Analysis
- max time kernel: 158s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 04:57

Static task: static1

Behavioral task: behavioral1
- Sample: 13f78839c5c9b4a66175133f569fdb5385e35ccf35e3eff641fe509f307882de.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 13f78839c5c9b4a66175133f569fdb5385e35ccf35e3eff641fe509f307882de.exe
- Resource: win10v2004-en-20220113
General
- Target: 13f78839c5c9b4a66175133f569fdb5385e35ccf35e3eff641fe509f307882de.exe
- Size: 89KB
- MD5: dd24df840cd4e63c67a3717f554eb44e
- SHA1: 513e20711a13d4009fdf2e0b0935ea106fd76717
- SHA256: 13f78839c5c9b4a66175133f569fdb5385e35ccf35e3eff641fe509f307882de
- SHA512: 3560545fe77c377d9149462e4fcd83c050b3b38f5a862ab5b177d60b33492af34633ec514d02b5e3a758568a38a238739532cca9eba55eff81b909f031ee1f29
Malware Config
Signatures

Sakula Payload (2 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
Processes:
pid | process
1608 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 13f78839c5c9b4a66175133f569fdb5385e35ccf35e3eff641fe509f307882de.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 13f78839c5c9b4a66175133f569fdb5385e35ccf35e3eff641fe509f307882de.exe
Drops file in Windows directory (8 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 1304 wrote to memory of 1608 | 1304 | 13f78839c5c9b4a66175133f569fdb5385e35ccf35e3eff641fe509f307882de.exe | MediaCenter.exe
PID 1304 wrote to memory of 1608 | 1304 | 13f78839c5c9b4a66175133f569fdb5385e35ccf35e3eff641fe509f307882de.exe | MediaCenter.exe
PID 1304 wrote to memory of 1608 | 1304 | 13f78839c5c9b4a66175133f569fdb5385e35ccf35e3eff641fe509f307882de.exe | MediaCenter.exe
PID 1304 wrote to memory of 5036 | 1304 | 13f78839c5c9b4a66175133f569fdb5385e35ccf35e3eff641fe509f307882de.exe | cmd.exe
PID 1304 wrote to memory of 5036 | 1304 | 13f78839c5c9b4a66175133f569fdb5385e35ccf35e3eff641fe509f307882de.exe | cmd.exe
PID 1304 wrote to memory of 5036 | 1304 | 13f78839c5c9b4a66175133f569fdb5385e35ccf35e3eff641fe509f307882de.exe | cmd.exe
PID 5036 wrote to memory of 1400 | 5036 | cmd.exe | PING.EXE
PID 5036 wrote to memory of 1400 | 5036 | cmd.exe | PING.EXE
PID 5036 wrote to memory of 1400 | 5036 | cmd.exe | PING.EXE
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\13f78839c5c9b4a66175133f569fdb5385e35ccf35e3eff641fe509f307882de.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\13f78839c5c9b4a66175133f569fdb5385e35ccf35e3eff641fe509f307882de.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1304

    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1608

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\13f78839c5c9b4a66175133f569fdb5385e35ccf35e3eff641fe509f307882de.exe"
      - Suspicious use of WriteProcessMemory
      PID: 5036

        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          - Runs ping.exe
          PID: 1400

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4924

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 504
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: e8d999967ca4a964674e347a930639b6
- SHA1: 568f0f37ad5e12da68f800058fa03757035c6bc7
- SHA256: 622316db31b310e4093e6531c9802d88182aef925d43a0fbd2a32e2e2cfc753b
- SHA512: 23cf20bf83737d4602b2636f548a55c7c7d70057533797b1efb23dd69527476918eca15cdfdd32908d06021e07316d1aa68878072f2d16f4c3254989c66288ed