Analysis
- max time kernel: 147s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 05:40
- Static task: static1
- Behavioral task: behavioral1, sample 12061cae91a6da66e6ed6681bad04850f9dd99265a1f89786aeabed372f2cb11.exe, resource win7-en-20211208
- Behavioral task: behavioral2, sample 12061cae91a6da66e6ed6681bad04850f9dd99265a1f89786aeabed372f2cb11.exe, resource win10v2004-en-20220113
The signatures and process tree below come from behavioral2, the Windows 10 2004 x64 run: the memory-dump resources in the YARA hits are prefixed behavioral2/ and the platform field above names the same image.
General
- Target: 12061cae91a6da66e6ed6681bad04850f9dd99265a1f89786aeabed372f2cb11.exe
- Size: 216KB
- MD5: 043e9bb2de0a8e5874ac8a0be95b3cdb
- SHA1: cd4cef589d918afd1f5b1132e335ab3ae0fb6c72
- SHA256: 12061cae91a6da66e6ed6681bad04850f9dd99265a1f89786aeabed372f2cb11
- SHA512: 2a3ce77364ee5bfed8f54bc3ce6db58649196b1274b7382aeff0570e94c7de93d409a2f617b096c52f903a4e16b936ff4edbf05613d6f8d5209bd03514eb7148
Malware Config
Signatures
Sakula Payload (4 IoCs)
YARA rule family_sakula matched on:
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (reported twice)
- behavioral2/memory/4056-135-0x0000000000400000-0x0000000000420000-memory.dmp (PID 4056, the submitted sample)
- behavioral2/memory/528-136-0x0000000000400000-0x0000000000420000-memory.dmp (PID 528, the dropped MediaCenter.exe)
The two memory hits cover the same 0x400000-0x420000 (128 KB) image range in the parent and in the dropped child.

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
- PID 528 MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
- Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation, by 12061cae91a6da66e6ed6681bad04850f9dd99265a1f89786aeabed372f2cb11.exe
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe", by 12061cae91a6da66e6ed6681bad04850f9dd99265a1f89786aeabed372f2cb11.exe
The value lands under WOW6432Node, and the same process later launches cmd.exe from SysWOW64, so the sample is a 32-bit image running under WoW64 on this x64 sandbox. When hunting for this persistence on 64-bit hosts, check the Run key in both the native view and the WOW6432Node view.
Drops file in Windows directory (8 IoCs)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb, by svchost.exe
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm, by svchost.exe
- File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log, by svchost.exe
- File opened for modification: C:\Windows\Logs\CBS\CBS.log, by TiWorker.exe
- File opened for modification: C:\Windows\WinSxS\pending.xml, by TiWorker.exe
- File opened for modification: C:\Windows\WindowsUpdate.log, by svchost.exe
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk, by svchost.exe
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log, by svchost.exe
All eight writes come from the Windows Update service host (svchost.exe -k netsvcs -p -s wuauserv, PID 260) and the servicing worker (TiWorker.exe, PID 2172), which the process tree lists as separate roots rather than descendants of the sample; treat them as sandbox background activity, not sample behaviour.
Enumerates physical storage devices (1 TTP, no IoC listed)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches "likely ransomware behaviour" to this signature generically; nothing else in this report supports that reading for this sample, which the YARA and Suricata hits identify as the Sakula RAT.

Runs ping.exe (1 TTP, 1 IoC)
- PID 1836 PING.EXE, started by cmd.exe as a delay before deleting the original sample (see the process tree).
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Token adjustments by process, with counts taken from the report's list:
- svchost.exe (PID 260): SeShutdownPrivilege x3, SeCreatePagefilePrivilege x3
- 12061cae91a6da66e6ed6681bad04850f9dd99265a1f89786aeabed372f2cb11.exe (PID 4056): SeIncBasePriorityPrivilege x1
- TiWorker.exe (PID 2172): SeSecurityPrivilege x19, SeRestorePrivilege x19, SeBackupPrivilege x19
Only the single SeIncBasePriorityPrivilege adjustment belongs to the sample; the other 63 are from the Windows Update service host and the servicing worker, which run as separate roots in the process tree.
Suspicious use of WriteProcessMemory (9 IoCs)
- PID 4056 (12061cae91a6da66e6ed6681bad04850f9dd99265a1f89786aeabed372f2cb11.exe) wrote to memory of PID 528 (MediaCenter.exe) x3
- PID 4056 (12061cae91a6da66e6ed6681bad04850f9dd99265a1f89786aeabed372f2cb11.exe) wrote to memory of PID 4304 (cmd.exe) x3
- PID 4304 (cmd.exe) wrote to memory of PID 1836 (PING.EXE) x3
Every write targets a child that the writing process had just created; there are no writes into pre-existing or unrelated processes, so this is consistent with ordinary process start-up rather than injection into another process.
Processes
- C:\Users\Admin\AppData\Local\Temp\12061cae91a6da66e6ed6681bad04850f9dd99265a1f89786aeabed372f2cb11.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\12061cae91a6da66e6ed6681bad04850f9dd99265a1f89786aeabed372f2cb11.exe"
  PID: 4056
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 528
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\12061cae91a6da66e6ed6681bad04850f9dd99265a1f89786aeabed372f2cb11.exe"
    PID: 4304
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1836
      - Runs ping.exe

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 260
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 2172
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
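The behaviours this report records for the sample (the Run-key value pointing into the user's Temp directory, the dropped executable launched from Temp, the cmd /c ping & del self-deletion chain, and the file hashes) can be turned into a host-log detector. The block below is an added example written for this page, not code from Triage or from the sample; it replays constructed Sysmon-style events that mirror the process tree above. The event field names (event_id, pid, image, command_line, parent_image, target_object, details, sha256), the explorer.exe parent for PID 4056 and the absence of a hash for MediaCenter.exe are assumptions, not facts taken from the report.

```python
"""Added example (not part of the Triage report): replay the behaviours the
report records against constructed Sysmon-style events.

Field names below are assumptions modelled loosely on Sysmon's schema
(event 1 = process create, event 13 = registry value set), not a real export.
"""
import re
from dataclasses import dataclass

# Indicators copied from the report.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\12061cae91a6da66e6ed6681bad04850f9dd99265a1f89786aeabed372f2cb11.exe"
DROPPED_EXE = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
RUN_VALUE = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia"
KNOWN_SHA256 = {
    "12061cae91a6da66e6ed6681bad04850f9dd99265a1f89786aeabed372f2cb11": "submitted sample (General section)",
    "7f12438083411a008562539f2963fb868fce614f623d414cd4de7409e18d935a": "file listed under Downloads",
}

# Run-key writes are matched in both registry views so a 32-bit writer
# (redirected to WOW6432Node, as in this report) does not slip past.
RUN_KEY_RE = re.compile(r"\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# cmd /c ping <host> & del /q "<path>": the ping only delays the del until the
# parent has exited and its image file is no longer locked.
SELF_DELETE_RE = re.compile(
    r'/c\s+ping\b[^&]*&\s*del\s+(?:/[fq]\s+)*"?(?P<path>[^"&]+?)"?\s*$', re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def check_run_key(ev):
    """Rule 1: Run-key value whose data points at an executable in the user's Temp dir."""
    if ev.get("event_id") != 13:
        return None
    target, data = ev.get("target_object", ""), ev.get("details", "")
    if RUN_KEY_RE.search(target) and USER_TEMP_RE.search(data):
        return Finding("run_key_to_user_temp", ev["pid"], f"{target} = {data}")
    return None


def check_self_delete(ev):
    """Rule 2: cmd.exe told to ping-then-delete the image of its own parent."""
    if ev.get("event_id") != 1 or not ev.get("image", "").lower().endswith("\\cmd.exe"):
        return None
    m = SELF_DELETE_RE.search(ev.get("command_line", ""))
    if m and m.group("path").strip().lower() == ev.get("parent_image", "").lower():
        return Finding("self_delete_via_cmd_ping", ev["pid"], m.group("path").strip())
    return None


def check_known_hash(ev):
    """Rule 3: image hash equals one of the SHA256 indicators in the report."""
    label = KNOWN_SHA256.get(ev.get("sha256", "").lower())
    if ev.get("event_id") == 1 and label:
        return Finding("known_sakula_hash", ev["pid"], f"{ev['image']} ({label})")
    return None


def check_temp_child_of_temp(ev):
    """Rule 4: an executable under Temp starting another executable under Temp
    (the sample launching the dropped MediaCenter.exe)."""
    if (ev.get("event_id") == 1 and USER_TEMP_RE.search(ev.get("image", ""))
            and USER_TEMP_RE.search(ev.get("parent_image", ""))):
        return Finding("temp_exe_spawns_temp_exe", ev["pid"], ev["image"])
    return None


RULES = (check_run_key, check_self_delete, check_known_hash, check_temp_child_of_temp)


def scan(events):
    """Run every rule over every event; findings come back in event order."""
    return [f for ev in events for rule in RULES if (f := rule(ev))]


# Constructed events mirroring the report's process tree. The explorer.exe
# parent of PID 4056 and the missing hash for MediaCenter.exe are assumptions;
# the report records neither.
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 4056, "image": SAMPLE_EXE, "command_line": f'"{SAMPLE_EXE}"',
     "parent_image": r"C:\Windows\explorer.exe",
     "sha256": "12061cae91a6da66e6ed6681bad04850f9dd99265a1f89786aeabed372f2cb11"},
    {"event_id": 13, "pid": 4056, "image": SAMPLE_EXE,
     "target_object": RUN_VALUE, "details": DROPPED_EXE},
    {"event_id": 1, "pid": 528, "image": DROPPED_EXE, "command_line": DROPPED_EXE,
     "parent_image": SAMPLE_EXE},
    {"event_id": 1, "pid": 4304, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE_EXE}"',
     "parent_image": SAMPLE_EXE},
    {"event_id": 1, "pid": 1836, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "command_line": "ping 127.0.0.1", "parent_image": r"C:\Windows\SysWOW64\cmd.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Rule 2 deliberately requires the deleted path to equal the parent's own image: a plain `ping & del` match would also fire on installers cleaning up temporary files, whereas a process arranging for its own binary to vanish after exit is the pattern the tree above shows. Rule 1 matches the Run key with or without the WOW6432Node prefix so that a 64-bit collector sees the 32-bit write this report captured.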
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 9692283069a7130b56adcbcd89ac084c
- SHA1: 38d7f001f6876f5d9eef0c35e2f3eadcf19c87eb
- SHA256: 7f12438083411a008562539f2963fb868fce614f623d414cd4de7409e18d935a
- SHA512: 79eab52e18b12704d931c48c9ff5143746edc34fc246fe321356b26f3f8ceb0bb37ea274fe960eff1a6f865cc13319891865b42947a54ec1835ca3a77423ede0
These hashes differ from the submitted sample's (General section); the report does not name the file they belong to.