Analysis
-
max time kernel
158s -
max time network
167s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 08:11
Static task
static1
Behavioral task
behavioral1
Sample
0b8643145610bad535f54946e86f7425b33fa433ecb6d14f33682abab6ef6357.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0b8643145610bad535f54946e86f7425b33fa433ecb6d14f33682abab6ef6357.exe
Resource
win10v2004-en-20220113
General
-
Target
0b8643145610bad535f54946e86f7425b33fa433ecb6d14f33682abab6ef6357.exe
-
Size
152KB
-
MD5
e5e45e84d15f23f0f9a575ca0d8f381d
-
SHA1
6600e33c53613d2a41791088ae35376a70e830ff
-
SHA256
0b8643145610bad535f54946e86f7425b33fa433ecb6d14f33682abab6ef6357
-
SHA512
e0bc1d1382ff998cb95811cc02feb2370c816975b6e8185a79560047a09c3990af088fc7acf4063c3b4f21eb12248dec247a0fa3588d44580db9058039fd7a2d
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1804 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
0b8643145610bad535f54946e86f7425b33fa433ecb6d14f33682abab6ef6357.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 0b8643145610bad535f54946e86f7425b33fa433ecb6d14f33682abab6ef6357.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0b8643145610bad535f54946e86f7425b33fa433ecb6d14f33682abab6ef6357.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0b8643145610bad535f54946e86f7425b33fa433ecb6d14f33682abab6ef6357.exe -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exe0b8643145610bad535f54946e86f7425b33fa433ecb6d14f33682abab6ef6357.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 4416 svchost.exe Token: SeCreatePagefilePrivilege 4416 svchost.exe Token: SeShutdownPrivilege 4416 svchost.exe Token: SeCreatePagefilePrivilege 4416 svchost.exe Token: SeShutdownPrivilege 4416 svchost.exe Token: SeCreatePagefilePrivilege 4416 svchost.exe Token: SeIncBasePriorityPrivilege 1608 0b8643145610bad535f54946e86f7425b33fa433ecb6d14f33682abab6ef6357.exe Token: SeSecurityPrivilege 4428 TiWorker.exe Token: SeRestorePrivilege 4428 TiWorker.exe Token: SeBackupPrivilege 4428 TiWorker.exe Token: SeBackupPrivilege 4428 TiWorker.exe Token: SeRestorePrivilege 4428 TiWorker.exe Token: SeSecurityPrivilege 4428 TiWorker.exe Token: SeBackupPrivilege 4428 TiWorker.exe Token: SeRestorePrivilege 4428 TiWorker.exe Token: SeSecurityPrivilege 4428 TiWorker.exe Token: SeBackupPrivilege 4428 TiWorker.exe Token: SeRestorePrivilege 4428 TiWorker.exe Token: SeSecurityPrivilege 4428 TiWorker.exe Token: SeBackupPrivilege 4428 TiWorker.exe Token: SeRestorePrivilege 4428 TiWorker.exe Token: SeSecurityPrivilege 4428 TiWorker.exe Token: SeBackupPrivilege 4428 TiWorker.exe Token: SeRestorePrivilege 4428 TiWorker.exe Token: SeSecurityPrivilege 4428 TiWorker.exe Token: SeBackupPrivilege 4428 TiWorker.exe Token: SeRestorePrivilege 4428 TiWorker.exe Token: SeSecurityPrivilege 4428 TiWorker.exe Token: SeBackupPrivilege 4428 TiWorker.exe Token: SeRestorePrivilege 4428 TiWorker.exe Token: SeSecurityPrivilege 4428 TiWorker.exe Token: SeBackupPrivilege 4428 TiWorker.exe Token: SeRestorePrivilege 4428 TiWorker.exe Token: SeSecurityPrivilege 4428 TiWorker.exe Token: SeBackupPrivilege 4428 TiWorker.exe Token: SeRestorePrivilege 4428 TiWorker.exe Token: SeSecurityPrivilege 4428 TiWorker.exe Token: SeBackupPrivilege 4428 TiWorker.exe Token: SeRestorePrivilege 4428 TiWorker.exe Token: SeSecurityPrivilege 4428 TiWorker.exe Token: SeBackupPrivilege 4428 TiWorker.exe Token: SeRestorePrivilege 4428 TiWorker.exe Token: SeSecurityPrivilege 4428 TiWorker.exe Token: SeBackupPrivilege 4428 TiWorker.exe Token: SeRestorePrivilege 4428 TiWorker.exe Token: SeSecurityPrivilege 4428 TiWorker.exe Token: SeBackupPrivilege 4428 TiWorker.exe Token: SeRestorePrivilege 4428 TiWorker.exe Token: SeSecurityPrivilege 4428 TiWorker.exe Token: SeBackupPrivilege 4428 TiWorker.exe Token: SeRestorePrivilege 4428 TiWorker.exe Token: SeSecurityPrivilege 4428 TiWorker.exe Token: SeBackupPrivilege 4428 TiWorker.exe Token: SeRestorePrivilege 4428 TiWorker.exe Token: SeSecurityPrivilege 4428 TiWorker.exe Token: SeBackupPrivilege 4428 TiWorker.exe Token: SeRestorePrivilege 4428 TiWorker.exe Token: SeSecurityPrivilege 4428 TiWorker.exe Token: SeBackupPrivilege 4428 TiWorker.exe Token: SeRestorePrivilege 4428 TiWorker.exe Token: SeSecurityPrivilege 4428 TiWorker.exe Token: SeBackupPrivilege 4428 TiWorker.exe Token: SeRestorePrivilege 4428 TiWorker.exe Token: SeSecurityPrivilege 4428 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
0b8643145610bad535f54946e86f7425b33fa433ecb6d14f33682abab6ef6357.execmd.exedescription pid process target process PID 1608 wrote to memory of 1804 1608 0b8643145610bad535f54946e86f7425b33fa433ecb6d14f33682abab6ef6357.exe MediaCenter.exe PID 1608 wrote to memory of 1804 1608 0b8643145610bad535f54946e86f7425b33fa433ecb6d14f33682abab6ef6357.exe MediaCenter.exe PID 1608 wrote to memory of 1804 1608 0b8643145610bad535f54946e86f7425b33fa433ecb6d14f33682abab6ef6357.exe MediaCenter.exe PID 1608 wrote to memory of 3212 1608 0b8643145610bad535f54946e86f7425b33fa433ecb6d14f33682abab6ef6357.exe cmd.exe PID 1608 wrote to memory of 3212 1608 0b8643145610bad535f54946e86f7425b33fa433ecb6d14f33682abab6ef6357.exe cmd.exe PID 1608 wrote to memory of 3212 1608 0b8643145610bad535f54946e86f7425b33fa433ecb6d14f33682abab6ef6357.exe cmd.exe PID 3212 wrote to memory of 4432 3212 cmd.exe PING.EXE PID 3212 wrote to memory of 4432 3212 cmd.exe PING.EXE PID 3212 wrote to memory of 4432 3212 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0b8643145610bad535f54946e86f7425b33fa433ecb6d14f33682abab6ef6357.exe"C:\Users\Admin\AppData\Local\Temp\0b8643145610bad535f54946e86f7425b33fa433ecb6d14f33682abab6ef6357.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b8643145610bad535f54946e86f7425b33fa433ecb6d14f33682abab6ef6357.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:4432
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4416
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4428
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
91465fb386aad7497bd866619d1f7263
SHA16fb6e83087c0cf4039e8cc7e7a5ca488b9596184
SHA2567f69c25915432ec9584678ccc1b7eb7b4558d909322c2b4956f69ae1101ad82f
SHA51234aa733b890cd91ad3e925ddedf6e72259325e31428f1dcfd4df2feebe31e5399e1aeb74f3434cae7077c4db4b58c2064ee65136153fa01898f1a65d3714f723
-
MD5
91465fb386aad7497bd866619d1f7263
SHA16fb6e83087c0cf4039e8cc7e7a5ca488b9596184
SHA2567f69c25915432ec9584678ccc1b7eb7b4558d909322c2b4956f69ae1101ad82f
SHA51234aa733b890cd91ad3e925ddedf6e72259325e31428f1dcfd4df2feebe31e5399e1aeb74f3434cae7077c4db4b58c2064ee65136153fa01898f1a65d3714f723