Analysis
- max time kernel: 153s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 05:43
Static task: static1
Behavioral task: behavioral1
- Sample: 11de8b40274f344f706324363fb7c20a47d9a59a4e7f97559eb95daf3a5da9a0.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 11de8b40274f344f706324363fb7c20a47d9a59a4e7f97559eb95daf3a5da9a0.exe
- Resource: win10v2004-en-20220113
General
- Target: 11de8b40274f344f706324363fb7c20a47d9a59a4e7f97559eb95daf3a5da9a0.exe
- Size: 150KB
- MD5: cb8835e69dffa5cfc4140c17796e790b
- SHA1: f62fad8861e1939996e599c144055cc2d51a04a1
- SHA256: 11de8b40274f344f706324363fb7c20a47d9a59a4e7f97559eb95daf3a5da9a0
- SHA512: 1f145ed54998a87d68da6c246707a52ea3a8b3ad13f67c0de066a0ba6530f174f09e68f16d8925e5b41abc13fdd2cec9c6ae8ac6fdfb724a930e084759315539
Malware Config
Signatures
- Sakula Payload 2 IoCs
  Processes (resource / yara_rule):
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE 1 IoCs
  Processes (pid / process):
  3124 / MediaCenter.exe
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
  Key value queried / \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation / 11de8b40274f344f706324363fb7c20a47d9a59a4e7f97559eb95daf3a5da9a0.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes (description / ioc / process):
  Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 11de8b40274f344f706324363fb7c20a47d9a59a4e7f97559eb95daf3a5da9a0.exe
- Drops file in Windows directory 8 IoCs
  Processes (description / ioc / process):
  File opened for modification / C:\Windows\SoftwareDistribution\ReportingEvents.log / svchost.exe
  File opened for modification / C:\Windows\Logs\CBS\CBS.log / TiWorker.exe
  File opened for modification / C:\Windows\WinSxS\pending.xml / TiWorker.exe
  File opened for modification / C:\Windows\WindowsUpdate.log / svchost.exe
  File opened for modification / C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk / svchost.exe
  File opened for modification / C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log / svchost.exe
  File opened for modification / C:\Windows\SoftwareDistribution\DataStore\DataStore.edb / svchost.exe
  File opened for modification / C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm / svchost.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 64 IoCs
  Processes (description / pid / process):
  Token: SeShutdownPrivilege / 3064 / svchost.exe
  Token: SeCreatePagefilePrivilege / 3064 / svchost.exe
  Token: SeShutdownPrivilege / 3064 / svchost.exe
  Token: SeCreatePagefilePrivilege / 3064 / svchost.exe
  Token: SeShutdownPrivilege / 3064 / svchost.exe
  Token: SeCreatePagefilePrivilege / 3064 / svchost.exe
  Token: SeSecurityPrivilege / 1796 / TiWorker.exe
  Token: SeRestorePrivilege / 1796 / TiWorker.exe
  Token: SeBackupPrivilege / 1796 / TiWorker.exe
  Token: SeIncBasePriorityPrivilege / 1016 / 11de8b40274f344f706324363fb7c20a47d9a59a4e7f97559eb95daf3a5da9a0.exe
  Token: SeBackupPrivilege / 1796 / TiWorker.exe
  Token: SeRestorePrivilege / 1796 / TiWorker.exe
  Token: SeSecurityPrivilege / 1796 / TiWorker.exe
  Token: SeBackupPrivilege / 1796 / TiWorker.exe
  Token: SeRestorePrivilege / 1796 / TiWorker.exe
  Token: SeSecurityPrivilege / 1796 / TiWorker.exe
  Token: SeBackupPrivilege / 1796 / TiWorker.exe
  Token: SeRestorePrivilege / 1796 / TiWorker.exe
  Token: SeSecurityPrivilege / 1796 / TiWorker.exe
  Token: SeBackupPrivilege / 1796 / TiWorker.exe
  Token: SeRestorePrivilege / 1796 / TiWorker.exe
  Token: SeSecurityPrivilege / 1796 / TiWorker.exe
  Token: SeBackupPrivilege / 1796 / TiWorker.exe
  Token: SeRestorePrivilege / 1796 / TiWorker.exe
  Token: SeSecurityPrivilege / 1796 / TiWorker.exe
  Token: SeBackupPrivilege / 1796 / TiWorker.exe
  Token: SeRestorePrivilege / 1796 / TiWorker.exe
  Token: SeSecurityPrivilege / 1796 / TiWorker.exe
  Token: SeBackupPrivilege / 1796 / TiWorker.exe
  Token: SeRestorePrivilege / 1796 / TiWorker.exe
  Token: SeSecurityPrivilege / 1796 / TiWorker.exe
  Token: SeBackupPrivilege / 1796 / TiWorker.exe
  Token: SeRestorePrivilege / 1796 / TiWorker.exe
  Token: SeSecurityPrivilege / 1796 / TiWorker.exe
  Token: SeBackupPrivilege / 1796 / TiWorker.exe
  Token: SeRestorePrivilege / 1796 / TiWorker.exe
  Token: SeSecurityPrivilege / 1796 / TiWorker.exe
  Token: SeBackupPrivilege / 1796 / TiWorker.exe
  Token: SeRestorePrivilege / 1796 / TiWorker.exe
  Token: SeSecurityPrivilege / 1796 / TiWorker.exe
  Token: SeBackupPrivilege / 1796 / TiWorker.exe
  Token: SeRestorePrivilege / 1796 / TiWorker.exe
  Token: SeSecurityPrivilege / 1796 / TiWorker.exe
  Token: SeBackupPrivilege / 1796 / TiWorker.exe
  Token: SeRestorePrivilege / 1796 / TiWorker.exe
  Token: SeSecurityPrivilege / 1796 / TiWorker.exe
  Token: SeBackupPrivilege / 1796 / TiWorker.exe
  Token: SeRestorePrivilege / 1796 / TiWorker.exe
  Token: SeSecurityPrivilege / 1796 / TiWorker.exe
  Token: SeBackupPrivilege / 1796 / TiWorker.exe
  Token: SeRestorePrivilege / 1796 / TiWorker.exe
  Token: SeSecurityPrivilege / 1796 / TiWorker.exe
  Token: SeBackupPrivilege / 1796 / TiWorker.exe
  Token: SeRestorePrivilege / 1796 / TiWorker.exe
  Token: SeSecurityPrivilege / 1796 / TiWorker.exe
  Token: SeBackupPrivilege / 1796 / TiWorker.exe
  Token: SeRestorePrivilege / 1796 / TiWorker.exe
  Token: SeSecurityPrivilege / 1796 / TiWorker.exe
  Token: SeBackupPrivilege / 1796 / TiWorker.exe
  Token: SeRestorePrivilege / 1796 / TiWorker.exe
  Token: SeSecurityPrivilege / 1796 / TiWorker.exe
  Token: SeBackupPrivilege / 1796 / TiWorker.exe
  Token: SeRestorePrivilege / 1796 / TiWorker.exe
  Token: SeSecurityPrivilege / 1796 / TiWorker.exe
- Suspicious use of WriteProcessMemory 9 IoCs
  Processes (description / pid / process / target process):
  PID 1016 wrote to memory of 3124 / 1016 / 11de8b40274f344f706324363fb7c20a47d9a59a4e7f97559eb95daf3a5da9a0.exe / MediaCenter.exe
  PID 1016 wrote to memory of 3124 / 1016 / 11de8b40274f344f706324363fb7c20a47d9a59a4e7f97559eb95daf3a5da9a0.exe / MediaCenter.exe
  PID 1016 wrote to memory of 3124 / 1016 / 11de8b40274f344f706324363fb7c20a47d9a59a4e7f97559eb95daf3a5da9a0.exe / MediaCenter.exe
  PID 1016 wrote to memory of 4304 / 1016 / 11de8b40274f344f706324363fb7c20a47d9a59a4e7f97559eb95daf3a5da9a0.exe / cmd.exe
  PID 1016 wrote to memory of 4304 / 1016 / 11de8b40274f344f706324363fb7c20a47d9a59a4e7f97559eb95daf3a5da9a0.exe / cmd.exe
  PID 1016 wrote to memory of 4304 / 1016 / 11de8b40274f344f706324363fb7c20a47d9a59a4e7f97559eb95daf3a5da9a0.exe / cmd.exe
  PID 4304 wrote to memory of 3476 / 4304 / cmd.exe / PING.EXE
  PID 4304 wrote to memory of 3476 / 4304 / cmd.exe / PING.EXE
  PID 4304 wrote to memory of 3476 / 4304 / cmd.exe / PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\11de8b40274f344f706324363fb7c20a47d9a59a4e7f97559eb95daf3a5da9a0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11de8b40274f344f706324363fb7c20a47d9a59a4e7f97559eb95daf3a5da9a0.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1016
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 3124
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11de8b40274f344f706324363fb7c20a47d9a59a4e7f97559eb95daf3a5da9a0.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4304
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3476
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3064
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1796
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: b8e6c532783a993caa1f398a2cb1c68f
  SHA1: 8188b9a34015a07a376f4d92ac7d4023a1fd1d05
  SHA256: 22efa1646410b7cc2f2145c12e36e30c518be7cbef1c30b8bfbf7dc7ecf7440b
  SHA512: 4ad061ffede1c4a1c3a7800478a3fc72c97be9df3ef8811683f76dc815fc7da582e5f7a2fc3110519c391d7688e8d3cc6d1cdc9e71b25f7f98a09893127754cd