Analysis
- max time kernel: 147s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 07:42
Static task: static1
Behavioral task: behavioral1
- Sample: 0cdba04239b7887f775a8d7476f609ed1ee1cbb0e53b60f8a8f5225a15d17984.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0cdba04239b7887f775a8d7476f609ed1ee1cbb0e53b60f8a8f5225a15d17984.exe
- Resource: win10v2004-en-20220113
General
- Target: 0cdba04239b7887f775a8d7476f609ed1ee1cbb0e53b60f8a8f5225a15d17984.exe
- Size: 216KB
- MD5: 946b034115a3297d1f8dedc6b00c579d
- SHA1: de98cb1754a96506248762a75551d91dcbb1115a
- SHA256: 0cdba04239b7887f775a8d7476f609ed1ee1cbb0e53b60f8a8f5225a15d17984
- SHA512: 937f0b465742127099a122a82acae8a27116a56bc7f8184dae8cc9fc6c164165f61b3909eb3a8456b9aa0a5890a65498aa5e661372557797538cae3aa0c14e88
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral2/memory/3228-135-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral2/memory/4732-136-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoCs)
  pid | process
  4732 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0cdba04239b7887f775a8d7476f609ed1ee1cbb0e53b60f8a8f5225a15d17984.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0cdba04239b7887f775a8d7476f609ed1ee1cbb0e53b60f8a8f5225a15d17984.exe
- Drops file in Windows directory (8 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Identical rows are collapsed; the count column gives how many times each row appears (64 rows in total).
  description | pid | process | count
  Token: SeShutdownPrivilege | 4128 | svchost.exe | 3
  Token: SeCreatePagefilePrivilege | 4128 | svchost.exe | 3
  Token: SeIncBasePriorityPrivilege | 3228 | 0cdba04239b7887f775a8d7476f609ed1ee1cbb0e53b60f8a8f5225a15d17984.exe | 1
  Token: SeSecurityPrivilege | 4192 | TiWorker.exe | 19
  Token: SeRestorePrivilege | 4192 | TiWorker.exe | 19
  Token: SeBackupPrivilege | 4192 | TiWorker.exe | 19
- Suspicious use of WriteProcessMemory (9 IoCs)
  Identical rows are collapsed; the count column gives how many times each row appears (9 rows in total).
  description | pid | process | target process | count
  PID 3228 wrote to memory of 4732 | 3228 | 0cdba04239b7887f775a8d7476f609ed1ee1cbb0e53b60f8a8f5225a15d17984.exe | MediaCenter.exe | 3
  PID 3228 wrote to memory of 2616 | 3228 | 0cdba04239b7887f775a8d7476f609ed1ee1cbb0e53b60f8a8f5225a15d17984.exe | cmd.exe | 3
  PID 2616 wrote to memory of 3180 | 2616 | cmd.exe | PING.EXE | 3
Processes
- C:\Users\Admin\AppData\Local\Temp\0cdba04239b7887f775a8d7476f609ed1ee1cbb0e53b60f8a8f5225a15d17984.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0cdba04239b7887f775a8d7476f609ed1ee1cbb0e53b60f8a8f5225a15d17984.exe"
  PID: 3228
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4732
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0cdba04239b7887f775a8d7476f609ed1ee1cbb0e53b60f8a8f5225a15d17984.exe"
    PID: 2616
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 3180
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4128
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 4192
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 0d5bdeed92ac99effceac460b754e38e
  SHA1: 3b683e1ecc9d0162b190b4a30503cb7efb28b907
  SHA256: 822204eeeaf1d6d0e5cf48a2e15626a43492045482d2e8b6314cd57646a0ae0b
  SHA512: 78c32b550077a59d7f35a8aee9fd0ab6db54a7678dda0de79fdefbe8ebe1b4864642be2effef69b7b2693e7f913adff9a9321ff3ddf6be147271f5dcb18665dd