Analysis
- max time kernel: 168s
- max time network: 179s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 11:06
Static task: static1
Behavioral task: behavioral1
  Sample: 05515a727b4081778be62772566aa41d95b66822a05c8367f3a9a0b16686bc9f.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 05515a727b4081778be62772566aa41d95b66822a05c8367f3a9a0b16686bc9f.exe
  Resource: win10v2004-en-20220113
General
- Target: 05515a727b4081778be62772566aa41d95b66822a05c8367f3a9a0b16686bc9f.exe
- Size: 150KB
- MD5: 9acab2d262159c11d858ee3bd42ba26d
- SHA1: a7bc5ce5b6e124b763a6e692bb6d38aecffa10ef
- SHA256: 05515a727b4081778be62772566aa41d95b66822a05c8367f3a9a0b16686bc9f
- SHA512: 094751da6a28970e4407a32cacf0f5571f7b1c80d2d279b99ff63db0e90afcf6881020b56239b6096a17dcdc9b384a587fa5ea87d934f5c92ad9f91b278876fb
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
  resource                                                      yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
-
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
  pid   process
  3184  MediaCenter.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                  process
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  05515a727b4081778be62772566aa41d95b66822a05c8367f3a9a0b16686bc9f.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description      ioc                                                                                                                                                                   process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  05515a727b4081778be62772566aa41d95b66822a05c8367f3a9a0b16686bc9f.exe
-
Drops file in Windows directory 8 IoCs
Processes:
  description                   ioc                                                          process
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log       svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb      svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm      svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log          svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log                                  TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml                                TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log                                 svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk       svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description                                                    pid   process
  Token: SeShutdownPrivilege / SeCreatePagefilePrivilege          4892  svchost.exe (6 entries, alternating between the two privileges)
  Token: SeIncBasePriorityPrivilege                               4548  05515a727b4081778be62772566aa41d95b66822a05c8367f3a9a0b16686bc9f.exe (1 entry)
  Token: SeSecurityPrivilege / SeRestorePrivilege / SeBackupPrivilege  3952  TiWorker.exe (57 entries, cycling through the three privileges)
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  description                        pid   process                                                                 target process
  PID 4548 wrote to memory of 3184   4548  05515a727b4081778be62772566aa41d95b66822a05c8367f3a9a0b16686bc9f.exe  MediaCenter.exe  (listed 3 times)
  PID 4548 wrote to memory of 2500   4548  05515a727b4081778be62772566aa41d95b66822a05c8367f3a9a0b16686bc9f.exe  cmd.exe          (listed 3 times)
  PID 2500 wrote to memory of 1520   2500  cmd.exe                                                                 PING.EXE         (listed 3 times)
Processes
-
C:\Users\Admin\AppData\Local\Temp\05515a727b4081778be62772566aa41d95b66822a05c8367f3a9a0b16686bc9f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\05515a727b4081778be62772566aa41d95b66822a05c8367f3a9a0b16686bc9f.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4548
  -
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID:3184
  -
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\05515a727b4081778be62772566aa41d95b66822a05c8367f3a9a0b16686bc9f.exe"
    - Suspicious use of WriteProcessMemory
    PID:2500
    -
    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      - Runs ping.exe
      PID:1520
-
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4892
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3952
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 382f158076397fc73d148d463f549c8b
  SHA1: 1926375ca24392a2bc8cd23e55d526760ae7dfa9
  SHA256: ab94cc0759d707b0cc3a1c347943d5a58bc5f0f4dbbc470e3c40d925edf5ce3b
  SHA512: 1d0ee3360c6b6dc035a5e880bb11b99eb85199360f24f7714f3668c0a9c11c1ee65f867ecaffa72846afd50e60a9d4aae3621ec868e701eb42ea98f3325326f2
-
memory/4892-132-0x0000014C56160000-0x0000014C56170000-memory.dmp
  Filesize: 64KB
-
memory/4892-133-0x0000014C56720000-0x0000014C56730000-memory.dmp
  Filesize: 64KB
-
memory/4892-134-0x0000014C58DA0000-0x0000014C58DA4000-memory.dmp
  Filesize: 16KB