Analysis

- max time kernel: 139s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 04:20

Static task: static1

Behavioral task: behavioral1
- Sample: 157ffa946796f8d5bf6ce129e7954e05311bf4bc115a08ba72fe1185c52e354f.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 157ffa946796f8d5bf6ce129e7954e05311bf4bc115a08ba72fe1185c52e354f.exe
- Resource: win10v2004-en-20220113
General

- Target: 157ffa946796f8d5bf6ce129e7954e05311bf4bc115a08ba72fe1185c52e354f.exe
- Size: 89KB
- MD5: f31ad30e246c00a5aa1943b2d75b3bf7
- SHA1: 30e3cc56fe0422e7e3b0031235c88bca888a6382
- SHA256: 157ffa946796f8d5bf6ce129e7954e05311bf4bc115a08ba72fe1185c52e354f
- SHA512: 5d5078e23bf3c99442f75e23785f6680b6b438efcca3c700b84c09e639ff5c3ca46bb0595d35fb04a8a9fc0e1ef363e0e25f79aa2fa5e6785d70aa174a2127ac
Malware Config
Signatures
-
Sakula Payload (2 IoCs)
  - resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    yara_rule: family_sakula
  - resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    yara_rule: family_sakula
-
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE (1 IoC)
  - pid: 4576
    process: MediaCenter.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  - description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
    process: 157ffa946796f8d5bf6ce129e7954e05311bf4bc115a08ba72fe1185c52e354f.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
  - description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 157ffa946796f8d5bf6ce129e7954e05311bf4bc115a08ba72fe1185c52e354f.exe
The WOW6432Node path shows the sample runs as a 32-bit process on the x64 VM. The Run value points at the dropped MediaCenter.exe (the file matched by the family_sakula rule) under the user's Temp directory, which is how the payload persists across logons.
-
Drops file in Windows directory (8 IoCs)
  File opened for modification:
  - C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
  - C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
  - C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
  - C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  - C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
  - C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  - C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  - C:\Windows\WindowsUpdate.log (svchost.exe)
All eight writes come from the Windows Update service host (svchost.exe -k netsvcs -s wuauserv) and the servicing worker TiWorker.exe, not from the sample or its dropped payload; treat them as VM background activity.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  The 64 token rows are collapsed below by privilege and process:
  - SeShutdownPrivilege, pid 4872, svchost.exe (3 times)
  - SeCreatePagefilePrivilege, pid 4872, svchost.exe (3 times)
  - SeIncBasePriorityPrivilege, pid 4316, 157ffa946796f8d5bf6ce129e7954e05311bf4bc115a08ba72fe1185c52e354f.exe (1 time)
  - SeSecurityPrivilege, pid 2328, TiWorker.exe (19 times)
  - SeRestorePrivilege, pid 2328, TiWorker.exe (19 times)
  - SeBackupPrivilege, pid 2328, TiWorker.exe (19 times)
Only the single SeIncBasePriorityPrivilege adjustment belongs to the sample; the svchost.exe and TiWorker.exe rows are the Windows Update service and the servicing stack doing their normal backup/restore work and should not be attributed to the malware.
Suspicious use of WriteProcessMemory (9 IoCs)
  - source: 4316 157ffa946796f8d5bf6ce129e7954e05311bf4bc115a08ba72fe1185c52e354f.exe
    target: 4576 MediaCenter.exe (3 writes)
  - source: 4316 157ffa946796f8d5bf6ce129e7954e05311bf4bc115a08ba72fe1185c52e354f.exe
    target: 4056 cmd.exe (3 writes)
  - source: 4056 cmd.exe
    target: 1444 PING.EXE (3 writes)
Processes

- C:\Users\Admin\AppData\Local\Temp\157ffa946796f8d5bf6ce129e7954e05311bf4bc115a08ba72fe1185c52e354f.exe (PID 4316)
  command line: "C:\Users\Admin\AppData\Local\Temp\157ffa946796f8d5bf6ce129e7954e05311bf4bc115a08ba72fe1185c52e354f.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 4576)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 4056)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\157ffa946796f8d5bf6ce129e7954e05311bf4bc115a08ba72fe1185c52e354f.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1444)
      command line: ping 127.0.0.1
      - Runs ping.exe

- C:\Windows\system32\svchost.exe (PID 4872)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 2328)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

The cmd.exe child is the sample's self-deletion: ping 127.0.0.1 only serves as a short delay so the parent can exit, after which del /q removes the original dropper and only the dropped MediaCenter.exe remains on disk. The image path is SysWOW64 while the command line says System32 because the 32-bit sample is subject to file-system redirection. The svchost.exe (wuauserv) and TiWorker.exe trees are unrelated Windows Update activity.
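The process tree and registry IoCs above are enough to write detections for this behaviour without relying on the family signature. The following is an added example, not part of the sandbox report: a small Python rule set run over process-creation and registry events. The events are constructed by hand from the tree and IoCs above (the PIDs, paths and command lines are the report's; the event field names and the `op` values are an assumed schema, not a real EDR format). It flags four things the report shows: a binary in the user's Temp directory launching another binary from Temp, a cmd.exe child whose `ping ... & del` target is its own parent's image, a Run value pointing into Temp, and a Temp binary reading the Geo\Nation country code. The Windows Update svchost.exe is included as a negative case.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\157ffa946796f8d5bf6ce129e7954e05311bf4bc115a08ba72fe1185c52e354f.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"


@dataclass
class ProcEvent:          # assumed schema, not a real EDR event format
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class RegEvent:           # assumed schema; op is "set" or "query"
    pid: int
    op: str
    key: str
    value: str
    data: str = ""


# Constructed events mirroring the report's process tree and registry IoCs.
PROC_EVENTS = [
    ProcEvent(4316, 1, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4576, 4316, DROPPED, DROPPED),
    ProcEvent(4056, 4316, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcEvent(1444, 4056, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    # Windows Update background activity, also in the report; must not alert.
    ProcEvent(4872, 1, r"C:\Windows\system32\svchost.exe",
              r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"),
]
REG_EVENTS = [
    RegEvent(4316, "query",
             r"HKU\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo",
             "Nation"),
    RegEvent(4316, "set",
             r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
             "MicroMedia", DROPPED),
]

USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
RUN_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?$", re.I)
GEO_KEY = re.compile(r"\\control panel\\international\\geo$", re.I)
# "ping <anything> & del [/flags] <target>": the ping only delays the delete.
PING_DEL = re.compile(r"\bping\b[^&]*&\s*del\b\s+(?:/\w+\s+)*\"?([^\"&]+?)\"?\s*$", re.I)


def in_user_temp(path: str) -> bool:
    """True when a path lies under C:\\Users\\<user>\\AppData\\Local\\Temp\\."""
    return bool(USER_TEMP.match(path.strip('"')))


def detect(procs: List[ProcEvent], regs: List[RegEvent]) -> List[dict]:
    """Return one finding dict per matched rule, in event order."""
    by_pid: Dict[int, ProcEvent] = {p.pid: p for p in procs}
    findings: List[dict] = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        # 1. Dropped payload: Temp binary started by another Temp binary.
        if parent and in_user_temp(p.image) and in_user_temp(parent.image):
            findings.append({"rule": "dropped_exe_from_temp", "pid": p.pid, "image": p.image})
        # 2. Self-deletion: cmd.exe whose "ping & del" target is its parent's image.
        m = PING_DEL.search(p.cmdline)
        if m and parent and p.image.lower().endswith("\\cmd.exe"):
            if m.group(1).strip().lower() == parent.image.lower():
                findings.append({"rule": "self_delete_via_ping_del", "pid": p.pid,
                                 "target": parent.image})
    for r in regs:
        proc = by_pid.get(r.pid)
        # 3. Persistence: Run value whose data points into a user Temp directory.
        if r.op == "set" and RUN_KEY.search(r.key) and in_user_temp(r.data):
            findings.append({"rule": "run_key_to_user_temp", "pid": r.pid,
                             "value": r.value, "data": r.data})
        # 4. Geofencing: Temp binary reads the configured country code.
        if (r.op == "query" and r.value.lower() == "nation" and GEO_KEY.search(r.key)
                and proc and in_user_temp(proc.image)):
            findings.append({"rule": "geo_nation_lookup_from_temp", "pid": r.pid})
    return findings


if __name__ == "__main__":
    for finding in detect(PROC_EVENTS, REG_EVENTS):
        print(finding)
```

Rule 2 is the most specific of the four: a `ping`/`del` chain is common in installers, but one whose delete target is exactly the parent process image is the dropper self-deletion seen in this tree. Rules 1 and 3 generalise to any payload staged in a user Temp directory and will need an allow-list for legitimate updaters in production.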
Network
MITRE ATT&CK Enterprise v6
Downloads

- MD5: 24b56f18e620b4f846b44c66de4862ee
- SHA1: 035100f4cbd131bc5de285aae8c8fedf5600572b
- SHA256: b58f1007a1c438de7b726a89a13248bc79f7e3a09f244051011063da2925181b
- SHA512: 839c4b6b06bae1bb405e089323d8cb43de358d8d75c2ab573269fc5fb5c22a40d991a7699e4f6faa8b82a55499e6a5b1693b26019f95e0a7176c020a952dd3d7