Analysis
-
max time kernel
151s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 04:03
Static task
static1
Behavioral task
behavioral1
Sample
161eaea9adc6693c5b4a1cbf079d7184e10ce224f4ea8fca4614263e3c708833.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
161eaea9adc6693c5b4a1cbf079d7184e10ce224f4ea8fca4614263e3c708833.exe
Resource
win10v2004-en-20220113
General
-
Target
161eaea9adc6693c5b4a1cbf079d7184e10ce224f4ea8fca4614263e3c708833.exe
-
Size
150KB
-
MD5
6787d4c9d7a2d242dd6340f7a345058f
-
SHA1
ca6d00e4dc78576854da0f1dcd64d070b73e859b
-
SHA256
161eaea9adc6693c5b4a1cbf079d7184e10ce224f4ea8fca4614263e3c708833
-
SHA512
d38e90ef64402a0c593d69ab5f815e1f9d486c9a8084219e7bf1a4f019112a116c4f03ba143705b8ef77cc068e52cbb7ea698b5dc6660fbebd3558e0c9c01931
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 2032 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
161eaea9adc6693c5b4a1cbf079d7184e10ce224f4ea8fca4614263e3c708833.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 161eaea9adc6693c5b4a1cbf079d7184e10ce224f4ea8fca4614263e3c708833.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
161eaea9adc6693c5b4a1cbf079d7184e10ce224f4ea8fca4614263e3c708833.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 161eaea9adc6693c5b4a1cbf079d7184e10ce224f4ea8fca4614263e3c708833.exe -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exe161eaea9adc6693c5b4a1cbf079d7184e10ce224f4ea8fca4614263e3c708833.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 948 svchost.exe Token: SeCreatePagefilePrivilege 948 svchost.exe Token: SeShutdownPrivilege 948 svchost.exe Token: SeCreatePagefilePrivilege 948 svchost.exe Token: SeShutdownPrivilege 948 svchost.exe Token: SeCreatePagefilePrivilege 948 svchost.exe Token: SeIncBasePriorityPrivilege 2780 161eaea9adc6693c5b4a1cbf079d7184e10ce224f4ea8fca4614263e3c708833.exe Token: SeSecurityPrivilege 696 TiWorker.exe Token: SeRestorePrivilege 696 TiWorker.exe Token: SeBackupPrivilege 696 TiWorker.exe Token: SeBackupPrivilege 696 TiWorker.exe Token: SeRestorePrivilege 696 TiWorker.exe Token: SeSecurityPrivilege 696 TiWorker.exe Token: SeBackupPrivilege 696 TiWorker.exe Token: SeRestorePrivilege 696 TiWorker.exe Token: SeSecurityPrivilege 696 TiWorker.exe Token: SeBackupPrivilege 696 TiWorker.exe Token: SeRestorePrivilege 696 TiWorker.exe Token: SeSecurityPrivilege 696 TiWorker.exe Token: SeBackupPrivilege 696 TiWorker.exe Token: SeRestorePrivilege 696 TiWorker.exe Token: SeSecurityPrivilege 696 TiWorker.exe Token: SeBackupPrivilege 696 TiWorker.exe Token: SeRestorePrivilege 696 TiWorker.exe Token: SeSecurityPrivilege 696 TiWorker.exe Token: SeBackupPrivilege 696 TiWorker.exe Token: SeRestorePrivilege 696 TiWorker.exe Token: SeSecurityPrivilege 696 TiWorker.exe Token: SeBackupPrivilege 696 TiWorker.exe Token: SeRestorePrivilege 696 TiWorker.exe Token: SeSecurityPrivilege 696 TiWorker.exe Token: SeBackupPrivilege 696 TiWorker.exe Token: SeRestorePrivilege 696 TiWorker.exe Token: SeSecurityPrivilege 696 TiWorker.exe Token: SeBackupPrivilege 696 TiWorker.exe Token: SeRestorePrivilege 696 TiWorker.exe Token: SeSecurityPrivilege 696 TiWorker.exe Token: SeBackupPrivilege 696 TiWorker.exe Token: SeRestorePrivilege 696 TiWorker.exe Token: SeSecurityPrivilege 696 TiWorker.exe Token: SeBackupPrivilege 696 TiWorker.exe Token: SeRestorePrivilege 696 TiWorker.exe Token: SeSecurityPrivilege 696 TiWorker.exe Token: SeBackupPrivilege 696 TiWorker.exe Token: SeRestorePrivilege 696 TiWorker.exe Token: SeSecurityPrivilege 696 TiWorker.exe Token: SeBackupPrivilege 696 TiWorker.exe Token: SeRestorePrivilege 696 TiWorker.exe Token: SeSecurityPrivilege 696 TiWorker.exe Token: SeBackupPrivilege 696 TiWorker.exe Token: SeRestorePrivilege 696 TiWorker.exe Token: SeSecurityPrivilege 696 TiWorker.exe Token: SeBackupPrivilege 696 TiWorker.exe Token: SeRestorePrivilege 696 TiWorker.exe Token: SeSecurityPrivilege 696 TiWorker.exe Token: SeBackupPrivilege 696 TiWorker.exe Token: SeRestorePrivilege 696 TiWorker.exe Token: SeSecurityPrivilege 696 TiWorker.exe Token: SeBackupPrivilege 696 TiWorker.exe Token: SeRestorePrivilege 696 TiWorker.exe Token: SeSecurityPrivilege 696 TiWorker.exe Token: SeBackupPrivilege 696 TiWorker.exe Token: SeRestorePrivilege 696 TiWorker.exe Token: SeSecurityPrivilege 696 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
161eaea9adc6693c5b4a1cbf079d7184e10ce224f4ea8fca4614263e3c708833.execmd.exedescription pid process target process PID 2780 wrote to memory of 2032 2780 161eaea9adc6693c5b4a1cbf079d7184e10ce224f4ea8fca4614263e3c708833.exe MediaCenter.exe PID 2780 wrote to memory of 2032 2780 161eaea9adc6693c5b4a1cbf079d7184e10ce224f4ea8fca4614263e3c708833.exe MediaCenter.exe PID 2780 wrote to memory of 2032 2780 161eaea9adc6693c5b4a1cbf079d7184e10ce224f4ea8fca4614263e3c708833.exe MediaCenter.exe PID 2780 wrote to memory of 2268 2780 161eaea9adc6693c5b4a1cbf079d7184e10ce224f4ea8fca4614263e3c708833.exe cmd.exe PID 2780 wrote to memory of 2268 2780 161eaea9adc6693c5b4a1cbf079d7184e10ce224f4ea8fca4614263e3c708833.exe cmd.exe PID 2780 wrote to memory of 2268 2780 161eaea9adc6693c5b4a1cbf079d7184e10ce224f4ea8fca4614263e3c708833.exe cmd.exe PID 2268 wrote to memory of 3160 2268 cmd.exe PING.EXE PID 2268 wrote to memory of 3160 2268 cmd.exe PING.EXE PID 2268 wrote to memory of 3160 2268 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\161eaea9adc6693c5b4a1cbf079d7184e10ce224f4ea8fca4614263e3c708833.exe"C:\Users\Admin\AppData\Local\Temp\161eaea9adc6693c5b4a1cbf079d7184e10ce224f4ea8fca4614263e3c708833.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\161eaea9adc6693c5b4a1cbf079d7184e10ce224f4ea8fca4614263e3c708833.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:3160
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:948
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:696
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
35bc40628311ce1c3564243fd024d129
SHA1473d4584f846221d0eb5f531f22e8bde044dc0ad
SHA256714d833f332bb939416ad79fad33d263d7799eda765f3b93eb5eaa12f8929657
SHA5127b780511d779f1b83a5bdfd31cc1b7879fb853619b7e8ed64afe6b7ae5d256e95e5e8cd2c3e423a053225fe624fa74b45d5915855899c10245d9278cf672fbc6
-
MD5
35bc40628311ce1c3564243fd024d129
SHA1473d4584f846221d0eb5f531f22e8bde044dc0ad
SHA256714d833f332bb939416ad79fad33d263d7799eda765f3b93eb5eaa12f8929657
SHA5127b780511d779f1b83a5bdfd31cc1b7879fb853619b7e8ed64afe6b7ae5d256e95e5e8cd2c3e423a053225fe624fa74b45d5915855899c10245d9278cf672fbc6