Analysis
- max time kernel: 146s
- max time network: 169s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 03:48
Static task: static1
Behavioral task: behavioral1
  Sample: 16c3ce826098729fa5e454d2ea4a43092436842a7cfdbf62cacc780df3b85904.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 16c3ce826098729fa5e454d2ea4a43092436842a7cfdbf62cacc780df3b85904.exe
  Resource: win10v2004-en-20220113
General
- Target: 16c3ce826098729fa5e454d2ea4a43092436842a7cfdbf62cacc780df3b85904.exe
- Size: 176KB
- MD5: 89a1850457d06e1ffd1459ee4e9314f2
- SHA1: 1b825c5e5f5a74a3e0b64e7dc7dcf34eeac52194
- SHA256: 16c3ce826098729fa5e454d2ea4a43092436842a7cfdbf62cacc780df3b85904
- SHA512: 9d7effd4ad94d45f3d76694ea8d03d2597de31aee2ba254277c96f268c201415719b027877125fb0358ed5309aff1af0a615f1b2e9345004266b239047ac13c9
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral2/memory/3540-135-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral2/memory/1944-136-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  pid | process
  1944 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 16c3ce826098729fa5e454d2ea4a43092436842a7cfdbf62cacc780df3b85904.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 16c3ce826098729fa5e454d2ea4a43092436842a7cfdbf62cacc780df3b85904.exe
- Drops file in Windows directory (8 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | target process
  PID 3540 wrote to memory of 1944 | 3540 | 16c3ce826098729fa5e454d2ea4a43092436842a7cfdbf62cacc780df3b85904.exe | MediaCenter.exe
  PID 3540 wrote to memory of 1944 | 3540 | 16c3ce826098729fa5e454d2ea4a43092436842a7cfdbf62cacc780df3b85904.exe | MediaCenter.exe
  PID 3540 wrote to memory of 1944 | 3540 | 16c3ce826098729fa5e454d2ea4a43092436842a7cfdbf62cacc780df3b85904.exe | MediaCenter.exe
  PID 3540 wrote to memory of 3460 | 3540 | 16c3ce826098729fa5e454d2ea4a43092436842a7cfdbf62cacc780df3b85904.exe | cmd.exe
  PID 3540 wrote to memory of 3460 | 3540 | 16c3ce826098729fa5e454d2ea4a43092436842a7cfdbf62cacc780df3b85904.exe | cmd.exe
  PID 3540 wrote to memory of 3460 | 3540 | 16c3ce826098729fa5e454d2ea4a43092436842a7cfdbf62cacc780df3b85904.exe | cmd.exe
  PID 3460 wrote to memory of 4124 | 3460 | cmd.exe | PING.EXE
  PID 3460 wrote to memory of 4124 | 3460 | cmd.exe | PING.EXE
  PID 3460 wrote to memory of 4124 | 3460 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\16c3ce826098729fa5e454d2ea4a43092436842a7cfdbf62cacc780df3b85904.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\16c3ce826098729fa5e454d2ea4a43092436842a7cfdbf62cacc780df3b85904.exe"
  PID: 3540
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1944
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16c3ce826098729fa5e454d2ea4a43092436842a7cfdbf62cacc780df3b85904.exe"
    PID: 3460
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      PID: 4124
      Signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4596
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (depth 1)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 4604
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 688824be2eadc7559a0cec4925026114
  SHA1: e1f10057a64260542e5827301225d57bef34557c
  SHA256: 799895f64eb42a2f869687037105ced16605492672586c47c4b8ef4b7ed313e1
  SHA512: 8433920124df0543c1e9a7ec36a74ac2e83e1ecccbf8317d53ad9e1c329fbbd630295f52c149df6722b7b8980b1b8daf36bf0433c2bb56bf37d9aafa931744b7