Analysis
max time kernel: 162s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 06:21
Static task: static1
Behavioral task: behavioral1
Sample: 103eede7d55650429c82dc2164b4506fff72554a91610155b9840b54f3f1544e.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 103eede7d55650429c82dc2164b4506fff72554a91610155b9840b54f3f1544e.exe
Resource: win10v2004-en-20220113
General
Target: 103eede7d55650429c82dc2164b4506fff72554a91610155b9840b54f3f1544e.exe
Size: 150KB
MD5: 258be498df76a8a9ee6e3ab283622ecf
SHA1: b90d29738d9f9e62a9505cc57996fe9bedfa98b0
SHA256: 103eede7d55650429c82dc2164b4506fff72554a91610155b9840b54f3f1544e
SHA512: b764565725db1c120ebbb2186a6c0bf6024b8781e7cef93d3189a8078790d2f12267fbc47bfd9739caf409cdd0b7664023af7bead97dbdecb3939cec923b7fa8
Malware Config
Signatures
Sakula Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE 1 IoCs
Processes:
pid | process
368 | MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 103eede7d55650429c82dc2164b4506fff72554a91610155b9840b54f3f1544e.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 103eede7d55650429c82dc2164b4506fff72554a91610155b9840b54f3f1544e.exe
Drops file in Windows directory 8 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 3488 wrote to memory of 368 | 3488 | 103eede7d55650429c82dc2164b4506fff72554a91610155b9840b54f3f1544e.exe | MediaCenter.exe
PID 3488 wrote to memory of 368 | 3488 | 103eede7d55650429c82dc2164b4506fff72554a91610155b9840b54f3f1544e.exe | MediaCenter.exe
PID 3488 wrote to memory of 368 | 3488 | 103eede7d55650429c82dc2164b4506fff72554a91610155b9840b54f3f1544e.exe | MediaCenter.exe
PID 3488 wrote to memory of 3984 | 3488 | 103eede7d55650429c82dc2164b4506fff72554a91610155b9840b54f3f1544e.exe | cmd.exe
PID 3488 wrote to memory of 3984 | 3488 | 103eede7d55650429c82dc2164b4506fff72554a91610155b9840b54f3f1544e.exe | cmd.exe
PID 3488 wrote to memory of 3984 | 3488 | 103eede7d55650429c82dc2164b4506fff72554a91610155b9840b54f3f1544e.exe | cmd.exe
PID 3984 wrote to memory of 3204 | 3984 | cmd.exe | PING.EXE
PID 3984 wrote to memory of 3204 | 3984 | cmd.exe | PING.EXE
PID 3984 wrote to memory of 3204 | 3984 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\103eede7d55650429c82dc2164b4506fff72554a91610155b9840b54f3f1544e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\103eede7d55650429c82dc2164b4506fff72554a91610155b9840b54f3f1544e.exe"
  PID: 3488
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 368
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\103eede7d55650429c82dc2164b4506fff72554a91610155b9840b54f3f1544e.exe"
      PID: 3984
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          PID: 3204
          - Runs ping.exe

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 360
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 540
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: f5d3ca38f164d5b5e152b2c6fdc3cb75
SHA1: 54453d67ffe86af73f914d1bc344acd9cd735447
SHA256: cd8ccc9eabd20a3cf895d44516ac18a3e3e0da9c9ddc8e70f633f1baf3930793
SHA512: 52544d87600af4214f24a96496daf8fefbb97e9c3e120a878480f2ba08965872a69fea7802aca04dda5262bf07103411fbb34bc9a67bad184db0ccd4bb158137