Analysis
-
max time kernel
144s -
max time network
168s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 07:16
Static task
static1
Behavioral task
behavioral1
Sample
0e1691734b876b2189e2e762628cced2be4b4e2bcfc067e0d8219ea545040e9e.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0e1691734b876b2189e2e762628cced2be4b4e2bcfc067e0d8219ea545040e9e.exe
Resource
win10v2004-en-20220113
General
-
Target
0e1691734b876b2189e2e762628cced2be4b4e2bcfc067e0d8219ea545040e9e.exe
-
Size
150KB
-
MD5
457471da7b1a95bcdcfed0a30a642ca7
-
SHA1
618a8667483c24b0651403a0fad333a41684449a
-
SHA256
0e1691734b876b2189e2e762628cced2be4b4e2bcfc067e0d8219ea545040e9e
-
SHA512
9bdebf57bf39d26dbff4b85c42fd378109073d2527ca8b92c5f3c346213a895a733945cde6f7e192d92b836f0623d95df179a825295fafd6c08b37c22719f28a
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 4120 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
0e1691734b876b2189e2e762628cced2be4b4e2bcfc067e0d8219ea545040e9e.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 0e1691734b876b2189e2e762628cced2be4b4e2bcfc067e0d8219ea545040e9e.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0e1691734b876b2189e2e762628cced2be4b4e2bcfc067e0d8219ea545040e9e.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0e1691734b876b2189e2e762628cced2be4b4e2bcfc067e0d8219ea545040e9e.exe -
Drops file in Windows directory 8 IoCs
Processes:
TiWorker.exesvchost.exedescription ioc process File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exe0e1691734b876b2189e2e762628cced2be4b4e2bcfc067e0d8219ea545040e9e.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 3572 svchost.exe Token: SeCreatePagefilePrivilege 3572 svchost.exe Token: SeShutdownPrivilege 3572 svchost.exe Token: SeCreatePagefilePrivilege 3572 svchost.exe Token: SeShutdownPrivilege 3572 svchost.exe Token: SeCreatePagefilePrivilege 3572 svchost.exe Token: SeIncBasePriorityPrivilege 4040 0e1691734b876b2189e2e762628cced2be4b4e2bcfc067e0d8219ea545040e9e.exe Token: SeSecurityPrivilege 1060 TiWorker.exe Token: SeRestorePrivilege 1060 TiWorker.exe Token: SeBackupPrivilege 1060 TiWorker.exe Token: SeBackupPrivilege 1060 TiWorker.exe Token: SeRestorePrivilege 1060 TiWorker.exe Token: SeSecurityPrivilege 1060 TiWorker.exe Token: SeBackupPrivilege 1060 TiWorker.exe Token: SeRestorePrivilege 1060 TiWorker.exe Token: SeSecurityPrivilege 1060 TiWorker.exe Token: SeBackupPrivilege 1060 TiWorker.exe Token: SeRestorePrivilege 1060 TiWorker.exe Token: SeSecurityPrivilege 1060 TiWorker.exe Token: SeBackupPrivilege 1060 TiWorker.exe Token: SeRestorePrivilege 1060 TiWorker.exe Token: SeSecurityPrivilege 1060 TiWorker.exe Token: SeBackupPrivilege 1060 TiWorker.exe Token: SeRestorePrivilege 1060 TiWorker.exe Token: SeSecurityPrivilege 1060 TiWorker.exe Token: SeBackupPrivilege 1060 TiWorker.exe Token: SeRestorePrivilege 1060 TiWorker.exe Token: SeSecurityPrivilege 1060 TiWorker.exe Token: SeBackupPrivilege 1060 TiWorker.exe Token: SeRestorePrivilege 1060 TiWorker.exe Token: SeSecurityPrivilege 1060 TiWorker.exe Token: SeBackupPrivilege 1060 TiWorker.exe Token: SeRestorePrivilege 1060 TiWorker.exe Token: SeSecurityPrivilege 1060 TiWorker.exe Token: SeBackupPrivilege 1060 TiWorker.exe Token: SeRestorePrivilege 1060 TiWorker.exe Token: SeSecurityPrivilege 1060 TiWorker.exe Token: SeBackupPrivilege 1060 TiWorker.exe Token: SeRestorePrivilege 1060 TiWorker.exe Token: SeSecurityPrivilege 1060 TiWorker.exe Token: SeBackupPrivilege 1060 TiWorker.exe Token: SeRestorePrivilege 1060 TiWorker.exe Token: SeSecurityPrivilege 1060 TiWorker.exe Token: SeBackupPrivilege 1060 TiWorker.exe Token: SeRestorePrivilege 1060 TiWorker.exe Token: SeSecurityPrivilege 1060 TiWorker.exe Token: SeBackupPrivilege 1060 TiWorker.exe Token: SeRestorePrivilege 1060 TiWorker.exe Token: SeSecurityPrivilege 1060 TiWorker.exe Token: SeBackupPrivilege 1060 TiWorker.exe Token: SeRestorePrivilege 1060 TiWorker.exe Token: SeSecurityPrivilege 1060 TiWorker.exe Token: SeBackupPrivilege 1060 TiWorker.exe Token: SeRestorePrivilege 1060 TiWorker.exe Token: SeSecurityPrivilege 1060 TiWorker.exe Token: SeBackupPrivilege 1060 TiWorker.exe Token: SeRestorePrivilege 1060 TiWorker.exe Token: SeSecurityPrivilege 1060 TiWorker.exe Token: SeBackupPrivilege 1060 TiWorker.exe Token: SeRestorePrivilege 1060 TiWorker.exe Token: SeSecurityPrivilege 1060 TiWorker.exe Token: SeBackupPrivilege 1060 TiWorker.exe Token: SeRestorePrivilege 1060 TiWorker.exe Token: SeSecurityPrivilege 1060 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
0e1691734b876b2189e2e762628cced2be4b4e2bcfc067e0d8219ea545040e9e.execmd.exedescription pid process target process PID 4040 wrote to memory of 4120 4040 0e1691734b876b2189e2e762628cced2be4b4e2bcfc067e0d8219ea545040e9e.exe MediaCenter.exe PID 4040 wrote to memory of 4120 4040 0e1691734b876b2189e2e762628cced2be4b4e2bcfc067e0d8219ea545040e9e.exe MediaCenter.exe PID 4040 wrote to memory of 4120 4040 0e1691734b876b2189e2e762628cced2be4b4e2bcfc067e0d8219ea545040e9e.exe MediaCenter.exe PID 4040 wrote to memory of 4712 4040 0e1691734b876b2189e2e762628cced2be4b4e2bcfc067e0d8219ea545040e9e.exe cmd.exe PID 4040 wrote to memory of 4712 4040 0e1691734b876b2189e2e762628cced2be4b4e2bcfc067e0d8219ea545040e9e.exe cmd.exe PID 4040 wrote to memory of 4712 4040 0e1691734b876b2189e2e762628cced2be4b4e2bcfc067e0d8219ea545040e9e.exe cmd.exe PID 4712 wrote to memory of 4296 4712 cmd.exe PING.EXE PID 4712 wrote to memory of 4296 4712 cmd.exe PING.EXE PID 4712 wrote to memory of 4296 4712 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0e1691734b876b2189e2e762628cced2be4b4e2bcfc067e0d8219ea545040e9e.exe"C:\Users\Admin\AppData\Local\Temp\0e1691734b876b2189e2e762628cced2be4b4e2bcfc067e0d8219ea545040e9e.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:4120 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e1691734b876b2189e2e762628cced2be4b4e2bcfc067e0d8219ea545040e9e.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:4296
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3572
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1060
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
719c905c86667b8a8f6ad6a5a69282bc
SHA12af8a8630725f2a238f1804d2ac57e56113ad24a
SHA2561c13525e3df352dc8e7f65d0bff7d5c650ca3a692236970b92f67bf343509726
SHA5127d94c30877d3aaf36ff0948e0954e1caf0e8e5afd6f24f94793ede50678ecf383292536844e2e807d070faf6f115471a246457e40cb88bc686a8a6c23256c1fd
-
MD5
719c905c86667b8a8f6ad6a5a69282bc
SHA12af8a8630725f2a238f1804d2ac57e56113ad24a
SHA2561c13525e3df352dc8e7f65d0bff7d5c650ca3a692236970b92f67bf343509726
SHA5127d94c30877d3aaf36ff0948e0954e1caf0e8e5afd6f24f94793ede50678ecf383292536844e2e807d070faf6f115471a246457e40cb88bc686a8a6c23256c1fd