Analysis
-
max time kernel
152s -
max time network
165s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 05:21
Static task
static1
Behavioral task
behavioral1
Sample
12fb0a64c8841c5f642dc2a8170de9b681c3a62d2a82f47f6e2f49815809b0c1.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
12fb0a64c8841c5f642dc2a8170de9b681c3a62d2a82f47f6e2f49815809b0c1.exe
Resource
win10v2004-en-20220113
General
-
Target
12fb0a64c8841c5f642dc2a8170de9b681c3a62d2a82f47f6e2f49815809b0c1.exe
-
Size
150KB
-
MD5
99aced64a2b692ee854b5e015f177fcd
-
SHA1
c32b6efcc09450bdb781082714a58f2d3deca78c
-
SHA256
12fb0a64c8841c5f642dc2a8170de9b681c3a62d2a82f47f6e2f49815809b0c1
-
SHA512
6ab54709c3e0e7a9ed23f0f3491ebab8e52650ac650097fd7323570eb69ee40de88cab521a3fb7cd32a63eeec94e401e0197657c63716c71abf12fb9bde8042f
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 4508 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
12fb0a64c8841c5f642dc2a8170de9b681c3a62d2a82f47f6e2f49815809b0c1.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 12fb0a64c8841c5f642dc2a8170de9b681c3a62d2a82f47f6e2f49815809b0c1.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
12fb0a64c8841c5f642dc2a8170de9b681c3a62d2a82f47f6e2f49815809b0c1.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 12fb0a64c8841c5f642dc2a8170de9b681c3a62d2a82f47f6e2f49815809b0c1.exe -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
12fb0a64c8841c5f642dc2a8170de9b681c3a62d2a82f47f6e2f49815809b0c1.exesvchost.exeTiWorker.exedescription pid process Token: SeIncBasePriorityPrivilege 4504 12fb0a64c8841c5f642dc2a8170de9b681c3a62d2a82f47f6e2f49815809b0c1.exe Token: SeShutdownPrivilege 3564 svchost.exe Token: SeCreatePagefilePrivilege 3564 svchost.exe Token: SeShutdownPrivilege 3564 svchost.exe Token: SeCreatePagefilePrivilege 3564 svchost.exe Token: SeShutdownPrivilege 3564 svchost.exe Token: SeCreatePagefilePrivilege 3564 svchost.exe Token: SeSecurityPrivilege 2372 TiWorker.exe Token: SeRestorePrivilege 2372 TiWorker.exe Token: SeBackupPrivilege 2372 TiWorker.exe Token: SeBackupPrivilege 2372 TiWorker.exe Token: SeRestorePrivilege 2372 TiWorker.exe Token: SeSecurityPrivilege 2372 TiWorker.exe Token: SeBackupPrivilege 2372 TiWorker.exe Token: SeRestorePrivilege 2372 TiWorker.exe Token: SeSecurityPrivilege 2372 TiWorker.exe Token: SeBackupPrivilege 2372 TiWorker.exe Token: SeRestorePrivilege 2372 TiWorker.exe Token: SeSecurityPrivilege 2372 TiWorker.exe Token: SeBackupPrivilege 2372 TiWorker.exe Token: SeRestorePrivilege 2372 TiWorker.exe Token: SeSecurityPrivilege 2372 TiWorker.exe Token: SeBackupPrivilege 2372 TiWorker.exe Token: SeRestorePrivilege 2372 TiWorker.exe Token: SeSecurityPrivilege 2372 TiWorker.exe Token: SeBackupPrivilege 2372 TiWorker.exe Token: SeRestorePrivilege 2372 TiWorker.exe Token: SeSecurityPrivilege 2372 TiWorker.exe Token: SeBackupPrivilege 2372 TiWorker.exe Token: SeRestorePrivilege 2372 TiWorker.exe Token: SeSecurityPrivilege 2372 TiWorker.exe Token: SeBackupPrivilege 2372 TiWorker.exe Token: SeRestorePrivilege 2372 TiWorker.exe Token: SeSecurityPrivilege 2372 TiWorker.exe Token: SeBackupPrivilege 2372 TiWorker.exe Token: SeRestorePrivilege 2372 TiWorker.exe Token: SeSecurityPrivilege 2372 TiWorker.exe Token: SeBackupPrivilege 2372 TiWorker.exe Token: SeRestorePrivilege 2372 TiWorker.exe Token: SeSecurityPrivilege 2372 TiWorker.exe Token: SeBackupPrivilege 2372 TiWorker.exe Token: SeRestorePrivilege 2372 TiWorker.exe Token: SeSecurityPrivilege 2372 TiWorker.exe Token: SeBackupPrivilege 2372 TiWorker.exe Token: SeRestorePrivilege 2372 TiWorker.exe Token: SeSecurityPrivilege 2372 TiWorker.exe Token: SeBackupPrivilege 2372 TiWorker.exe Token: SeRestorePrivilege 2372 TiWorker.exe Token: SeSecurityPrivilege 2372 TiWorker.exe Token: SeBackupPrivilege 2372 TiWorker.exe Token: SeRestorePrivilege 2372 TiWorker.exe Token: SeSecurityPrivilege 2372 TiWorker.exe Token: SeBackupPrivilege 2372 TiWorker.exe Token: SeRestorePrivilege 2372 TiWorker.exe Token: SeSecurityPrivilege 2372 TiWorker.exe Token: SeBackupPrivilege 2372 TiWorker.exe Token: SeRestorePrivilege 2372 TiWorker.exe Token: SeSecurityPrivilege 2372 TiWorker.exe Token: SeBackupPrivilege 2372 TiWorker.exe Token: SeRestorePrivilege 2372 TiWorker.exe Token: SeSecurityPrivilege 2372 TiWorker.exe Token: SeBackupPrivilege 2372 TiWorker.exe Token: SeRestorePrivilege 2372 TiWorker.exe Token: SeSecurityPrivilege 2372 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
12fb0a64c8841c5f642dc2a8170de9b681c3a62d2a82f47f6e2f49815809b0c1.execmd.exedescription pid process target process PID 4504 wrote to memory of 4508 4504 12fb0a64c8841c5f642dc2a8170de9b681c3a62d2a82f47f6e2f49815809b0c1.exe MediaCenter.exe PID 4504 wrote to memory of 4508 4504 12fb0a64c8841c5f642dc2a8170de9b681c3a62d2a82f47f6e2f49815809b0c1.exe MediaCenter.exe PID 4504 wrote to memory of 4508 4504 12fb0a64c8841c5f642dc2a8170de9b681c3a62d2a82f47f6e2f49815809b0c1.exe MediaCenter.exe PID 4504 wrote to memory of 812 4504 12fb0a64c8841c5f642dc2a8170de9b681c3a62d2a82f47f6e2f49815809b0c1.exe cmd.exe PID 4504 wrote to memory of 812 4504 12fb0a64c8841c5f642dc2a8170de9b681c3a62d2a82f47f6e2f49815809b0c1.exe cmd.exe PID 4504 wrote to memory of 812 4504 12fb0a64c8841c5f642dc2a8170de9b681c3a62d2a82f47f6e2f49815809b0c1.exe cmd.exe PID 812 wrote to memory of 2324 812 cmd.exe PING.EXE PID 812 wrote to memory of 2324 812 cmd.exe PING.EXE PID 812 wrote to memory of 2324 812 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\12fb0a64c8841c5f642dc2a8170de9b681c3a62d2a82f47f6e2f49815809b0c1.exe"C:\Users\Admin\AppData\Local\Temp\12fb0a64c8841c5f642dc2a8170de9b681c3a62d2a82f47f6e2f49815809b0c1.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\12fb0a64c8841c5f642dc2a8170de9b681c3a62d2a82f47f6e2f49815809b0c1.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:2324
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3564
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2372
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
fa894339c2bdc422d3bfe488a70cf1bb
SHA10128b2e86dd99fdb9165183826ce1aa7be99ae0e
SHA256cc13b6957bdd6ac9ae65f037f2e2604e2bcad8f2ed4b52772323aff6193a587f
SHA5127e3b54d24b0e83061037be29f272545de7e73cc01c5a4af5c1e39cc494b22c199c19b65d99f0d0e8c1e06bafe287c70a2bdd4c2d07dbe07d9666072928c8f63b
-
MD5
fa894339c2bdc422d3bfe488a70cf1bb
SHA10128b2e86dd99fdb9165183826ce1aa7be99ae0e
SHA256cc13b6957bdd6ac9ae65f037f2e2604e2bcad8f2ed4b52772323aff6193a587f
SHA5127e3b54d24b0e83061037be29f272545de7e73cc01c5a4af5c1e39cc494b22c199c19b65d99f0d0e8c1e06bafe287c70a2bdd4c2d07dbe07d9666072928c8f63b