Analysis
- max time kernel: 155s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 04:57

Static task: static1
Behavioral task: behavioral1
- Sample: 13fa1c56a86cddf736b7e85523e6ce1550c29bfb88418433d4ba2ad3e90573ef.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 13fa1c56a86cddf736b7e85523e6ce1550c29bfb88418433d4ba2ad3e90573ef.exe
- Resource: win10v2004-en-20220113
General
- Target: 13fa1c56a86cddf736b7e85523e6ce1550c29bfb88418433d4ba2ad3e90573ef.exe
- Size: 188KB
- MD5: bf2365b497a8e5eda567745049f341ac
- SHA1: 8f913e094412b0c8b7135c232b21e356bd1cc88d
- SHA256: 13fa1c56a86cddf736b7e85523e6ce1550c29bfb88418433d4ba2ad3e90573ef
- SHA512: 787ab8a7ed9e271e7e33a91b73c66fbd57a7508f8e89293696d8bbbaa1e166e5a45a1d0ce0ecb7ab9c86068b1c4556e24eee1da55ac7696ba3ddfa4cc4bfa65f
Malware Config
Signatures
- Sakula Payload (4 IoCs)
resource | yara_rule
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- behavioral2/memory/3560-136-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- behavioral2/memory/1988-137-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
The two memory hits are the 0x400000-0x420000 image region of PID 3560 (the submitted sample) and of PID 1988 (the dropped MediaCenter.exe); both the dropped file on disk and both process images match the family_sakula rule.
- Suricata alerts (Emerging Threats ruleset) on the network capture:
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
pid | process
- 1988 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 13fa1c56a86cddf736b7e85523e6ce1550c29bfb88418433d4ba2ad3e90573ef.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 13fa1c56a86cddf736b7e85523e6ce1550c29bfb88418433d4ba2ad3e90573ef.exe
The WOW6432Node path is WOW64 registry redirection: a 32-bit process writing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run on 64-bit Windows lands here, and a 32-bit reader sees the value under the unredirected path. A hunt that queries only the 64-bit view of the Run key misses this value. The write goes to the machine hive (\REGISTRY\MACHINE), which needs administrator rights; the analysis user here is Admin.
Drops file in Windows directory (8 IoCs)
description | ioc | process
- File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
- File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
- File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
- File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
- File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
- File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
- File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
- File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
All eight writes come from the Windows Update service host (svchost.exe -k netsvcs -p -s wuauserv, PID 4188) and the servicing worker TiWorker.exe (PID 3928), not from the sample or its children; this is background update activity on the analysis VM.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The signature's generic description reads "likely ransomware behaviour"; the report records no IoC for it, and the YARA and Suricata hits above classify the sample as Sakula, a RAT.
Runs ping.exe (1 TTPs, 1 IoC)
- PING.EXE (PID 4092), launched by cmd.exe (PID 1112) as the delay in the sample's self-delete command (see the process tree below).
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | process
- Token: SeShutdownPrivilege, SeCreatePagefilePrivilege (alternating, 3 entries each) | 4188 | svchost.exe
- Token: SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege (cycled over the remaining 58 entries) | 3928 | TiWorker.exe
All 64 privilege adjustments belong to the Windows Update service host and the servicing worker, the same two processes as in "Drops file in Windows directory"; none come from the sample, MediaCenter.exe, cmd.exe or PING.EXE.
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | process | target process
- PID 3560 wrote to memory of 1988 (3 entries) | 3560 | 13fa1c56a86cddf736b7e85523e6ce1550c29bfb88418433d4ba2ad3e90573ef.exe | MediaCenter.exe
- PID 3560 wrote to memory of 1112 (3 entries) | 3560 | 13fa1c56a86cddf736b7e85523e6ce1550c29bfb88418433d4ba2ad3e90573ef.exe | cmd.exe
- PID 1112 wrote to memory of 4092 (3 entries) | 1112 | cmd.exe | PING.EXE
Every target is a child that the writing process itself spawned (see the process tree below); the report shows no write into a pre-existing or unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\13fa1c56a86cddf736b7e85523e6ce1550c29bfb88418433d4ba2ad3e90573ef.exe (PID 3560, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\13fa1c56a86cddf736b7e85523e6ce1550c29bfb88418433d4ba2ad3e90573ef.exe"
  signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1988, level 2)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1112, level 2)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\13fa1c56a86cddf736b7e85523e6ce1550c29bfb88418433d4ba2ad3e90573ef.exe"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 4092, level 3)
      command line: ping 127.0.0.1
      signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 4188, level 1)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 3928, level 1)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample drops MediaCenter.exe under %TEMP%\MicroMedia, launches it, registers it in the Run key, then spawns cmd.exe to wait on ping 127.0.0.1 and delete the original executable, so only the dropped copy and its Run key remain on disk. The cmd.exe and PING.EXE images resolve under SysWOW64 although the command line names System32; together with the WOW6432Node Run key and the 0x400000 image base in the YARA memory hits this is consistent with a 32-bit executable running under WOW64. The svchost.exe and TiWorker.exe trees are Windows Update activity unrelated to the sample.
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 210b83febb6e85a5cd8b2b8fb3d1de9a
- SHA1: 74abff5327b1104a2edf4fc7c98569890ca8296f
- SHA256: b5158f877cf828019a339ce4eb9e94c2c09a89d76eb13160c9ba7ea4b6685946
- SHA512: 548731573fd179f682550d188b94204d47011e0830df207400bca3ee50cbc7751e09fb0318f1e33ee84df10deb0bf920f605cd3dbfc178419e9a6ed3bc99a306
These hashes differ from those of the submitted sample listed under General; the report does not name the file they belong to.