Analysis
max time kernel: 143s
max time network: 168s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 05:20
Static task: static1
Behavioral task: behavioral1
  Sample: 1303a5e8c40e398eb6d5bd1cad2f7a31fa0ac052c520db0e59d0bf73d3f70906.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1303a5e8c40e398eb6d5bd1cad2f7a31fa0ac052c520db0e59d0bf73d3f70906.exe
  Resource: win10v2004-en-20220113
General
Target: 1303a5e8c40e398eb6d5bd1cad2f7a31fa0ac052c520db0e59d0bf73d3f70906.exe
Size: 216KB
MD5: 8c8d92397e5d19d85d32268c9f28c7dc
SHA1: a0f4c4835cf136965acbd517b4353c7f7f2f652d
SHA256: 1303a5e8c40e398eb6d5bd1cad2f7a31fa0ac052c520db0e59d0bf73d3f70906
SHA512: a6aa8e556bff5c25b864d3d4bfc9e63ca9c2b303de57f55334b152ba87e0711813d155457cc437bbd1c05ba2f4709c698bfa394fdd9d959ff9554213c2c457bd
Malware Config
Signatures

Sakula Payload (4 IoCs)
Processes:
  resource                                                                      yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                  family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                  family_sakula
  behavioral2/memory/2528-135-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
  behavioral2/memory/2328-136-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoCs)
Processes:
  pid   process
  2328  MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                           process
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  1303a5e8c40e398eb6d5bd1cad2f7a31fa0ac052c520db0e59d0bf73d3f70906.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description      ioc                                                                                                                                                          process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  1303a5e8c40e398eb6d5bd1cad2f7a31fa0ac052c520db0e59d0bf73d3f70906.exe
Drops file in Windows directory (8 IoCs)
Processes:
  description                   ioc                                                          process
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log          svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log                                  TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml                                TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log                                 svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk       svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log       svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb      svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm      svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description                       pid   process
  Token: SeShutdownPrivilege        4856  svchost.exe
  Token: SeCreatePagefilePrivilege  4856  svchost.exe
  Token: SeShutdownPrivilege        4856  svchost.exe
  Token: SeCreatePagefilePrivilege  4856  svchost.exe
  Token: SeShutdownPrivilege        4856  svchost.exe
  Token: SeCreatePagefilePrivilege  4856  svchost.exe
  Token: SeIncBasePriorityPrivilege 2528  1303a5e8c40e398eb6d5bd1cad2f7a31fa0ac052c520db0e59d0bf73d3f70906.exe
  Token: SeSecurityPrivilege        1472  TiWorker.exe
  Token: SeRestorePrivilege         1472  TiWorker.exe
  Token: SeBackupPrivilege          1472  TiWorker.exe
  Token: SeBackupPrivilege          1472  TiWorker.exe
  Token: SeRestorePrivilege         1472  TiWorker.exe
  Token: SeSecurityPrivilege        1472  TiWorker.exe
  Token: SeBackupPrivilege          1472  TiWorker.exe
  Token: SeRestorePrivilege         1472  TiWorker.exe
  Token: SeSecurityPrivilege        1472  TiWorker.exe
  Token: SeBackupPrivilege          1472  TiWorker.exe
  Token: SeRestorePrivilege         1472  TiWorker.exe
  Token: SeSecurityPrivilege        1472  TiWorker.exe
  Token: SeBackupPrivilege          1472  TiWorker.exe
  Token: SeRestorePrivilege         1472  TiWorker.exe
  Token: SeSecurityPrivilege        1472  TiWorker.exe
  Token: SeBackupPrivilege          1472  TiWorker.exe
  Token: SeRestorePrivilege         1472  TiWorker.exe
  Token: SeSecurityPrivilege        1472  TiWorker.exe
  Token: SeBackupPrivilege          1472  TiWorker.exe
  Token: SeRestorePrivilege         1472  TiWorker.exe
  Token: SeSecurityPrivilege        1472  TiWorker.exe
  Token: SeBackupPrivilege          1472  TiWorker.exe
  Token: SeRestorePrivilege         1472  TiWorker.exe
  Token: SeSecurityPrivilege        1472  TiWorker.exe
  Token: SeBackupPrivilege          1472  TiWorker.exe
  Token: SeRestorePrivilege         1472  TiWorker.exe
  Token: SeSecurityPrivilege        1472  TiWorker.exe
  Token: SeBackupPrivilege          1472  TiWorker.exe
  Token: SeRestorePrivilege         1472  TiWorker.exe
  Token: SeSecurityPrivilege        1472  TiWorker.exe
  Token: SeBackupPrivilege          1472  TiWorker.exe
  Token: SeRestorePrivilege         1472  TiWorker.exe
  Token: SeSecurityPrivilege        1472  TiWorker.exe
  Token: SeBackupPrivilege          1472  TiWorker.exe
  Token: SeRestorePrivilege         1472  TiWorker.exe
  Token: SeSecurityPrivilege        1472  TiWorker.exe
  Token: SeBackupPrivilege          1472  TiWorker.exe
  Token: SeRestorePrivilege         1472  TiWorker.exe
  Token: SeSecurityPrivilege        1472  TiWorker.exe
  Token: SeBackupPrivilege          1472  TiWorker.exe
  Token: SeRestorePrivilege         1472  TiWorker.exe
  Token: SeSecurityPrivilege        1472  TiWorker.exe
  Token: SeBackupPrivilege          1472  TiWorker.exe
  Token: SeRestorePrivilege         1472  TiWorker.exe
  Token: SeSecurityPrivilege        1472  TiWorker.exe
  Token: SeBackupPrivilege          1472  TiWorker.exe
  Token: SeRestorePrivilege         1472  TiWorker.exe
  Token: SeSecurityPrivilege        1472  TiWorker.exe
  Token: SeBackupPrivilege          1472  TiWorker.exe
  Token: SeRestorePrivilege         1472  TiWorker.exe
  Token: SeSecurityPrivilege        1472  TiWorker.exe
  Token: SeBackupPrivilege          1472  TiWorker.exe
  Token: SeRestorePrivilege         1472  TiWorker.exe
  Token: SeSecurityPrivilege        1472  TiWorker.exe
  Token: SeBackupPrivilege          1472  TiWorker.exe
  Token: SeRestorePrivilege         1472  TiWorker.exe
  Token: SeSecurityPrivilege        1472  TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                     pid   process                                                                  target process
  PID 2528 wrote to memory of 2328  2528  1303a5e8c40e398eb6d5bd1cad2f7a31fa0ac052c520db0e59d0bf73d3f70906.exe  MediaCenter.exe
  PID 2528 wrote to memory of 2328  2528  1303a5e8c40e398eb6d5bd1cad2f7a31fa0ac052c520db0e59d0bf73d3f70906.exe  MediaCenter.exe
  PID 2528 wrote to memory of 2328  2528  1303a5e8c40e398eb6d5bd1cad2f7a31fa0ac052c520db0e59d0bf73d3f70906.exe  MediaCenter.exe
  PID 2528 wrote to memory of 3080  2528  1303a5e8c40e398eb6d5bd1cad2f7a31fa0ac052c520db0e59d0bf73d3f70906.exe  cmd.exe
  PID 2528 wrote to memory of 3080  2528  1303a5e8c40e398eb6d5bd1cad2f7a31fa0ac052c520db0e59d0bf73d3f70906.exe  cmd.exe
  PID 2528 wrote to memory of 3080  2528  1303a5e8c40e398eb6d5bd1cad2f7a31fa0ac052c520db0e59d0bf73d3f70906.exe  cmd.exe
  PID 3080 wrote to memory of 4024  3080  cmd.exe                                                                  PING.EXE
  PID 3080 wrote to memory of 4024  3080  cmd.exe                                                                  PING.EXE
  PID 3080 wrote to memory of 4024  3080  cmd.exe                                                                  PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\1303a5e8c40e398eb6d5bd1cad2f7a31fa0ac052c520db0e59d0bf73d3f70906.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1303a5e8c40e398eb6d5bd1cad2f7a31fa0ac052c520db0e59d0bf73d3f70906.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2528

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 2328

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1303a5e8c40e398eb6d5bd1cad2f7a31fa0ac052c520db0e59d0bf73d3f70906.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3080

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 4024

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4856

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1472
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 1bfafef14b0ff4cceff82c200044aa9c
SHA1: a74c35bacd2091f5b8afe372642f89db3f8919ce
SHA256: 8a6fbf818e9d4f0cc1dd94c8e991df065f612c0af9471907d380768d0ac7e2a5
SHA512: b0541909c300112c344b0162d482b0c953d38c2da6d9147bc764145e8a8fcf0b8b21ded1ed4912ea200739cc68262ee499c02c16a68e74fd72a19d758ec32410