Analysis
-
max time kernel
153s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 04:55
Static task
static1
Behavioral task
behavioral1
Sample
1407c4965f927c2b4259adf4bcde2aec9ecbdcfb448ba7e42970ad51db11a14c.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
1407c4965f927c2b4259adf4bcde2aec9ecbdcfb448ba7e42970ad51db11a14c.exe
Resource
win10v2004-en-20220113
General
-
Target
1407c4965f927c2b4259adf4bcde2aec9ecbdcfb448ba7e42970ad51db11a14c.exe
-
Size
150KB
-
MD5
7eca297b1c118c8879aedd7db07baefa
-
SHA1
e11e51aab839440ff7c1fc8d5f7ab709267b1e6c
-
SHA256
1407c4965f927c2b4259adf4bcde2aec9ecbdcfb448ba7e42970ad51db11a14c
-
SHA512
693c7249aa30103be91c7592db536eef61a75a2a330f9025d1de318f1b2fa035dd5527b7508733abeeac6bc236bf03c71fd6b6a79882353bedaf7cf61dcb1334
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 400 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
1407c4965f927c2b4259adf4bcde2aec9ecbdcfb448ba7e42970ad51db11a14c.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 1407c4965f927c2b4259adf4bcde2aec9ecbdcfb448ba7e42970ad51db11a14c.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
1407c4965f927c2b4259adf4bcde2aec9ecbdcfb448ba7e42970ad51db11a14c.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 1407c4965f927c2b4259adf4bcde2aec9ecbdcfb448ba7e42970ad51db11a14c.exe -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 4336 svchost.exe Token: SeCreatePagefilePrivilege 4336 svchost.exe Token: SeShutdownPrivilege 4336 svchost.exe Token: SeCreatePagefilePrivilege 4336 svchost.exe Token: SeShutdownPrivilege 4336 svchost.exe Token: SeCreatePagefilePrivilege 4336 svchost.exe Token: SeSecurityPrivilege 3708 TiWorker.exe Token: SeRestorePrivilege 3708 TiWorker.exe Token: SeBackupPrivilege 3708 TiWorker.exe Token: SeBackupPrivilege 3708 TiWorker.exe Token: SeRestorePrivilege 3708 TiWorker.exe Token: SeSecurityPrivilege 3708 TiWorker.exe Token: SeBackupPrivilege 3708 TiWorker.exe Token: SeRestorePrivilege 3708 TiWorker.exe Token: SeSecurityPrivilege 3708 TiWorker.exe Token: SeBackupPrivilege 3708 TiWorker.exe Token: SeRestorePrivilege 3708 TiWorker.exe Token: SeSecurityPrivilege 3708 TiWorker.exe Token: SeBackupPrivilege 3708 TiWorker.exe Token: SeRestorePrivilege 3708 TiWorker.exe Token: SeSecurityPrivilege 3708 TiWorker.exe Token: SeBackupPrivilege 3708 TiWorker.exe Token: SeRestorePrivilege 3708 TiWorker.exe Token: SeSecurityPrivilege 3708 TiWorker.exe Token: SeBackupPrivilege 3708 TiWorker.exe Token: SeRestorePrivilege 3708 TiWorker.exe Token: SeSecurityPrivilege 3708 TiWorker.exe Token: SeBackupPrivilege 3708 TiWorker.exe Token: SeRestorePrivilege 3708 TiWorker.exe Token: SeSecurityPrivilege 3708 TiWorker.exe Token: SeBackupPrivilege 3708 TiWorker.exe Token: SeRestorePrivilege 3708 TiWorker.exe Token: SeSecurityPrivilege 3708 TiWorker.exe Token: SeBackupPrivilege 3708 TiWorker.exe Token: SeRestorePrivilege 3708 TiWorker.exe Token: SeSecurityPrivilege 3708 TiWorker.exe Token: SeBackupPrivilege 3708 TiWorker.exe Token: SeRestorePrivilege 3708 TiWorker.exe Token: SeSecurityPrivilege 3708 TiWorker.exe Token: SeBackupPrivilege 3708 TiWorker.exe Token: SeRestorePrivilege 3708 TiWorker.exe Token: SeSecurityPrivilege 3708 TiWorker.exe Token: SeBackupPrivilege 3708 TiWorker.exe Token: SeRestorePrivilege 3708 TiWorker.exe Token: SeSecurityPrivilege 3708 TiWorker.exe Token: SeBackupPrivilege 3708 TiWorker.exe Token: SeRestorePrivilege 3708 TiWorker.exe Token: SeSecurityPrivilege 3708 TiWorker.exe Token: SeBackupPrivilege 3708 TiWorker.exe Token: SeRestorePrivilege 3708 TiWorker.exe Token: SeSecurityPrivilege 3708 TiWorker.exe Token: SeBackupPrivilege 3708 TiWorker.exe Token: SeRestorePrivilege 3708 TiWorker.exe Token: SeSecurityPrivilege 3708 TiWorker.exe Token: SeBackupPrivilege 3708 TiWorker.exe Token: SeRestorePrivilege 3708 TiWorker.exe Token: SeSecurityPrivilege 3708 TiWorker.exe Token: SeBackupPrivilege 3708 TiWorker.exe Token: SeRestorePrivilege 3708 TiWorker.exe Token: SeSecurityPrivilege 3708 TiWorker.exe Token: SeBackupPrivilege 3708 TiWorker.exe Token: SeRestorePrivilege 3708 TiWorker.exe Token: SeSecurityPrivilege 3708 TiWorker.exe Token: SeBackupPrivilege 3708 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
1407c4965f927c2b4259adf4bcde2aec9ecbdcfb448ba7e42970ad51db11a14c.execmd.exedescription pid process target process PID 3768 wrote to memory of 400 3768 1407c4965f927c2b4259adf4bcde2aec9ecbdcfb448ba7e42970ad51db11a14c.exe MediaCenter.exe PID 3768 wrote to memory of 400 3768 1407c4965f927c2b4259adf4bcde2aec9ecbdcfb448ba7e42970ad51db11a14c.exe MediaCenter.exe PID 3768 wrote to memory of 400 3768 1407c4965f927c2b4259adf4bcde2aec9ecbdcfb448ba7e42970ad51db11a14c.exe MediaCenter.exe PID 3768 wrote to memory of 380 3768 1407c4965f927c2b4259adf4bcde2aec9ecbdcfb448ba7e42970ad51db11a14c.exe cmd.exe PID 3768 wrote to memory of 380 3768 1407c4965f927c2b4259adf4bcde2aec9ecbdcfb448ba7e42970ad51db11a14c.exe cmd.exe PID 3768 wrote to memory of 380 3768 1407c4965f927c2b4259adf4bcde2aec9ecbdcfb448ba7e42970ad51db11a14c.exe cmd.exe PID 380 wrote to memory of 4180 380 cmd.exe PING.EXE PID 380 wrote to memory of 4180 380 cmd.exe PING.EXE PID 380 wrote to memory of 4180 380 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\1407c4965f927c2b4259adf4bcde2aec9ecbdcfb448ba7e42970ad51db11a14c.exe"C:\Users\Admin\AppData\Local\Temp\1407c4965f927c2b4259adf4bcde2aec9ecbdcfb448ba7e42970ad51db11a14c.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3768 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1407c4965f927c2b4259adf4bcde2aec9ecbdcfb448ba7e42970ad51db11a14c.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:4180
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4336
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3708
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
cd9bf58249f5ca1ca52b1064abc4ee2d
SHA141cf4423862f47c98b73a87169ea5294cf877df6
SHA256c3f3b4b438b52e4e1791db2732347b4a7e6245a210383d90dac3b9ea8f6857d2
SHA5120db203e09041c758027b9f39d9c39f1f6449ed97b5b957ba836e67d088a17b1a3fdb1670e6737adf0b1df43a7ee660007917fe4c811948eed25e740046f58161
-
MD5
cd9bf58249f5ca1ca52b1064abc4ee2d
SHA141cf4423862f47c98b73a87169ea5294cf877df6
SHA256c3f3b4b438b52e4e1791db2732347b4a7e6245a210383d90dac3b9ea8f6857d2
SHA5120db203e09041c758027b9f39d9c39f1f6449ed97b5b957ba836e67d088a17b1a3fdb1670e6737adf0b1df43a7ee660007917fe4c811948eed25e740046f58161