Analysis
- max time kernel: 137s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 07:21
Static task: static1
Behavioral task: behavioral1
  Sample: 0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3.exe
  Resource: win10v2004-en-20220113
General
- Target: 0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3.exe
- Size: 176KB
- MD5: 4c1c0a406d0a9883b049938bd23ee50e
- SHA1: ed8895a0f2c77c7ae31a929e050ade56c2a38ea6
- SHA256: 0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3
- SHA512: c310df8088baa304cd257fb7f2017089bfbe9b40fff448679fe1a1b66a563a081c5fc57fd90570d9d4f9eb69520b9a2d252879d786db91ae7df3940967abfc0d
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral2/memory/4300-135-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral2/memory/312-136-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  312 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 4252 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4252 | svchost.exe
  Token: SeShutdownPrivilege | 4252 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4252 | svchost.exe
  Token: SeShutdownPrivilege | 4252 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4252 | svchost.exe
  Token: SeSecurityPrivilege | 4624 | TiWorker.exe
  Token: SeRestorePrivilege | 4624 | TiWorker.exe
  Token: SeBackupPrivilege | 4624 | TiWorker.exe
  Token: SeIncBasePriorityPrivilege | 4300 | 0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3.exe
  Token: SeBackupPrivilege | 4624 | TiWorker.exe
  Token: SeRestorePrivilege | 4624 | TiWorker.exe
  Token: SeSecurityPrivilege | 4624 | TiWorker.exe
  Token: SeBackupPrivilege | 4624 | TiWorker.exe
  Token: SeRestorePrivilege | 4624 | TiWorker.exe
  Token: SeSecurityPrivilege | 4624 | TiWorker.exe
  Token: SeBackupPrivilege | 4624 | TiWorker.exe
  Token: SeRestorePrivilege | 4624 | TiWorker.exe
  Token: SeSecurityPrivilege | 4624 | TiWorker.exe
  Token: SeBackupPrivilege | 4624 | TiWorker.exe
  Token: SeRestorePrivilege | 4624 | TiWorker.exe
  Token: SeSecurityPrivilege | 4624 | TiWorker.exe
  Token: SeBackupPrivilege | 4624 | TiWorker.exe
  Token: SeRestorePrivilege | 4624 | TiWorker.exe
  Token: SeSecurityPrivilege | 4624 | TiWorker.exe
  Token: SeBackupPrivilege | 4624 | TiWorker.exe
  Token: SeRestorePrivilege | 4624 | TiWorker.exe
  Token: SeSecurityPrivilege | 4624 | TiWorker.exe
  Token: SeBackupPrivilege | 4624 | TiWorker.exe
  Token: SeRestorePrivilege | 4624 | TiWorker.exe
  Token: SeSecurityPrivilege | 4624 | TiWorker.exe
  Token: SeBackupPrivilege | 4624 | TiWorker.exe
  Token: SeRestorePrivilege | 4624 | TiWorker.exe
  Token: SeSecurityPrivilege | 4624 | TiWorker.exe
  Token: SeBackupPrivilege | 4624 | TiWorker.exe
  Token: SeRestorePrivilege | 4624 | TiWorker.exe
  Token: SeSecurityPrivilege | 4624 | TiWorker.exe
  Token: SeBackupPrivilege | 4624 | TiWorker.exe
  Token: SeRestorePrivilege | 4624 | TiWorker.exe
  Token: SeSecurityPrivilege | 4624 | TiWorker.exe
  Token: SeBackupPrivilege | 4624 | TiWorker.exe
  Token: SeRestorePrivilege | 4624 | TiWorker.exe
  Token: SeSecurityPrivilege | 4624 | TiWorker.exe
  Token: SeBackupPrivilege | 4624 | TiWorker.exe
  Token: SeRestorePrivilege | 4624 | TiWorker.exe
  Token: SeSecurityPrivilege | 4624 | TiWorker.exe
  Token: SeBackupPrivilege | 4624 | TiWorker.exe
  Token: SeRestorePrivilege | 4624 | TiWorker.exe
  Token: SeSecurityPrivilege | 4624 | TiWorker.exe
  Token: SeBackupPrivilege | 4624 | TiWorker.exe
  Token: SeRestorePrivilege | 4624 | TiWorker.exe
  Token: SeSecurityPrivilege | 4624 | TiWorker.exe
  Token: SeBackupPrivilege | 4624 | TiWorker.exe
  Token: SeRestorePrivilege | 4624 | TiWorker.exe
  Token: SeSecurityPrivilege | 4624 | TiWorker.exe
  Token: SeBackupPrivilege | 4624 | TiWorker.exe
  Token: SeRestorePrivilege | 4624 | TiWorker.exe
  Token: SeSecurityPrivilege | 4624 | TiWorker.exe
  Token: SeBackupPrivilege | 4624 | TiWorker.exe
  Token: SeRestorePrivilege | 4624 | TiWorker.exe
  Token: SeSecurityPrivilege | 4624 | TiWorker.exe
  Token: SeBackupPrivilege | 4624 | TiWorker.exe
  Token: SeRestorePrivilege | 4624 | TiWorker.exe
  Token: SeSecurityPrivilege | 4624 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 4300 wrote to memory of 312 | 4300 | 0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3.exe | MediaCenter.exe
  PID 4300 wrote to memory of 312 | 4300 | 0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3.exe | MediaCenter.exe
  PID 4300 wrote to memory of 312 | 4300 | 0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3.exe | MediaCenter.exe
  PID 4300 wrote to memory of 5048 | 4300 | 0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3.exe | cmd.exe
  PID 4300 wrote to memory of 5048 | 4300 | 0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3.exe | cmd.exe
  PID 4300 wrote to memory of 5048 | 4300 | 0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3.exe | cmd.exe
  PID 5048 wrote to memory of 1276 | 5048 | cmd.exe | PING.EXE
  PID 5048 wrote to memory of 1276 | 5048 | cmd.exe | PING.EXE
  PID 5048 wrote to memory of 1276 | 5048 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4300
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 312
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3.exe"
    - Suspicious use of WriteProcessMemory
    PID: 5048
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1276
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4252
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4624
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 9b589ae482b627e0de61b37af0180608
  SHA1: 577cd02e9c05db418e01685707b3ea62c444778b
  SHA256: 7079fc35895b6d4b8a8d073c1f3f1e418a36519b697a4e34e7c565ccc7e96ace
  SHA512: 43159f6e8778eadbce7153795e6a06375ad10559dfe6c72be27b1481f7efb51e851348bba832431c671a5091da6f8ddc346e1d6490d1f56978fb8f6b2794073e