Analysis
- max time kernel: 138s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 09:14

Static task: static1
Behavioral task: behavioral1
- Sample: 0aa884ddaf7e200c7bef43588a10b5cd94776c8e9150951c145e0637268db28c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0aa884ddaf7e200c7bef43588a10b5cd94776c8e9150951c145e0637268db28c.exe
- Resource: win10v2004-en-20220113
General
- Target: 0aa884ddaf7e200c7bef43588a10b5cd94776c8e9150951c145e0637268db28c.exe
- Size: 216KB
- MD5: 78bcbd824ac1c2fa6e98c9b30a1a2d57
- SHA1: 3abf919575f650c393c78de93b4c6bd1b7098c21
- SHA256: 0aa884ddaf7e200c7bef43588a10b5cd94776c8e9150951c145e0637268db28c
- SHA512: 92860e216d952ba551f9dba8ecd7db92bd025434b69fb9efe9e7645e1eb44f49587173dadf27375694e21084221e552ce9ec233c25df5d21a7717881aab0ac42
Malware Config
Signatures
- Sakula Payload 4 IoCs
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral2/memory/2096-135-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral2/memory/4520-136-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE 1 IoCs
  Processes:
  pid | process
  4520 | MediaCenter.exe
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0aa884ddaf7e200c7bef43588a10b5cd94776c8e9150951c145e0637268db28c.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0aa884ddaf7e200c7bef43588a10b5cd94776c8e9150951c145e0637268db28c.exe
- Drops file in Windows directory 8 IoCs
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 64 IoCs
- Suspicious use of WriteProcessMemory 9 IoCs
  Processes:
  description | pid | process | target process
  PID 2096 wrote to memory of 4520 | 2096 | 0aa884ddaf7e200c7bef43588a10b5cd94776c8e9150951c145e0637268db28c.exe | MediaCenter.exe
  PID 2096 wrote to memory of 4520 | 2096 | 0aa884ddaf7e200c7bef43588a10b5cd94776c8e9150951c145e0637268db28c.exe | MediaCenter.exe
  PID 2096 wrote to memory of 4520 | 2096 | 0aa884ddaf7e200c7bef43588a10b5cd94776c8e9150951c145e0637268db28c.exe | MediaCenter.exe
  PID 2096 wrote to memory of 2260 | 2096 | 0aa884ddaf7e200c7bef43588a10b5cd94776c8e9150951c145e0637268db28c.exe | cmd.exe
  PID 2096 wrote to memory of 2260 | 2096 | 0aa884ddaf7e200c7bef43588a10b5cd94776c8e9150951c145e0637268db28c.exe | cmd.exe
  PID 2096 wrote to memory of 2260 | 2096 | 0aa884ddaf7e200c7bef43588a10b5cd94776c8e9150951c145e0637268db28c.exe | cmd.exe
  PID 2260 wrote to memory of 3536 | 2260 | cmd.exe | PING.EXE
  PID 2260 wrote to memory of 3536 | 2260 | cmd.exe | PING.EXE
  PID 2260 wrote to memory of 3536 | 2260 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0aa884ddaf7e200c7bef43588a10b5cd94776c8e9150951c145e0637268db28c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0aa884ddaf7e200c7bef43588a10b5cd94776c8e9150951c145e0637268db28c.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2096
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 4520
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0aa884ddaf7e200c7bef43588a10b5cd94776c8e9150951c145e0637268db28c.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2260
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3536
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3492
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 616
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 59ed4e5347fbf8471bd4195eb821c9a4
  SHA1: c724e878e0be314b11186d200651448bec18b712
  SHA256: 93b4830916aaa2080108abca85eafad356a78e983238194bbf41b97c203372fb
  SHA512: e1a4688ac3e3ce900529ae1e3464c16e1a0064d0aba48c05a2f980c5686426666b8a50c1cdbd3a8a6682751269f59d072b46185029464baf6078edac52e97027
- memory/2096-135-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/3492-132-0x000001AB16530000-0x000001AB16540000-memory.dmp
  Filesize: 64KB
- memory/3492-133-0x000001AB16590000-0x000001AB165A0000-memory.dmp
  Filesize: 64KB
- memory/3492-134-0x000001AB19270000-0x000001AB19274000-memory.dmp
  Filesize: 16KB
- memory/4520-136-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB