Analysis

Max time kernel: 154s
Max time network: 158s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220113
Submitted: 12-02-2022 04:53
Static task: static1

Behavioral task: behavioral1
Sample: 1420c020a603db3b378ea35e840956b37fb18711741587975a40eb03fe6463a5.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 1420c020a603db3b378ea35e840956b37fb18711741587975a40eb03fe6463a5.exe
Resource: win10v2004-en-20220113
General

Target: 1420c020a603db3b378ea35e840956b37fb18711741587975a40eb03fe6463a5.exe
Size: 216KB
MD5: 59fd038d2ba5068b6aa3a602d94f6df2
SHA1: 1569756def3791fdbe2daf1157ad0f8229188429
SHA256: 1420c020a603db3b378ea35e840956b37fb18711741587975a40eb03fe6463a5
SHA512: 41efe221e581fe6a986d75762604690dd7ead91ef0ed9c07f7dde6ea548a2cb58fb731a17601d3296a9c18442eb65c29d3c661baaeb737cbffbc66c7d58e44d6
Malware Config
Signatures

Sakula Payload (4 IoCs)
resource / yara_rule:
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- behavioral2/memory/3512-138-0x0000000000400000-0x0000000000420000-memory.dmp: family_sakula
- behavioral2/memory/1288-139-0x0000000000400000-0x0000000000420000-memory.dmp: family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
pid / process:
- 1288: MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description / ioc / process:
- Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (1420c020a603db3b378ea35e840956b37fb18711741587975a40eb03fe6463a5.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
description / ioc / process:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (1420c020a603db3b378ea35e840956b37fb18711741587975a40eb03fe6463a5.exe)
Drops file in Windows directory (8 IoCs)
description / ioc / process:
- File opened for modification: C:\Windows\WindowsUpdate.log (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
- File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
- File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description / pid / process:
- Token: SeShutdownPrivilege, 1280, svchost.exe
- Token: SeCreatePagefilePrivilege, 1280, svchost.exe
- Token: SeShutdownPrivilege, 1280, svchost.exe
- Token: SeCreatePagefilePrivilege, 1280, svchost.exe
- Token: SeShutdownPrivilege, 1280, svchost.exe
- Token: SeCreatePagefilePrivilege, 1280, svchost.exe
- Token: SeSecurityPrivilege, 3364, TiWorker.exe
- Token: SeRestorePrivilege, 3364, TiWorker.exe
- Token: SeBackupPrivilege, 3364, TiWorker.exe
- Token: SeBackupPrivilege, 3364, TiWorker.exe
- Token: SeRestorePrivilege, 3364, TiWorker.exe
- Token: SeSecurityPrivilege, 3364, TiWorker.exe
- Token: SeBackupPrivilege, 3364, TiWorker.exe
- Token: SeRestorePrivilege, 3364, TiWorker.exe
- Token: SeSecurityPrivilege, 3364, TiWorker.exe
- Token: SeBackupPrivilege, 3364, TiWorker.exe
- Token: SeRestorePrivilege, 3364, TiWorker.exe
- Token: SeSecurityPrivilege, 3364, TiWorker.exe
- Token: SeBackupPrivilege, 3364, TiWorker.exe
- Token: SeRestorePrivilege, 3364, TiWorker.exe
- Token: SeSecurityPrivilege, 3364, TiWorker.exe
- Token: SeBackupPrivilege, 3364, TiWorker.exe
- Token: SeRestorePrivilege, 3364, TiWorker.exe
- Token: SeSecurityPrivilege, 3364, TiWorker.exe
- Token: SeBackupPrivilege, 3364, TiWorker.exe
- Token: SeRestorePrivilege, 3364, TiWorker.exe
- Token: SeSecurityPrivilege, 3364, TiWorker.exe
- Token: SeBackupPrivilege, 3364, TiWorker.exe
- Token: SeRestorePrivilege, 3364, TiWorker.exe
- Token: SeSecurityPrivilege, 3364, TiWorker.exe
- Token: SeBackupPrivilege, 3364, TiWorker.exe
- Token: SeRestorePrivilege, 3364, TiWorker.exe
- Token: SeSecurityPrivilege, 3364, TiWorker.exe
- Token: SeBackupPrivilege, 3364, TiWorker.exe
- Token: SeRestorePrivilege, 3364, TiWorker.exe
- Token: SeSecurityPrivilege, 3364, TiWorker.exe
- Token: SeBackupPrivilege, 3364, TiWorker.exe
- Token: SeRestorePrivilege, 3364, TiWorker.exe
- Token: SeSecurityPrivilege, 3364, TiWorker.exe
- Token: SeBackupPrivilege, 3364, TiWorker.exe
- Token: SeRestorePrivilege, 3364, TiWorker.exe
- Token: SeSecurityPrivilege, 3364, TiWorker.exe
- Token: SeBackupPrivilege, 3364, TiWorker.exe
- Token: SeRestorePrivilege, 3364, TiWorker.exe
- Token: SeSecurityPrivilege, 3364, TiWorker.exe
- Token: SeBackupPrivilege, 3364, TiWorker.exe
- Token: SeRestorePrivilege, 3364, TiWorker.exe
- Token: SeSecurityPrivilege, 3364, TiWorker.exe
- Token: SeBackupPrivilege, 3364, TiWorker.exe
- Token: SeRestorePrivilege, 3364, TiWorker.exe
- Token: SeSecurityPrivilege, 3364, TiWorker.exe
- Token: SeBackupPrivilege, 3364, TiWorker.exe
- Token: SeRestorePrivilege, 3364, TiWorker.exe
- Token: SeSecurityPrivilege, 3364, TiWorker.exe
- Token: SeBackupPrivilege, 3364, TiWorker.exe
- Token: SeRestorePrivilege, 3364, TiWorker.exe
- Token: SeSecurityPrivilege, 3364, TiWorker.exe
- Token: SeBackupPrivilege, 3364, TiWorker.exe
- Token: SeRestorePrivilege, 3364, TiWorker.exe
- Token: SeSecurityPrivilege, 3364, TiWorker.exe
- Token: SeBackupPrivilege, 3364, TiWorker.exe
- Token: SeRestorePrivilege, 3364, TiWorker.exe
- Token: SeSecurityPrivilege, 3364, TiWorker.exe
- Token: SeBackupPrivilege, 3364, TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description / pid / process / target process:
- PID 3512 wrote to memory of 1288: 1420c020a603db3b378ea35e840956b37fb18711741587975a40eb03fe6463a5.exe -> MediaCenter.exe
- PID 3512 wrote to memory of 1288: 1420c020a603db3b378ea35e840956b37fb18711741587975a40eb03fe6463a5.exe -> MediaCenter.exe
- PID 3512 wrote to memory of 1288: 1420c020a603db3b378ea35e840956b37fb18711741587975a40eb03fe6463a5.exe -> MediaCenter.exe
- PID 3512 wrote to memory of 2384: 1420c020a603db3b378ea35e840956b37fb18711741587975a40eb03fe6463a5.exe -> cmd.exe
- PID 3512 wrote to memory of 2384: 1420c020a603db3b378ea35e840956b37fb18711741587975a40eb03fe6463a5.exe -> cmd.exe
- PID 3512 wrote to memory of 2384: 1420c020a603db3b378ea35e840956b37fb18711741587975a40eb03fe6463a5.exe -> cmd.exe
- PID 2384 wrote to memory of 1140: cmd.exe -> PING.EXE
- PID 2384 wrote to memory of 1140: cmd.exe -> PING.EXE
- PID 2384 wrote to memory of 1140: cmd.exe -> PING.EXE
Processes

Path: C:\Users\Admin\AppData\Local\Temp\1420c020a603db3b378ea35e840956b37fb18711741587975a40eb03fe6463a5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1420c020a603db3b378ea35e840956b37fb18711741587975a40eb03fe6463a5.exe"
PID: 3512
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory

    Path: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1288
    - Executes dropped EXE

    Path: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1420c020a603db3b378ea35e840956b37fb18711741587975a40eb03fe6463a5.exe"
    PID: 2384
    - Suspicious use of WriteProcessMemory

        Path: C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1
        PID: 1140
        - Runs ping.exe

Path: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
PID: 1280
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken

Path: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
PID: 3364
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: 993ef108d1bba84f39efbdf77c5c939c
SHA1: 5d84d040a84b609064e1a8792cd64d37ea092dd0
SHA256: 8315f1bcef55098a5607770391797b5a493b7dd16ac9f07924fcb21ad6709cd3
SHA512: 6c3ba29c9e10c0b98cb68bf2e8a8ab523afa01a07a15a17cb6ffa13817e110a97edd0e5aa471c68e34c7852b99da7ac6e7e46cab0a21d26d6f0d6deb4e71fb06