Analysis
max time kernel: 139s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 07:47
Static task: static1
Behavioral task: behavioral1
  Sample: 0ca0a2a38476e188cfd1acf8df24a25d48878fe7b7180e027069ef7e874f9632.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0ca0a2a38476e188cfd1acf8df24a25d48878fe7b7180e027069ef7e874f9632.exe
  Resource: win10v2004-en-20220113
General
Target: 0ca0a2a38476e188cfd1acf8df24a25d48878fe7b7180e027069ef7e874f9632.exe
Size: 200KB
MD5: bfbe4b2ec56db581d1e48ab3572143f9
SHA1: 6fdfa0c845252ad6aa802579c22de6a4f591fd72
SHA256: 0ca0a2a38476e188cfd1acf8df24a25d48878fe7b7180e027069ef7e874f9632
SHA512: 4a5669bd2f9537b33a79480304813978cd3fffbbf7a27d3399248d3c257b1bf869101bd09eff2763c6b5a6a54e68f266a8af4fa150a98f721d190af24fc11af4
Malware Config
Signatures
Sakula Payload 4 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
behavioral2/memory/3568-135-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
behavioral2/memory/4260-136-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE 1 IoCs
Processes:
pid | process
4260 | MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0ca0a2a38476e188cfd1acf8df24a25d48878fe7b7180e027069ef7e874f9632.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0ca0a2a38476e188cfd1acf8df24a25d48878fe7b7180e027069ef7e874f9632.exe
Drops file in Windows directory 8 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: svchost.exe, TiWorker.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 3568 wrote to memory of 4260 | 3568 | 0ca0a2a38476e188cfd1acf8df24a25d48878fe7b7180e027069ef7e874f9632.exe | MediaCenter.exe
PID 3568 wrote to memory of 4260 | 3568 | 0ca0a2a38476e188cfd1acf8df24a25d48878fe7b7180e027069ef7e874f9632.exe | MediaCenter.exe
PID 3568 wrote to memory of 4260 | 3568 | 0ca0a2a38476e188cfd1acf8df24a25d48878fe7b7180e027069ef7e874f9632.exe | MediaCenter.exe
PID 3568 wrote to memory of 2512 | 3568 | 0ca0a2a38476e188cfd1acf8df24a25d48878fe7b7180e027069ef7e874f9632.exe | cmd.exe
PID 3568 wrote to memory of 2512 | 3568 | 0ca0a2a38476e188cfd1acf8df24a25d48878fe7b7180e027069ef7e874f9632.exe | cmd.exe
PID 3568 wrote to memory of 2512 | 3568 | 0ca0a2a38476e188cfd1acf8df24a25d48878fe7b7180e027069ef7e874f9632.exe | cmd.exe
PID 2512 wrote to memory of 2164 | 2512 | cmd.exe | PING.EXE
PID 2512 wrote to memory of 2164 | 2512 | cmd.exe | PING.EXE
PID 2512 wrote to memory of 2164 | 2512 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\0ca0a2a38476e188cfd1acf8df24a25d48878fe7b7180e027069ef7e874f9632.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ca0a2a38476e188cfd1acf8df24a25d48878fe7b7180e027069ef7e874f9632.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 3568
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 4260
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ca0a2a38476e188cfd1acf8df24a25d48878fe7b7180e027069ef7e874f9632.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2512
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 2164
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2120
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4628
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: a92a8a89e63dc97aed4a53c5bc07c328
SHA1: dfb2b265817614920ce838a5f469926c259fd913
SHA256: 20ec8294e8766d36630c469f4315a6c03924f6dd57a237fb4ec5bdec0de836a1
SHA512: 1d655492a5135c2af45fef83f89a8dbef528735fc97391785b8a1645c0e8c79572be69322d38632cceed36e2ac162c53dda126c611ebd5bbc427f441f7a74211