Analysis
- Max time kernel: 144s
- Max time network: 168s
- Platform: windows10-2004_x64
- Resource: win10v2004-en-20220113
- Submitted: 12-02-2022 08:00

Static task: static1

Behavioral task: behavioral1
- Sample: 0bf7cd663f84a5aa4427d4f2ade69e232cacf42899fb5eaf97e7a2d87afb8ea2.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0bf7cd663f84a5aa4427d4f2ade69e232cacf42899fb5eaf97e7a2d87afb8ea2.exe
- Resource: win10v2004-en-20220113
General
- Target: 0bf7cd663f84a5aa4427d4f2ade69e232cacf42899fb5eaf97e7a2d87afb8ea2.exe
- Size: 92KB
- MD5: 6b127101c948ed99ccbeb9110397bc07
- SHA1: af43d12c13f6942f67f6dc01f253429c3afc17d4
- SHA256: 0bf7cd663f84a5aa4427d4f2ade69e232cacf42899fb5eaf97e7a2d87afb8ea2
- SHA512: d958f3bdd50b4a25e27e68a2506b493667b6e7b55a13c1c2af73d12d43a33f2b3f8133bc33e2b83284506da661339b761fa1023a3c808082023f5f8e70616236
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  4392 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0bf7cd663f84a5aa4427d4f2ade69e232cacf42899fb5eaf97e7a2d87afb8ea2.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0bf7cd663f84a5aa4427d4f2ade69e232cacf42899fb5eaf97e7a2d87afb8ea2.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (the 64 token events, grouped by privilege, pid and process, with the number of times each was recorded):
  description | pid | process | count
  Token: SeIncBasePriorityPrivilege | 4800 | 0bf7cd663f84a5aa4427d4f2ade69e232cacf42899fb5eaf97e7a2d87afb8ea2.exe | 1
  Token: SeShutdownPrivilege | 3788 | svchost.exe | 3
  Token: SeCreatePagefilePrivilege | 3788 | svchost.exe | 3
  Token: SeSecurityPrivilege | 2628 | TiWorker.exe | 19
  Token: SeRestorePrivilege | 2628 | TiWorker.exe | 19
  Token: SeBackupPrivilege | 2628 | TiWorker.exe | 19
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 4800 wrote to memory of 4392 | 4800 | 0bf7cd663f84a5aa4427d4f2ade69e232cacf42899fb5eaf97e7a2d87afb8ea2.exe | MediaCenter.exe
  PID 4800 wrote to memory of 4392 | 4800 | 0bf7cd663f84a5aa4427d4f2ade69e232cacf42899fb5eaf97e7a2d87afb8ea2.exe | MediaCenter.exe
  PID 4800 wrote to memory of 4392 | 4800 | 0bf7cd663f84a5aa4427d4f2ade69e232cacf42899fb5eaf97e7a2d87afb8ea2.exe | MediaCenter.exe
  PID 4800 wrote to memory of 3468 | 4800 | 0bf7cd663f84a5aa4427d4f2ade69e232cacf42899fb5eaf97e7a2d87afb8ea2.exe | cmd.exe
  PID 4800 wrote to memory of 3468 | 4800 | 0bf7cd663f84a5aa4427d4f2ade69e232cacf42899fb5eaf97e7a2d87afb8ea2.exe | cmd.exe
  PID 4800 wrote to memory of 3468 | 4800 | 0bf7cd663f84a5aa4427d4f2ade69e232cacf42899fb5eaf97e7a2d87afb8ea2.exe | cmd.exe
  PID 3468 wrote to memory of 3112 | 3468 | cmd.exe | PING.EXE
  PID 3468 wrote to memory of 3112 | 3468 | cmd.exe | PING.EXE
  PID 3468 wrote to memory of 3112 | 3468 | cmd.exe | PING.EXE
Processes (process tree; nesting shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\0bf7cd663f84a5aa4427d4f2ade69e232cacf42899fb5eaf97e7a2d87afb8ea2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0bf7cd663f84a5aa4427d4f2ade69e232cacf42899fb5eaf97e7a2d87afb8ea2.exe"
  PID: 4800
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4392
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0bf7cd663f84a5aa4427d4f2ade69e232cacf42899fb5eaf97e7a2d87afb8ea2.exe"
    PID: 3468
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 3112
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 3788
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 2628
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 118afc049ea39ec65c6a1b511e679711
  SHA1: 493556a4e8f8461e593bf2c8521046e2507a609c
  SHA256: c22feba390ffef2cf51405bdce86bb0f12203eea7f8b1c43f992f355e382ec2a
  SHA512: 0ee68dac29b08670911070d68578b5110a86192893afd2a8204925d3764c4e33782d025b4aefcd607866b1b72b6e369f8627e8e40994341e978a3aee429f3fbd