Analysis
max time kernel: 145s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 05:33

Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: 125e1ca374935deaf640086f898de38dcb439e9526916fd7a4c1985916337cbe.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 125e1ca374935deaf640086f898de38dcb439e9526916fd7a4c1985916337cbe.exe
  Resource: win10v2004-en-20220113
The behaviour below is from the behavioral2 run (windows10-2004_x64, win10v2004-en-20220113); the win7 run is not shown on this page.
General
Target: 125e1ca374935deaf640086f898de38dcb439e9526916fd7a4c1985916337cbe.exe
Size: 89KB
MD5: d667ac4baa8d2110bffaab9890e28dd5
SHA1: b6757cc8a1eb6b5e3a9b0c732cdfc71ae64510d7
SHA256: 125e1ca374935deaf640086f898de38dcb439e9526916fd7a4c1985916337cbe
SHA512: 205cba6bc827879ef88b259b9314febf772fdcb26279d0277251529ef84774c6123d255b5b223b0f6267042dcf9c44b408610270e2e2a22b8ed8338e355d119f
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
  YARA rule family_sakula matched C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (listed twice)
The family match is on the dropped second-stage file, not on the submitted dropper itself.
-
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Both network signatures fired on the sample's command-and-control traffic: the Sakula beacon carries a user agent imitating Internet Explorer. The page's Network section records no destination host, so the C2 address is not available here.
-
Executes dropped EXE 1 IoCs
Processes:
  PID 1460  MediaCenter.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes:
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  by 125e1ca374935deaf640086f898de38dcb439e9526916fd7a4c1985916337cbe.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  by 125e1ca374935deaf640086f898de38dcb439e9526916fd7a4c1985916337cbe.exe
-
Drops file in Windows directory 8 IoCs
Processes:
  File opened for modification  C:\Windows\WinSxS\pending.xml  TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log  svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log  TiWorker.exe
None of these writes come from the sample: all eight are the Windows Update service (svchost.exe -s wuauserv) and the servicing worker (TiWorker.exe) running in the analysis VM, and they should not be used as indicators.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature says "likely ransomware behaviour"; that label is the signature's, not a finding about this sample, which is classified by the YARA and Suricata hits above as the Sakula/Mivast RAT. No process or IoC is attributed to this signature on the page.
-
Runs ping.exe 1 TTPs 1 IoCs
The ping of 127.0.0.1 is not network activity: as the cmd.exe command line in the process tree shows, it is used as a short delay before del /q removes the original dropper from Temp (self-deletion).
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (condensed from the 64 listed token events):
  svchost.exe (PID 4520): SeShutdownPrivilege x3, SeCreatePagefilePrivilege x3
  TiWorker.exe (PID 2784): SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege, cycled repeatedly (57 events)
  125e1ca374935deaf640086f898de38dcb439e9526916fd7a4c1985916337cbe.exe (PID 3636): SeIncBasePriorityPrivilege x1
Only the single SeIncBasePriorityPrivilege adjustment belongs to the sample; the other 63 events are the Windows Update servicing stack (wuauserv and TiWorker.exe) and are sandbox background noise.
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  PID 3636 (125e1ca374935deaf640086f898de38dcb439e9526916fd7a4c1985916337cbe.exe) wrote to memory of PID 1460 (MediaCenter.exe)  x3
  PID 3636 (125e1ca374935deaf640086f898de38dcb439e9526916fd7a4c1985916337cbe.exe) wrote to memory of PID 2280 (cmd.exe)  x3
  PID 2280 (cmd.exe) wrote to memory of PID 4836 (PING.EXE)  x3
Every write targets a child the writer has just created, and no write into an unrelated process is recorded, so this is the normal parent-to-child startup pattern rather than code injection.
Processes
125e1ca374935deaf640086f898de38dcb439e9526916fd7a4c1985916337cbe.exe (PID 3636)
  image:   C:\Users\Admin\AppData\Local\Temp\125e1ca374935deaf640086f898de38dcb439e9526916fd7a4c1985916337cbe.exe
  command: "C:\Users\Admin\AppData\Local\Temp\125e1ca374935deaf640086f898de38dcb439e9526916fd7a4c1985916337cbe.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  MediaCenter.exe (PID 1460)
    image:   C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  cmd.exe (PID 2280)
    image:   C:\Windows\SysWOW64\cmd.exe
    command: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\125e1ca374935deaf640086f898de38dcb439e9526916fd7a4c1985916337cbe.exe"
    - Suspicious use of WriteProcessMemory
    PING.EXE (PID 4836)
      image:   C:\Windows\SysWOW64\PING.EXE
      command: ping 127.0.0.1
      - Runs ping.exe

svchost.exe (PID 4520)
  image:   C:\Windows\system32\svchost.exe
  command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

TiWorker.exe (PID 2784)
  image:   C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  command: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the dropper writes MediaCenter.exe under %LOCALAPPDATA%\Temp\MicroMedia, registers it under the Run key and launches it, then spawns cmd.exe to delete its own image after a loopback ping. The dropper is a 32-bit process: its command line names System32\cmd.exe but the resolved image is SysWOW64\cmd.exe, and its Run key lands in the WOW6432Node view, so hunts on the 64-bit HKLM\...\Run path alone would miss this persistence. The svchost.exe (wuauserv) and TiWorker.exe trees are unrelated Windows Update activity in the sandbox.
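The three host behaviours the report attributes to the dropper (Run key into a user Temp path, Geo\Nation geofence lookup, ping-then-del self-deletion) can be turned into detection logic and checked against the rows on this page. The following is an added example written for this edit, not code from the sandbox or from the malware; the Record fields, the rule names and the one benign control row are this example's own constructions.

```python
import re
from dataclasses import dataclass


# Constructed records mirroring this report's IoC rows and process tree.
# The field names (op, process, pid, target, value, parent_image) are this
# example's own simplification, not the sandbox's schema.
@dataclass
class Record:
    op: str                 # "Set value (str)", "Key value queried", "Process created"
    process: str            # image path of the acting process
    pid: int
    target: str = ""        # registry path, or the command line for "Process created"
    value: str = ""         # data written for "Set value"
    parent_image: str = ""  # parent's image path for "Process created"


# Autostart value under either registry view (the WOW6432Node hive on this page
# is the 32-bit view seen by the WOW64 dropper) pointing into a user profile dir.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(?:Local|Roaming)\\", re.I)
# Country-code lookup used as a geofence.
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# cmd /c ping <loopback> [...] & del [flags] "<path>": ping is the sleep,
# del removes the file; the quoted path is captured for correlation.
PING_THEN_DEL = re.compile(
    r"\bping\b[^&]*\b(?:127\.0\.0\.1|localhost)\b[^&]*&\s*del\b[^\"]*\"([^\"]+)\"", re.I)


def run_key_into_user_dir(rec: Record) -> bool:
    """Run-key value whose target lives in a user-writable profile directory."""
    return (rec.op.startswith("Set value")
            and RUN_KEY.search(rec.target) is not None
            and USER_WRITABLE.search(rec.value) is not None)


def geofence_lookup(rec: Record) -> bool:
    return rec.op == "Key value queried" and GEO_NATION.search(rec.target) is not None


def self_delete_via_ping(rec: Record):
    """Return the deleted path when a spawned cmd deletes its parent's own image."""
    if rec.op != "Process created":
        return None
    m = PING_THEN_DEL.search(rec.target)
    if m is None:
        return None
    deleted = m.group(1)
    return deleted if deleted.lower() == rec.parent_image.lower() else None


def hunt(records):
    """Return (rule, pid, evidence) tuples; correlates the Run-key target with
    process creations to flag the dropped EXE actually being executed."""
    executed = {r.process.lower() for r in records if r.op == "Process created"}
    hits = []
    for r in records:
        if run_key_into_user_dir(r):
            hits.append(("run_key_user_dir", r.pid, r.value))
            if r.value.lower() in executed:
                hits.append(("dropped_exe_executed", r.pid, r.value))
        if geofence_lookup(r):
            hits.append(("geofence_lookup", r.pid, r.target))
        deleted = self_delete_via_ping(r)
        if deleted is not None:
            hits.append(("self_delete_ping", r.pid, deleted))
    return hits


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\125e1ca374935deaf640086f898de38dcb439e9526916fd7a4c1985916337cbe.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed from the rows on this page, plus one constructed benign Run key
# (explorer.exe writing a Program Files target) as a negative control.
SAMPLE_RECORDS = [
    Record("Key value queried", DROPPER, 3636,
           target=r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000"
                  r"\Control Panel\International\Geo\Nation"),
    Record("Set value (str)", DROPPER, 3636,
           target=r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
           value=PAYLOAD),
    Record("Process created", PAYLOAD, 1460, target=PAYLOAD, parent_image=DROPPER),
    Record("Process created", r"C:\Windows\SysWOW64\cmd.exe", 2280,
           target=r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + DROPPER + '"',
           parent_image=DROPPER),
    Record("Process created", r"C:\Windows\SysWOW64\PING.EXE", 4836,
           target="ping 127.0.0.1", parent_image=r"C:\Windows\SysWOW64\cmd.exe"),
    Record("Set value (str)", r"C:\Windows\explorer.exe", 1234,
           target=r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000"
                  r"\Software\Microsoft\Windows\CurrentVersion\Run\ConstructedBenignApp",
           value=r"C:\Program Files\ConstructedBenignApp\app.exe"),
]

if __name__ == "__main__":
    for rule, pid, evidence in hunt(SAMPLE_RECORDS):
        print(f"{rule:22} pid={pid} {evidence}")
```

Run against the page's rows this yields four hits: the geofence lookup, the Run key into Temp, the dropped EXE being executed, and the self-deletion by the cmd.exe child; the constructed Program Files Run key is not flagged. The self-deletion rule deliberately requires the deleted path to equal the parent's image, which separates this dropper pattern from installers that clean up a temporary file with the same ping-and-del idiom.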
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 2204d6db18c0cc8b10b8cf5a04388233
SHA1: 9864f220cc87c671c6dd89ad36e1b5c24aa30acd
SHA256: 4bd1b5513377153894b8fc1a15545e7462384ec5f254e386a8cd283c7c9a9c0c
SHA512: 164c4d1bebd77e8e60d98ee53e18307d63944c56cf6270f7dcd91b990a786c74095979ad23054f8de559c6094264b75de91de6722178e9055e1610b17867d615
These hashes differ from the submitted sample's, so this is a second file captured during the run (the original page listed the same entry twice); the page does not name the file.