Analysis
- Max time kernel: 145s
- Max time network: 167s
- Platform: windows10-2004_x64
- Resource: win10v2004-en-20220113
- Submitted: 12-02-2022 05:46
- Static task: static1
- Behavioral task: behavioral1 (sample 11bb6eeddf1fd3a1862deeda316a5bb5dcd9b219efb3cf8a4c73d62ced0d4b72.exe, resource win7-en-20211208)
- Behavioral task: behavioral2 (sample 11bb6eeddf1fd3a1862deeda316a5bb5dcd9b219efb3cf8a4c73d62ced0d4b72.exe, resource win10v2004-en-20220113)
General
- Target: 11bb6eeddf1fd3a1862deeda316a5bb5dcd9b219efb3cf8a4c73d62ced0d4b72.exe
- Size: 150KB
- MD5: cf3849381d7080ca44df7a1ddaef5046
- SHA1: 610a66dcac6138fe8973c1cb472411e3af1560a9
- SHA256: 11bb6eeddf1fd3a1862deeda316a5bb5dcd9b219efb3cf8a4c73d62ced0d4b72
- SHA512: 33aec56edac22712074c46de8c176e13706c887640110503e04973447c0f62be081853344d3ae7aa9dc6529b9ff68bb7f0eaf0a924dbfaffb358c34357c902e2
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource matched yara_rule):
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes:
  - MediaCenter.exe (PID 1832)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (by 11bb6eeddf1fd3a1862deeda316a5bb5dcd9b219efb3cf8a4c73d62ced0d4b72.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (by 11bb6eeddf1fd3a1862deeda316a5bb5dcd9b219efb3cf8a4c73d62ced0d4b72.exe)
- Drops file in Windows directory (8 IoCs)
  Processes (file opened for modification):
  - C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  - C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
  - C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  - C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  - C:\Windows\WindowsUpdate.log (svchost.exe)
  - C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
  - C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
  - C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  - svchost.exe (PID 1468): Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, each requested 3 times
  - 11bb6eeddf1fd3a1862deeda316a5bb5dcd9b219efb3cf8a4c73d62ced0d4b72.exe (PID 1336): Token: SeIncBasePriorityPrivilege
  - TiWorker.exe (PID 2020): Token: SeSecurityPrivilege, Token: SeRestorePrivilege and Token: SeBackupPrivilege, requested repeatedly in rotation (the remaining 57 of the 64 token adjustments)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  - PID 1336 (11bb6eeddf1fd3a1862deeda316a5bb5dcd9b219efb3cf8a4c73d62ced0d4b72.exe) wrote to memory of PID 1832 (MediaCenter.exe), 3 times
  - PID 1336 (11bb6eeddf1fd3a1862deeda316a5bb5dcd9b219efb3cf8a4c73d62ced0d4b72.exe) wrote to memory of PID 3048 (cmd.exe), 3 times
  - PID 3048 (cmd.exe) wrote to memory of PID 1272 (PING.EXE), 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\11bb6eeddf1fd3a1862deeda316a5bb5dcd9b219efb3cf8a4c73d62ced0d4b72.exe (PID 1336)
  Command line: "C:\Users\Admin\AppData\Local\Temp\11bb6eeddf1fd3a1862deeda316a5bb5dcd9b219efb3cf8a4c73d62ced0d4b72.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1832)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 3048)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11bb6eeddf1fd3a1862deeda316a5bb5dcd9b219efb3cf8a4c73d62ced0d4b72.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1272)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 1468)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 2020)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 6034b7781d72ee9847b6d16158120451
  SHA1: d778fb170d2dda19d65b1a18d6bfa635c389d2ae
  SHA256: b57a815385330045a138f3c3603c58de831f09d25f374cc9957bbf05b96a784d
  SHA512: 1c17164253d33796c0c6ee3d9c4aeed808b4dd1e8f60a165b7c5425579d72539cde7b8ca028b65d7cee88c3f521425ac2a939c6efc96c3c9cc4f9e33a07697da