Analysis

Max time kernel:   163s
Max time network:  185s
Platform:          windows10-2004_x64
Resource:          win10v2004-en-20220113
Submitted:         12-02-2022 11:07

Static task:       static1
Behavioral task:   behavioral1
  Sample:          054da09fb903748f7e22cf05eb4c05bf2bc7139099797d927f0dc4bac8310e7a.exe
  Resource:        win7-en-20211208
Behavioral task:   behavioral2
  Sample:          054da09fb903748f7e22cf05eb4c05bf2bc7139099797d927f0dc4bac8310e7a.exe
  Resource:        win10v2004-en-20220113
General

Target:  054da09fb903748f7e22cf05eb4c05bf2bc7139099797d927f0dc4bac8310e7a.exe
Size:    216KB
MD5:     911d8638b650d122df51e315096c9957
SHA1:    9a203a22ddfe575760da231814aebaddfb6559bc
SHA256:  054da09fb903748f7e22cf05eb4c05bf2bc7139099797d927f0dc4bac8310e7a
SHA512:  20c978113918ab06a1102ba4aacb4e6ea833115f30047ea93a2eb5f7d000a73cf5a91c84f0e70902f2294a495d28d24344bcd64b0628e495114e2ba53cc120e0
Malware Config
Signatures
Sakula Payload (4 IoCs)
  Resource                                                                      YARA rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                  family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                  family_sakula
  behavioral2/memory/3608-135-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
  behavioral2/memory/1092-136-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
  PID   Process
  1092  MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Description        IoC                                                                                                Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  054da09fb903748f7e22cf05eb4c05bf2bc7139099797d927f0dc4bac8310e7a.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Description      IoC                                                                                                                                                              Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  054da09fb903748f7e22cf05eb4c05bf2bc7139099797d927f0dc4bac8310e7a.exe
Drops file in Windows directory (8 IoCs)
  Description                   IoC                                                            Process
  File opened for modification  C:\Windows\WindowsUpdate.log                                   svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk         svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log         svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb        svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm        svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log            svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log                                    TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml                                  TiWorker.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token                                                                       PID   Process                                                                Events
  SeShutdownPrivilege                                                         5044  svchost.exe                                                            3
  SeCreatePagefilePrivilege                                                   5044  svchost.exe                                                            3
  SeIncBasePriorityPrivilege                                                  3608  054da09fb903748f7e22cf05eb4c05bf2bc7139099797d927f0dc4bac8310e7a.exe  1
  SeSecurityPrivilege / SeRestorePrivilege / SeBackupPrivilege (cycled)       4284  TiWorker.exe                                                           57
Suspicious use of WriteProcessMemory (9 IoCs)
  Source PID  Source process                                                         Target PID  Target process   Events
  3608        054da09fb903748f7e22cf05eb4c05bf2bc7139099797d927f0dc4bac8310e7a.exe  1092        MediaCenter.exe  3
  3608        054da09fb903748f7e22cf05eb4c05bf2bc7139099797d927f0dc4bac8310e7a.exe  2376        cmd.exe          3
  2376        cmd.exe                                                                3232        PING.EXE         3
Processes

[1] C:\Users\Admin\AppData\Local\Temp\054da09fb903748f7e22cf05eb4c05bf2bc7139099797d927f0dc4bac8310e7a.exe  (PID 3608)
    Command line: "C:\Users\Admin\AppData\Local\Temp\054da09fb903748f7e22cf05eb4c05bf2bc7139099797d927f0dc4bac8310e7a.exe"
    Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1092)
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Signatures: Executes dropped EXE

    [2] C:\Windows\SysWOW64\cmd.exe  (PID 2376)
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\054da09fb903748f7e22cf05eb4c05bf2bc7139099797d927f0dc4bac8310e7a.exe"
        Signatures: Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\PING.EXE  (PID 3232)
            Command line: ping 127.0.0.1
            Signatures: Runs ping.exe

[1] C:\Windows\system32\svchost.exe  (PID 5044)
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  (PID 4284)
    Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5:     3961eccf484c465924fb5fa83d27d1a6
  SHA1:    32e91d4287780cac49affef492bfd13aeef93c4c
  SHA256:  2e44e307afeb366f03248c27e93922ee41b85d482497d347afc5849a1533c304
  SHA512:  9b4bbeadbd7d7fdddce45e6fc480de1b84abcdcc1ed7d2b08ceeca7240aa0fdb7dec1048830a89d5b42ba932fdf5fc066e3ded5c6fba80488092ed7110f23ae8

Memory dumps
  Dump                                                          Filesize
  memory/1092-136-0x0000000000400000-0x0000000000420000-memory.dmp  128KB
  memory/3608-135-0x0000000000400000-0x0000000000420000-memory.dmp  128KB
  memory/5044-132-0x0000021AB5F60000-0x0000021AB5F70000-memory.dmp  64KB
  memory/5044-133-0x0000021AB6520000-0x0000021AB6530000-memory.dmp  64KB
  memory/5044-134-0x0000021AB8BD0000-0x0000021AB8BD4000-memory.dmp  16KB