Analysis
- Max time kernel: 156s
- Max time network: 169s
- Platform: windows10-2004_x64
- Resource: win10v2004-en-20220113
- Submitted: 12-02-2022 04:03
- Static task: static1
- Behavioral task: behavioral1
  Sample: 161db2cade91d70701d145cb855cb652725ca2790d88aedaf892d77e1db7b244.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 161db2cade91d70701d145cb855cb652725ca2790d88aedaf892d77e1db7b244.exe
  Resource: win10v2004-en-20220113
General
- Target: 161db2cade91d70701d145cb855cb652725ca2790d88aedaf892d77e1db7b244.exe
- Size: 152KB
- MD5: 37fa5714549c20bb6a15d8b8f18da221
- SHA1: ae2ec4f4cfde57ed26a01e3eefe695922e22f922
- SHA256: 161db2cade91d70701d145cb855cb652725ca2790d88aedaf892d77e1db7b244
- SHA512: b7dd52707994500a8d978627f8d06551b3c944e3d20770ea9ea46957ec805bed64e7fe4a3f57ca26bdfc053dd2062f39ed93ad66a5f6af3388b4e39d5498ab89
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  4596 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 161db2cade91d70701d145cb855cb652725ca2790d88aedaf892d77e1db7b244.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 161db2cade91d70701d145cb855cb652725ca2790d88aedaf892d77e1db7b244.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  token | pid | process
  SeShutdownPrivilege | 940 | svchost.exe
  SeCreatePagefilePrivilege | 940 | svchost.exe
  SeShutdownPrivilege | 940 | svchost.exe
  SeCreatePagefilePrivilege | 940 | svchost.exe
  SeShutdownPrivilege | 940 | svchost.exe
  SeCreatePagefilePrivilege | 940 | svchost.exe
  SeIncBasePriorityPrivilege | 4012 | 161db2cade91d70701d145cb855cb652725ca2790d88aedaf892d77e1db7b244.exe
  SeSecurityPrivilege | 4512 | TiWorker.exe
  SeRestorePrivilege | 4512 | TiWorker.exe
  SeBackupPrivilege | 4512 | TiWorker.exe
  SeBackupPrivilege | 4512 | TiWorker.exe
  SeRestorePrivilege | 4512 | TiWorker.exe
  SeSecurityPrivilege | 4512 | TiWorker.exe
  SeBackupPrivilege | 4512 | TiWorker.exe
  SeRestorePrivilege | 4512 | TiWorker.exe
  SeSecurityPrivilege | 4512 | TiWorker.exe
  SeBackupPrivilege | 4512 | TiWorker.exe
  SeRestorePrivilege | 4512 | TiWorker.exe
  SeSecurityPrivilege | 4512 | TiWorker.exe
  SeBackupPrivilege | 4512 | TiWorker.exe
  SeRestorePrivilege | 4512 | TiWorker.exe
  SeSecurityPrivilege | 4512 | TiWorker.exe
  SeBackupPrivilege | 4512 | TiWorker.exe
  SeRestorePrivilege | 4512 | TiWorker.exe
  SeSecurityPrivilege | 4512 | TiWorker.exe
  SeBackupPrivilege | 4512 | TiWorker.exe
  SeRestorePrivilege | 4512 | TiWorker.exe
  SeSecurityPrivilege | 4512 | TiWorker.exe
  SeBackupPrivilege | 4512 | TiWorker.exe
  SeRestorePrivilege | 4512 | TiWorker.exe
  SeSecurityPrivilege | 4512 | TiWorker.exe
  SeBackupPrivilege | 4512 | TiWorker.exe
  SeRestorePrivilege | 4512 | TiWorker.exe
  SeSecurityPrivilege | 4512 | TiWorker.exe
  SeBackupPrivilege | 4512 | TiWorker.exe
  SeRestorePrivilege | 4512 | TiWorker.exe
  SeSecurityPrivilege | 4512 | TiWorker.exe
  SeBackupPrivilege | 4512 | TiWorker.exe
  SeRestorePrivilege | 4512 | TiWorker.exe
  SeSecurityPrivilege | 4512 | TiWorker.exe
  SeBackupPrivilege | 4512 | TiWorker.exe
  SeRestorePrivilege | 4512 | TiWorker.exe
  SeSecurityPrivilege | 4512 | TiWorker.exe
  SeBackupPrivilege | 4512 | TiWorker.exe
  SeRestorePrivilege | 4512 | TiWorker.exe
  SeSecurityPrivilege | 4512 | TiWorker.exe
  SeBackupPrivilege | 4512 | TiWorker.exe
  SeRestorePrivilege | 4512 | TiWorker.exe
  SeSecurityPrivilege | 4512 | TiWorker.exe
  SeBackupPrivilege | 4512 | TiWorker.exe
  SeRestorePrivilege | 4512 | TiWorker.exe
  SeSecurityPrivilege | 4512 | TiWorker.exe
  SeBackupPrivilege | 4512 | TiWorker.exe
  SeRestorePrivilege | 4512 | TiWorker.exe
  SeSecurityPrivilege | 4512 | TiWorker.exe
  SeBackupPrivilege | 4512 | TiWorker.exe
  SeRestorePrivilege | 4512 | TiWorker.exe
  SeSecurityPrivilege | 4512 | TiWorker.exe
  SeBackupPrivilege | 4512 | TiWorker.exe
  SeRestorePrivilege | 4512 | TiWorker.exe
  SeSecurityPrivilege | 4512 | TiWorker.exe
  SeBackupPrivilege | 4512 | TiWorker.exe
  SeRestorePrivilege | 4512 | TiWorker.exe
  SeSecurityPrivilege | 4512 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 4012 wrote to memory of 4596 | 4012 | 161db2cade91d70701d145cb855cb652725ca2790d88aedaf892d77e1db7b244.exe | MediaCenter.exe
  PID 4012 wrote to memory of 4596 | 4012 | 161db2cade91d70701d145cb855cb652725ca2790d88aedaf892d77e1db7b244.exe | MediaCenter.exe
  PID 4012 wrote to memory of 4596 | 4012 | 161db2cade91d70701d145cb855cb652725ca2790d88aedaf892d77e1db7b244.exe | MediaCenter.exe
  PID 4012 wrote to memory of 1064 | 4012 | 161db2cade91d70701d145cb855cb652725ca2790d88aedaf892d77e1db7b244.exe | cmd.exe
  PID 4012 wrote to memory of 1064 | 4012 | 161db2cade91d70701d145cb855cb652725ca2790d88aedaf892d77e1db7b244.exe | cmd.exe
  PID 4012 wrote to memory of 1064 | 4012 | 161db2cade91d70701d145cb855cb652725ca2790d88aedaf892d77e1db7b244.exe | cmd.exe
  PID 1064 wrote to memory of 3156 | 1064 | cmd.exe | PING.EXE
  PID 1064 wrote to memory of 3156 | 1064 | cmd.exe | PING.EXE
  PID 1064 wrote to memory of 3156 | 1064 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\161db2cade91d70701d145cb855cb652725ca2790d88aedaf892d77e1db7b244.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\161db2cade91d70701d145cb855cb652725ca2790d88aedaf892d77e1db7b244.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4012
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 4596
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\161db2cade91d70701d145cb855cb652725ca2790d88aedaf892d77e1db7b244.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1064
    Child processes:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3156
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 940
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4512
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 60cfcd007c7a8e3c0ba582548439ef5e
  SHA1: 7d190b1ac73755df1512d7c099e788d4c934bc2d
  SHA256: 2ae6973144617552ef035889ca0c3f750d14ff6a6c30d660ec79ed938c888cf2
  SHA512: c74c1910aabf0480db69999519624368ed796057c62576e3ecc1b670569397ae1e11d286b2e892f6d9856c7956fc276f78ebb4f934b481d99c25c2e80153a13f