Analysis
max time kernel: 172s
max time network: 178s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 10:59
Behavioral task: behavioral1
Sample: 059ba058df0e6f2a70bea99a254faa13621e7335103ea806f2e9efde0e03c949.exe
Resource: win7-en-20211208
General
Target: 059ba058df0e6f2a70bea99a254faa13621e7335103ea806f2e9efde0e03c949.exe
Size: 216KB
MD5: e78b7322cd18724a50ab5b8a2ddd0886
SHA1: 43447243c511235028d38285b65d3c7e02e740b9
SHA256: 059ba058df0e6f2a70bea99a254faa13621e7335103ea806f2e9efde0e03c949
SHA512: abdb2dba403e2154800f18f9448e62e285ee509bcfca591c167fd663f7f40848981a34c97e335b81a4937af5e3fb4485a4f82aa33ea5a808ff2bddd63191131f
Malware Config
Signatures

Sakula Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE 1 IoCs
Processes:
pid | process
2916 | MediaCenter.exe

Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 059ba058df0e6f2a70bea99a254faa13621e7335103ea806f2e9efde0e03c949.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 059ba058df0e6f2a70bea99a254faa13621e7335103ea806f2e9efde0e03c949.exe
Drops file in Windows directory 8 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 2340 | 059ba058df0e6f2a70bea99a254faa13621e7335103ea806f2e9efde0e03c949.exe
Token: SeShutdownPrivilege | 3788 | svchost.exe
Token: SeCreatePagefilePrivilege | 3788 | svchost.exe
Token: SeShutdownPrivilege | 3788 | svchost.exe
Token: SeCreatePagefilePrivilege | 3788 | svchost.exe
Token: SeShutdownPrivilege | 3788 | svchost.exe
Token: SeCreatePagefilePrivilege | 3788 | svchost.exe
Token: SeSecurityPrivilege | 2276 | TiWorker.exe
Token: SeRestorePrivilege | 2276 | TiWorker.exe
Token: SeBackupPrivilege | 2276 | TiWorker.exe
Token: SeBackupPrivilege | 2276 | TiWorker.exe
Token: SeRestorePrivilege | 2276 | TiWorker.exe
Token: SeSecurityPrivilege | 2276 | TiWorker.exe
Token: SeBackupPrivilege | 2276 | TiWorker.exe
Token: SeRestorePrivilege | 2276 | TiWorker.exe
Token: SeSecurityPrivilege | 2276 | TiWorker.exe
Token: SeBackupPrivilege | 2276 | TiWorker.exe
Token: SeRestorePrivilege | 2276 | TiWorker.exe
Token: SeSecurityPrivilege | 2276 | TiWorker.exe
Token: SeBackupPrivilege | 2276 | TiWorker.exe
Token: SeRestorePrivilege | 2276 | TiWorker.exe
Token: SeSecurityPrivilege | 2276 | TiWorker.exe
Token: SeBackupPrivilege | 2276 | TiWorker.exe
Token: SeRestorePrivilege | 2276 | TiWorker.exe
Token: SeSecurityPrivilege | 2276 | TiWorker.exe
Token: SeBackupPrivilege | 2276 | TiWorker.exe
Token: SeRestorePrivilege | 2276 | TiWorker.exe
Token: SeSecurityPrivilege | 2276 | TiWorker.exe
Token: SeBackupPrivilege | 2276 | TiWorker.exe
Token: SeRestorePrivilege | 2276 | TiWorker.exe
Token: SeSecurityPrivilege | 2276 | TiWorker.exe
Token: SeBackupPrivilege | 2276 | TiWorker.exe
Token: SeRestorePrivilege | 2276 | TiWorker.exe
Token: SeSecurityPrivilege | 2276 | TiWorker.exe
Token: SeBackupPrivilege | 2276 | TiWorker.exe
Token: SeRestorePrivilege | 2276 | TiWorker.exe
Token: SeSecurityPrivilege | 2276 | TiWorker.exe
Token: SeBackupPrivilege | 2276 | TiWorker.exe
Token: SeRestorePrivilege | 2276 | TiWorker.exe
Token: SeSecurityPrivilege | 2276 | TiWorker.exe
Token: SeBackupPrivilege | 2276 | TiWorker.exe
Token: SeRestorePrivilege | 2276 | TiWorker.exe
Token: SeSecurityPrivilege | 2276 | TiWorker.exe
Token: SeBackupPrivilege | 2276 | TiWorker.exe
Token: SeRestorePrivilege | 2276 | TiWorker.exe
Token: SeSecurityPrivilege | 2276 | TiWorker.exe
Token: SeBackupPrivilege | 2276 | TiWorker.exe
Token: SeRestorePrivilege | 2276 | TiWorker.exe
Token: SeSecurityPrivilege | 2276 | TiWorker.exe
Token: SeBackupPrivilege | 2276 | TiWorker.exe
Token: SeRestorePrivilege | 2276 | TiWorker.exe
Token: SeSecurityPrivilege | 2276 | TiWorker.exe
Token: SeBackupPrivilege | 2276 | TiWorker.exe
Token: SeRestorePrivilege | 2276 | TiWorker.exe
Token: SeSecurityPrivilege | 2276 | TiWorker.exe
Token: SeBackupPrivilege | 2276 | TiWorker.exe
Token: SeRestorePrivilege | 2276 | TiWorker.exe
Token: SeSecurityPrivilege | 2276 | TiWorker.exe
Token: SeBackupPrivilege | 2276 | TiWorker.exe
Token: SeRestorePrivilege | 2276 | TiWorker.exe
Token: SeSecurityPrivilege | 2276 | TiWorker.exe
Token: SeBackupPrivilege | 2276 | TiWorker.exe
Token: SeRestorePrivilege | 2276 | TiWorker.exe
Token: SeSecurityPrivilege | 2276 | TiWorker.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 2340 wrote to memory of 2916 | 2340 | 059ba058df0e6f2a70bea99a254faa13621e7335103ea806f2e9efde0e03c949.exe | MediaCenter.exe
PID 2340 wrote to memory of 2916 | 2340 | 059ba058df0e6f2a70bea99a254faa13621e7335103ea806f2e9efde0e03c949.exe | MediaCenter.exe
PID 2340 wrote to memory of 2916 | 2340 | 059ba058df0e6f2a70bea99a254faa13621e7335103ea806f2e9efde0e03c949.exe | MediaCenter.exe
PID 2340 wrote to memory of 2656 | 2340 | 059ba058df0e6f2a70bea99a254faa13621e7335103ea806f2e9efde0e03c949.exe | cmd.exe
PID 2340 wrote to memory of 2656 | 2340 | 059ba058df0e6f2a70bea99a254faa13621e7335103ea806f2e9efde0e03c949.exe | cmd.exe
PID 2340 wrote to memory of 2656 | 2340 | 059ba058df0e6f2a70bea99a254faa13621e7335103ea806f2e9efde0e03c949.exe | cmd.exe
PID 2656 wrote to memory of 1344 | 2656 | cmd.exe | PING.EXE
PID 2656 wrote to memory of 1344 | 2656 | cmd.exe | PING.EXE
PID 2656 wrote to memory of 1344 | 2656 | cmd.exe | PING.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\059ba058df0e6f2a70bea99a254faa13621e7335103ea806f2e9efde0e03c949.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\059ba058df0e6f2a70bea99a254faa13621e7335103ea806f2e9efde0e03c949.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 2340

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 2916

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\059ba058df0e6f2a70bea99a254faa13621e7335103ea806f2e9efde0e03c949.exe"
      - Suspicious use of WriteProcessMemory
      PID: 2656

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 1344

1. C:\Windows\system32\svchost.exe
   Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   PID: 3788

1. C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
   Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   PID: 2276
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5: 2a94b74dfdcf08913e0e6dbcb2178a9a
SHA1: 8606838dce0ed3fc2ef07dc6c5507e2ad4161802
SHA256: 3e477cd546eac615a6c6caf5ae4abab5f60700e028102a63ec3f5b7d38541c27
SHA512: 51b5415446b795de0ce8f9b6cb76699e296d4b1562bde3575d40372165e58800105af62760b985457ace83039ff3c29df88dc8f4faad8eef724dde0f1dfc269e

memory/3788-132-0x00000146B4590000-0x00000146B45A0000-memory.dmp
Filesize: 64KB

memory/3788-133-0x00000146B4B20000-0x00000146B4B30000-memory.dmp
Filesize: 64KB

memory/3788-134-0x00000146B7210000-0x00000146B7214000-memory.dmp
Filesize: 16KB