Analysis
-
max time kernel
152s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 06:21
Static task
static1
Behavioral task
behavioral1
Sample
10364a70c6cb32beb24f4acff1a44f49bef7f6375da681788effbec877ed1c16.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
10364a70c6cb32beb24f4acff1a44f49bef7f6375da681788effbec877ed1c16.exe
Resource
win10v2004-en-20220113
General
-
Target
10364a70c6cb32beb24f4acff1a44f49bef7f6375da681788effbec877ed1c16.exe
-
Size
150KB
-
MD5
229b4e40ffdb56410526ae262e51cea2
-
SHA1
6256e0d1021a58b2c9b501e19df05446f5f5912c
-
SHA256
10364a70c6cb32beb24f4acff1a44f49bef7f6375da681788effbec877ed1c16
-
SHA512
6fb5725d1cfc15386e343d4a1f0cdd48490a6ce9b3587a598c0fa1a81a2fe7aa964f6610935eb741ad93bbf830518cf869a456d17321fa2198ef67a10e2a7250
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 2580 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
10364a70c6cb32beb24f4acff1a44f49bef7f6375da681788effbec877ed1c16.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 10364a70c6cb32beb24f4acff1a44f49bef7f6375da681788effbec877ed1c16.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
10364a70c6cb32beb24f4acff1a44f49bef7f6375da681788effbec877ed1c16.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 10364a70c6cb32beb24f4acff1a44f49bef7f6375da681788effbec877ed1c16.exe -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 2528 svchost.exe Token: SeCreatePagefilePrivilege 2528 svchost.exe Token: SeShutdownPrivilege 2528 svchost.exe Token: SeCreatePagefilePrivilege 2528 svchost.exe Token: SeShutdownPrivilege 2528 svchost.exe Token: SeCreatePagefilePrivilege 2528 svchost.exe Token: SeSecurityPrivilege 3564 TiWorker.exe Token: SeRestorePrivilege 3564 TiWorker.exe Token: SeBackupPrivilege 3564 TiWorker.exe Token: SeBackupPrivilege 3564 TiWorker.exe Token: SeRestorePrivilege 3564 TiWorker.exe Token: SeSecurityPrivilege 3564 TiWorker.exe Token: SeBackupPrivilege 3564 TiWorker.exe Token: SeRestorePrivilege 3564 TiWorker.exe Token: SeSecurityPrivilege 3564 TiWorker.exe Token: SeBackupPrivilege 3564 TiWorker.exe Token: SeRestorePrivilege 3564 TiWorker.exe Token: SeSecurityPrivilege 3564 TiWorker.exe Token: SeBackupPrivilege 3564 TiWorker.exe Token: SeRestorePrivilege 3564 TiWorker.exe Token: SeSecurityPrivilege 3564 TiWorker.exe Token: SeBackupPrivilege 3564 TiWorker.exe Token: SeRestorePrivilege 3564 TiWorker.exe Token: SeSecurityPrivilege 3564 TiWorker.exe Token: SeBackupPrivilege 3564 TiWorker.exe Token: SeRestorePrivilege 3564 TiWorker.exe Token: SeSecurityPrivilege 3564 TiWorker.exe Token: SeBackupPrivilege 3564 TiWorker.exe Token: SeRestorePrivilege 3564 TiWorker.exe Token: SeSecurityPrivilege 3564 TiWorker.exe Token: SeBackupPrivilege 3564 TiWorker.exe Token: SeRestorePrivilege 3564 TiWorker.exe Token: SeSecurityPrivilege 3564 TiWorker.exe Token: SeBackupPrivilege 3564 TiWorker.exe Token: SeRestorePrivilege 3564 TiWorker.exe Token: SeSecurityPrivilege 3564 TiWorker.exe Token: SeBackupPrivilege 3564 TiWorker.exe Token: SeRestorePrivilege 3564 TiWorker.exe Token: SeSecurityPrivilege 3564 TiWorker.exe Token: SeBackupPrivilege 3564 TiWorker.exe Token: SeRestorePrivilege 3564 TiWorker.exe Token: SeSecurityPrivilege 3564 TiWorker.exe Token: SeBackupPrivilege 3564 TiWorker.exe Token: SeRestorePrivilege 3564 TiWorker.exe Token: SeSecurityPrivilege 3564 TiWorker.exe Token: SeBackupPrivilege 3564 TiWorker.exe Token: SeRestorePrivilege 3564 TiWorker.exe Token: SeSecurityPrivilege 3564 TiWorker.exe Token: SeBackupPrivilege 3564 TiWorker.exe Token: SeRestorePrivilege 3564 TiWorker.exe Token: SeSecurityPrivilege 3564 TiWorker.exe Token: SeBackupPrivilege 3564 TiWorker.exe Token: SeRestorePrivilege 3564 TiWorker.exe Token: SeSecurityPrivilege 3564 TiWorker.exe Token: SeBackupPrivilege 3564 TiWorker.exe Token: SeRestorePrivilege 3564 TiWorker.exe Token: SeSecurityPrivilege 3564 TiWorker.exe Token: SeBackupPrivilege 3564 TiWorker.exe Token: SeRestorePrivilege 3564 TiWorker.exe Token: SeSecurityPrivilege 3564 TiWorker.exe Token: SeBackupPrivilege 3564 TiWorker.exe Token: SeRestorePrivilege 3564 TiWorker.exe Token: SeSecurityPrivilege 3564 TiWorker.exe Token: SeBackupPrivilege 3564 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
10364a70c6cb32beb24f4acff1a44f49bef7f6375da681788effbec877ed1c16.execmd.exedescription pid process target process PID 4728 wrote to memory of 2580 4728 10364a70c6cb32beb24f4acff1a44f49bef7f6375da681788effbec877ed1c16.exe MediaCenter.exe PID 4728 wrote to memory of 2580 4728 10364a70c6cb32beb24f4acff1a44f49bef7f6375da681788effbec877ed1c16.exe MediaCenter.exe PID 4728 wrote to memory of 2580 4728 10364a70c6cb32beb24f4acff1a44f49bef7f6375da681788effbec877ed1c16.exe MediaCenter.exe PID 4728 wrote to memory of 1208 4728 10364a70c6cb32beb24f4acff1a44f49bef7f6375da681788effbec877ed1c16.exe cmd.exe PID 4728 wrote to memory of 1208 4728 10364a70c6cb32beb24f4acff1a44f49bef7f6375da681788effbec877ed1c16.exe cmd.exe PID 4728 wrote to memory of 1208 4728 10364a70c6cb32beb24f4acff1a44f49bef7f6375da681788effbec877ed1c16.exe cmd.exe PID 1208 wrote to memory of 752 1208 cmd.exe PING.EXE PID 1208 wrote to memory of 752 1208 cmd.exe PING.EXE PID 1208 wrote to memory of 752 1208 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\10364a70c6cb32beb24f4acff1a44f49bef7f6375da681788effbec877ed1c16.exe"C:\Users\Admin\AppData\Local\Temp\10364a70c6cb32beb24f4acff1a44f49bef7f6375da681788effbec877ed1c16.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4728 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\10364a70c6cb32beb24f4acff1a44f49bef7f6375da681788effbec877ed1c16.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:752
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2528
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3564
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
c6a456e07c1ce50f0ed744325a3f04d6
SHA1ffec30e0b33217d3dad1be6b1a54f97bc99a724f
SHA256f376e07288097890f5ccba79e36b8cc9b941d0c9b16570c4eeb1f13efbbd769e
SHA5128f5739cddee9bc2c98b6da39fa3c8946900bfb3eaffe9cc2ae21bb6e8339998abeb1b9fdcd011cf8081b83c4347a15285771e02f2271dc7dacbefbf5b73f206f
-
MD5
c6a456e07c1ce50f0ed744325a3f04d6
SHA1ffec30e0b33217d3dad1be6b1a54f97bc99a724f
SHA256f376e07288097890f5ccba79e36b8cc9b941d0c9b16570c4eeb1f13efbbd769e
SHA5128f5739cddee9bc2c98b6da39fa3c8946900bfb3eaffe9cc2ae21bb6e8339998abeb1b9fdcd011cf8081b83c4347a15285771e02f2271dc7dacbefbf5b73f206f