Analysis
-
max time kernel
151s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 04:24
Static task
static1
Behavioral task
behavioral1
Sample
155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.exe
Resource
win10v2004-en-20220113
General
-
Target
155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.exe
-
Size
92KB
-
MD5
d3e9c51845245631be7750878f3756b9
-
SHA1
167db640ab76dec6b59be62edd432127e0023533
-
SHA256
155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271
-
SHA512
2476bc7d3740e3067ed35989b753e0da969ec2a8fc3fc0d3078141e31179266ed18869ce237d8c3155c040347026182ae2ca79b4fbc08689813ca0474ff204ae
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 4804 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.exe -
Drops file in Windows directory 8 IoCs
Processes:
TiWorker.exesvchost.exedescription ioc process File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 4152 svchost.exe Token: SeCreatePagefilePrivilege 4152 svchost.exe Token: SeShutdownPrivilege 4152 svchost.exe Token: SeCreatePagefilePrivilege 4152 svchost.exe Token: SeShutdownPrivilege 4152 svchost.exe Token: SeCreatePagefilePrivilege 4152 svchost.exe Token: SeSecurityPrivilege 1012 TiWorker.exe Token: SeRestorePrivilege 1012 TiWorker.exe Token: SeBackupPrivilege 1012 TiWorker.exe Token: SeBackupPrivilege 1012 TiWorker.exe Token: SeRestorePrivilege 1012 TiWorker.exe Token: SeSecurityPrivilege 1012 TiWorker.exe Token: SeBackupPrivilege 1012 TiWorker.exe Token: SeRestorePrivilege 1012 TiWorker.exe Token: SeSecurityPrivilege 1012 TiWorker.exe Token: SeBackupPrivilege 1012 TiWorker.exe Token: SeRestorePrivilege 1012 TiWorker.exe Token: SeSecurityPrivilege 1012 TiWorker.exe Token: SeBackupPrivilege 1012 TiWorker.exe Token: SeRestorePrivilege 1012 TiWorker.exe Token: SeSecurityPrivilege 1012 TiWorker.exe Token: SeBackupPrivilege 1012 TiWorker.exe Token: SeRestorePrivilege 1012 TiWorker.exe Token: SeSecurityPrivilege 1012 TiWorker.exe Token: SeBackupPrivilege 1012 TiWorker.exe Token: SeRestorePrivilege 1012 TiWorker.exe Token: SeSecurityPrivilege 1012 TiWorker.exe Token: SeBackupPrivilege 1012 TiWorker.exe Token: SeRestorePrivilege 1012 TiWorker.exe Token: SeSecurityPrivilege 1012 TiWorker.exe Token: SeBackupPrivilege 1012 TiWorker.exe Token: SeRestorePrivilege 1012 TiWorker.exe Token: SeSecurityPrivilege 1012 TiWorker.exe Token: SeBackupPrivilege 1012 TiWorker.exe Token: SeRestorePrivilege 1012 TiWorker.exe Token: SeSecurityPrivilege 1012 TiWorker.exe Token: SeBackupPrivilege 1012 TiWorker.exe Token: SeRestorePrivilege 1012 TiWorker.exe Token: SeSecurityPrivilege 1012 TiWorker.exe Token: SeBackupPrivilege 1012 TiWorker.exe Token: SeRestorePrivilege 1012 TiWorker.exe Token: SeSecurityPrivilege 1012 TiWorker.exe Token: SeBackupPrivilege 1012 TiWorker.exe Token: SeRestorePrivilege 1012 TiWorker.exe Token: SeSecurityPrivilege 1012 TiWorker.exe Token: SeBackupPrivilege 1012 TiWorker.exe Token: SeRestorePrivilege 1012 TiWorker.exe Token: SeSecurityPrivilege 1012 TiWorker.exe Token: SeBackupPrivilege 1012 TiWorker.exe Token: SeRestorePrivilege 1012 TiWorker.exe Token: SeSecurityPrivilege 1012 TiWorker.exe Token: SeBackupPrivilege 1012 TiWorker.exe Token: SeRestorePrivilege 1012 TiWorker.exe Token: SeSecurityPrivilege 1012 TiWorker.exe Token: SeBackupPrivilege 1012 TiWorker.exe Token: SeRestorePrivilege 1012 TiWorker.exe Token: SeSecurityPrivilege 1012 TiWorker.exe Token: SeBackupPrivilege 1012 TiWorker.exe Token: SeRestorePrivilege 1012 TiWorker.exe Token: SeSecurityPrivilege 1012 TiWorker.exe Token: SeBackupPrivilege 1012 TiWorker.exe Token: SeRestorePrivilege 1012 TiWorker.exe Token: SeSecurityPrivilege 1012 TiWorker.exe Token: SeBackupPrivilege 1012 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.execmd.exedescription pid process target process PID 2780 wrote to memory of 4804 2780 155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.exe MediaCenter.exe PID 2780 wrote to memory of 4804 2780 155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.exe MediaCenter.exe PID 2780 wrote to memory of 4804 2780 155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.exe MediaCenter.exe PID 2780 wrote to memory of 1876 2780 155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.exe cmd.exe PID 2780 wrote to memory of 1876 2780 155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.exe cmd.exe PID 2780 wrote to memory of 1876 2780 155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.exe cmd.exe PID 1876 wrote to memory of 3596 1876 cmd.exe PING.EXE PID 1876 wrote to memory of 3596 1876 cmd.exe PING.EXE PID 1876 wrote to memory of 3596 1876 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.exe"C:\Users\Admin\AppData\Local\Temp\155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:3596
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4152
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1012
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
987809a489d3333fcdfe70da3cc370e2
SHA1e95807fa65f0d4b550d5982a3a6da393f1920106
SHA256df16ebfb6536728f7728bf5e1f74f7e3d323ce7130614ec5a8ef95f616b81a54
SHA512aacd7426e380e2eb7888a63ded4c481acf7f0d8bcf94e7fc95801dc35c4450c4f949a91904838ed7e9c25aa95a7e05e5538113c85823540ea1c8eb328cbe453d
-
MD5
987809a489d3333fcdfe70da3cc370e2
SHA1e95807fa65f0d4b550d5982a3a6da393f1920106
SHA256df16ebfb6536728f7728bf5e1f74f7e3d323ce7130614ec5a8ef95f616b81a54
SHA512aacd7426e380e2eb7888a63ded4c481acf7f0d8bcf94e7fc95801dc35c4450c4f949a91904838ed7e9c25aa95a7e05e5538113c85823540ea1c8eb328cbe453d