Analysis
max time kernel: 147s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 08:24
Static task: static1
Behavioral task: behavioral1
  Sample: 0b27a1b2bbb21aa81d1edc2eb30c654c192a0bdc785720f44f91ad2eba5ed92e.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0b27a1b2bbb21aa81d1edc2eb30c654c192a0bdc785720f44f91ad2eba5ed92e.exe
  Resource: win10v2004-en-20220113
General
Target: 0b27a1b2bbb21aa81d1edc2eb30c654c192a0bdc785720f44f91ad2eba5ed92e.exe
Size: 176KB
MD5: 23d0328e41f464e498749d6fe24c44e5
SHA1: a2b7340d9c9b4196b123a278a8de963ba80835a4
SHA256: 0b27a1b2bbb21aa81d1edc2eb30c654c192a0bdc785720f44f91ad2eba5ed92e
SHA512: 6375a389e0dd16f040ccd2670f29a64a315b0cc4cfb1dc21a1dffa4d4e9d79ade1429f4c7ad077d119e04798af4c1b10ef2949c6b4a0ed3c6b27f5b11ed2d9ce
Malware Config
Signatures

Sakula Payload (4 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
behavioral2/memory/760-138-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
behavioral2/memory/3400-139-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoCs)
pid | process
3400 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0b27a1b2bbb21aa81d1edc2eb30c654c192a0bdc785720f44f91ad2eba5ed92e.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0b27a1b2bbb21aa81d1edc2eb30c654c192a0bdc785720f44f91ad2eba5ed92e.exe
Drops file in Windows directory (8 IoCs)
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | process | count (number of identical entries)
Token: SeShutdownPrivilege | 2912 | svchost.exe | 3
Token: SeCreatePagefilePrivilege | 2912 | svchost.exe | 3
Token: SeSecurityPrivilege | 2264 | TiWorker.exe | 19
Token: SeRestorePrivilege | 2264 | TiWorker.exe | 19
Token: SeBackupPrivilege | 2264 | TiWorker.exe | 19
Token: SeIncBasePriorityPrivilege | 760 | 0b27a1b2bbb21aa81d1edc2eb30c654c192a0bdc785720f44f91ad2eba5ed92e.exe | 1
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | process | target process | count (number of identical entries)
PID 760 wrote to memory of 3400 | 760 | 0b27a1b2bbb21aa81d1edc2eb30c654c192a0bdc785720f44f91ad2eba5ed92e.exe | MediaCenter.exe | 3
PID 760 wrote to memory of 3720 | 760 | 0b27a1b2bbb21aa81d1edc2eb30c654c192a0bdc785720f44f91ad2eba5ed92e.exe | cmd.exe | 3
PID 3720 wrote to memory of 3804 | 3720 | cmd.exe | PING.EXE | 3
Processes
Process tree (indentation shows parent/child depth):

C:\Users\Admin\AppData\Local\Temp\0b27a1b2bbb21aa81d1edc2eb30c654c192a0bdc785720f44f91ad2eba5ed92e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b27a1b2bbb21aa81d1edc2eb30c654c192a0bdc785720f44f91ad2eba5ed92e.exe"
  PID: 760
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 3400
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b27a1b2bbb21aa81d1edc2eb30c654c192a0bdc785720f44f91ad2eba5ed92e.exe"
    PID: 3720
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 3804
      - Runs ping.exe

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 2912
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 2264
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: d7ac037cbb640eebaaa0fefe1a275735
  SHA1: 1690ed28be8082feb25ff3d7dd2d0930b6fa30ab
  SHA256: c9b0711e56ac25713d9b345864971f80721934a178186bc93af9cf18dc9c0798
  SHA512: fb02baeb5357ee34ccb120a2db06eac5b135978b92ee685dc06cc422b3dba460c663e1a4655351802c5674fddfd52b0bcb869c0e55b32deb87a1fad3a2a0794b

memory/760-138-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

memory/2912-135-0x0000026946330000-0x0000026946340000-memory.dmp
  Filesize: 64KB

memory/2912-136-0x0000026946390000-0x00000269463A0000-memory.dmp
  Filesize: 64KB

memory/2912-137-0x0000026949070000-0x0000026949074000-memory.dmp
  Filesize: 16KB

memory/3400-139-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB