Analysis
  Max time kernel: 147s
  Max time network: 168s
  Platform: windows10-2004_x64
  Resource: win10v2004-en-20220113
  Submitted: 12-02-2022 08:24
  Static task: static1
  Behavioral task: behavioral1
    Sample: 0b1fffc3a63524c3d719cb2b528ea51ab692ac2c4a3349503e8a176457ffedfe.exe
    Resource: win7-en-20211208
  Behavioral task: behavioral2
    Sample: 0b1fffc3a63524c3d719cb2b528ea51ab692ac2c4a3349503e8a176457ffedfe.exe
    Resource: win10v2004-en-20220113
  The signatures, process tree and memory dumps below come from behavioral2 (Windows 10 2004 x64); the behavioral1 (Windows 7) results are not on this page.
General
  Target: 0b1fffc3a63524c3d719cb2b528ea51ab692ac2c4a3349503e8a176457ffedfe.exe
  Size: 121KB
  MD5: d5f6b719a4b477aa14f1e6f47eff9296
  SHA1: da660f60832c1ee184f347ebdbd6f5a7ec7be6d9
  SHA256: 0b1fffc3a63524c3d719cb2b528ea51ab692ac2c4a3349503e8a176457ffedfe
  SHA512: ef33a299dad1983b066c046aebbde6761eb9d7c8449176198069a4b2da6e472afb3048cb28d57fe2f79113cc466092591785b70dafef599af1a28529f0ac51ad
Malware Config
  (no configuration extracted; the section is empty in the report)
Signatures
  PID 3132 is the submitted sample (called the dropper below); PID 3388 is the dropped MediaCenter.exe; PIDs 540 (svchost.exe, wuauserv) and 3168 (TiWorker.exe) are Windows Update components that happened to run during the analysis.

Sakula Payload (4 IoCs)
  YARA rule family_sakula matched:
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (file on disk; two hits on the same path)
    behavioral2/memory/3132-135-0x0000000000400000-0x0000000000420000-memory.dmp (dropper, PID 3132)
    behavioral2/memory/3388-136-0x0000000000400000-0x0000000000420000-memory.dmp (MediaCenter.exe, PID 3388)
  Both memory hits are the 128KB image mapped at 0x400000, the default base of a 32-bit PE, so the dropper and the file it drops both carry the family signature in memory even though their on-disk hashes differ (see Downloads).

suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
  The first rule fires on an HTTP User-Agent header consisting of the bare string iexplore; the second matches the Sakula/Mivast beacon format. The Network section of this page is empty, so the beacon destination is not recorded here.

Executes dropped EXE (1 IoC)
  PID 3388 MediaCenter.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried by the dropper (PID 3132):
    \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by the dropper (PID 3132):
    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  WOW6432Node is the 32-bit view of HKLM\...\CurrentVersion\Run; the persistence target lives in the user's Temp directory.

Drops file in Windows directory (8 IoCs)
  File opened for modification:
    C:\Windows\WindowsUpdate.log (svchost.exe)
    C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
    C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
    C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
    C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
    C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
    C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
    C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  All eight are written by the Windows Update service host (svchost.exe -k netsvcs -p -s wuauserv, PID 540) and the servicing worker TiWorker.exe (PID 3168), not by the sample; treat this signature as sandbox background noise.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches a "likely ransomware" note to this heuristic; nothing else in this run (no mass file writes, no ransom note) supports that reading for a Sakula RAT, and no process is listed for the hit.

Runs ping.exe (1 TTP, 1 IoC)
  PID 456 PING.EXE, launched by cmd.exe as a delay before the dropper's own file is deleted (see Processes).

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  svchost.exe (PID 540): SeShutdownPrivilege and SeCreatePagefilePrivilege, three times each
  TiWorker.exe (PID 3168): SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, cycled repeatedly; these make up the rest of the entries
  dropper (PID 3132): SeIncBasePriorityPrivilege, once
  Only the last line belongs to the sample; the svchost.exe and TiWorker.exe entries are Windows Update activity.

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 3132 (dropper) wrote to memory of PID 3388 (MediaCenter.exe), three times
  PID 3132 (dropper) wrote to memory of PID 4396 (cmd.exe), three times
  PID 4396 (cmd.exe) wrote to memory of PID 456 (PING.EXE), three times
  Each target is the writer's own newly created child, the pattern process creation produces; this run shows no write into a pre-existing, unrelated process.
Processes
  C:\Users\Admin\AppData\Local\Temp\0b1fffc3a63524c3d719cb2b528ea51ab692ac2c4a3349503e8a176457ffedfe.exe  (PID 3132)
    command line: "C:\Users\Admin\AppData\Local\Temp\0b1fffc3a63524c3d719cb2b528ea51ab692ac2c4a3349503e8a176457ffedfe.exe"
    Checks computer location settings
    Adds Run key to start application
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    +-- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 3388)
          command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
          Executes dropped EXE
    +-- C:\Windows\SysWOW64\cmd.exe  (PID 4396)
          command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b1fffc3a63524c3d719cb2b528ea51ab692ac2c4a3349503e8a176457ffedfe.exe"
          Suspicious use of WriteProcessMemory
          +-- C:\Windows\SysWOW64\PING.EXE  (PID 456)
                command line: ping 127.0.0.1
                Runs ping.exe
  C:\Windows\system32\svchost.exe  (PID 540)
    command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    Drops file in Windows directory
    Suspicious use of AdjustPrivilegeToken
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  (PID 3168)
    command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    Drops file in Windows directory
    Suspicious use of AdjustPrivilegeToken

  Reading the tree: the dropper places MediaCenter.exe in %TEMP%\MicroMedia, registers it under the Run key, starts it, then spawns cmd.exe with "ping 127.0.0.1 & del /q <own path>" so that del runs only after the ping delay has given the dropper time to exit and release its file. The command line names System32\cmd.exe but the image that actually runs is SysWOW64\cmd.exe: the dropper is a 32-bit process and file-system redirection sends it to the 32-bit binary. The svchost.exe (wuauserv) and TiWorker.exe trees are Windows Update running in the background and are unrelated to the sample.
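As an added example, not part of the sandbox output or of the malware: the host-side detection logic a defender could run over endpoint telemetry to catch the chain shown in this tree. The EVENTS list is constructed Sysmon-style data (one dict per event with the field names used here is an assumption about the telemetry format); the PIDs, paths, registry keys and command lines are copied from this report so each rule can be checked against it, and the Windows Update svchost.exe process is included as the noise that must not fire.

```python
"""Host-side detection of the dropper chain seen in this report.

Added example, not part of the sandbox output. EVENTS is constructed
Sysmon-style telemetry (assumption: one dict per event with the fields
used below); PIDs, paths and command lines follow the report's process
tree and registry IoCs so the rules can be checked against them.
"""
import re
from collections import defaultdict

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\0b1fffc3a63524c3d719cb2b528ea51ab692ac2c4a3349503e8a176457ffedfe.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

EVENTS = [
    {"type": "process", "pid": 3132, "ppid": 1234, "image": DROPPER,
     "cmdline": '"%s"' % DROPPER},
    {"type": "registry_query", "pid": 3132,
     "key": r"HKU\S-1-5-21-1346565761-3498240568-4147300184-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"type": "registry_set", "pid": 3132,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
    {"type": "process", "pid": 3388, "ppid": 3132, "image": DROPPED, "cmdline": DROPPED},
    {"type": "process", "pid": 4396, "ppid": 3132, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "%s"' % DROPPER},
    {"type": "process", "pid": 456, "ppid": 4396, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Windows Update background activity, also present in the report; must not fire.
    {"type": "process", "pid": 540, "ppid": 700, "image": r"C:\Windows\system32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"},
]

# A binary under a user's Temp directory is user-writable and unusual both as
# a Run-key persistence target and as the parent of another Temp binary.
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# "ping <host> & del [/switches] <path.exe>": ping is only a delay so that del
# runs after the calling process has exited and released its own file.
SELF_DELETE = re.compile(
    r"ping\s+\S+.*?&\s*del\b(?:\s+/\w+)*\s+\"?(?P<target>[^\"&]+?\.exe)\"?", re.I)


def detect(events):
    """Map PID -> sorted signature names; child behaviour is attributed to the parent."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = defaultdict(set)
    for e in events:
        if e["type"] == "registry_set":
            if RUN_KEY.search(e["key"]) and USER_TEMP.search(e["value"]):
                hits[e["pid"]].add("run_key_to_temp")
        elif e["type"] == "registry_query":
            actor = procs.get(e["pid"], {}).get("image", "")
            if GEO_NATION.search(e["key"]) and USER_TEMP.search(actor):
                hits[e["pid"]].add("geo_nation_lookup")
        elif e["type"] == "process":
            parent = procs.get(e["ppid"])
            if parent is None:
                continue
            if USER_TEMP.search(e["image"]) and USER_TEMP.search(parent["image"]):
                hits[e["ppid"]].add("executes_dropped_exe")
            if e["image"].lower().endswith("\\cmd.exe"):
                m = SELF_DELETE.search(e["cmdline"])
                # Only flag when the deleted path is the parent's own image.
                if m and m.group("target").strip().lower() == parent["image"].lower():
                    hits[e["ppid"]].add("self_delete_via_ping")
    return {pid: sorted(names) for pid, names in hits.items()}


if __name__ == "__main__":
    for pid, names in detect(EVENTS).items():
        print(pid, ", ".join(names))
```

Run against the constructed events, every finding lands on PID 3132 and the svchost.exe process produces nothing, which is the split the report's signature list should have made explicit. The self-deletion rule deliberately requires the del target to equal the parent's image path: "cmd /c ping & del" on an arbitrary file is common in installers, while deleting the process that launched you is not.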
Network
  (no hosts or flows are listed on this page; the only network evidence is the two Suricata alerts under Signatures)
MITRE ATT&CK Enterprise v6
  (matrix version the TTP tags above refer to; no technique table is reproduced on this page)
Downloads
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5: 99f46e8795c4315fe9f5da8aa6118017
    SHA1: 59a0f127dd4481cacd2214b6125aab636766f6e9
    SHA256: 2ce62bb902312c01526656005960dd26813b775942137d490162e31efa9223e2
    SHA512: 4b0d0e7524a5fb20046cabd0f8fb868124142807211e652773437408b5f5c5a6b3679e85535f9720d87990202d237bf46c68181142ff12b1c5022b8012635e0f
  memory/540-132-0x0000027E86160000-0x0000027E86170000-memory.dmp  64KB  (svchost.exe, PID 540)
  memory/540-133-0x0000027E86720000-0x0000027E86730000-memory.dmp  64KB  (svchost.exe, PID 540)
  memory/540-134-0x0000027E88DB0000-0x0000027E88DB4000-memory.dmp  16KB  (svchost.exe, PID 540)
  memory/3132-135-0x0000000000400000-0x0000000000420000-memory.dmp  128KB  (dropper, PID 3132; matched family_sakula)
  memory/3388-136-0x0000000000400000-0x0000000000420000-memory.dmp  128KB  (MediaCenter.exe, PID 3388; matched family_sakula)