Analysis
- max time kernel: 136s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 07:51

Static task: static1
Behavioral task: behavioral1
  Sample: 0c86ee36c9eeb493e69106d185f72195777f4f439bc6f2a57fa065a16cf6ed0e.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0c86ee36c9eeb493e69106d185f72195777f4f439bc6f2a57fa065a16cf6ed0e.exe
  Resource: win10v2004-en-20220113
General
- Target: 0c86ee36c9eeb493e69106d185f72195777f4f439bc6f2a57fa065a16cf6ed0e.exe
- Size: 216KB
- MD5: 2685bdaa57134131434aa4c74cbeeb50
- SHA1: 99bc537aba805b7fa64c48bbc968671222e14c8d
- SHA256: 0c86ee36c9eeb493e69106d185f72195777f4f439bc6f2a57fa065a16cf6ed0e
- SHA512: 6adee0a0688291b8008efe0065d43c405a4c3afa548f789de904911f321fc79dd025f817dc6ecd65ea7665a484f85d92d26cad14996be857c508c25665dd1e6e
Malware Config
Signatures
- Sakula Payload 4 IoCs
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral2/memory/1400-135-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral2/memory/1512-136-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE 1 IoCs
  Processes:
  pid | process
  1512 | MediaCenter.exe
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0c86ee36c9eeb493e69106d185f72195777f4f439bc6f2a57fa065a16cf6ed0e.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0c86ee36c9eeb493e69106d185f72195777f4f439bc6f2a57fa065a16cf6ed0e.exe
- Drops file in Windows directory 8 IoCs
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 64 IoCs
  Processes:
  Distinct description/pid/process combinations (64 entries in total):
  description | pid | process
  Token: SeShutdownPrivilege | 4832 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4832 | svchost.exe
  Token: SeSecurityPrivilege | 3216 | TiWorker.exe
  Token: SeRestorePrivilege | 3216 | TiWorker.exe
  Token: SeBackupPrivilege | 3216 | TiWorker.exe
- Suspicious use of WriteProcessMemory 9 IoCs
  Processes:
  description | pid | process | target process
  PID 1400 wrote to memory of 1512 | 1400 | 0c86ee36c9eeb493e69106d185f72195777f4f439bc6f2a57fa065a16cf6ed0e.exe | MediaCenter.exe
  PID 1400 wrote to memory of 1512 | 1400 | 0c86ee36c9eeb493e69106d185f72195777f4f439bc6f2a57fa065a16cf6ed0e.exe | MediaCenter.exe
  PID 1400 wrote to memory of 1512 | 1400 | 0c86ee36c9eeb493e69106d185f72195777f4f439bc6f2a57fa065a16cf6ed0e.exe | MediaCenter.exe
  PID 1400 wrote to memory of 2744 | 1400 | 0c86ee36c9eeb493e69106d185f72195777f4f439bc6f2a57fa065a16cf6ed0e.exe | cmd.exe
  PID 1400 wrote to memory of 2744 | 1400 | 0c86ee36c9eeb493e69106d185f72195777f4f439bc6f2a57fa065a16cf6ed0e.exe | cmd.exe
  PID 1400 wrote to memory of 2744 | 1400 | 0c86ee36c9eeb493e69106d185f72195777f4f439bc6f2a57fa065a16cf6ed0e.exe | cmd.exe
  PID 2744 wrote to memory of 2396 | 2744 | cmd.exe | PING.EXE
  PID 2744 wrote to memory of 2396 | 2744 | cmd.exe | PING.EXE
  PID 2744 wrote to memory of 2396 | 2744 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0c86ee36c9eeb493e69106d185f72195777f4f439bc6f2a57fa065a16cf6ed0e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c86ee36c9eeb493e69106d185f72195777f4f439bc6f2a57fa065a16cf6ed0e.exe"
  PID: 1400
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1512
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c86ee36c9eeb493e69106d185f72195777f4f439bc6f2a57fa065a16cf6ed0e.exe"
    PID: 2744
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 2396
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4832
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3216
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 78aa6197e15eb0e186ca1de2243ba79a
  SHA1: 190cbb1a42a9195818110748ffb717cbf265c896
  SHA256: 8460f6633fc16d48df8e6808b8b28d6001555d83b773cf826f22c9c1953c849e
  SHA512: 09250e2068bfd23a529f311bbc04d91a79fcb530783f155918f48d6e1ea4e4c191925fbcd296e45940e82e12bca6aff6f75f01baebb0b4d49104706bb7d89a5c