Analysis
-
max time kernel
154s -
max time network
164s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 05:39
Static task
static1
Behavioral task
behavioral1
Sample
121d920a06c414e37ddd0030ab3e39a77aba5e7bf09426e9f1d1a283ea0ab15a.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
121d920a06c414e37ddd0030ab3e39a77aba5e7bf09426e9f1d1a283ea0ab15a.exe
Resource
win10v2004-en-20220113
General
-
Target
121d920a06c414e37ddd0030ab3e39a77aba5e7bf09426e9f1d1a283ea0ab15a.exe
-
Size
92KB
-
MD5
bf09cf6bd74d79861c97ea67d626bccc
-
SHA1
2f27c77e7ffaa47ed3ed3a92baf528544c894d58
-
SHA256
121d920a06c414e37ddd0030ab3e39a77aba5e7bf09426e9f1d1a283ea0ab15a
-
SHA512
f87a52476f1a2edefd0706980a6dad76138185b20ae3325f4ee1c38591b0213e4bbb6ddafdf1a457fb87ef4969c5b1c686b7e778768e217cf372053c11f51b7a
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1816 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
121d920a06c414e37ddd0030ab3e39a77aba5e7bf09426e9f1d1a283ea0ab15a.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 121d920a06c414e37ddd0030ab3e39a77aba5e7bf09426e9f1d1a283ea0ab15a.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
121d920a06c414e37ddd0030ab3e39a77aba5e7bf09426e9f1d1a283ea0ab15a.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 121d920a06c414e37ddd0030ab3e39a77aba5e7bf09426e9f1d1a283ea0ab15a.exe -
Drops file in Windows directory 8 IoCs
Processes:
TiWorker.exesvchost.exedescription ioc process File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exe121d920a06c414e37ddd0030ab3e39a77aba5e7bf09426e9f1d1a283ea0ab15a.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 3576 svchost.exe Token: SeCreatePagefilePrivilege 3576 svchost.exe Token: SeShutdownPrivilege 3576 svchost.exe Token: SeCreatePagefilePrivilege 3576 svchost.exe Token: SeShutdownPrivilege 3576 svchost.exe Token: SeCreatePagefilePrivilege 3576 svchost.exe Token: SeIncBasePriorityPrivilege 4800 121d920a06c414e37ddd0030ab3e39a77aba5e7bf09426e9f1d1a283ea0ab15a.exe Token: SeSecurityPrivilege 1228 TiWorker.exe Token: SeRestorePrivilege 1228 TiWorker.exe Token: SeBackupPrivilege 1228 TiWorker.exe Token: SeBackupPrivilege 1228 TiWorker.exe Token: SeRestorePrivilege 1228 TiWorker.exe Token: SeSecurityPrivilege 1228 TiWorker.exe Token: SeBackupPrivilege 1228 TiWorker.exe Token: SeRestorePrivilege 1228 TiWorker.exe Token: SeSecurityPrivilege 1228 TiWorker.exe Token: SeBackupPrivilege 1228 TiWorker.exe Token: SeRestorePrivilege 1228 TiWorker.exe Token: SeSecurityPrivilege 1228 TiWorker.exe Token: SeBackupPrivilege 1228 TiWorker.exe Token: SeRestorePrivilege 1228 TiWorker.exe Token: SeSecurityPrivilege 1228 TiWorker.exe Token: SeBackupPrivilege 1228 TiWorker.exe Token: SeRestorePrivilege 1228 TiWorker.exe Token: SeSecurityPrivilege 1228 TiWorker.exe Token: SeBackupPrivilege 1228 TiWorker.exe Token: SeRestorePrivilege 1228 TiWorker.exe Token: SeSecurityPrivilege 1228 TiWorker.exe Token: SeBackupPrivilege 1228 TiWorker.exe Token: SeRestorePrivilege 1228 TiWorker.exe Token: SeSecurityPrivilege 1228 TiWorker.exe Token: SeBackupPrivilege 1228 TiWorker.exe Token: SeRestorePrivilege 1228 TiWorker.exe Token: SeSecurityPrivilege 1228 TiWorker.exe Token: SeBackupPrivilege 1228 TiWorker.exe Token: SeRestorePrivilege 1228 TiWorker.exe Token: SeSecurityPrivilege 1228 TiWorker.exe Token: SeBackupPrivilege 1228 TiWorker.exe Token: SeRestorePrivilege 1228 TiWorker.exe Token: SeSecurityPrivilege 1228 TiWorker.exe Token: SeBackupPrivilege 1228 TiWorker.exe Token: SeRestorePrivilege 1228 TiWorker.exe Token: SeSecurityPrivilege 1228 TiWorker.exe Token: SeBackupPrivilege 1228 TiWorker.exe Token: SeRestorePrivilege 1228 TiWorker.exe Token: SeSecurityPrivilege 1228 TiWorker.exe Token: SeBackupPrivilege 1228 TiWorker.exe Token: SeRestorePrivilege 1228 TiWorker.exe Token: SeSecurityPrivilege 1228 TiWorker.exe Token: SeBackupPrivilege 1228 TiWorker.exe Token: SeRestorePrivilege 1228 TiWorker.exe Token: SeSecurityPrivilege 1228 TiWorker.exe Token: SeBackupPrivilege 1228 TiWorker.exe Token: SeRestorePrivilege 1228 TiWorker.exe Token: SeSecurityPrivilege 1228 TiWorker.exe Token: SeBackupPrivilege 1228 TiWorker.exe Token: SeRestorePrivilege 1228 TiWorker.exe Token: SeSecurityPrivilege 1228 TiWorker.exe Token: SeBackupPrivilege 1228 TiWorker.exe Token: SeRestorePrivilege 1228 TiWorker.exe Token: SeSecurityPrivilege 1228 TiWorker.exe Token: SeBackupPrivilege 1228 TiWorker.exe Token: SeRestorePrivilege 1228 TiWorker.exe Token: SeSecurityPrivilege 1228 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
121d920a06c414e37ddd0030ab3e39a77aba5e7bf09426e9f1d1a283ea0ab15a.execmd.exedescription pid process target process PID 4800 wrote to memory of 1816 4800 121d920a06c414e37ddd0030ab3e39a77aba5e7bf09426e9f1d1a283ea0ab15a.exe MediaCenter.exe PID 4800 wrote to memory of 1816 4800 121d920a06c414e37ddd0030ab3e39a77aba5e7bf09426e9f1d1a283ea0ab15a.exe MediaCenter.exe PID 4800 wrote to memory of 1816 4800 121d920a06c414e37ddd0030ab3e39a77aba5e7bf09426e9f1d1a283ea0ab15a.exe MediaCenter.exe PID 4800 wrote to memory of 1112 4800 121d920a06c414e37ddd0030ab3e39a77aba5e7bf09426e9f1d1a283ea0ab15a.exe cmd.exe PID 4800 wrote to memory of 1112 4800 121d920a06c414e37ddd0030ab3e39a77aba5e7bf09426e9f1d1a283ea0ab15a.exe cmd.exe PID 4800 wrote to memory of 1112 4800 121d920a06c414e37ddd0030ab3e39a77aba5e7bf09426e9f1d1a283ea0ab15a.exe cmd.exe PID 1112 wrote to memory of 760 1112 cmd.exe PING.EXE PID 1112 wrote to memory of 760 1112 cmd.exe PING.EXE PID 1112 wrote to memory of 760 1112 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\121d920a06c414e37ddd0030ab3e39a77aba5e7bf09426e9f1d1a283ea0ab15a.exe"C:\Users\Admin\AppData\Local\Temp\121d920a06c414e37ddd0030ab3e39a77aba5e7bf09426e9f1d1a283ea0ab15a.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\121d920a06c414e37ddd0030ab3e39a77aba5e7bf09426e9f1d1a283ea0ab15a.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:760
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3576
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1228
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
4d1f369a8549c6d770949107612e2df3
SHA14568cdc5473dffcbf8da55ba863eb251b7bacdd7
SHA2565286dab5d319397876e7a1159f212be445b262dbab5f1a770402da4f9c9ce33f
SHA5120d14fa98d98d207a756d70dff65612f7621672b0f36660b9cb2909e94a573ee4149e7f3f14b84f5108aca02ffe4c519f953281205e4c0b137d77a5ae18882e9d
-
MD5
4d1f369a8549c6d770949107612e2df3
SHA14568cdc5473dffcbf8da55ba863eb251b7bacdd7
SHA2565286dab5d319397876e7a1159f212be445b262dbab5f1a770402da4f9c9ce33f
SHA5120d14fa98d98d207a756d70dff65612f7621672b0f36660b9cb2909e94a573ee4149e7f3f14b84f5108aca02ffe4c519f953281205e4c0b137d77a5ae18882e9d