Analysis
max time kernel: 157s
max time network: 171s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 06:36
Static task: static1
Behavioral task: behavioral1
  Sample: 0f8b23b2d91e126a901bab15d45a879b3d23cca7831dc72f15444b1ab52f106f.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0f8b23b2d91e126a901bab15d45a879b3d23cca7831dc72f15444b1ab52f106f.exe
  Resource: win10v2004-en-20220113
General
Target: 0f8b23b2d91e126a901bab15d45a879b3d23cca7831dc72f15444b1ab52f106f.exe
Size: 150KB
MD5: f5f5e009dc4f6390bbd693ad62452cc5
SHA1: 3d0552d077f65050cfd5be8a2d39b15946a99e89
SHA256: 0f8b23b2d91e126a901bab15d45a879b3d23cca7831dc72f15444b1ab52f106f
SHA512: 080800e39d7993b60a319f4312ec1cac48e0bd00a3c931e883b16e63932a0f474ba463a2828cd5be904a650ee24a1e00112a26ed09d8aa14eac56e9a102efc46
Malware Config
Signatures
Sakula Payload (2 IoCs)
  resource                                                          yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe      family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe      family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
  pid 1340  MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  process: 0f8b23b2d91e126a901bab15d45a879b3d23cca7831dc72f15444b1ab52f106f.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 0f8b23b2d91e126a901bab15d45a879b3d23cca7831dc72f15444b1ab52f106f.exe
The WOW6432Node path shows the 32-bit sample writing to the redirected registry view of the 64-bit host; the value points at the dropped MediaCenter.exe that the Sakula yara rule matched, so the payload survives reboot from a user-writable Temp directory.
Drops file in Windows directory (8 IoCs)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm        svchost.exe
  File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log            svchost.exe
  File opened for modification: C:\Windows\Logs\CBS\CBS.log                                     TiWorker.exe
  File opened for modification: C:\Windows\WinSxS\pending.xml                                   TiWorker.exe
  File opened for modification: C:\Windows\WindowsUpdate.log                                    svchost.exe
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk          svchost.exe
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log          svchost.exe
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb         svchost.exe
Both processes here are the Windows Update service host (svchost.exe -k netsvcs -s wuauserv, PID 4596) and the servicing worker (TiWorker.exe, PID 4016). Neither descends from the sample's process tree in the Processes section, so these eight entries are sandbox background activity, not behaviour of the sample.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(Generic signature text; this sample is classified as Sakula RAT, and no file encryption is reported.)

Runs ping.exe (1 TTP, 1 IoC)
  PING.EXE (PID 2992), spawned by cmd.exe (PID 952); see the Processes section for the command line.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  svchost.exe (PID 4596):   SeShutdownPrivilege x3, SeCreatePagefilePrivilege x3
  0f8b23b2d91e126a901bab15d45a879b3d23cca7831dc72f15444b1ab52f106f.exe (PID 3560):   SeIncBasePriorityPrivilege x1
  TiWorker.exe (PID 4016):  SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, enabled in a repeating cycle (the remaining 57 entries)
Only one of the 64 entries belongs to the sample (SeIncBasePriorityPrivilege on PID 3560); the rest come from the Windows Update processes noted above.
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 3560 (0f8b23b2d91e126a901bab15d45a879b3d23cca7831dc72f15444b1ab52f106f.exe) wrote to memory of PID 1340 (MediaCenter.exe)   x3
  PID 3560 (0f8b23b2d91e126a901bab15d45a879b3d23cca7831dc72f15444b1ab52f106f.exe) wrote to memory of PID 952 (cmd.exe)            x3
  PID 952 (cmd.exe) wrote to memory of PID 2992 (PING.EXE)                                                                          x3
Each write goes from a parent into a child it has just created, and the identical three-write pattern appears for cmd.exe launching PING.EXE, so this reflects ordinary child-process creation rather than injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\0f8b23b2d91e126a901bab15d45a879b3d23cca7831dc72f15444b1ab52f106f.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\0f8b23b2d91e126a901bab15d45a879b3d23cca7831dc72f15444b1ab52f106f.exe"
   PID: 3560
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1340
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f8b23b2d91e126a901bab15d45a879b3d23cca7831dc72f15444b1ab52f106f.exe"
      PID: 952
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         command line: ping 127.0.0.1
         PID: 2992
         - Runs ping.exe
   The cmd.exe one-liner is the dropper deleting itself after launching MediaCenter.exe: ping 127.0.0.1 acts as a short delay so the parent has exited before del runs. The image path is SysWOW64 although the command line names System32, the file-system redirection applied to a 32-bit parent on 64-bit Windows.

1. C:\Windows\system32\svchost.exe
   command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
   PID: 4596
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken

1. C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
   command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
   PID: 4016
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
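Host-side detection logic for the three behaviours this report pins on the sample (a Run-key value pointing into a user-writable directory, a dropped EXE launched from Temp by a parent that also runs from Temp, and the ping-then-del self-deletion one-liner). This is an added example in Python, not part of the sandbox report, its signature engine, or the Sakula family's own code. The event records are constructed Sysmon-style dictionaries modelled on the PIDs, paths and command line shown in the process tree above; they are not the sandbox's raw telemetry, and the benign events, rule names and directory list are assumptions made for the example.

```python
"""Host-side detection for three behaviours the report attributes to the sample:
a Run-key value pointing into a user-writable directory, a dropped EXE launched
from %TEMP% by a parent that itself runs from %TEMP%, and the
`cmd /c ping 127.0.0.1 & del /q <self>` self-deletion one-liner.
Added example: not part of the sandbox report or of the Sakula family's code."""
import re

# Directories a persistence entry should not point into (assumption for the example).
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|AppData\\Local|Users\\Public|ProgramData)\\",
    re.IGNORECASE,
)
# Matches both the native and the WOW6432Node (32-bit redirected) views of the Run keys.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# "ping <anything>" followed by "& del": ping is the sleep, del removes the dropper.
SELF_DELETE = re.compile(r"\bping\b[^&]*&\s*del\b", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0f8b23b2d91e126a901bab15d45a879b3d23cca7831dc72f15444b1ab52f106f.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed Sysmon-style events modelled on the PIDs, paths and command line in the
# process tree above; they are not the sandbox's raw telemetry.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 3560, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "RegistryEvent", "pid": 3560,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
    {"type": "ProcessCreate", "pid": 1340, "ppid": 3560, "image": DROPPED, "cmdline": DROPPED},
    {"type": "ProcessCreate", "pid": 952, "ppid": 3560, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "ProcessCreate", "pid": 2992, "ppid": 952, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
]

# Constructed benign activity that must not fire: a vendor installer that registers
# a Run key under Program Files and uses ping purely as a delay (no del).
BENIGN_EVENTS = [
    {"type": "ProcessCreate", "pid": 4100, "ppid": 1000,
     "image": r"C:\Program Files\Vendor\setup.exe", "cmdline": "setup.exe /s"},
    {"type": "RegistryEvent", "pid": 4100,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "value": r"C:\Program Files\Vendor\agent.exe"},
    {"type": "ProcessCreate", "pid": 4200, "ppid": 4100,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ping 127.0.0.1 -n 3 > nul"},
]


def detect(events):
    """Return (rule, pid, detail) tuples for each event that trips one of the three rules."""
    procs = {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}
    hits = []
    for e in events:
        if e["type"] == "RegistryEvent":
            # Persistence: any Run/RunOnce value whose target lives in a user-writable directory.
            if RUN_KEY.search(e["key"]) and USER_WRITABLE.search(e["value"]):
                hits.append(("run_key_user_writable", e["pid"], e["key"]))
        elif e["type"] == "ProcessCreate":
            cmd = e.get("cmdline", "")
            if SELF_DELETE.search(cmd):
                hits.append(("self_delete_cmd", e["pid"], cmd))
            # Dropper-in-Temp launching payload-in-Temp: needs the parent's image, so the
            # parent's own ProcessCreate must be in the same batch.
            parent = procs.get(e.get("ppid"))
            if parent and TEMP_DIR.search(e["image"]) and TEMP_DIR.search(parent["image"]):
                hits.append(("temp_spawns_temp", e["pid"], e["image"]))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:24} pid={pid} {detail}")
    print("benign hits:", detect(BENIGN_EVENTS))
```

Run against the constructed sample events this yields exactly three hits (PID 3560 for the Run key, PID 1340 for the Temp-to-Temp launch, PID 952 for the self-delete) and none for the benign set. Two caveats for production use: the AppData\Local clause will also match legitimate per-user installs (OneDrive is the usual example), so pair it with a signer or path allow-list; and the Geo\Nation registry query the report flags as a likely geofence is far too common on its own to alert on, but is worth keeping as enrichment once one of these rules fires.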
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: c825bc879f2b839aebbf09c331996c9e
SHA1: f80a6a5cf2476217bc0f45878a90ae5cd558a71e
SHA256: ba3c8ebaef8245819a112f98186f73a84e60954af07d646a0654ec43868db090
SHA512: d0cc4535ca0f44aa7917bd2f435ec83530ff352a78806ddf3d953067b4149b9d8f2766aa8150eca4919e7d300da80c7b87afa6d596b42bce660debf5525bf671