Analysis
max time kernel: 153s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 09:51
Static task: static1
Behavioral task: behavioral1
  Sample: 08d65de9d63a19f63c8141a7fbcd0ab605a1562e9f79a0df48c5f5f4b0ea048b.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 08d65de9d63a19f63c8141a7fbcd0ab605a1562e9f79a0df48c5f5f4b0ea048b.exe
  Resource: win10v2004-en-20220113
General
Target: 08d65de9d63a19f63c8141a7fbcd0ab605a1562e9f79a0df48c5f5f4b0ea048b.exe
Size: 150KB
MD5: 76c0d8a803c3a9467ee16ac6c76bce29
SHA1: 4f9e21a7f32d932e1652a28f1e0a0cfd3c63fac5
SHA256: 08d65de9d63a19f63c8141a7fbcd0ab605a1562e9f79a0df48c5f5f4b0ea048b
SHA512: 835ba22ce293d703881b15cf4c0323837991ef75d02253ea629950676460861b7d04da40df7fbdf2a1d87cab8b6467b4baac1b555788019fa5afe9552331cd7b
Malware Config
Signatures
Sakula Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

Executes dropped EXE 1 IoCs
Processes:
pid | process
5060 | MediaCenter.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 08d65de9d63a19f63c8141a7fbcd0ab605a1562e9f79a0df48c5f5f4b0ea048b.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 08d65de9d63a19f63c8141a7fbcd0ab605a1562e9f79a0df48c5f5f4b0ea048b.exe

Drops file in Windows directory 8 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe 1 TTPs 1 IoCs

Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 4564 wrote to memory of 5060 | 4564 | 08d65de9d63a19f63c8141a7fbcd0ab605a1562e9f79a0df48c5f5f4b0ea048b.exe | MediaCenter.exe
PID 4564 wrote to memory of 5060 | 4564 | 08d65de9d63a19f63c8141a7fbcd0ab605a1562e9f79a0df48c5f5f4b0ea048b.exe | MediaCenter.exe
PID 4564 wrote to memory of 5060 | 4564 | 08d65de9d63a19f63c8141a7fbcd0ab605a1562e9f79a0df48c5f5f4b0ea048b.exe | MediaCenter.exe
PID 4564 wrote to memory of 620 | 4564 | 08d65de9d63a19f63c8141a7fbcd0ab605a1562e9f79a0df48c5f5f4b0ea048b.exe | cmd.exe
PID 4564 wrote to memory of 620 | 4564 | 08d65de9d63a19f63c8141a7fbcd0ab605a1562e9f79a0df48c5f5f4b0ea048b.exe | cmd.exe
PID 4564 wrote to memory of 620 | 4564 | 08d65de9d63a19f63c8141a7fbcd0ab605a1562e9f79a0df48c5f5f4b0ea048b.exe | cmd.exe
PID 620 wrote to memory of 1800 | 620 | cmd.exe | PING.EXE
PID 620 wrote to memory of 1800 | 620 | cmd.exe | PING.EXE
PID 620 wrote to memory of 1800 | 620 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\08d65de9d63a19f63c8141a7fbcd0ab605a1562e9f79a0df48c5f5f4b0ea048b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\08d65de9d63a19f63c8141a7fbcd0ab605a1562e9f79a0df48c5f5f4b0ea048b.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4564
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 5060
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\08d65de9d63a19f63c8141a7fbcd0ab605a1562e9f79a0df48c5f5f4b0ea048b.exe"
    - Suspicious use of WriteProcessMemory
    PID: 620
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1800

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3116

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1536
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 487a88b476ba5adfc6b542367ad22675
  SHA1: 04e7a43abc6e75afcd2f425c9200171ec84174cf
  SHA256: 8d30a22baa9bc6f75139be171c759d794dd1c538f870909930207df114706f57
  SHA512: 6a2a915f52de80951b31e557067137ccf6ad1e01ad19abce156f17b6d0cfa59111fdea3b9c8d6a600b551489b79482faaf8de778114efe838bbad0ce87dfbf6d

memory/3116-132-0x0000023935B30000-0x0000023935B40000-memory.dmp
  Filesize: 64KB

memory/3116-133-0x0000023935B90000-0x0000023935BA0000-memory.dmp
  Filesize: 64KB

memory/3116-134-0x0000023938890000-0x0000023938894000-memory.dmp
  Filesize: 16KB