Analysis
- max time kernel: 157s
- max time network: 180s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 11:02
Static task: static1
Behavioral task: behavioral1
  Sample: 0578aded6b549aff597036154eac27e3dc5409b2fa885e23984e77cbc2a01ed1.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0578aded6b549aff597036154eac27e3dc5409b2fa885e23984e77cbc2a01ed1.exe
  Resource: win10v2004-en-20220113
General
- Target: 0578aded6b549aff597036154eac27e3dc5409b2fa885e23984e77cbc2a01ed1.exe
- Size: 216KB
- MD5: ab82e84388b0519bfcf3d8e0131800f5
- SHA1: adbe818edfd7c68f20dbc1ff153e8e405feb2c8f
- SHA256: 0578aded6b549aff597036154eac27e3dc5409b2fa885e23984e77cbc2a01ed1
- SHA512: 44f9d9b66cb3e8e92c8d155decafe587469028daef3e9df0ae4a91f64a05ca46ddfcefee29a4f24f337308269717c14ad7ad4af28163d8edc9c187a2e3c6abdd
Malware Config
Signatures
-
Sakula Payload 4 IoCs
Processes:
  resource -> yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
  behavioral2/memory/3924-132-0x0000000000400000-0x0000000000420000-memory.dmp -> family_sakula
  behavioral2/memory/4848-136-0x0000000000400000-0x0000000000420000-memory.dmp -> family_sakula
-
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
  pid 4848  process MediaCenter.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (process: 0578aded6b549aff597036154eac27e3dc5409b2fa885e23984e77cbc2a01ed1.exe)
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (process: 0578aded6b549aff597036154eac27e3dc5409b2fa885e23984e77cbc2a01ed1.exe)
-
Drops file in Windows directory 8 IoCs
Processes:
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (process: svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (process: svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (process: svchost.exe)
  File opened for modification: C:\Windows\Logs\CBS\CBS.log (process: TiWorker.exe)
  File opened for modification: C:\Windows\WinSxS\pending.xml (process: TiWorker.exe)
  File opened for modification: C:\Windows\WindowsUpdate.log (process: svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (process: svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (process: svchost.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  Token: SeIncBasePriorityPrivilege (pid 3924, 0578aded6b549aff597036154eac27e3dc5409b2fa885e23984e77cbc2a01ed1.exe)
  Token: SeShutdownPrivilege (pid 4276, svchost.exe)
  Token: SeCreatePagefilePrivilege (pid 4276, svchost.exe)
  Token: SeShutdownPrivilege (pid 4276, svchost.exe)
  Token: SeCreatePagefilePrivilege (pid 4276, svchost.exe)
  Token: SeShutdownPrivilege (pid 4276, svchost.exe)
  Token: SeCreatePagefilePrivilege (pid 4276, svchost.exe)
  Token: SeSecurityPrivilege (pid 1788, TiWorker.exe)
  Token: SeRestorePrivilege (pid 1788, TiWorker.exe)
  Token: SeBackupPrivilege (pid 1788, TiWorker.exe)
  (the three TiWorker.exe tokens above recur in alternation for the remainder of the 64 listed IoCs)
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  PID 3924 wrote to memory of 4848 (0578aded6b549aff597036154eac27e3dc5409b2fa885e23984e77cbc2a01ed1.exe -> MediaCenter.exe)
  PID 3924 wrote to memory of 4848 (0578aded6b549aff597036154eac27e3dc5409b2fa885e23984e77cbc2a01ed1.exe -> MediaCenter.exe)
  PID 3924 wrote to memory of 4848 (0578aded6b549aff597036154eac27e3dc5409b2fa885e23984e77cbc2a01ed1.exe -> MediaCenter.exe)
  PID 3924 wrote to memory of 3216 (0578aded6b549aff597036154eac27e3dc5409b2fa885e23984e77cbc2a01ed1.exe -> cmd.exe)
  PID 3924 wrote to memory of 3216 (0578aded6b549aff597036154eac27e3dc5409b2fa885e23984e77cbc2a01ed1.exe -> cmd.exe)
  PID 3924 wrote to memory of 3216 (0578aded6b549aff597036154eac27e3dc5409b2fa885e23984e77cbc2a01ed1.exe -> cmd.exe)
  PID 3216 wrote to memory of 4996 (cmd.exe -> PING.EXE)
  PID 3216 wrote to memory of 4996 (cmd.exe -> PING.EXE)
  PID 3216 wrote to memory of 4996 (cmd.exe -> PING.EXE)
Processes
-
C:\Users\Admin\AppData\Local\Temp\0578aded6b549aff597036154eac27e3dc5409b2fa885e23984e77cbc2a01ed1.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0578aded6b549aff597036154eac27e3dc5409b2fa885e23984e77cbc2a01ed1.exe"
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3924
-
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - Executes dropped EXE
  PID:4848
-
  C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0578aded6b549aff597036154eac27e3dc5409b2fa885e23984e77cbc2a01ed1.exe"
  - Suspicious use of WriteProcessMemory
  PID:3216
-
    C:\Windows\SysWOW64\PING.EXE
    Command line: ping 127.0.0.1
    - Runs ping.exe
    PID:4996
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4276
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1788
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5: 0a6abe8e23574921adc1275fe796a02f
SHA1: c1e220e02e92b02306db6e1b6a69c8f91937dbeb
SHA256: ae7f93e3785bce8bae8a607a357af9d9ad8bda4ba17675c2a41f8bdb23eff78a
SHA512: b9c49c846bfec728af5f9b92a5e2d472203999ccecc8725db37aed4f0d8299fa5c693ffd8b4158be01b1c2c98530796b0523f3b7193b356a639db9501f472202
-
memory/3924-132-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB
-
memory/4276-133-0x00000278CB9A0000-0x00000278CB9B0000-memory.dmp
Filesize: 64KB
-
memory/4276-134-0x00000278CC020000-0x00000278CC030000-memory.dmp
Filesize: 64KB
-
memory/4276-135-0x00000278CE720000-0x00000278CE724000-memory.dmp
Filesize: 16KB
-
memory/4848-136-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB