Analysis
max time kernel: 155s
max time network: 170s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 09:23
Static task: static1
Behavioral task: behavioral1
  Sample: 0a3ebdb6420e2bd1f5d48f34c1afb7fb0d608970c4922cb6c83a0016a7eed296.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0a3ebdb6420e2bd1f5d48f34c1afb7fb0d608970c4922cb6c83a0016a7eed296.exe
  Resource: win10v2004-en-20220113
General
Target: 0a3ebdb6420e2bd1f5d48f34c1afb7fb0d608970c4922cb6c83a0016a7eed296.exe
Size: 89KB
MD5: c6ea3448769a78a89c6f0e8f71e2854a
SHA1: 6b81a822d860254321e49c848f2ee74986367b19
SHA256: 0a3ebdb6420e2bd1f5d48f34c1afb7fb0d608970c4922cb6c83a0016a7eed296
SHA512: 41220650d6a1f04c57dd2683d4ac6c027e55ed3102cae7d1ee4daa405ebd70f1978687b88b49f2a9ac0e4823cf1763949c039d5db7ec84a5b9bcf68d3306d9c2
Malware Config
Signatures
Sakula Payload (4 IoCs)
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe - yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe - yara_rule: family_sakula
  resource: behavioral2/memory/2316-135-0x0000000000400000-0x000000000041B000-memory.dmp - yara_rule: family_sakula
  resource: behavioral2/memory/1512-136-0x0000000000400000-0x000000000041B000-memory.dmp - yara_rule: family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
  process: MediaCenter.exe (PID 1512)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  process: 0a3ebdb6420e2bd1f5d48f34c1afb7fb0d608970c4922cb6c83a0016a7eed296.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
Adds Run key to start application (2 TTPs, 1 IoC)
  process: 0a3ebdb6420e2bd1f5d48f34c1afb7fb0d608970c4922cb6c83a0016a7eed296.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
Drops file in Windows directory (8 IoCs)
  svchost.exe - File opened for modification: C:\Windows\WindowsUpdate.log
  svchost.exe - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
  svchost.exe - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
  svchost.exe - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
  svchost.exe - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm
  svchost.exe - File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log
  TiWorker.exe - File opened for modification: C:\Windows\Logs\CBS\CBS.log
  TiWorker.exe - File opened for modification: C:\Windows\WinSxS\pending.xml
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  svchost.exe (PID 1728): SeShutdownPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeCreatePagefilePrivilege (6 token adjustments)
  0a3ebdb6420e2bd1f5d48f34c1afb7fb0d608970c4922cb6c83a0016a7eed296.exe (PID 2316): SeIncBasePriorityPrivilege (1 token adjustment)
  TiWorker.exe (PID 1772): SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege, then 18 repetitions of the cycle SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege (57 token adjustments)
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2316 (0a3ebdb6420e2bd1f5d48f34c1afb7fb0d608970c4922cb6c83a0016a7eed296.exe) wrote to memory of PID 1512 (MediaCenter.exe) - 3 times
  PID 2316 (0a3ebdb6420e2bd1f5d48f34c1afb7fb0d608970c4922cb6c83a0016a7eed296.exe) wrote to memory of PID 636 (cmd.exe) - 3 times
  PID 636 (cmd.exe) wrote to memory of PID 1316 (PING.EXE) - 3 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\0a3ebdb6420e2bd1f5d48f34c1afb7fb0d608970c4922cb6c83a0016a7eed296.exe (PID 2316)
   Command line: "C:\Users\Admin\AppData\Local\Temp\0a3ebdb6420e2bd1f5d48f34c1afb7fb0d608970c4922cb6c83a0016a7eed296.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1512, child of 2316)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe (PID 636, child of 2316)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a3ebdb6420e2bd1f5d48f34c1afb7fb0d608970c4922cb6c83a0016a7eed296.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE (PID 1316, child of 636)
         Command line: ping 127.0.0.1
         - Runs ping.exe
1. C:\Windows\system32\svchost.exe (PID 1728)
   Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 1772)
   Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 3d34a9071e06ff696a2144a92f1830a5
  SHA1: 3e0c71858472eb7a0b855705d0c2554da6294751
  SHA256: 8fa6014e7f72dbe0a9b10cf10fa67a0625062b5ba717d9df1f6d50e2d13ab3a9
  SHA512: 1f95fdced31931c159332a59f27af634125b3391a8b5d34370b74497c485a4d11fb4471fdeb78e9f39b49ca12a582c06266dbb2cdbda081c6bc54b39a590c3cd
memory/1512-136-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
memory/1728-132-0x000001CC5CF60000-0x000001CC5CF70000-memory.dmp
  Filesize: 64KB
memory/1728-133-0x000001CC5D520000-0x000001CC5D530000-memory.dmp
  Filesize: 64KB
memory/1728-134-0x000001CC5FBC0000-0x000001CC5FBC4000-memory.dmp
  Filesize: 16KB
memory/2316-135-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB