Analysis
max time kernel: 148s
max time network: 168s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 10:09
Static task: static1
Behavioral task: behavioral1
  Sample: 07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe
  Resource: win10v2004-en-20220113
General
Target: 07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe
Size: 92KB
MD5: 041751e064912a021e025e141e1ce1bd
SHA1: 738a27708d6e6231980c73f61ac841b8d57fb438
SHA256: 07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c
SHA512: 2293e7516e2602e4a3a9da3adf4e86f3e74371fd06e0ee5796f041519859cd4f3bd0f16052914e433815da751dd97ebab6724596b240a3d24090aa77f9cccb0c
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes:
  resource                                                        yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
Processes:
  pid     process
  1512    MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  description          ioc                                                                                                        process
  Key value queried    \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation    07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description        ioc                                                                                                                                                                          process
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"    07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe
Drops file in Windows directory (8 IoCs)
Processes:
  description                     ioc                                                              process
  File opened for modification    C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm          svchost.exe
  File opened for modification    C:\Windows\SoftwareDistribution\ReportingEvents.log              svchost.exe
  File opened for modification    C:\Windows\Logs\CBS\CBS.log                                      TiWorker.exe
  File opened for modification    C:\Windows\WinSxS\pending.xml                                    TiWorker.exe
  File opened for modification    C:\Windows\WindowsUpdate.log                                     svchost.exe
  File opened for modification    C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk           svchost.exe
  File opened for modification    C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log           svchost.exe
  File opened for modification    C:\Windows\SoftwareDistribution\DataStore\DataStore.edb          svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description                          pid     process
  Token: SeShutdownPrivilege           4744    svchost.exe
  Token: SeCreatePagefilePrivilege     4744    svchost.exe
  Token: SeShutdownPrivilege           4744    svchost.exe
  Token: SeCreatePagefilePrivilege     4744    svchost.exe
  Token: SeShutdownPrivilege           4744    svchost.exe
  Token: SeCreatePagefilePrivilege     4744    svchost.exe
  Token: SeIncBasePriorityPrivilege    4128    07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe
  Token: SeSecurityPrivilege           4264    TiWorker.exe
  Token: SeRestorePrivilege            4264    TiWorker.exe
  Token: SeBackupPrivilege             4264    TiWorker.exe
  Token: SeBackupPrivilege             4264    TiWorker.exe
  Token: SeRestorePrivilege            4264    TiWorker.exe
  Token: SeSecurityPrivilege           4264    TiWorker.exe
  Token: SeBackupPrivilege             4264    TiWorker.exe
  Token: SeRestorePrivilege            4264    TiWorker.exe
  Token: SeSecurityPrivilege           4264    TiWorker.exe
  Token: SeBackupPrivilege             4264    TiWorker.exe
  Token: SeRestorePrivilege            4264    TiWorker.exe
  Token: SeSecurityPrivilege           4264    TiWorker.exe
  Token: SeBackupPrivilege             4264    TiWorker.exe
  Token: SeRestorePrivilege            4264    TiWorker.exe
  Token: SeSecurityPrivilege           4264    TiWorker.exe
  Token: SeBackupPrivilege             4264    TiWorker.exe
  Token: SeRestorePrivilege            4264    TiWorker.exe
  Token: SeSecurityPrivilege           4264    TiWorker.exe
  Token: SeBackupPrivilege             4264    TiWorker.exe
  Token: SeRestorePrivilege            4264    TiWorker.exe
  Token: SeSecurityPrivilege           4264    TiWorker.exe
  Token: SeBackupPrivilege             4264    TiWorker.exe
  Token: SeRestorePrivilege            4264    TiWorker.exe
  Token: SeSecurityPrivilege           4264    TiWorker.exe
  Token: SeBackupPrivilege             4264    TiWorker.exe
  Token: SeRestorePrivilege            4264    TiWorker.exe
  Token: SeSecurityPrivilege           4264    TiWorker.exe
  Token: SeBackupPrivilege             4264    TiWorker.exe
  Token: SeRestorePrivilege            4264    TiWorker.exe
  Token: SeSecurityPrivilege           4264    TiWorker.exe
  Token: SeBackupPrivilege             4264    TiWorker.exe
  Token: SeRestorePrivilege            4264    TiWorker.exe
  Token: SeSecurityPrivilege           4264    TiWorker.exe
  Token: SeBackupPrivilege             4264    TiWorker.exe
  Token: SeRestorePrivilege            4264    TiWorker.exe
  Token: SeSecurityPrivilege           4264    TiWorker.exe
  Token: SeBackupPrivilege             4264    TiWorker.exe
  Token: SeRestorePrivilege            4264    TiWorker.exe
  Token: SeSecurityPrivilege           4264    TiWorker.exe
  Token: SeBackupPrivilege             4264    TiWorker.exe
  Token: SeRestorePrivilege            4264    TiWorker.exe
  Token: SeSecurityPrivilege           4264    TiWorker.exe
  Token: SeBackupPrivilege             4264    TiWorker.exe
  Token: SeRestorePrivilege            4264    TiWorker.exe
  Token: SeSecurityPrivilege           4264    TiWorker.exe
  Token: SeBackupPrivilege             4264    TiWorker.exe
  Token: SeRestorePrivilege            4264    TiWorker.exe
  Token: SeSecurityPrivilege           4264    TiWorker.exe
  Token: SeBackupPrivilege             4264    TiWorker.exe
  Token: SeRestorePrivilege            4264    TiWorker.exe
  Token: SeSecurityPrivilege           4264    TiWorker.exe
  Token: SeBackupPrivilege             4264    TiWorker.exe
  Token: SeRestorePrivilege            4264    TiWorker.exe
  Token: SeSecurityPrivilege           4264    TiWorker.exe
  Token: SeBackupPrivilege             4264    TiWorker.exe
  Token: SeRestorePrivilege            4264    TiWorker.exe
  Token: SeSecurityPrivilege           4264    TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                          pid     process                                                                   target process
  PID 4128 wrote to memory of 1512     4128    07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe    MediaCenter.exe
  PID 4128 wrote to memory of 1512     4128    07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe    MediaCenter.exe
  PID 4128 wrote to memory of 1512     4128    07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe    MediaCenter.exe
  PID 4128 wrote to memory of 2264     4128    07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe    cmd.exe
  PID 4128 wrote to memory of 2264     4128    07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe    cmd.exe
  PID 4128 wrote to memory of 2264     4128    07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe    cmd.exe
  PID 2264 wrote to memory of 5072     2264    cmd.exe                                                                   PING.EXE
  PID 2264 wrote to memory of 5072     2264    cmd.exe                                                                   PING.EXE
  PID 2264 wrote to memory of 5072     2264    cmd.exe                                                                   PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4128

    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1512

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe"
      - Suspicious use of WriteProcessMemory
      PID: 2264

        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          - Runs ping.exe
          PID: 5072

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4744

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4264
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5: e6680cb3cbd7b182f4286943132f9837
SHA1: 87c0e75a303dd529dfdf89209538b64fbeaeb86e
SHA256: be96f858bf6b3b00d81365791bd8a15167f399801dc93121100c1cc4da50d4c2
SHA512: 436d09f203719a065daec9a313ee5c66af88f2553f6dffc0bf8e886b2b7e015fe32635fdd217c4ee135fa07029afc613d28e1c0552c959536e4856cebfab11ce
memory/4744-132-0x00000222D7720000-0x00000222D7730000-memory.dmp    Filesize: 64KB
memory/4744-133-0x00000222D7940000-0x00000222D7950000-memory.dmp    Filesize: 64KB
memory/4744-134-0x00000222D9E50000-0x00000222D9E54000-memory.dmp    Filesize: 16KB