Analysis
Max time kernel: 158s
Max time network: 155s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220113
Submitted: 12-02-2022 09:36
Static task: static1
Behavioral task: behavioral1
  Sample: 098561539b7df5a907949dd164a91f65a0e28f2427d7adc3abf8bc33a6a3f815.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 098561539b7df5a907949dd164a91f65a0e28f2427d7adc3abf8bc33a6a3f815.exe
  Resource: win10v2004-en-20220113
General
Target: 098561539b7df5a907949dd164a91f65a0e28f2427d7adc3abf8bc33a6a3f815.exe
Size: 150KB
MD5: 9a537a8cbcf56a02d87d806f05bfa0cc
SHA1: 7800b21364bc51debf4b476a0a173385a96026a7
SHA256: 098561539b7df5a907949dd164a91f65a0e28f2427d7adc3abf8bc33a6a3f815
SHA512: e962d7081bdc713e05fe375cc4ffa9978b5955ae612896689f2970d7add69ef559957ed6497671e5779438cf32547b0f5b923c8d0749f03c9116b60a65b452d3
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes:
  pid: 368  process: MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  process: 098561539b7df5a907949dd164a91f65a0e28f2427d7adc3abf8bc33a6a3f815.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 098561539b7df5a907949dd164a91f65a0e28f2427d7adc3abf8bc33a6a3f815.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
  description                   ioc                                                        process
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk     svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log     svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb    svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm    svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log        svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log                                TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml                              TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log                               svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  description                      pid   process
  Token: SeShutdownPrivilege       5076  svchost.exe
  Token: SeCreatePagefilePrivilege 5076  svchost.exe
  Token: SeShutdownPrivilege       5076  svchost.exe
  Token: SeCreatePagefilePrivilege 5076  svchost.exe
  Token: SeShutdownPrivilege       5076  svchost.exe
  Token: SeCreatePagefilePrivilege 5076  svchost.exe
  Token: SeSecurityPrivilege       524   TiWorker.exe
  Token: SeRestorePrivilege        524   TiWorker.exe
  Token: SeBackupPrivilege         524   TiWorker.exe
  (the remaining 55 entries for pid 524 TiWorker.exe repeat the same three tokens, SeBackupPrivilege, SeRestorePrivilege and SeSecurityPrivilege, in rotation; 64 entries in total)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description                          pid   process                                                                   target process
  PID 3600 wrote to memory of 368      3600  098561539b7df5a907949dd164a91f65a0e28f2427d7adc3abf8bc33a6a3f815.exe  MediaCenter.exe
  PID 3600 wrote to memory of 368      3600  098561539b7df5a907949dd164a91f65a0e28f2427d7adc3abf8bc33a6a3f815.exe  MediaCenter.exe
  PID 3600 wrote to memory of 368      3600  098561539b7df5a907949dd164a91f65a0e28f2427d7adc3abf8bc33a6a3f815.exe  MediaCenter.exe
  PID 3600 wrote to memory of 1460     3600  098561539b7df5a907949dd164a91f65a0e28f2427d7adc3abf8bc33a6a3f815.exe  cmd.exe
  PID 3600 wrote to memory of 1460     3600  098561539b7df5a907949dd164a91f65a0e28f2427d7adc3abf8bc33a6a3f815.exe  cmd.exe
  PID 3600 wrote to memory of 1460     3600  098561539b7df5a907949dd164a91f65a0e28f2427d7adc3abf8bc33a6a3f815.exe  cmd.exe
  PID 1460 wrote to memory of 2256     1460  cmd.exe                                                                   PING.EXE
  PID 1460 wrote to memory of 2256     1460  cmd.exe                                                                   PING.EXE
  PID 1460 wrote to memory of 2256     1460  cmd.exe                                                                   PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\098561539b7df5a907949dd164a91f65a0e28f2427d7adc3abf8bc33a6a3f815.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\098561539b7df5a907949dd164a91f65a0e28f2427d7adc3abf8bc33a6a3f815.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 3600
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 368
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\098561539b7df5a907949dd164a91f65a0e28f2427d7adc3abf8bc33a6a3f815.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1460
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 2256
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 5076
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 524
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: a2233f3601d57823593719709d532ccb
  SHA1: a15ea990133019d9471df4d13facf113caf6b0a5
  SHA256: 4a2f133de3a7d317ffa8f1f519715da82fe4d7835b91312cdfd2dae0431863ab
  SHA512: 8997d00fe5daf0e53f453d8ffe2595a3654c821f1833c0da8abf2140cd5f30e4d8f4c834945cab31e09e4b4ab7970706ab42038f8a48b4e9962d8ebfd17d8ee0
- memory/5076-132-0x00000186FF730000-0x00000186FF740000-memory.dmp
  Filesize: 64KB
- memory/5076-133-0x00000186FF790000-0x00000186FF7A0000-memory.dmp
  Filesize: 64KB
- memory/5076-134-0x0000018682480000-0x0000018682484000-memory.dmp
  Filesize: 16KB