Analysis
-
max time kernel
155s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 04:57
Static task
static1
Behavioral task
behavioral1
Sample
13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.exe
Resource
win10v2004-en-20220113
General
-
Target
13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.exe
-
Size
92KB
-
MD5
99999f8f9ad28f802df2fa518cd3d0ad
-
SHA1
d872790eec0a76b201271e42d3f192039f67b617
-
SHA256
13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f
-
SHA512
7249a115f2e95feb4606d4f2ee5c1b913364c6f7391cd352d5e75b11884b582754e38421efdd37b1bad38d53c0f28382adedebc0d4ab796ffa2463d8a8409c3e
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 2024 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.exe -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 1512 svchost.exe Token: SeCreatePagefilePrivilege 1512 svchost.exe Token: SeShutdownPrivilege 1512 svchost.exe Token: SeCreatePagefilePrivilege 1512 svchost.exe Token: SeShutdownPrivilege 1512 svchost.exe Token: SeCreatePagefilePrivilege 1512 svchost.exe Token: SeSecurityPrivilege 220 TiWorker.exe Token: SeRestorePrivilege 220 TiWorker.exe Token: SeBackupPrivilege 220 TiWorker.exe Token: SeBackupPrivilege 220 TiWorker.exe Token: SeRestorePrivilege 220 TiWorker.exe Token: SeSecurityPrivilege 220 TiWorker.exe Token: SeBackupPrivilege 220 TiWorker.exe Token: SeRestorePrivilege 220 TiWorker.exe Token: SeSecurityPrivilege 220 TiWorker.exe Token: SeBackupPrivilege 220 TiWorker.exe Token: SeRestorePrivilege 220 TiWorker.exe Token: SeSecurityPrivilege 220 TiWorker.exe Token: SeBackupPrivilege 220 TiWorker.exe Token: SeRestorePrivilege 220 TiWorker.exe Token: SeSecurityPrivilege 220 TiWorker.exe Token: SeBackupPrivilege 220 TiWorker.exe Token: SeRestorePrivilege 220 TiWorker.exe Token: SeSecurityPrivilege 220 TiWorker.exe Token: SeBackupPrivilege 220 TiWorker.exe Token: SeRestorePrivilege 220 TiWorker.exe Token: SeSecurityPrivilege 220 TiWorker.exe Token: SeBackupPrivilege 220 TiWorker.exe Token: SeRestorePrivilege 220 TiWorker.exe Token: SeSecurityPrivilege 220 TiWorker.exe Token: SeBackupPrivilege 220 TiWorker.exe Token: SeRestorePrivilege 220 TiWorker.exe Token: SeSecurityPrivilege 220 TiWorker.exe Token: SeBackupPrivilege 220 TiWorker.exe Token: SeRestorePrivilege 220 TiWorker.exe Token: SeSecurityPrivilege 220 TiWorker.exe Token: SeBackupPrivilege 220 TiWorker.exe Token: SeRestorePrivilege 220 TiWorker.exe Token: SeSecurityPrivilege 220 TiWorker.exe Token: SeBackupPrivilege 220 TiWorker.exe Token: SeRestorePrivilege 220 TiWorker.exe Token: SeSecurityPrivilege 220 TiWorker.exe Token: SeBackupPrivilege 220 TiWorker.exe Token: SeRestorePrivilege 220 TiWorker.exe Token: SeSecurityPrivilege 220 TiWorker.exe Token: SeBackupPrivilege 220 TiWorker.exe Token: SeRestorePrivilege 220 TiWorker.exe Token: SeSecurityPrivilege 220 TiWorker.exe Token: SeBackupPrivilege 220 TiWorker.exe Token: SeRestorePrivilege 220 TiWorker.exe Token: SeSecurityPrivilege 220 TiWorker.exe Token: SeBackupPrivilege 220 TiWorker.exe Token: SeRestorePrivilege 220 TiWorker.exe Token: SeSecurityPrivilege 220 TiWorker.exe Token: SeBackupPrivilege 220 TiWorker.exe Token: SeRestorePrivilege 220 TiWorker.exe Token: SeSecurityPrivilege 220 TiWorker.exe Token: SeBackupPrivilege 220 TiWorker.exe Token: SeRestorePrivilege 220 TiWorker.exe Token: SeSecurityPrivilege 220 TiWorker.exe Token: SeBackupPrivilege 220 TiWorker.exe Token: SeRestorePrivilege 220 TiWorker.exe Token: SeSecurityPrivilege 220 TiWorker.exe Token: SeBackupPrivilege 220 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.execmd.exedescription pid process target process PID 820 wrote to memory of 2024 820 13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.exe MediaCenter.exe PID 820 wrote to memory of 2024 820 13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.exe MediaCenter.exe PID 820 wrote to memory of 2024 820 13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.exe MediaCenter.exe PID 820 wrote to memory of 4348 820 13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.exe cmd.exe PID 820 wrote to memory of 4348 820 13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.exe cmd.exe PID 820 wrote to memory of 4348 820 13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.exe cmd.exe PID 4348 wrote to memory of 4932 4348 cmd.exe PING.EXE PID 4348 wrote to memory of 4932 4348 cmd.exe PING.EXE PID 4348 wrote to memory of 4932 4348 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.exe"C:\Users\Admin\AppData\Local\Temp\13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:820 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4348 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:4932
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1512
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:220
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
8fb1ec40f01ef7dec4af2978f2e0ece2
SHA1f4ae8a91fbcd1b6beb0981099e0660de140abca2
SHA25651fc73dcb8341fd6c1467792e0e6c28ef86bf3f5096e4fb4f29ca4bd49b75f9e
SHA512d783b040f5a56bd50214f54d67b294936e6ec56e41ff6b05ec85bea64eef340bbd85764228413cc44415f96ad08c51b8163496a041c3876e4dea665dbaddec24
-
MD5
8fb1ec40f01ef7dec4af2978f2e0ece2
SHA1f4ae8a91fbcd1b6beb0981099e0660de140abca2
SHA25651fc73dcb8341fd6c1467792e0e6c28ef86bf3f5096e4fb4f29ca4bd49b75f9e
SHA512d783b040f5a56bd50214f54d67b294936e6ec56e41ff6b05ec85bea64eef340bbd85764228413cc44415f96ad08c51b8163496a041c3876e4dea665dbaddec24