Analysis
- max time kernel: 152s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 04:12
Static task: static1
Behavioral task: behavioral1
- Sample: 15cd6653f3eb10e648496b73c7a147dbc8d340fd6b1ea574cb1e63e75d70c8ec.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 15cd6653f3eb10e648496b73c7a147dbc8d340fd6b1ea574cb1e63e75d70c8ec.exe
- Resource: win10v2004-en-20220113
The results on this page are from the behavioral2 run (Windows 10 2004 x64, resource win10v2004-en-20220113); the memory dump names below carry the behavioral2/ prefix.
General
- Target: 15cd6653f3eb10e648496b73c7a147dbc8d340fd6b1ea574cb1e63e75d70c8ec.exe
- Size: 220KB
- MD5: 6cadba42b1ecb0a5828fe838a6fd376a
- SHA1: b763849ab884231e1062f5e9f9cf50b61e7cd957
- SHA256: 15cd6653f3eb10e648496b73c7a147dbc8d340fd6b1ea574cb1e63e75d70c8ec
- SHA512: 9ef350c1e29e18f4fb7ff9a0cdb785f102d12529741dc4fbd2d84d349f68d23b8bf6a71418c93170051a43808283ebed41cce1ec50d81d46af5311c42e8c259d
Malware Config
Signatures

Sakula Payload (4 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
behavioral2/memory/1924-135-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
behavioral2/memory/1776-136-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
The family_sakula YARA rule matches the dropped MediaCenter.exe on disk and the 0x400000-0x420000 region (the default 32-bit PE image base) of both the dropper (PID 1924) and the dropped process (PID 1776), so the payload is present unpacked in memory in both processes.

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
pid | process
1776 | MediaCenter.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 15cd6653f3eb10e648496b73c7a147dbc8d340fd6b1ea574cb1e63e75d70c8ec.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 15cd6653f3eb10e648496b73c7a147dbc8d340fd6b1ea574cb1e63e75d70c8ec.exe
The value lands under WOW6432Node because the sample is a 32-bit process on 64-bit Windows and its HKLM\SOFTWARE writes are redirected; when hunting on a live host, check both the native and the WOW6432Node Run keys.

Drops file in Windows directory (8 IoCs)
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
All eight files are Windows Update (wuauserv) and servicing-stack artifacts written by svchost.exe and TiWorker.exe, neither of which descends from the sample in the process tree below; treat this signature as sandbox background activity, not sample behaviour.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; nothing in this run records file encryption or a ransom note, and the YARA and Suricata hits above classify the sample as the Sakula RAT, so for this sample the drive access reads as reconnaissance rather than ransomware.

Runs ping.exe (1 TTP, 1 IoC)
PING.EXE (PID 3116) is started by cmd.exe as a short delay before the original dropper is deleted; see the cmd.exe command line in the process tree.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: svchost.exe, 15cd6653f3eb10e648496b73c7a147dbc8d340fd6b1ea574cb1e63e75d70c8ec.exe, TiWorker.exe
pid | process | privileges adjusted
428 | svchost.exe | SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating, three times each (6 entries)
1924 | 15cd6653f3eb10e648496b73c7a147dbc8d340fd6b1ea574cb1e63e75d70c8ec.exe | SeIncBasePriorityPrivilege (1 entry)
4692 | TiWorker.exe | SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, cycled repeatedly (the remaining 57 entries)
Only the single SeIncBasePriorityPrivilege adjustment belongs to the sample. The svchost.exe (wuauserv) and TiWorker.exe entries are Windows Update and servicing-stack activity that happened to run during the analysis window and are unrelated to the sample.
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 15cd6653f3eb10e648496b73c7a147dbc8d340fd6b1ea574cb1e63e75d70c8ec.exe, cmd.exe
pid | process | target pid | target process | entries
1924 | 15cd6653f3eb10e648496b73c7a147dbc8d340fd6b1ea574cb1e63e75d70c8ec.exe | 1776 | MediaCenter.exe | 3
1924 | 15cd6653f3eb10e648496b73c7a147dbc8d340fd6b1ea574cb1e63e75d70c8ec.exe | 4540 | cmd.exe | 3
4540 | cmd.exe | 3116 | PING.EXE | 3
Every write goes from a parent into a child it has just created, the same edges as the process tree below, which is consistent with the memory setup that accompanies process creation rather than with injection into an unrelated process.
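The two Suricata alerts in the signature list fire on the sample's HTTP beacon. As an added example, not part of this report or of the Emerging Threats ruleset, the following Python parses raw HTTP/1.x requests and flags the User-Agent pattern the first alert is named for, then generalises it to any bare one-token User-Agent. It assumes that alert keys on the literal header value `iexplore` (the signature name indicates this; the rule body is not on this page). The requests are constructed for the example, not captured from this sample, and the beacon format behind the second alert is not reproduced.

```python
"""Flag HTTP requests whose User-Agent is the bare token "iexplore".

Added example, not part of the sandbox report or of the ET ruleset. It assumes
the "ET MALWARE SUSPICIOUS UA (iexplore)" alert keys on the literal header value
"iexplore" (the signature name indicates this; the rule body is not on the page).
The requests below are constructed for the example, not captured traffic.
"""
import re
from typing import List, Optional, Tuple

REQUESTS: List[bytes] = [
    # Beacon-style request with the bare UA the alert is named for.
    b"GET /index.asp?id=1 HTTP/1.1\r\nHost: 203.0.113.10\r\nUser-Agent: iexplore\r\n"
    b"Connection: Keep-Alive\r\n\r\n",
    # Ordinary browser UA: product/version plus platform tokens.
    b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
    b"AppleWebKit/537.36\r\n\r\n",
    # Header names are case-insensitive; a lowercase header must still be found.
    b"GET /x HTTP/1.1\r\nHost: example.com\r\nuser-agent: curl/7.79.1\r\n\r\n",
    # Hypothetical bare product name: not the known string, but still odd for a real client.
    b"POST /up HTTP/1.1\r\nHost: 203.0.113.10\r\nUser-Agent: Updater\r\nContent-Length: 0\r\n\r\n",
    # No User-Agent at all.
    b"POST /up HTTP/1.1\r\nHost: 203.0.113.10\r\nContent-Length: 0\r\n\r\n",
]

KNOWN_BAD_UA = {"iexplore"}  # exact, case-sensitive, like a Suricata content match without nocase
# A single product token with no "/version" and no "(platform)" part.
BARE_TOKEN = re.compile(r"^[A-Za-z0-9_.-]+$")


def user_agent(raw: bytes) -> Optional[str]:
    """Return the User-Agent value of a raw HTTP/1.x request, or None if absent."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip().decode("latin-1")
    return None


def classify(raw: bytes) -> Tuple[str, Optional[str]]:
    """Label one request: known_bad_ua, bare_token_ua, no_ua or ok."""
    ua = user_agent(raw)
    if ua is None:
        return ("no_ua", None)
    if ua in KNOWN_BAD_UA:
        return ("known_bad_ua", ua)
    if BARE_TOKEN.match(ua):
        return ("bare_token_ua", ua)
    return ("ok", ua)


def scan(requests: List[bytes]) -> List[Tuple[str, Optional[str]]]:
    return [classify(r) for r in requests]


if __name__ == "__main__":
    for label, ua in scan(REQUESTS):
        print(f"{label:14} {ua!r}")
```

The exact-string check mirrors how a content match behaves: `IEXPLORE` would not hit `known_bad_ua` but still trips the bare-token heuristic, which is why the heuristic is worth keeping alongside the literal string. A missing User-Agent is only reported, since plenty of legitimate tooling omits it.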
Processes
1. C:\Users\Admin\AppData\Local\Temp\15cd6653f3eb10e648496b73c7a147dbc8d340fd6b1ea574cb1e63e75d70c8ec.exe (PID 1924)
   Command line: "C:\Users\Admin\AppData\Local\Temp\15cd6653f3eb10e648496b73c7a147dbc8d340fd6b1ea574cb1e63e75d70c8ec.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1776)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe (PID 4540)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15cd6653f3eb10e648496b73c7a147dbc8d340fd6b1ea574cb1e63e75d70c8ec.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE (PID 3116)
         Command line: ping 127.0.0.1
         - Runs ping.exe
1. C:\Windows\system32\svchost.exe (PID 428)
   Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 4692)
   Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample (PID 1924) drops MediaCenter.exe into %TEMP%\MicroMedia, registers it under the Run key, starts it, and then spawns cmd.exe to wait on ping 127.0.0.1 and delete its own executable with del /q. At the end of the run the original dropper is gone from disk while MediaCenter.exe remains on disk and in the Run key, so an on-host hunt should look for MediaCenter.exe and the MicroMedia Run value rather than for the submitted file. The command line names System32\cmd.exe but the image actually loaded is SysWOW64\cmd.exe: the 32-bit sample is subject to WOW64 file-system redirection, which matches the WOW6432Node registry path seen in the Run key signature. The svchost.exe (wuauserv) and TiWorker.exe roots are the Windows Update service and its servicing worker, not descendants of the sample.
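The tree above contains three behaviours worth turning into detections: a Run value pointing into a Temp path, an executable launched from Temp by a parent that itself runs from Temp, and the `cmd /c ping 127.0.0.1 & del /q "<dropper>"` chain in which ping only serves as a delay before the parent's file is removed. As an added example that is not part of this report, the following Python runs those checks (plus the weaker Geo\Nation lookup) over a small set of process and registry events constructed from this report's PIDs and paths. The event schema (`type`, `pid`, `ppid`, `image`, `cmdline`, `op`, `key`, `value`) is an assumed simplification, not any real EDR's format, and the severities are the example's own scale.

```python
"""Host-telemetry triage for the behaviours in this report.

Added example, not part of the sandbox report or the Sakula sample. The
event records are constructed from the report's process tree and registry
IoCs; the schema (type, pid, ppid, image, cmdline, op, key, value) is an
assumed simplification, not a real EDR format.
"""
import re
from typing import Dict, List, Tuple

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\15cd6653f3eb10e648496b73c7a147dbc8d340fd6b1ea574cb1e63e75d70c8ec.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events (PIDs and paths taken from the report's process tree).
EVENTS: List[Dict] = [
    {"type": "process", "pid": 1924, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "registry", "pid": 1924, "op": "set",
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
    {"type": "registry", "pid": 1924, "op": "query",
     "key": r"HKU\S-1-5-21-1346565761-3498240568-4147300184-1000"
            r"\Control Panel\International\Geo\Nation", "value": ""},
    {"type": "process", "pid": 1776, "ppid": 1924, "image": DROPPED, "cmdline": DROPPED},
    {"type": "process", "pid": 4540, "ppid": 1924, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process", "pid": 3116, "ppid": 4540, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
]

# Covers both the native and the WOW6432Node Run/RunOnce keys.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|AppData\\Roaming|Temp)\\", re.I)
# "ping <host> ... & del [/flags] <file.exe>": ping is a sleep, del removes the file.
SELF_DELETE = re.compile(
    r"\bping\s+\S+.*?&\s*del\s+(?:/[a-z]\s+)*\"?([^\"&]+?\.exe)\"?", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)

Finding = Tuple[str, str, int, str]  # (severity, rule, pid, detail)


def triage(events: List[Dict]) -> List[Finding]:
    """Return findings in event order; severities are the example's own scale."""
    image_by_pid = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    findings: List[Finding] = []
    for e in events:
        if e["type"] == "registry":
            if e["op"] == "set" and RUN_KEY.search(e["key"]):
                # Autostart pointing into a user-writable directory is the high-confidence case.
                sev = "high" if USER_WRITABLE.search(e["value"]) else "medium"
                findings.append((sev, "run_key_persistence", e["pid"], e["value"]))
            elif e["op"] == "query" and GEO_NATION.search(e["key"]):
                # Weak on its own (installers read it too); useful as corroboration.
                findings.append(("low", "geo_nation_lookup", e["pid"], e["key"]))
            continue
        parent_image = image_by_pid.get(e["ppid"], "")
        if USER_WRITABLE.search(e["image"]) and USER_WRITABLE.search(parent_image):
            findings.append(("medium", "exec_from_temp", e["pid"], e["image"]))
        m = SELF_DELETE.search(e["cmdline"])
        if m:
            target = m.group(1).strip()
            # Deleting the parent's own image is the dropper self-removal pattern.
            rule = "self_delete_parent" if target.lower() == parent_image.lower() else "delayed_delete"
            findings.append(("high", rule, e["pid"], target))
    return findings


if __name__ == "__main__":
    for sev, rule, pid, detail in triage(EVENTS):
        print(f"[{sev:6}] {rule:20} pid={pid} {detail}")
```

The self-delete rule compares the `del` target against the parent's image path rather than just matching `ping & del`, because the combination is also used by legitimate updaters that remove their own temporary files; the parent-image match is what singles out a dropper covering its tracks.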
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 87adf9566c4605148f15fb593fa250fb
- SHA1: f61142317ec0a64a07818649fcfab123f8dd734d
- SHA256: 27d802aa597d6810bd537d64368588c3ff46c3724d179d5f94d63d1ea6736267
- SHA512: 3e5e98e6134499808d822f29f2bbdc5d685203eebc741b7ee0b0d4da9c83f8ef46ede69bb0eebc68a051828d6634d481e22c0842dfd7daf2a8b8b1c66981b19c