Analysis
- max time kernel: 161s
- max time network: 171s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 07:06
Static task: static1
Behavioral task: behavioral1
  Sample: 0e8874bbbb54fef542eae0dc132117ebdddfd42c12f948db49f5d73d295fc347.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0e8874bbbb54fef542eae0dc132117ebdddfd42c12f948db49f5d73d295fc347.exe
  Resource: win10v2004-en-20220113
The signatures and process tree below are from the Windows 10 2004 x64 run (behavioral2, resource win10v2004-en-20220113, as stated in the Analysis header).
General
- Target: 0e8874bbbb54fef542eae0dc132117ebdddfd42c12f948db49f5d73d295fc347.exe
- Size: 89KB
- MD5: 60b4c74024f74be80f71f35a112422c3
- SHA1: 7c8d0d21c94b14a6557fdf4d576a596a76bc87c6
- SHA256: 0e8874bbbb54fef542eae0dc132117ebdddfd42c12f948db49f5d73d295fc347
- SHA512: 329cbc3bb5bef5e105a032a10dc961bffb1b87e42ebbc9d4f4eee43ab6e99c88199cdf49ea5f3222c7dbbb240e020b02f386e77dcfe2babe37a5dee3ff4c6063
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
  The Suricata beacon rule on the captured traffic corroborates the YARA family match on the dropped MediaCenter.exe; the "SUSPICIOUS UA (iexplore)" rule indicates the RAT's HTTP requests carry an Internet Explorer style User-Agent.
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  380 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0e8874bbbb54fef542eae0dc132117ebdddfd42c12f948db49f5d73d295fc347.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0e8874bbbb54fef542eae0dc132117ebdddfd42c12f948db49f5d73d295fc347.exe
  The WOW6432Node key path (together with the SysWOW64 cmd.exe and PING.EXE images in the process tree) shows the sample is a 32-bit binary running under WoW64 on the x64 VM. The Run value named MicroMedia points at the dropped payload in the user's Temp directory; that value and the MicroMedia\MediaCenter.exe file are the persistence artifacts to hunt for on other hosts.
- Drops file in Windows directory (8 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  All eight hits come from the Windows Update service (svchost.exe -k netsvcs -p -s wuauserv, PID 4228) and the servicing stack worker TiWorker.exe (PID 628), which appear as separate root processes in the tree below. None of them is a child of the sample, so this signature is sandbox background noise rather than sample behaviour.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The signature's generic description says "likely ransomware behaviour", but no IoC is listed for it, and the YARA and Suricata hits above classify this sample as the Sakula/Mivast RAT, not ransomware.
- Runs ping.exe (1 TTP, 1 IoC)
  PING.EXE (PID 2108) is spawned by cmd.exe with "ping 127.0.0.1"; as the command line in the process tree shows, the loopback ping only serves as a delay before cmd.exe runs del /q on the original sample (self-deletion).
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, TiWorker.exe, 0e8874bbbb54fef542eae0dc132117ebdddfd42c12f948db49f5d73d295fc347.exe
  token | pid | process
  SeShutdownPrivilege (3 times) | 4228 | svchost.exe
  SeCreatePagefilePrivilege (3 times) | 4228 | svchost.exe
  SeSecurityPrivilege | 628 | TiWorker.exe
  SeRestorePrivilege | 628 | TiWorker.exe
  SeBackupPrivilege | 628 | TiWorker.exe
  SeIncBasePriorityPrivilege | 1576 | 0e8874bbbb54fef542eae0dc132117ebdddfd42c12f948db49f5d73d295fc347.exe
  (remaining entries, all PID 628 TiWorker.exe) | 628 | SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, cycled repeatedly in that order
  Only one of the 64 entries belongs to the sample (SeIncBasePriorityPrivilege in PID 1576); the rest are Windows Update and servicing-stack activity.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 0e8874bbbb54fef542eae0dc132117ebdddfd42c12f948db49f5d73d295fc347.exe, cmd.exe
  description | pid | process | target process
  PID 1576 wrote to memory of 380 (3 times) | 1576 | 0e8874bbbb54fef542eae0dc132117ebdddfd42c12f948db49f5d73d295fc347.exe | MediaCenter.exe
  PID 1576 wrote to memory of 1640 (3 times) | 1576 | 0e8874bbbb54fef542eae0dc132117ebdddfd42c12f948db49f5d73d295fc347.exe | cmd.exe
  PID 1640 wrote to memory of 2108 (3 times) | 1640 | cmd.exe | PING.EXE
  These are the WriteProcessMemory calls a parent makes when creating a child process (each parent/child pair appears three times); they match the process tree below and do not by themselves indicate injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\0e8874bbbb54fef542eae0dc132117ebdddfd42c12f948db49f5d73d295fc347.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0e8874bbbb54fef542eae0dc132117ebdddfd42c12f948db49f5d73d295fc347.exe"
  PID: 1576
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 380
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e8874bbbb54fef542eae0dc132117ebdddfd42c12f948db49f5d73d295fc347.exe"
    PID: 1640
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      PID: 2108
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4228
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 628
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- (one file, listed twice in the report with identical hashes)
  MD5: 5d1c5ca59a2947575eacd030f572c8cb
  SHA1: 7abd4140dc321b3ebf7295fcd223272e7d300f28
  SHA256: 691a249711b7af9518f063853d6621e40daa07a56c8de2a01d7d89725837e542
  SHA512: 45d4d51690c413c1b13221bcbe1c5280005716a0c0f356f48ce224a7913899b622fca1c686bcfa52063b3ced2e937a33bf6d4ee7d29f1923414b17cd3722a6e8