Analysis
- max time kernel: 156s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 04:19

Static task: static1

Behavioral task: behavioral1
- Sample: 1586703f8a2624fb562863f6e6539b5fa647a0e0858ce131cb49eb943ac2b966.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 1586703f8a2624fb562863f6e6539b5fa647a0e0858ce131cb49eb943ac2b966.exe
- Resource: win10v2004-en-20220113
General
- Target: 1586703f8a2624fb562863f6e6539b5fa647a0e0858ce131cb49eb943ac2b966.exe
- Size: 89KB
- MD5: 77c19572915d6949592e2ec5614fb8b4
- SHA1: 2857e956fe9d32a682289966cfe3c4a8445f718f
- SHA256: 1586703f8a2624fb562863f6e6539b5fa647a0e0858ce131cb49eb943ac2b966
- SHA512: b67a35c5ad85ba939b948de34e2a2a4c016b049bc64db1a8e350ce375de5e75f6bac708282af38d4b8029ea8ea5951fbf256494a7b2b861a96753b0560f9f254
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

- suricata: ET MALWARE SUSPICIOUS UA (iexplore)

- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  4728 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 1586703f8a2624fb562863f6e6539b5fa647a0e0858ce131cb49eb943ac2b966.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1586703f8a2624fb562863f6e6539b5fa647a0e0858ce131cb49eb943ac2b966.exe
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, TiWorker.exe
  description | pid | process
  Token: SeShutdownPrivilege | 928 | svchost.exe (3 entries)
  Token: SeCreatePagefilePrivilege | 928 | svchost.exe (3 entries)
  Token: SeSecurityPrivilege | 3024 | TiWorker.exe (repeated)
  Token: SeRestorePrivilege | 3024 | TiWorker.exe (repeated)
  Token: SeBackupPrivilege | 3024 | TiWorker.exe (repeated)
  The report lists every token adjustment individually (64 entries in total); the TiWorker.exe entries cycle through the same three privileges.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 1586703f8a2624fb562863f6e6539b5fa647a0e0858ce131cb49eb943ac2b966.exe, cmd.exe
  description | pid | process | target process
  PID 4420 wrote to memory of 4728 | 4420 | 1586703f8a2624fb562863f6e6539b5fa647a0e0858ce131cb49eb943ac2b966.exe | MediaCenter.exe (3 entries)
  PID 4420 wrote to memory of 5076 | 4420 | 1586703f8a2624fb562863f6e6539b5fa647a0e0858ce131cb49eb943ac2b966.exe | cmd.exe (3 entries)
  PID 5076 wrote to memory of 2272 | 5076 | cmd.exe | PING.EXE (3 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\1586703f8a2624fb562863f6e6539b5fa647a0e0858ce131cb49eb943ac2b966.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1586703f8a2624fb562863f6e6539b5fa647a0e0858ce131cb49eb943ac2b966.exe"
   PID: 4420
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 4728
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1586703f8a2624fb562863f6e6539b5fa647a0e0858ce131cb49eb943ac2b966.exe"
      PID: 5076
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 2272
         - Runs ping.exe

1. C:\Windows\system32\svchost.exe
   Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
   PID: 928
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken

1. C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
   Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
   PID: 3024
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: f3b09515652f8187376d68c38a4b5ac6
- SHA1: 709091bf4794438e51571e064b6668424ca24766
- SHA256: 9ce52977fd1026a58e58d16e86e71e05cf43706f5f9d277c4a6f02dff8cafff0
- SHA512: f3147c8c3464436949f16a2120b24f634e337b528eae173c37adcd8b517fce759abc8999d78b45933e03a6945e9e338b02fe3ca31e63cab5a3bdc3b05c776280