TiWorker.exe
Token: SeBackupPrivilege | 4212 | TiWorker.exe
Token: SeRestorePrivilege | 4212 | TiWorker.exe
Token: SeSecurityPrivilege | 4212 | TiWorker.exe
Token: SeBackupPrivilege | 4212 | TiWorker.exe
Token: SeRestorePrivilege | 4212 | TiWorker.exe
Token: SeSecurityPrivilege | 4212 | TiWorker.exe
Token: SeBackupPrivilege | 4212 | TiWorker.exe
Token: SeRestorePrivilege | 4212 | TiWorker.exe
Token: SeSecurityPrivilege | 4212 | TiWorker.exe
Token: SeBackupPrivilege | 4212 | TiWorker.exe
Token: SeRestorePrivilege | 4212 | TiWorker.exe
Token: SeSecurityPrivilege | 4212 | TiWorker.exe
Token: SeBackupPrivilege | 4212 | TiWorker.exe
Token: SeRestorePrivilege | 4212 | TiWorker.exe
Token: SeSecurityPrivilege | 4212 | TiWorker.exe
Token: SeBackupPrivilege | 4212 | TiWorker.exe
Token: SeRestorePrivilege | 4212 | TiWorker.exe
Token: SeSecurityPrivilege | 4212 | TiWorker.exe
Token: SeBackupPrivilege | 4212 | TiWorker.exe
Token: SeRestorePrivilege | 4212 | TiWorker.exe
Token: SeSecurityPrivilege | 4212 | TiWorker.exe
Token: SeBackupPrivilege | 4212 | TiWorker.exe
Token: SeRestorePrivilege | 4212 | TiWorker.exe
Token: SeSecurityPrivilege | 4212 | TiWorker.exe
Token: SeBackupPrivilege | 4212 | TiWorker.exe
Token: SeRestorePrivilege | 4212 | TiWorker.exe
Token: SeSecurityPrivilege | 4212 | TiWorker.exe
Token: SeBackupPrivilege | 4212 | TiWorker.exe
Token: SeRestorePrivilege | 4212 | TiWorker.exe
Token: SeSecurityPrivilege | 4212 | TiWorker.exe
Token: SeBackupPrivilege | 4212 | TiWorker.exe
Token: SeRestorePrivilege | 4212 | TiWorker.exe
Token: SeSecurityPrivilege | 4212 | TiWorker.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 2528 wrote to memory of 408 | 2528 | 18f0502100b1b9198a38a5a52ba478b01c321ab25113a3237236b775a78c02ec.exe | MediaCenter.exe
PID 2528 wrote to memory of 408 | 2528 | 18f0502100b1b9198a38a5a52ba478b01c321ab25113a3237236b775a78c02ec.exe | MediaCenter.exe
PID 2528 wrote to memory of 408 | 2528 | 18f0502100b1b9198a38a5a52ba478b01c321ab25113a3237236b775a78c02ec.exe | MediaCenter.exe
PID 2528 wrote to memory of 2112 | 2528 | 18f0502100b1b9198a38a5a52ba478b01c321ab25113a3237236b775a78c02ec.exe | cmd.exe
PID 2528 wrote to memory of 2112 | 2528 | 18f0502100b1b9198a38a5a52ba478b01c321ab25113a3237236b775a78c02ec.exe | cmd.exe
PID 2528 wrote to memory of 2112 | 2528 | 18f0502100b1b9198a38a5a52ba478b01c321ab25113a3237236b775a78c02ec.exe | cmd.exe
PID 2112 wrote to memory of 1240 | 2112 | cmd.exe | PING.EXE
PID 2112 wrote to memory of 1240 | 2112 | cmd.exe | PING.EXE
PID 2112 wrote to memory of 1240 | 2112 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\18f0502100b1b9198a38a5a52ba478b01c321ab25113a3237236b775a78c02ec.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\18f0502100b1b9198a38a5a52ba478b01c321ab25113a3237236b775a78c02ec.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2528
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID:408
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18f0502100b1b9198a38a5a52ba478b01c321ab25113a3237236b775a78c02ec.exe"
      - Suspicious use of WriteProcessMemory
      PID:2112
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          - Runs ping.exe
          PID:1240

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4852

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4212
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5
4bdf43789f0a25c14575b0cfb01b2040
SHA1
d865e99bd804956573c4c9db589747b8cebad640
SHA256
f893da0cd0ff4e7b72e5e7cbb48d88991b8ca5ff043281cdb1de8790f4c8d7cb
SHA512
1121c107692af9d15a1eff5631a394eefc5ad797741b1ce597f10ec311a6991c2ba8462bd318687979d5dd7be7e210f9f65d735fb1817e9a46235c3e6da57536