Analysis

max time kernel: 165s
max time network: 180s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 06:27
Static task: static1
Behavioral task: behavioral1
  Sample: 0ff210133a0ced32e71ceae2736dbeebd4017578bb31f803443790c9a2fb6885.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0ff210133a0ced32e71ceae2736dbeebd4017578bb31f803443790c9a2fb6885.exe
  Resource: win10v2004-en-20220113
General

Target: 0ff210133a0ced32e71ceae2736dbeebd4017578bb31f803443790c9a2fb6885.exe
Size: 216KB
MD5: 39d5f725284d06a60a5efc77be8c17ee
SHA1: a493aec501a3d0e45fc625f6d230f82e2e26b4bb
SHA256: 0ff210133a0ced32e71ceae2736dbeebd4017578bb31f803443790c9a2fb6885
SHA512: 13b7c3eea0733a7e5b1ce93846f0651c49264eab51d5094f7a3a88ca1e5cdf34d026613e6aef191d759e9002db47ff1c285058662107f9ca12f693d442bdfaef
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral2/memory/4960-135-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral2/memory/4620-136-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  process: MediaCenter.exe, PID 4620
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  process: 0ff210133a0ced32e71ceae2736dbeebd4017578bb31f803443790c9a2fb6885.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 0ff210133a0ced32e71ceae2736dbeebd4017578bb31f803443790c9a2fb6885.exe
  The WOW6432Node path means the sample runs as a 32-bit process on the x64 test host and its HKLM\SOFTWARE write was redirected by WOW64; from the sample's own (32-bit) view it wrote the ordinary HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key. When hunting for this persistence on x64 hosts, check both the native and the WOW6432Node Run keys.
- Drops file in Windows directory (8 IoCs)
  All eight modifications come from the Windows Update service host (svchost.exe -k netsvcs -p -s wuauserv, PID 3316) and the Windows Modules Installer worker (TiWorker.exe, PID 4024). Both appear as separate top-level processes in the process tree, not as children of the sample, so treat them as background OS activity on the analysis VM rather than sample behaviour.
  File opened for modification: C:\Windows\WindowsUpdate.log (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
  File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The "likely ransomware behaviour" wording is the sandbox's generic description of this signature; nothing else in this analysis shows file encryption or ransom activity, and the payload is identified by the YARA hits and Suricata rule as Sakula (a RAT), so do not read this entry as a ransomware indicator on its own.
- Runs ping.exe (1 TTPs, 1 IoC)
  ping 127.0.0.1 is launched through cmd.exe /c ping 127.0.0.1 & del /q "<sample path>" (see the process tree). The ping is a short delay that gives the parent time to exit so its image file is no longer locked and the del can remove the original sample, a common self-removal pattern; the dropped MediaCenter.exe copy and its Run key remain.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  svchost.exe (PID 3316): SeShutdownPrivilege, SeCreatePagefilePrivilege (each adjusted three times)
  0ff210133a0ced32e71ceae2736dbeebd4017578bb31f803443790c9a2fb6885.exe (PID 4960): SeIncBasePriorityPrivilege (once; the only token adjustment attributable to the sample)
  TiWorker.exe (PID 4024): SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege, cycled repeatedly for the remaining entries (servicing-stack activity, not the sample)
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4960 (sample) wrote to memory of PID 4620 (MediaCenter.exe): 3 entries
  PID 4960 (sample) wrote to memory of PID 2428 (cmd.exe): 3 entries
  PID 2428 (cmd.exe) wrote to memory of PID 2312 (PING.EXE): 3 entries
  Each target is a direct child that the writing process itself created, so these writes are consistent with normal process start-up rather than injection into an unrelated process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\0ff210133a0ced32e71ceae2736dbeebd4017578bb31f803443790c9a2fb6885.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0ff210133a0ced32e71ceae2736dbeebd4017578bb31f803443790c9a2fb6885.exe"
   PID: 4960
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 4620
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ff210133a0ced32e71ceae2736dbeebd4017578bb31f803443790c9a2fb6885.exe"
      PID: 2428
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 2312
         - Runs ping.exe

1. C:\Windows\system32\svchost.exe
   Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
   PID: 3316
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken

1. C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
   Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
   PID: 4024
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
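The three behaviours in this tree that belong to the sample itself (the Run-key write pointing into Temp, the Geo\Nation registry query, and the cmd.exe ping-then-del of the sample's own image) can be checked mechanically against process and registry telemetry. The following is an added example written for this page, not sandbox output and not code from the sample or from any tool named above. The Event record and its field names are this example's own assumptions, not a real log schema, and the EVENTS list is constructed from the PIDs, paths and registry keys reported above. The self-deletion check resolves the deleted path against the parent's image through the process table, so a cmd.exe that deletes some other file does not match.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One telemetry record. Field names are this example's own, not a real log schema."""
    kind: str          # "process" (creation) or "registry" (query or set)
    pid: int           # process that performed the action
    ppid: int = 0      # parent PID, process events only
    image: str = ""    # full path of the process image
    cmdline: str = ""  # command line, process events only
    key: str = ""      # registry key path, registry events only
    value: str = ""    # registry value data for set events


# A value under any Run key, native or WOW6432Node, e.g. ...\CurrentVersion\Run\MicroMedia
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
# Value data pointing into a user's local Temp directory
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# The geofence lookup reported above
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# 'ping <host> ... & del [/switches] "<path>"' with the path captured; quotes optional
SELF_DELETE = re.compile(r'ping\s+\S+.*&\s*del\s+(?:/\w\s+)*"?([^"]+?)"?\s*$', re.I)


def _norm(path: str) -> str:
    return path.strip('"').strip().lower()


def run_keys_into_temp(events):
    """(pid, key, value) for Run-key writes whose target lives under AppData\\Local\\Temp."""
    return [(e.pid, e.key, e.value) for e in events
            if e.kind == "registry" and RUN_KEY.search(e.key) and TEMP_DIR.search(e.value)]


def geofence_queries(events):
    """PIDs that touched Control Panel\\International\\Geo\\Nation."""
    return [e.pid for e in events if e.kind == "registry" and GEO_NATION.search(e.key)]


def self_deleting_parents(events):
    """PIDs whose cmd.exe child runs ping-then-del against that parent's own image path."""
    table = {e.pid: e for e in events if e.kind == "process"}
    hits = []
    for e in events:
        if e.kind != "process" or not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE.search(e.cmdline)
        parent = table.get(e.ppid)
        if m and parent and _norm(m.group(1)) == _norm(parent.image):
            hits.append(parent.pid)
    return hits


def triage(events):
    """Run all three checks and return their findings keyed by behaviour."""
    return {
        "persistence": run_keys_into_temp(events),
        "geofence": geofence_queries(events),
        "self_delete": self_deleting_parents(events),
    }


# Constructed from the PIDs, paths and registry IoCs in the report above; ppid 0 = not recorded.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0ff210133a0ced32e71ceae2736dbeebd4017578bb31f803443790c9a2fb6885.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
EVENTS = [
    Event("process", 4960, 0, SAMPLE, '"' + SAMPLE + '"'),
    Event("registry", 4960, key=r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000"
                                r"\Control Panel\International\Geo\Nation"),
    Event("registry", 4960, key=r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
                                r"\CurrentVersion\Run\MicroMedia", value=DROPPED),
    Event("process", 4620, 4960, DROPPED, DROPPED),
    Event("process", 2428, 4960, r"C:\Windows\SysWOW64\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'),
    Event("process", 2312, 2428, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    Event("process", 3316, 0, r"C:\Windows\system32\svchost.exe",
          r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"),
]

if __name__ == "__main__":
    for name, found in triage(EVENTS).items():
        print(f"{name}: {found}")
```

Run against the constructed events, triage() reports PID 4960 under all three keys and nothing for the svchost.exe entry. The persistence check deliberately matches the Run key by suffix so that both the native and the WOW6432Node views are covered.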
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 80e034bd43aa389e0097981843c9ea3d
  SHA1: eef67de77b920d4676357f788fb997e718ed4b30
  SHA256: 7a411d678484db74df899caada75f2ae66af37dd9b6d6df2f703fde5b8074d13
  SHA512: e366c0eb783629e2fca22e01610eee8f642be80e4b4fdb76eb1f9938d9133e2c2d8466b2e6b94a680d8b09454c7e82248acc0336a8f4c6e3e52372bdbe0da40d
  (These hashes differ from the submitted sample's, so this is a distinct file; the report does not name it.)