Analysis
- max time kernel: 142s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 04:33
Static task: static1
Behavioral task: behavioral1
  Sample: 1530e959ab27b326a268079b257899d6fabe8a3c154145cb09027086b1958b16.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1530e959ab27b326a268079b257899d6fabe8a3c154145cb09027086b1958b16.exe
  Resource: win10v2004-en-20220113
General
- Target: 1530e959ab27b326a268079b257899d6fabe8a3c154145cb09027086b1958b16.exe
- Size: 89KB
- MD5: c5b1454520e27ded78b5e1a5415c4f46
- SHA1: 50b71118db1af81772f6fe64398afd9fd36f57d0
- SHA256: 1530e959ab27b326a268079b257899d6fabe8a3c154145cb09027086b1958b16
- SHA512: 87c31107e29fbced83d244b401e16fd6577a419388a97e8e850e91c719de4ea83cd88cc223d3e4dc53ba5d15bc7aa7be2ee16d40831d3f05fc8b8b24be334ac7
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource                                                       yara_rule
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoCs)
  Processes:
    pid    process
    3212   MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description         ioc                                                                                                      process
    Key value queried   \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation   1530e959ab27b326a268079b257899d6fabe8a3c154145cb09027086b1958b16.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description       ioc                                                                                                                                                                       process
    Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   1530e959ab27b326a268079b257899d6fabe8a3c154145cb09027086b1958b16.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
    description                    ioc                                                        process
    File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk     svchost.exe
    File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log     svchost.exe
    File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.edb    svchost.exe
    File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm    svchost.exe
    File opened for modification   C:\Windows\SoftwareDistribution\ReportingEvents.log        svchost.exe
    File opened for modification   C:\Windows\Logs\CBS\CBS.log                                TiWorker.exe
    File opened for modification   C:\Windows\WinSxS\pending.xml                              TiWorker.exe
    File opened for modification   C:\Windows\WindowsUpdate.log                               svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (identical rows collapsed, count in the last column):
    description                        pid    process        count
    Token: SeShutdownPrivilege         4016   svchost.exe    3
    Token: SeCreatePagefilePrivilege   4016   svchost.exe    3
    Token: SeSecurityPrivilege         3244   TiWorker.exe   19
    Token: SeRestorePrivilege          3244   TiWorker.exe   19
    Token: SeBackupPrivilege           3244   TiWorker.exe   20
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                          pid    process                                                                  target process
    PID 3968 wrote to memory of 3212     3968   1530e959ab27b326a268079b257899d6fabe8a3c154145cb09027086b1958b16.exe   MediaCenter.exe
    PID 3968 wrote to memory of 3212     3968   1530e959ab27b326a268079b257899d6fabe8a3c154145cb09027086b1958b16.exe   MediaCenter.exe
    PID 3968 wrote to memory of 3212     3968   1530e959ab27b326a268079b257899d6fabe8a3c154145cb09027086b1958b16.exe   MediaCenter.exe
    PID 3968 wrote to memory of 3428     3968   1530e959ab27b326a268079b257899d6fabe8a3c154145cb09027086b1958b16.exe   cmd.exe
    PID 3968 wrote to memory of 3428     3968   1530e959ab27b326a268079b257899d6fabe8a3c154145cb09027086b1958b16.exe   cmd.exe
    PID 3968 wrote to memory of 3428     3968   1530e959ab27b326a268079b257899d6fabe8a3c154145cb09027086b1958b16.exe   cmd.exe
    PID 3428 wrote to memory of 3108     3428   cmd.exe                                                                  PING.EXE
    PID 3428 wrote to memory of 3108     3428   cmd.exe                                                                  PING.EXE
    PID 3428 wrote to memory of 3108     3428   cmd.exe                                                                  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1530e959ab27b326a268079b257899d6fabe8a3c154145cb09027086b1958b16.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1530e959ab27b326a268079b257899d6fabe8a3c154145cb09027086b1958b16.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 3968
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 3212
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1530e959ab27b326a268079b257899d6fabe8a3c154145cb09027086b1958b16.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3428
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3108
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4016
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3244
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: b2ed1f5f64540c9d579029b281ac80f4
  SHA1: bb0f411945780f633f1a5b6deaf02e2fbd2f8d3f
  SHA256: 9b4054e76a834693c2b4433250d23767d8684e209b7818576712d147fea41427
  SHA512: 21868fab1e860d725894d5deeb439238220087e6991ba0aa0878e7a05fb4ca5196952ea327cff88e6165ba976212a7507580b6020e7489c4ea3294004b6c528e