Analysis

max time kernel: 159s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 05:47
Static task: static1

Behavioral task: behavioral1
Sample: 11bb18c7fba949d28e1b0cfb82bf211e7dadaea08c226fe51f5ac91519ab21dd.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 11bb18c7fba949d28e1b0cfb82bf211e7dadaea08c226fe51f5ac91519ab21dd.exe
Resource: win10v2004-en-20220113
General

Target: 11bb18c7fba949d28e1b0cfb82bf211e7dadaea08c226fe51f5ac91519ab21dd.exe
Size: 150KB
MD5: 519226f18eae27ceafd3b8122a3e8684
SHA1: 4b2ec37b7d1d57d08e566f39573f13dff75c342a
SHA256: 11bb18c7fba949d28e1b0cfb82bf211e7dadaea08c226fe51f5ac91519ab21dd
SHA512: cd13068f3191a9740bbc80a0e5a06c60131c29eeb2e6b97370d181157911e59a908190be752ffe6e9638ddd94ed1bcb19c340d3a9ef77f8ddd2c7e133f7610a5
Malware Config
Signatures

Sakula Payload (2 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoCs)
Processes:
pid | process
4044 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 11bb18c7fba949d28e1b0cfb82bf211e7dadaea08c226fe51f5ac91519ab21dd.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 11bb18c7fba949d28e1b0cfb82bf211e7dadaea08c226fe51f5ac91519ab21dd.exe
Drops file in Windows directory (8 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
description | pid | process
Token: SeShutdownPrivilege | 1644 | svchost.exe
Token: SeCreatePagefilePrivilege | 1644 | svchost.exe
Token: SeShutdownPrivilege | 1644 | svchost.exe
Token: SeCreatePagefilePrivilege | 1644 | svchost.exe
Token: SeShutdownPrivilege | 1644 | svchost.exe
Token: SeCreatePagefilePrivilege | 1644 | svchost.exe
Token: SeSecurityPrivilege | 2992 | TiWorker.exe
Token: SeRestorePrivilege | 2992 | TiWorker.exe
Token: SeBackupPrivilege | 2992 | TiWorker.exe
Token: SeIncBasePriorityPrivilege | 2072 | 11bb18c7fba949d28e1b0cfb82bf211e7dadaea08c226fe51f5ac91519ab21dd.exe
Token: SeBackupPrivilege | 2992 | TiWorker.exe
Token: SeRestorePrivilege | 2992 | TiWorker.exe
Token: SeSecurityPrivilege | 2992 | TiWorker.exe
Token: SeBackupPrivilege | 2992 | TiWorker.exe
Token: SeRestorePrivilege | 2992 | TiWorker.exe
Token: SeSecurityPrivilege | 2992 | TiWorker.exe
Token: SeBackupPrivilege | 2992 | TiWorker.exe
Token: SeRestorePrivilege | 2992 | TiWorker.exe
Token: SeSecurityPrivilege | 2992 | TiWorker.exe
Token: SeBackupPrivilege | 2992 | TiWorker.exe
Token: SeRestorePrivilege | 2992 | TiWorker.exe
Token: SeSecurityPrivilege | 2992 | TiWorker.exe
Token: SeBackupPrivilege | 2992 | TiWorker.exe
Token: SeRestorePrivilege | 2992 | TiWorker.exe
Token: SeSecurityPrivilege | 2992 | TiWorker.exe
Token: SeBackupPrivilege | 2992 | TiWorker.exe
Token: SeRestorePrivilege | 2992 | TiWorker.exe
Token: SeSecurityPrivilege | 2992 | TiWorker.exe
Token: SeBackupPrivilege | 2992 | TiWorker.exe
Token: SeRestorePrivilege | 2992 | TiWorker.exe
Token: SeSecurityPrivilege | 2992 | TiWorker.exe
Token: SeBackupPrivilege | 2992 | TiWorker.exe
Token: SeRestorePrivilege | 2992 | TiWorker.exe
Token: SeSecurityPrivilege | 2992 | TiWorker.exe
Token: SeBackupPrivilege | 2992 | TiWorker.exe
Token: SeRestorePrivilege | 2992 | TiWorker.exe
Token: SeSecurityPrivilege | 2992 | TiWorker.exe
Token: SeBackupPrivilege | 2992 | TiWorker.exe
Token: SeRestorePrivilege | 2992 | TiWorker.exe
Token: SeSecurityPrivilege | 2992 | TiWorker.exe
Token: SeBackupPrivilege | 2992 | TiWorker.exe
Token: SeRestorePrivilege | 2992 | TiWorker.exe
Token: SeSecurityPrivilege | 2992 | TiWorker.exe
Token: SeBackupPrivilege | 2992 | TiWorker.exe
Token: SeRestorePrivilege | 2992 | TiWorker.exe
Token: SeSecurityPrivilege | 2992 | TiWorker.exe
Token: SeBackupPrivilege | 2992 | TiWorker.exe
Token: SeRestorePrivilege | 2992 | TiWorker.exe
Token: SeSecurityPrivilege | 2992 | TiWorker.exe
Token: SeBackupPrivilege | 2992 | TiWorker.exe
Token: SeRestorePrivilege | 2992 | TiWorker.exe
Token: SeSecurityPrivilege | 2992 | TiWorker.exe
Token: SeBackupPrivilege | 2992 | TiWorker.exe
Token: SeRestorePrivilege | 2992 | TiWorker.exe
Token: SeSecurityPrivilege | 2992 | TiWorker.exe
Token: SeBackupPrivilege | 2992 | TiWorker.exe
Token: SeRestorePrivilege | 2992 | TiWorker.exe
Token: SeSecurityPrivilege | 2992 | TiWorker.exe
Token: SeBackupPrivilege | 2992 | TiWorker.exe
Token: SeRestorePrivilege | 2992 | TiWorker.exe
Token: SeSecurityPrivilege | 2992 | TiWorker.exe
Token: SeBackupPrivilege | 2992 | TiWorker.exe
Token: SeRestorePrivilege | 2992 | TiWorker.exe
Token: SeSecurityPrivilege | 2992 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 2072 wrote to memory of 4044 | 2072 | 11bb18c7fba949d28e1b0cfb82bf211e7dadaea08c226fe51f5ac91519ab21dd.exe | MediaCenter.exe
PID 2072 wrote to memory of 4044 | 2072 | 11bb18c7fba949d28e1b0cfb82bf211e7dadaea08c226fe51f5ac91519ab21dd.exe | MediaCenter.exe
PID 2072 wrote to memory of 4044 | 2072 | 11bb18c7fba949d28e1b0cfb82bf211e7dadaea08c226fe51f5ac91519ab21dd.exe | MediaCenter.exe
PID 2072 wrote to memory of 3572 | 2072 | 11bb18c7fba949d28e1b0cfb82bf211e7dadaea08c226fe51f5ac91519ab21dd.exe | cmd.exe
PID 2072 wrote to memory of 3572 | 2072 | 11bb18c7fba949d28e1b0cfb82bf211e7dadaea08c226fe51f5ac91519ab21dd.exe | cmd.exe
PID 2072 wrote to memory of 3572 | 2072 | 11bb18c7fba949d28e1b0cfb82bf211e7dadaea08c226fe51f5ac91519ab21dd.exe | cmd.exe
PID 3572 wrote to memory of 3580 | 3572 | cmd.exe | PING.EXE
PID 3572 wrote to memory of 3580 | 3572 | cmd.exe | PING.EXE
PID 3572 wrote to memory of 3580 | 3572 | cmd.exe | PING.EXE
Processes

Image: C:\Users\Admin\AppData\Local\Temp\11bb18c7fba949d28e1b0cfb82bf211e7dadaea08c226fe51f5ac91519ab21dd.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\11bb18c7fba949d28e1b0cfb82bf211e7dadaea08c226fe51f5ac91519ab21dd.exe"
PID: 2072
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  Image: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  PID: 4044
  - Executes dropped EXE

  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11bb18c7fba949d28e1b0cfb82bf211e7dadaea08c226fe51f5ac91519ab21dd.exe"
  PID: 3572
  - Suspicious use of WriteProcessMemory

    Image: C:\Windows\SysWOW64\PING.EXE
    Command line: ping 127.0.0.1
    PID: 3580
    - Runs ping.exe

Image: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
PID: 1644
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken

Image: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
PID: 2992
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: 582057bc71a45239c74f9224372ebaed
SHA1: ab184bca05787b71e5403f0a0f47c7381860b63c
SHA256: f222e5f2cca37cac3e5289590a8ab97e24fbe74c5684f11929408d5a8afaba50
SHA512: 7900bf15f436494723ed8e205b37fb9a77f9e53dfc854f11aab09e080bd2c38ef9388975305d25548162ddda5b614d2ab19adc66444679a0ed8932aeed708c3c