Analysis
max time kernel: 135s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 07:51
Static task: static1
Behavioral task: behavioral1
Sample: 0c8345323dfe305c0a71dab3e1ccddc71fa33958fd06871e33414b57a74219b3.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 0c8345323dfe305c0a71dab3e1ccddc71fa33958fd06871e33414b57a74219b3.exe
Resource: win10v2004-en-20220113
General
Target: 0c8345323dfe305c0a71dab3e1ccddc71fa33958fd06871e33414b57a74219b3.exe
Size: 89KB
MD5: 71760d1f83b33dd1a29cd02998adb40b
SHA1: 5c6b0b4a142e6a5262ab7609ba6f91ae377c6df5
SHA256: 0c8345323dfe305c0a71dab3e1ccddc71fa33958fd06871e33414b57a74219b3
SHA512: a8b6b95b49e78a7056ccd41e230a7a7c4462a0fe8ebe1a64b765cf7a39c437f171f1a70d0f8f49e811f5001bb3ab371192daed3f45f5b26c32c8008839102c71
Malware Config
Signatures
Sakula Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE 1 IoCs
Processes: MediaCenter.exe
pid | process
4696 | MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 0c8345323dfe305c0a71dab3e1ccddc71fa33958fd06871e33414b57a74219b3.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0c8345323dfe305c0a71dab3e1ccddc71fa33958fd06871e33414b57a74219b3.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 0c8345323dfe305c0a71dab3e1ccddc71fa33958fd06871e33414b57a74219b3.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0c8345323dfe305c0a71dab3e1ccddc71fa33958fd06871e33414b57a74219b3.exe
Drops file in Windows directory 8 IoCs
Processes: TiWorker.exe, svchost.exe
description | ioc | process
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: svchost.exe, 0c8345323dfe305c0a71dab3e1ccddc71fa33958fd06871e33414b57a74219b3.exe, TiWorker.exe
description | pid | process
Token: SeShutdownPrivilege | 316 | svchost.exe
Token: SeCreatePagefilePrivilege | 316 | svchost.exe
Token: SeShutdownPrivilege | 316 | svchost.exe
Token: SeCreatePagefilePrivilege | 316 | svchost.exe
Token: SeShutdownPrivilege | 316 | svchost.exe
Token: SeCreatePagefilePrivilege | 316 | svchost.exe
Token: SeIncBasePriorityPrivilege | 3920 | 0c8345323dfe305c0a71dab3e1ccddc71fa33958fd06871e33414b57a74219b3.exe
Token: SeSecurityPrivilege | 3488 | TiWorker.exe
Token: SeRestorePrivilege | 3488 | TiWorker.exe
Token: SeBackupPrivilege | 3488 | TiWorker.exe
Token: SeBackupPrivilege | 3488 | TiWorker.exe
Token: SeRestorePrivilege | 3488 | TiWorker.exe
Token: SeSecurityPrivilege | 3488 | TiWorker.exe
Token: SeBackupPrivilege | 3488 | TiWorker.exe
Token: SeRestorePrivilege | 3488 | TiWorker.exe
Token: SeSecurityPrivilege | 3488 | TiWorker.exe
Token: SeBackupPrivilege | 3488 | TiWorker.exe
Token: SeRestorePrivilege | 3488 | TiWorker.exe
Token: SeSecurityPrivilege | 3488 | TiWorker.exe
Token: SeBackupPrivilege | 3488 | TiWorker.exe
Token: SeRestorePrivilege | 3488 | TiWorker.exe
Token: SeSecurityPrivilege | 3488 | TiWorker.exe
Token: SeBackupPrivilege | 3488 | TiWorker.exe
Token: SeRestorePrivilege | 3488 | TiWorker.exe
Token: SeSecurityPrivilege | 3488 | TiWorker.exe
Token: SeBackupPrivilege | 3488 | TiWorker.exe
Token: SeRestorePrivilege | 3488 | TiWorker.exe
Token: SeSecurityPrivilege | 3488 | TiWorker.exe
Token: SeBackupPrivilege | 3488 | TiWorker.exe
Token: SeRestorePrivilege | 3488 | TiWorker.exe
Token: SeSecurityPrivilege | 3488 | TiWorker.exe
Token: SeBackupPrivilege | 3488 | TiWorker.exe
Token: SeRestorePrivilege | 3488 | TiWorker.exe
Token: SeSecurityPrivilege | 3488 | TiWorker.exe
Token: SeBackupPrivilege | 3488 | TiWorker.exe
Token: SeRestorePrivilege | 3488 | TiWorker.exe
Token: SeSecurityPrivilege | 3488 | TiWorker.exe
Token: SeBackupPrivilege | 3488 | TiWorker.exe
Token: SeRestorePrivilege | 3488 | TiWorker.exe
Token: SeSecurityPrivilege | 3488 | TiWorker.exe
Token: SeBackupPrivilege | 3488 | TiWorker.exe
Token: SeRestorePrivilege | 3488 | TiWorker.exe
Token: SeSecurityPrivilege | 3488 | TiWorker.exe
Token: SeBackupPrivilege | 3488 | TiWorker.exe
Token: SeRestorePrivilege | 3488 | TiWorker.exe
Token: SeSecurityPrivilege | 3488 | TiWorker.exe
Token: SeBackupPrivilege | 3488 | TiWorker.exe
Token: SeRestorePrivilege | 3488 | TiWorker.exe
Token: SeSecurityPrivilege | 3488 | TiWorker.exe
Token: SeBackupPrivilege | 3488 | TiWorker.exe
Token: SeRestorePrivilege | 3488 | TiWorker.exe
Token: SeSecurityPrivilege | 3488 | TiWorker.exe
Token: SeBackupPrivilege | 3488 | TiWorker.exe
Token: SeRestorePrivilege | 3488 | TiWorker.exe
Token: SeSecurityPrivilege | 3488 | TiWorker.exe
Token: SeBackupPrivilege | 3488 | TiWorker.exe
Token: SeRestorePrivilege | 3488 | TiWorker.exe
Token: SeSecurityPrivilege | 3488 | TiWorker.exe
Token: SeBackupPrivilege | 3488 | TiWorker.exe
Token: SeRestorePrivilege | 3488 | TiWorker.exe
Token: SeSecurityPrivilege | 3488 | TiWorker.exe
Token: SeBackupPrivilege | 3488 | TiWorker.exe
Token: SeRestorePrivilege | 3488 | TiWorker.exe
Token: SeSecurityPrivilege | 3488 | TiWorker.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes: 0c8345323dfe305c0a71dab3e1ccddc71fa33958fd06871e33414b57a74219b3.exe, cmd.exe
description | pid | process | target process
PID 3920 wrote to memory of 4696 | 3920 | 0c8345323dfe305c0a71dab3e1ccddc71fa33958fd06871e33414b57a74219b3.exe | MediaCenter.exe
PID 3920 wrote to memory of 4696 | 3920 | 0c8345323dfe305c0a71dab3e1ccddc71fa33958fd06871e33414b57a74219b3.exe | MediaCenter.exe
PID 3920 wrote to memory of 4696 | 3920 | 0c8345323dfe305c0a71dab3e1ccddc71fa33958fd06871e33414b57a74219b3.exe | MediaCenter.exe
PID 3920 wrote to memory of 2000 | 3920 | 0c8345323dfe305c0a71dab3e1ccddc71fa33958fd06871e33414b57a74219b3.exe | cmd.exe
PID 3920 wrote to memory of 2000 | 3920 | 0c8345323dfe305c0a71dab3e1ccddc71fa33958fd06871e33414b57a74219b3.exe | cmd.exe
PID 3920 wrote to memory of 2000 | 3920 | 0c8345323dfe305c0a71dab3e1ccddc71fa33958fd06871e33414b57a74219b3.exe | cmd.exe
PID 2000 wrote to memory of 2804 | 2000 | cmd.exe | PING.EXE
PID 2000 wrote to memory of 2804 | 2000 | cmd.exe | PING.EXE
PID 2000 wrote to memory of 2804 | 2000 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\0c8345323dfe305c0a71dab3e1ccddc71fa33958fd06871e33414b57a74219b3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0c8345323dfe305c0a71dab3e1ccddc71fa33958fd06871e33414b57a74219b3.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3920
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        - Executes dropped EXE
        PID: 4696
    C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c8345323dfe305c0a71dab3e1ccddc71fa33958fd06871e33414b57a74219b3.exe"
        - Suspicious use of WriteProcessMemory
        PID: 2000
        C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            - Runs ping.exe
            PID: 2804
C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID: 316
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID: 3488
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 6023bc4217d17fc0ea0ad6ac2b01b41d
SHA1: 3875b538b9c3710c38f1078ea9a967ca4adae0fe
SHA256: aa0d262d91eb3f4fe41b93306458afd8b1ca5f10a83f36a71339855c3bfd4756
SHA512: 2ba59b59ee0f55b798ff470f71d2b868a8375ceb618e51b57a5c56f0975774e813aa13e8279ba5fb2880f0eccf6032f775c065729189608d0a85284917477e24

MD5: 6023bc4217d17fc0ea0ad6ac2b01b41d
SHA1: 3875b538b9c3710c38f1078ea9a967ca4adae0fe
SHA256: aa0d262d91eb3f4fe41b93306458afd8b1ca5f10a83f36a71339855c3bfd4756
SHA512: 2ba59b59ee0f55b798ff470f71d2b868a8375ceb618e51b57a5c56f0975774e813aa13e8279ba5fb2880f0eccf6032f775c065729189608d0a85284917477e24