Analysis
max time kernel: 157s
max time network: 171s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 07:28
Static task: static1
Behavioral task: behavioral1
  Sample: 0d887f5ae411555f6d46c4b6eebeb01f186092c9183c7f680bfe8994c91b92ce.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0d887f5ae411555f6d46c4b6eebeb01f186092c9183c7f680bfe8994c91b92ce.exe
  Resource: win10v2004-en-20220113
General
Target: 0d887f5ae411555f6d46c4b6eebeb01f186092c9183c7f680bfe8994c91b92ce.exe
Size: 216KB
MD5: 39d3045114638a4e17be87f1976873c9
SHA1: 2f0720836c0c67890e271a06fa9a8a808d23301c
SHA256: 0d887f5ae411555f6d46c4b6eebeb01f186092c9183c7f680bfe8994c91b92ce
SHA512: 19b2e9da0f8d982a4179b2df41c4600459a1926e34606c4dc97e0fbd0c841672123286e6bfcd30cb1d1a597561f295e85cce266f60bcf08696c5fc10de3fef3a
Malware Config
Signatures

Sakula Payload (4 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
behavioral2/memory/5100-135-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
behavioral2/memory/1468-136-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
pid | process
1468 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0d887f5ae411555f6d46c4b6eebeb01f186092c9183c7f680bfe8994c91b92ce.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0d887f5ae411555f6d46c4b6eebeb01f186092c9183c7f680bfe8994c91b92ce.exe
Drops file in Windows directory (8 IoCs)
description | ioc | process
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
Note: all eight entries belong to svchost.exe (wuauserv) and TiWorker.exe, which appear as separate top-level processes in the process tree rather than as descendants of the sample; they are Windows Update servicing activity, not behaviour of the analysed binary.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
pid | process | token
212 | svchost.exe | SeShutdownPrivilege
212 | svchost.exe | SeCreatePagefilePrivilege
(the two svchost.exe entries above repeat three times in sequence: 6 entries)
5100 | 0d887f5ae411555f6d46c4b6eebeb01f186092c9183c7f680bfe8994c91b92ce.exe | SeIncBasePriorityPrivilege
1752 | TiWorker.exe | SeSecurityPrivilege
1752 | TiWorker.exe | SeRestorePrivilege
1752 | TiWorker.exe | SeBackupPrivilege
(followed by the cycle SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege for TiWorker.exe PID 1752 repeated 18 times: 54 entries, 57 TiWorker.exe entries in total)
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | process | target process
PID 5100 wrote to memory of 1468 | 5100 | 0d887f5ae411555f6d46c4b6eebeb01f186092c9183c7f680bfe8994c91b92ce.exe | MediaCenter.exe
PID 5100 wrote to memory of 1468 | 5100 | 0d887f5ae411555f6d46c4b6eebeb01f186092c9183c7f680bfe8994c91b92ce.exe | MediaCenter.exe
PID 5100 wrote to memory of 1468 | 5100 | 0d887f5ae411555f6d46c4b6eebeb01f186092c9183c7f680bfe8994c91b92ce.exe | MediaCenter.exe
PID 5100 wrote to memory of 4308 | 5100 | 0d887f5ae411555f6d46c4b6eebeb01f186092c9183c7f680bfe8994c91b92ce.exe | cmd.exe
PID 5100 wrote to memory of 4308 | 5100 | 0d887f5ae411555f6d46c4b6eebeb01f186092c9183c7f680bfe8994c91b92ce.exe | cmd.exe
PID 5100 wrote to memory of 4308 | 5100 | 0d887f5ae411555f6d46c4b6eebeb01f186092c9183c7f680bfe8994c91b92ce.exe | cmd.exe
PID 4308 wrote to memory of 744 | 4308 | cmd.exe | PING.EXE
PID 4308 wrote to memory of 744 | 4308 | cmd.exe | PING.EXE
PID 4308 wrote to memory of 744 | 4308 | cmd.exe | PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\0d887f5ae411555f6d46c4b6eebeb01f186092c9183c7f680bfe8994c91b92ce.exe  (PID 5100)
  command line: "C:\Users\Admin\AppData\Local\Temp\0d887f5ae411555f6d46c4b6eebeb01f186092c9183c7f680bfe8994c91b92ce.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1468)
  |     command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  |     - Executes dropped EXE
  |
  +-- C:\Windows\SysWOW64\cmd.exe  (PID 4308)
        command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d887f5ae411555f6d46c4b6eebeb01f186092c9183c7f680bfe8994c91b92ce.exe"
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\SysWOW64\PING.EXE  (PID 744)
              command line: ping 127.0.0.1
              - Runs ping.exe

C:\Windows\system32\svchost.exe  (PID 212)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  (PID 1752)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 2ba41163581bc8975006b68e146c41b2
SHA1: 567fc0b29e6b584f6e4631d5006be9b3773adac6
SHA256: f615796c9b0a63330446554d87569f24e5bd8bae606b59d86fa5b6cd83bfedbb
SHA512: 042de876f1b435032e7bb614ff86a8ede1db19d6251782cdb87b57fe1f72cfd57c4212dfd94e9a93c40b4814e6fdcc358c1523bcad2f6f47c235ace5065bc63c