Analysis
max time kernel: 164s
max time network: 177s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 04:51
Static task: static1
Behavioral task: behavioral1
  Sample: 14366ac9ecf55e98afe202d138fb08dac5e0c53d800fe151376a807349f30599.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 14366ac9ecf55e98afe202d138fb08dac5e0c53d800fe151376a807349f30599.exe
  Resource: win10v2004-en-20220113
General
Target: 14366ac9ecf55e98afe202d138fb08dac5e0c53d800fe151376a807349f30599.exe
Size: 116KB
MD5: a6f6e36cd5fb690446a3f078bf84834b
SHA1: 92e5d658cc9f24fb6773b93b857d4af54d14dbed
SHA256: 14366ac9ecf55e98afe202d138fb08dac5e0c53d800fe151376a807349f30599
SHA512: dfd637e693e0aee6817cbaa47befeee813f46615e56ad9a6bc448f18abe4eeb2dcbc89befa37e27e1c6ee28f0e83136173a13feb2c3677eecddedd82701d0eb6
Malware Config
Signatures
Sakula Payload 4 IoCs
Processes (resource / yara_rule):
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  behavioral2/memory/4740-135-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
  behavioral2/memory/5036-136-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
The two memory hits are the original sample (PID 4740) and the dropped MediaCenter.exe (PID 5036); both match the same YARA rule in the same 0x400000-0x420000 image range.

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE 1 IoCs
Processes:
  PID 5036  MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check (the value under Geo\Nation is the numeric GeoID of the configured location).
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  by: 14366ac9ecf55e98afe202d138fb08dac5e0c53d800fe151376a807349f30599.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  by: 14366ac9ecf55e98afe202d138fb08dac5e0c53d800fe151376a807349f30599.exe
The WOW6432Node path is registry redirection: the 32-bit sample wrote to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and the 64-bit host stored it in the 32-bit view, which is still processed at logon. Because the write landed under HKLM, the sample had machine-wide write access in this run; the persisted path points into the user's Temp directory, which is a useful hunting pivot on its own.
Drops file in Windows directory 8 IoCs
Processes:
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  svchost.exe
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  svchost.exe
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  svchost.exe
  File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log  svchost.exe
  File opened for modification: C:\Windows\Logs\CBS\CBS.log  TiWorker.exe
  File opened for modification: C:\Windows\WinSxS\pending.xml  TiWorker.exe
  File opened for modification: C:\Windows\WindowsUpdate.log  svchost.exe
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  svchost.exe
All eight entries belong to svchost.exe (wuauserv) and TiWorker.exe, i.e. Windows Update and component servicing running in the sandbox; none is attributable to the sample or its child processes.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description flags this as "likely ransomware behaviour"; in this run the payload is identified as Sakula, a RAT, so treat it as drive enumeration rather than evidence of encryption activity.

Runs ping.exe 1 TTPs 1 IoCs
Used here as a short delay before the sample deletes its own executable (see the cmd.exe command line in the process tree).
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  svchost.exe (PID 3156): SeShutdownPrivilege, SeCreatePagefilePrivilege (each enabled three times)
  14366ac9ecf55e98afe202d138fb08dac5e0c53d800fe151376a807349f30599.exe (PID 4740): SeIncBasePriorityPrivilege
  TiWorker.exe (PID 4480): SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege (cycled repeatedly for the rest of the run)
Only the single SeIncBasePriorityPrivilege adjustment by PID 4740 is the sample's own; the svchost.exe and TiWorker.exe entries are Windows Update and servicing activity in the sandbox image.
Suspicious use of WriteProcessMemory 9 IoCs
Processes (source PID -> target PID):
  4740 14366ac9ecf55e98afe202d138fb08dac5e0c53d800fe151376a807349f30599.exe -> 5036 MediaCenter.exe  (3 writes)
  4740 14366ac9ecf55e98afe202d138fb08dac5e0c53d800fe151376a807349f30599.exe -> 2200 cmd.exe  (3 writes)
  2200 cmd.exe -> 2372 PING.EXE  (3 writes)
Each write goes from a parent into a child it has just created, which is consistent with ordinary process start-up rather than injection into an unrelated process; the signature is generic.
Processes
C:\Users\Admin\AppData\Local\Temp\14366ac9ecf55e98afe202d138fb08dac5e0c53d800fe151376a807349f30599.exe  (PID 4740)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\14366ac9ecf55e98afe202d138fb08dac5e0c53d800fe151376a807349f30599.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  +-- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 5036)
        cmdline: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        - Executes dropped EXE
  +-- C:\Windows\SysWOW64\cmd.exe  (PID 2200)
        cmdline: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14366ac9ecf55e98afe202d138fb08dac5e0c53d800fe151376a807349f30599.exe"
        - Suspicious use of WriteProcessMemory
        +-- C:\Windows\SysWOW64\PING.EXE  (PID 2372)
              cmdline: ping 127.0.0.1
              - Runs ping.exe

C:\Windows\system32\svchost.exe  (PID 3156)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  (PID 4480)
  cmdline: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

The sample's tree is the whole story: drop MicroMedia\MediaCenter.exe, persist it via the Run key, launch it, then remove the original binary with a ping-delayed del. The command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe, which is file-system redirection for a 32-bit parent on x64 and confirms the sample is a 32-bit binary. The svchost.exe and TiWorker.exe trees are unrelated Windows Update and servicing activity.
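The three host-side behaviours this report attributes to the sample (the Run key pointing into a Temp directory, the country-code lookup, and the ping-then-del self-deletion) are each detectable from ordinary process-creation and registry telemetry. The following is an added example, not part of the sandbox report: the event records are constructed to mirror the report's process tree and registry IoCs, the rule names and the Event record layout are this example's own, and the rules generalise slightly beyond the report (RunOnce as well as Run, localhost as well as 127.0.0.1, extra ping arguments such as -n).

```python
"""Detection rules for the Sakula dropper behaviours seen in the report above.
Event records are constructed from the report's process tree and registry IoCs;
they are not real telemetry, and the Event layout is this example's own."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Event:
    """One telemetry record: kind is 'process' (creation) or 'registry' (set/query)."""
    kind: str
    pid: int
    image: str
    ppid: Optional[int] = None
    cmdline: str = ""
    key: str = ""
    value: str = ""
    op: str = ""  # registry events only: 'set' or 'query'


# Run or RunOnce under any hive/view (the WOW6432Node path in the report still matches).
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Any user's %LOCALAPPDATA%\Temp.
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
# The GeoID value the sample queried.
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# 'ping [args] 127.0.0.1|localhost [args] & del ...' within one command line.
PING_THEN_DEL = re.compile(r"\bping\b[^&]*\b(127\.0\.0\.1|localhost)\b[^&]*&\s*del\b", re.I)


def rule_run_key_into_temp(ev: Event, _by_pid: Dict[int, Event]) -> bool:
    """A Run/RunOnce value is written whose target lives in a user's Temp directory."""
    return (ev.kind == "registry" and ev.op == "set"
            and bool(RUN_KEY.search(ev.key)) and bool(USER_TEMP.search(ev.value)))


def rule_self_delete(ev: Event, by_pid: Dict[int, Event]) -> bool:
    """cmd.exe runs 'ping ... & del ...' and the path being deleted is its parent's own image."""
    if ev.kind != "process" or not ev.image.lower().endswith("\\cmd.exe"):
        return False
    if not PING_THEN_DEL.search(ev.cmdline):
        return False
    parent = by_pid.get(ev.ppid)
    return parent is not None and parent.image.lower() in ev.cmdline.lower()


def rule_geofence_lookup(ev: Event, _by_pid: Dict[int, Event]) -> bool:
    """A binary executing from a user Temp directory reads the configured country code."""
    return (ev.kind == "registry" and ev.op == "query"
            and bool(GEO_NATION.search(ev.key)) and bool(USER_TEMP.search(ev.image)))


RULES = {
    "run_key_into_temp": rule_run_key_into_temp,
    "ping_then_del_self_delete": rule_self_delete,
    "geofence_country_lookup": rule_geofence_lookup,
}


def detect(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) for every event that trips a rule, in event order."""
    by_pid = {e.pid: e for e in events if e.kind == "process"}
    return [(name, ev.pid) for ev in events for name, rule in RULES.items() if rule(ev, by_pid)]


# Constructed records mirroring the report's process tree and registry IoCs.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\14366ac9ecf55e98afe202d138fb08dac5e0c53d800fe151376a807349f30599.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
EVENTS = [
    Event("process", 4740, SAMPLE, ppid=1000, cmdline=f'"{SAMPLE}"'),
    Event("registry", 4740, SAMPLE, op="query",
          key=r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation"),
    Event("registry", 4740, SAMPLE, op="set",
          key=r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
          value=DROPPED),
    Event("process", 5036, DROPPED, ppid=4740, cmdline=DROPPED),
    Event("process", 2200, r"C:\Windows\SysWOW64\cmd.exe", ppid=4740,
          cmdline=f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    Event("process", 2372, r"C:\Windows\SysWOW64\PING.EXE", ppid=2200, cmdline="ping 127.0.0.1"),
    # Benign control: the Windows Update service host also present in the report.
    Event("process", 3156, r"C:\Windows\system32\svchost.exe", ppid=800,
          cmdline=r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"),
]

if __name__ == "__main__":
    for name, pid in detect(EVENTS):
        print(f"{name:28s} pid={pid}")
```

The self-deletion rule deliberately requires the deleted path to be the parent's own image; a bare "ping & del" match would also fire on installers and update scripts cleaning up temporary files. Running the block against the constructed records yields exactly three hits, all on PIDs 4740 and 2200, and none on the dropped MediaCenter.exe, PING.EXE or svchost.exe.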
Network
MITRE ATT&CK Enterprise v6
Downloads
One artifact (hashes differ from the submitted sample):
MD5: 35dfcd16a1d241f1a54cc1e80cf94569
SHA1: b6e0ad96e61282c43f59e496ba78cb732f2abe83
SHA256: cdb1b36b55f293ee9e19ed041723fa904fc390216047c47401812e32e23371b0
SHA512: 5cab3281914e77350a50e21f3aabdb9d8dc77cf5b2dcb6f5b5d09604966bd0a2f2ca70782b4c58742f03450c82b7e675cd3341d722701a4ff143d1c09f4d2a28