Analysis

max time kernel: 157s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 07:35
Static task: static1

Behavioral task: behavioral1
  Sample: 0d305031039d586cd70a31aaf7fa9c51bdd028ceaff9004846ec582f7ce41d57.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 0d305031039d586cd70a31aaf7fa9c51bdd028ceaff9004846ec582f7ce41d57.exe
  Resource: win10v2004-en-20220113
General

Target: 0d305031039d586cd70a31aaf7fa9c51bdd028ceaff9004846ec582f7ce41d57.exe
Size: 216KB
MD5: 737e53d8495c4dd62b39ca9e7ea717f0
SHA1: 16b0d49e84b5c5bf5d067c5434f234ba7bacef5d
SHA256: 0d305031039d586cd70a31aaf7fa9c51bdd028ceaff9004846ec582f7ce41d57
SHA512: 93ad7cd333fad3edc398506ce02bd3994553450dbdd2758730cfcdbc3201fb1212dee16caef22333d5ba1fd04dc7c11dc5564182badf7599ced42efa3b1abcc6
Malware Config
Signatures

Sakula Payload (4 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral2/memory/3216-135-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral2/memory/3468-136-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
  pid | process
  3468 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0d305031039d586cd70a31aaf7fa9c51bdd028ceaff9004846ec582f7ce41d57.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0d305031039d586cd70a31aaf7fa9c51bdd028ceaff9004846ec582f7ce41d57.exe
Drops file in Windows directory (8 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | process
  Token: SeShutdownPrivilege | 3356 | svchost.exe
  Token: SeCreatePagefilePrivilege | 3356 | svchost.exe
  Token: SeShutdownPrivilege | 3356 | svchost.exe
  Token: SeCreatePagefilePrivilege | 3356 | svchost.exe
  Token: SeShutdownPrivilege | 3356 | svchost.exe
  Token: SeCreatePagefilePrivilege | 3356 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 3216 | 0d305031039d586cd70a31aaf7fa9c51bdd028ceaff9004846ec582f7ce41d57.exe
  Token: SeSecurityPrivilege | 3828 | TiWorker.exe
  Token: SeRestorePrivilege | 3828 | TiWorker.exe
  Token: SeBackupPrivilege | 3828 | TiWorker.exe
  Token: SeBackupPrivilege | 3828 | TiWorker.exe
  Token: SeRestorePrivilege | 3828 | TiWorker.exe
  Token: SeSecurityPrivilege | 3828 | TiWorker.exe
  The following three rows are then repeated 17 times in this order (51 further IoCs, all from PID 3828 TiWorker.exe):
  Token: SeBackupPrivilege | 3828 | TiWorker.exe
  Token: SeRestorePrivilege | 3828 | TiWorker.exe
  Token: SeSecurityPrivilege | 3828 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | target process
  PID 3216 wrote to memory of 3468 | 3216 | 0d305031039d586cd70a31aaf7fa9c51bdd028ceaff9004846ec582f7ce41d57.exe | MediaCenter.exe
  PID 3216 wrote to memory of 3468 | 3216 | 0d305031039d586cd70a31aaf7fa9c51bdd028ceaff9004846ec582f7ce41d57.exe | MediaCenter.exe
  PID 3216 wrote to memory of 3468 | 3216 | 0d305031039d586cd70a31aaf7fa9c51bdd028ceaff9004846ec582f7ce41d57.exe | MediaCenter.exe
  PID 3216 wrote to memory of 4168 | 3216 | 0d305031039d586cd70a31aaf7fa9c51bdd028ceaff9004846ec582f7ce41d57.exe | cmd.exe
  PID 3216 wrote to memory of 4168 | 3216 | 0d305031039d586cd70a31aaf7fa9c51bdd028ceaff9004846ec582f7ce41d57.exe | cmd.exe
  PID 3216 wrote to memory of 4168 | 3216 | 0d305031039d586cd70a31aaf7fa9c51bdd028ceaff9004846ec582f7ce41d57.exe | cmd.exe
  PID 4168 wrote to memory of 1512 | 4168 | cmd.exe | PING.EXE
  PID 4168 wrote to memory of 1512 | 4168 | cmd.exe | PING.EXE
  PID 4168 wrote to memory of 1512 | 4168 | cmd.exe | PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\0d305031039d586cd70a31aaf7fa9c51bdd028ceaff9004846ec582f7ce41d57.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0d305031039d586cd70a31aaf7fa9c51bdd028ceaff9004846ec582f7ce41d57.exe"
  PID: 3216
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 3468
      - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d305031039d586cd70a31aaf7fa9c51bdd028ceaff9004846ec582f7ce41d57.exe"
      PID: 4168
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\PING.EXE
          command line: ping 127.0.0.1
          PID: 1512
          - Runs ping.exe

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 3356
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3828
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: f51800c36868a0a6e8cfcf8136663237
SHA1: b2b0b330538b0cee3ec514727e3fad3d5bf54785
SHA256: 248df94640d6b016fc08fc91102cdd9c39d29939eb4a129a923920d6388597b8
SHA512: d3e51193811996965c99dbcf1c6afd6b319c02cd381e22b602edb04f54888486fcdde2c11feb15dd4e99d45df053693490e29a00f8f996234dfe872aa38a59c8