Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 03:07
- Static task: static1
- Behavioral task: behavioral1
  Sample: 1881c151bf2e93ddb7115f26e1decbbff9baaa49f7d98730928ba49f56f31731.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 1881c151bf2e93ddb7115f26e1decbbff9baaa49f7d98730928ba49f56f31731.exe
  Resource: win10v2004-en-20220113
The platform and resource fields above identify the results below as the behavioral2 (windows10-2004_x64) run.
General
- Target: 1881c151bf2e93ddb7115f26e1decbbff9baaa49f7d98730928ba49f56f31731.exe
- Size: 150KB
- MD5: 4cd4742383fa00711915dfb199ffb946
- SHA1: e060884ece39535e7f9a384f4a18bd00738798d5
- SHA256: 1881c151bf2e93ddb7115f26e1decbbff9baaa49f7d98730928ba49f56f31731
- SHA512: 6a7bb305af35d489abbc46f149de7e335ad4e46e7f1f249186e5d5b7007673d47aa153d08a9b14f0aa02a670fc8a683a64513b2ba542e44b4845ca30c9bda597
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  resource / yara_rule:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
- pid 1792  MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  process: 1881c151bf2e93ddb7115f26e1decbbff9baaa49f7d98730928ba49f56f31731.exe
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  process: 1881c151bf2e93ddb7115f26e1decbbff9baaa49f7d98730928ba49f56f31731.exe
Drops file in Windows directory (8 IoCs)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  svchost.exe
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  svchost.exe
- File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log  svchost.exe
- File opened for modification: C:\Windows\Logs\CBS\CBS.log  TiWorker.exe
- File opened for modification: C:\Windows\WinSxS\pending.xml  TiWorker.exe
- File opened for modification: C:\Windows\WindowsUpdate.log  svchost.exe
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  svchost.exe
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  svchost.exe
All eight entries come from the Windows Update service host (svchost.exe -s wuauserv) and the servicing stack worker (TiWorker.exe), which appear in the process tree as their own top-level processes, not as children of the sample. Treat them as background OS activity in the sandbox rather than behaviour of the sample.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour"; no IoC is attached to it in this report and the payload is identified as Sakula by the YARA and Suricata hits above, so treat it as a weak signal on its own.
Runs ping.exe (1 TTP, 1 IoC)
The single IoC is PING.EXE (pid 1508) running "ping 127.0.0.1", shown in the process tree below; it is launched by cmd.exe as a delay before deleting the original executable.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- svchost.exe (pid 2696): SeShutdownPrivilege and SeCreatePagefilePrivilege, each adjusted three times
- TiWorker.exe (pid 3076): SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, adjusted repeatedly in that cycle (the remaining 58 of the 64 entries)
Both processes are the Windows Update servicing processes that also appear under "Drops file in Windows directory"; none of the 64 token adjustments is attributed to the sample or to MediaCenter.exe.
Suspicious use of WriteProcessMemory (9 IoCs)
- PID 4200 (1881c151bf2e93ddb7115f26e1decbbff9baaa49f7d98730928ba49f56f31731.exe) wrote to memory of 1792 (MediaCenter.exe), 3 times
- PID 4200 (1881c151bf2e93ddb7115f26e1decbbff9baaa49f7d98730928ba49f56f31731.exe) wrote to memory of 4656 (cmd.exe), 3 times
- PID 4656 (cmd.exe) wrote to memory of 1508 (PING.EXE), 3 times
Every write goes from a parent to the child it has just spawned (see the process tree below), which is consistent with ordinary process creation, the parent populating the new child's address space, rather than injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\1881c151bf2e93ddb7115f26e1decbbff9baaa49f7d98730928ba49f56f31731.exe (PID 4200)
   command line: "C:\Users\Admin\AppData\Local\Temp\1881c151bf2e93ddb7115f26e1decbbff9baaa49f7d98730928ba49f56f31731.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1792)
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe (PID 4656)
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1881c151bf2e93ddb7115f26e1decbbff9baaa49f7d98730928ba49f56f31731.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE (PID 1508)
         command line: ping 127.0.0.1
         - Runs ping.exe

1. C:\Windows\system32\svchost.exe (PID 2696)
   command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken

1. C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 3076)
   command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken

The first tree is the sample's full execution chain: the dropper queries the Geo\Nation value, writes MediaCenter.exe to %TEMP%\MicroMedia, registers it under the Run key, starts it, and then spawns cmd.exe to ping the loopback address (a short delay) and delete the original executable. The cmd.exe and PING.EXE images resolve to C:\Windows\SysWOW64\ even though the command line names System32, which is WOW64 file-system redirection and, together with the WOW6432Node Run key, indicates a 32-bit sample running on the 64-bit platform. The svchost.exe (wuauserv) and TiWorker.exe trees are independent Windows Update activity with no relation to the sample.
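The three host-side behaviours attributed to the sample above (the Geo\Nation lookup, the Run key pointing into a user's %TEMP%, and the "ping 127.0.0.1 & del /q" self-deletion in the process tree) are each weak on their own but strong when they land on the same process. The following script is an added example, not Triage's own detection logic: it runs those three checks over a stream of endpoint events and groups the hits by the responsible PID. The event schema (kind, pid, parent_pid, image, command_line, target_object, details) is a simplified, assumed one, and the sample events are constructed to mirror this report plus two benign look-alikes that must not fire.

```python
"""Hunt for the behaviours this report attributes to the sample in endpoint events
and correlate them by the process responsible.

Added example, not the sandbox's own logic. The event schema is an assumption
and SAMPLE_EVENTS is constructed from the report's process tree and IoCs.
"""
import re
from collections import defaultdict

# `ping 127.0.0.1 & del /q "<path>"`: ping is a sleep, del removes the dropper.
SELF_DELETE_RE = re.compile(
    r'ping(?:\s+-n\s+\d+)?\s+127\.0\.0\.1\s*&{1,2}\s*del\s+(?:/[a-z]\s+)*"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)
USER_TEMP_RE = re.compile(r'^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\', re.IGNORECASE)
RUN_KEY_RE = re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\Run\\', re.IGNORECASE)
GEO_NATION_RE = re.compile(r'\\Control Panel\\International\\Geo\\Nation$', re.IGNORECASE)


def detect(events):
    """Return (rule, actor_pid, detail) for every event matching one of the TTPs.

    The actor is the process that should carry the alert: for a self-delete
    command line that is the parent of cmd.exe (the binary being deleted);
    for registry events it is the writing or querying process itself.
    """
    hits = []
    for ev in events:
        kind = ev["kind"]
        if kind == "process_create":
            m = SELF_DELETE_RE.search(ev.get("command_line", ""))
            if m:
                hits.append(("self_delete_via_ping", ev["parent_pid"], m.group("target")))
        elif kind == "reg_set":
            # Run-key value whose target lives in a user's %TEMP% tree
            if RUN_KEY_RE.search(ev["target_object"]) and USER_TEMP_RE.match(ev.get("details", "")):
                hits.append(("run_key_to_user_temp", ev["pid"], ev["details"]))
        elif kind == "reg_query":
            # Geo\Nation read by a process running out of %TEMP%
            if GEO_NATION_RE.search(ev["target_object"]) and USER_TEMP_RE.match(ev.get("image", "")):
                hits.append(("geo_nation_lookup_from_temp", ev["pid"], ev["target_object"]))
    return hits


def correlate(hits, min_rules=2):
    """Group hits by actor PID; keep PIDs that tripped at least `min_rules` distinct rules."""
    by_pid = defaultdict(set)
    for rule, pid, _ in hits:
        by_pid[pid].add(rule)
    return {pid: sorted(rules) for pid, rules in by_pid.items() if len(rules) >= min_rules}


# Constructed events mirroring the report's process tree and registry IoCs.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\1881c151bf2e93ddb7115f26e1decbbff9baaa49f7d98730928ba49f56f31731.exe"
SAMPLE_EVENTS = [
    {"kind": "reg_query", "pid": 4200, "image": DROPPER,
     "target_object": r"HKU\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation"},
    {"kind": "reg_set", "pid": 4200, "image": DROPPER,
     "target_object": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "details": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"kind": "process_create", "pid": 4656, "parent_pid": 4200, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + DROPPER + '"'},
    {"kind": "process_create", "pid": 1508, "parent_pid": 4656, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "command_line": "ping 127.0.0.1"},
    # Benign look-alikes (constructed): an admin pinging loopback, and an
    # installer registering an agent that lives under Program Files.
    {"kind": "process_create", "pid": 900, "parent_pid": 800, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c ping 127.0.0.1 -n 4"},
    {"kind": "reg_set", "pid": 901, "image": r"C:\Program Files\Vendor\setup.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "details": r"C:\Program Files\Vendor\agent.exe"},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for rule, pid, detail in found:
        print(f"{rule:30} pid={pid} {detail}")
    print("correlated:", correlate(found))
```

On the constructed events the three rules fire once each and all land on PID 4200, so `correlate` promotes that single process to an alert while the benign ping and the Program Files Run entry produce nothing. The self-delete hit is charged to the parent of cmd.exe on purpose: cmd.exe is gone by the time anyone looks, and the parent is the file that `del` names.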
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 98b3751f16278e20ccb95a65cb4479e5
- SHA1: 0edfeae9a4b87c7a652edcba258960a349985912
- SHA256: 8d11425de6e9808528f386cc66ab1a76ec91e7bb2f354074c45c08c75cc0ed1d
- SHA512: c4e6ef80d839d5871d69471900d28a9557d4ac11afcd783085a6ebf88cabee0016249e5e8eeaeb39ecc29532d3d94daf012787e6ce738781cd23aac06ee3c444