Analysis
max time kernel: 158s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 03:01
Static task: static1
Behavioral task: behavioral1
  Sample: 18c4209be545d3eb3ae6cc89f940ee353d4540f4ab4902fdd320f9a3da4f48df.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 18c4209be545d3eb3ae6cc89f940ee353d4540f4ab4902fdd320f9a3da4f48df.exe
  Resource: win10v2004-en-20220113
General
Target: 18c4209be545d3eb3ae6cc89f940ee353d4540f4ab4902fdd320f9a3da4f48df.exe
Size: 150KB
MD5: cf4c7f3dee8537247555d69903f5c5df
SHA1: 5b5356fac4715cce33ce36b581cf149d04c3b955
SHA256: 18c4209be545d3eb3ae6cc89f940ee353d4540f4ab4902fdd320f9a3da4f48df
SHA512: bbcff7f2b11b07bdf8c944ba4463ef1ae0a0adb8ff45ff6fbe7fd7721991c730615c4fb32a50d3caf543477fdfa7173b88dc2ae3f9f96c0fadafac5359366da5
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoCs)
Processes:
  pid 3172  MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  process: 18c4209be545d3eb3ae6cc89f940ee353d4540f4ab4902fdd320f9a3da4f48df.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 18c4209be545d3eb3ae6cc89f940ee353d4540f4ab4902fdd320f9a3da4f48df.exe
Drops file in Windows directory (8 IoCs)
Processes (description / ioc / process):
  File opened for modification  C:\Windows\WinSxS\pending.xml  TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log  svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log  TiWorker.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: svchost.exe, TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description / process -> target process):
  PID 1844 wrote to memory of 3172  18c4209be545d3eb3ae6cc89f940ee353d4540f4ab4902fdd320f9a3da4f48df.exe -> MediaCenter.exe
  PID 1844 wrote to memory of 3172  18c4209be545d3eb3ae6cc89f940ee353d4540f4ab4902fdd320f9a3da4f48df.exe -> MediaCenter.exe
  PID 1844 wrote to memory of 3172  18c4209be545d3eb3ae6cc89f940ee353d4540f4ab4902fdd320f9a3da4f48df.exe -> MediaCenter.exe
  PID 1844 wrote to memory of 4272  18c4209be545d3eb3ae6cc89f940ee353d4540f4ab4902fdd320f9a3da4f48df.exe -> cmd.exe
  PID 1844 wrote to memory of 4272  18c4209be545d3eb3ae6cc89f940ee353d4540f4ab4902fdd320f9a3da4f48df.exe -> cmd.exe
  PID 1844 wrote to memory of 4272  18c4209be545d3eb3ae6cc89f940ee353d4540f4ab4902fdd320f9a3da4f48df.exe -> cmd.exe
  PID 4272 wrote to memory of 4344  cmd.exe -> PING.EXE
  PID 4272 wrote to memory of 4344  cmd.exe -> PING.EXE
  PID 4272 wrote to memory of 4344  cmd.exe -> PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\18c4209be545d3eb3ae6cc89f940ee353d4540f4ab4902fdd320f9a3da4f48df.exe (PID 1844)
  Command line: "C:\Users\Admin\AppData\Local\Temp\18c4209be545d3eb3ae6cc89f940ee353d4540f4ab4902fdd320f9a3da4f48df.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 3172)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe (PID 4272)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18c4209be545d3eb3ae6cc89f940ee353d4540f4ab4902fdd320f9a3da4f48df.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (PID 4344)
      Command line: ping 127.0.0.1
      - Runs ping.exe
C:\Windows\system32\svchost.exe (PID 2544)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 2332)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 91279628a8789f7b394871da0c76cfc0
SHA1: acb9383b5c84b6278f434a37153fcd09668a0302
SHA256: 10d43396d19fa508f44d66ad30217cefe6e7029d62f2e745f93649f0d053245e
SHA512: 1f84a6d3c107e77e3ce7bc31fca1f630d8fa29d88bcfaeba55d410cf1f72349cb41f69dbae704b401af128536e427d442112f922971b5589b7a8ff9a4812f33c