Analysis
- max time kernel: 146s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 09:13
Static task: static1
Behavioral task: behavioral1
- Sample: 0ab8d09c861d666853053bc370d0aa1ec446e2e47007d6ab0278255875a94dd5.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0ab8d09c861d666853053bc370d0aa1ec446e2e47007d6ab0278255875a94dd5.exe
- Resource: win10v2004-en-20220113
The signatures, process tree and memory dumps below are from behavioral2 (Windows 10 2004 x64, resource win10v2004-en-20220113); memory IoCs carry the behavioral2/ prefix. No results from the Windows 7 run (behavioral1) appear on this page.
General
- Target: 0ab8d09c861d666853053bc370d0aa1ec446e2e47007d6ab0278255875a94dd5.exe
- Size: 220KB
- MD5: dbf48b75484b567c004af5b665e01ec4
- SHA1: ce22f25085a2eb3625bd242a8ee315f0504fba74
- SHA256: 0ab8d09c861d666853053bc370d0aa1ec446e2e47007d6ab0278255875a94dd5
- SHA512: 61af9e5c3235c37d381a1308ed5afdbbb5e9e998c90659d5c62cba07f588d7bf5d3ae0590aa5e862cf717357fb260b5d2fe64798978e79ce29565a55d23689fc
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  The family_sakula YARA rule matched the dropped file (listed twice) and one memory region in each of the two malicious processes:
  - file C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (family_sakula)
  - file C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (family_sakula)
  - memory behavioral2/memory/3260-135-0x0000000000400000-0x0000000000420000-memory.dmp (family_sakula), PID 3260 = the submitted sample
  - memory behavioral2/memory/3628-136-0x0000000000400000-0x0000000000420000-memory.dmp (family_sakula), PID 3628 = MediaCenter.exe
  Both memory hits cover the same 0x00400000-0x00420000 (128KB) range, the default image base of a 32-bit executable, so the rule is matching the loaded image of each process rather than an injected region.
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
  The Network section of this page is empty, so the beacon destination and the offending User-Agent string are not recorded here; only the Suricata rule names survive.
- Executes dropped EXE (1 IoC)
  - PID 3628 MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation by 0ab8d09c861d666853053bc370d0aa1ec446e2e47007d6ab0278255875a94dd5.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" by 0ab8d09c861d666853053bc370d0aa1ec446e2e47007d6ab0278255875a94dd5.exe
  The value is machine-wide (HKLM), so the sample was running with administrative rights in the sandbox, and it lands under WOW6432Node because the sample is a 32-bit process on this x64 guest. A Run value whose data points into the user's AppData\Local\Temp directory is a strong indicator in its own right.
- Drops file in Windows directory (8 IoCs)
  - File opened for modification: C:\Windows\WindowsUpdate.log (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
  - File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  - File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  All eight writes come from the Windows Update service host (svchost.exe -k netsvcs -p -s wuauserv) and the servicing worker (TiWorker.exe), which appear as separate top-level processes in the tree below rather than as children of the sample. This signature is sandbox background activity, not sample behaviour.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s); the sandbox describes this as likely ransomware behaviour. No process or IoC is attached to this signature in the report, so it cannot be attributed to the sample from this page.
- Runs ping.exe (1 TTPs, 1 IoC)
  - PID 3780 PING.EXE, spawned by cmd.exe (PID 2084). The ping of 127.0.0.1 is used as a delay before cmd.exe deletes the original sample file (see the process tree).
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token privileges enabled, grouped by process (the report lists every call separately):
  - PID 1288 svchost.exe: SeShutdownPrivilege x3, SeCreatePagefilePrivilege x3 (6 entries)
  - PID 3260 0ab8d09c861d666853053bc370d0aa1ec446e2e47007d6ab0278255875a94dd5.exe: SeIncBasePriorityPrivilege x1
  - PID 1640 TiWorker.exe: 57 entries cycling through SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege
  Only the single SeIncBasePriorityPrivilege entry belongs to the sample; the svchost.exe and TiWorker.exe entries are Windows Update servicing activity.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Each parent wrote to its child's memory three times:
  - PID 3260 0ab8d09c861d666853053bc370d0aa1ec446e2e47007d6ab0278255875a94dd5.exe -> PID 3628 MediaCenter.exe (x3)
  - PID 3260 0ab8d09c861d666853053bc370d0aa1ec446e2e47007d6ab0278255875a94dd5.exe -> PID 2084 cmd.exe (x3)
  - PID 2084 cmd.exe -> PID 3780 PING.EXE (x3)
Processes
- C:\Users\Admin\AppData\Local\Temp\0ab8d09c861d666853053bc370d0aa1ec446e2e47007d6ab0278255875a94dd5.exe (PID 3260, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ab8d09c861d666853053bc370d0aa1ec446e2e47007d6ab0278255875a94dd5.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 3628, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 2084, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ab8d09c861d666853053bc370d0aa1ec446e2e47007d6ab0278255875a94dd5.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 3780, depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 1288, depth 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 1640, depth 1)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

The sample's chain is: drop MediaCenter.exe into %TEMP%\MicroMedia, register it under the Run key, execute it, then spawn cmd.exe to delete the original file after a loopback ping (the ping is a sleep; del /q then removes the now-exited dropper). The command line names C:\Windows\System32\cmd.exe but the image that actually ran is C:\Windows\SysWOW64\cmd.exe: WOW64 file system redirection resolved the 32-bit sample's request to the 32-bit cmd.exe. The svchost.exe (wuauserv) and TiWorker.exe trees are unrelated Windows Update activity that happened to run during the analysis window.
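Two of the behaviours in this report, the Run value that points into the user's Temp directory and the cmd.exe /c ping 127.0.0.1 & del /q self-deletion, translate directly into host-based detections. The Python below is an added example, not part of the sandbox report and not the sandbox's own signature code. It runs two rules over constructed Sysmon-style events (EID 1 ProcessCreate and EID 13 RegistryEvent SetValue); the event dictionaries are assumptions modelled on the IoCs above, with two benign look-alikes added so the rules have something to reject. The self-deletion rule is written a little more generally than the single command line on this page: it also accepts ping -n N, localhost, && chaining and erase, and it fires only when the deleted path is the parent process's own image. The geofence registry read is not covered because Sysmon logs registry value sets, creates, deletes and renames, not reads.

```python
"""Detection logic for two behaviours recorded in the report above, run over
constructed Sysmon-style events.  Added example: not part of the sandbox
report and not the sandbox's own signature code."""
import re
from pathlib import PureWindowsPath

# Paths taken from the report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0ab8d09c861d666853053bc370d0aa1ec446e2e47007d6ab0278255875a94dd5.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events (an assumption for this example) modelled on the IoCs above.
# Field names follow Sysmon ProcessCreate (EID 1) and RegistryEvent SetValue (EID 13).
EVENTS = [
    {"EventID": 13, "ProcessId": 3260, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": DROPPED},
    {"EventID": 1, "ProcessId": 3628, "Image": DROPPED, "CommandLine": DROPPED,
     "ParentProcessId": 3260, "ParentImage": SAMPLE},
    {"EventID": 1, "ProcessId": 2084, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"',
     "ParentProcessId": 3260, "ParentImage": SAMPLE},
    # Two benign look-alikes: a plain loopback ping, and a Run value outside Temp.
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1',
     "ParentProcessId": 900, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "ProcessId": 5000, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]

# Run/RunOnce under either the native or the WOW6432Node hive view.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# "ping <loopback> [-n N]" used as a sleep, chained with & or && to del/erase of a path
# (quoted path in group 1, bare path in group 2).
SELF_DELETE = re.compile(
    r"\bping\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost)(?:\s+-n\s+\d+)?"
    r'.*?&+\s*(?:del|erase)\b(?:\s+/\w)*\s+(?:"([^"]+)"|(\S+))',
    re.IGNORECASE)


def _same_path(a, b):
    """Case-insensitive comparison of two Windows paths."""
    return PureWindowsPath(a).as_posix().lower() == PureWindowsPath(b).as_posix().lower()


def is_self_delete(ev):
    """EID 1: cmd.exe delays with a loopback ping, then deletes its parent's own image."""
    if ev.get("EventID") != 1 or PureWindowsPath(ev["Image"]).name.lower() != "cmd.exe":
        return False
    m = SELF_DELETE.search(ev.get("CommandLine", ""))
    if not m:
        return False
    target = m.group(1) or m.group(2)
    return _same_path(target, ev.get("ParentImage", ""))


def is_temp_run_key(ev):
    """EID 13: a Run/RunOnce value whose data points into the user's local Temp directory."""
    return (ev.get("EventID") == 13
            and RUN_KEY.search(ev.get("TargetObject", "")) is not None
            and TEMP_DIR.search(ev.get("Details", "")) is not None)


def triage(events):
    """Return (rule, pid, evidence) for every event that matches a rule, in event order."""
    hits = []
    for ev in events:
        if is_self_delete(ev):
            hits.append(("self_delete_via_ping", ev["ProcessId"], ev["CommandLine"]))
        if is_temp_run_key(ev):
            hits.append(("run_key_to_temp", ev["ProcessId"], ev["TargetObject"]))
    return hits


if __name__ == "__main__":
    for rule, pid, evidence in triage(EVENTS):
        print(f"{rule:22} PID {pid:<5} {evidence}")
```

Run as a script it prints the two hits from the report (PID 3260 for the Run value, PID 2084 for the self-deletion) and nothing for the benign events. The parent-image comparison is what keeps the self-deletion rule quiet on installers and scripts that legitimately ping-then-delete a temporary file: only a process that erases the image of the process that spawned it is flagged.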
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (listed twice in the report with identical hashes)
  - MD5: fc15e82d84785b7fa373d9245858e8b8
  - SHA1: 8b79961e7b367f625bb6d4b50f86715ae06bea42
  - SHA256: 4d28d8d78e1f4bf84781c8fdca7cccd9fa780a0bc9a7f2c47cd0ea4a811a9081
  - SHA512: 0fdb81169b80453aeed4d90309724329140087f4452341967e43398323e219db7b807f9f362604b81d3bb1fd4b3c60525397fafdc44b71eb8ceebeaf89dfcc4c
  These hashes differ from the submitted sample's, so MediaCenter.exe is a distinct dropped payload rather than a byte-for-byte copy of the dropper.
- memory/1288-132-0x000001D75D9A0000-0x000001D75D9B0000-memory.dmp (svchost.exe, PID 1288), 64KB
- memory/1288-133-0x000001D75E020000-0x000001D75E030000-memory.dmp (svchost.exe, PID 1288), 64KB
- memory/1288-134-0x000001D760720000-0x000001D760724000-memory.dmp (svchost.exe, PID 1288), 16KB
- memory/3260-135-0x0000000000400000-0x0000000000420000-memory.dmp (sample, PID 3260), 128KB
- memory/3628-136-0x0000000000400000-0x0000000000420000-memory.dmp (MediaCenter.exe, PID 3628), 128KB