Analysis
  max time kernel: 140s
  max time network: 155s
  platform: windows10-2004_x64
  resource: win10v2004-en-20220113
  submitted: 12-02-2022 07:46
Behavioral task: behavioral1
  Sample: 0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe
  Resource: win7-en-20211208
General
  Target: 0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe
  Size: 212KB
  MD5: 4f555d008896698e15f7d99963c63382
  SHA1: 397fd99d2fb6f0159e84ca394526dd1ff2e1d4c4
  SHA256: 0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1
  SHA512: 879319ea6a5ee001b8404b004d3494f33a9621dc5d24b1f2c41e000657205695b643dc528201fcfade2d5773f7d964edcb492177317ea8fe13a936c0da6a8a4e
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoCs)
  Processes:
    pid | process
    2696 | MediaCenter.exe
- Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | upx
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | upx
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
    File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
    File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (identical entries collapsed, with the number of occurrences):
    description | pid | process | occurrences
    Token: SeShutdownPrivilege | 4816 | svchost.exe | 3
    Token: SeCreatePagefilePrivilege | 4816 | svchost.exe | 3
    Token: SeSecurityPrivilege | 1496 | TiWorker.exe | 19
    Token: SeRestorePrivilege | 1496 | TiWorker.exe | 19
    Token: SeBackupPrivilege | 1496 | TiWorker.exe | 20
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description | pid | process | target process
    PID 2136 wrote to memory of 2696 | 2136 | 0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe | MediaCenter.exe
    PID 2136 wrote to memory of 2696 | 2136 | 0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe | MediaCenter.exe
    PID 2136 wrote to memory of 2696 | 2136 | 0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe | MediaCenter.exe
    PID 2136 wrote to memory of 8 | 2136 | 0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe | cmd.exe
    PID 2136 wrote to memory of 8 | 2136 | 0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe | cmd.exe
    PID 2136 wrote to memory of 8 | 2136 | 0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe | cmd.exe
    PID 8 wrote to memory of 3076 | 8 | cmd.exe | PING.EXE
    PID 8 wrote to memory of 3076 | 8 | cmd.exe | PING.EXE
    PID 8 wrote to memory of 3076 | 8 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 2136
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 2696
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe"
    - Suspicious use of WriteProcessMemory
    PID: 8
    Child processes:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3076
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4816
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1496
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: cfddc5b1c3653b87aac62f5d1f89cd96
  SHA1: a386f260ce33e0957d1ac7f9834d0ce16f9a2051
  SHA256: 609421b3910a5523e10dd2cd11ca85ea70eb820328baefc7c19bc2634a8629c6
  SHA512: 42d6bf836a936d140f4947a1096d6acd08a6b6cc12c79eb6cdf7a999e30e369fca2e7d74b1d0044da8a1e24f7d211ff8139a1ed42d93e138f539f22defdeea70