Analysis
- max time kernel: 154s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 11:09
Static task: static1
Behavioral task: behavioral1
- Sample: 053423d7d25a48cb85f4eac24bbf30b263548118536e364c5ef5c8fea45d555b.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 053423d7d25a48cb85f4eac24bbf30b263548118536e364c5ef5c8fea45d555b.exe
- Resource: win10v2004-en-20220113
The signatures, process tree and memory dumps below are from behavioral2 (win10v2004-en-20220113, the platform named above); the Windows 7 run (behavioral1) is not shown on this page.
General
- Target: 053423d7d25a48cb85f4eac24bbf30b263548118536e364c5ef5c8fea45d555b.exe
- Size: 176KB
- MD5: bda08172058dabe17669a15792ef6c5d
- SHA1: 778b3eb3adc8f18c2ec0d62a865755fd7b9783cf
- SHA256: 053423d7d25a48cb85f4eac24bbf30b263548118536e364c5ef5c8fea45d555b
- SHA512: 45b4799d7c947c243e07d7ebc900fccfaf7ef34b497957481cb6c87c91eacb227561d1377b7fc8c03e2aebac8e12ef684013943fbe486506f6be5ec05fbb7911
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  The YARA rule family_sakula matched the following resources:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (dropped file; reported twice)
  - behavioral2/memory/728-135-0x0000000000400000-0x0000000000420000-memory.dmp (the submitted sample, PID 728)
  - behavioral2/memory/1164-136-0x0000000000400000-0x0000000000420000-memory.dmp (MediaCenter.exe, PID 1164)
  Both in-memory matches cover the same 128KB range at the image base (0x400000-0x420000), so the family match holds for the running code, not only for the file on disk.
- suricata: ET MALWARE SUSPICIOUS UA (iexplore) (2 hits)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1 (2 hits)
  The two network signatures are the HTTP User-Agent string "iexplore" flagged by ET and the Sakula/Mivast RAT command-and-control beacon pattern; together with the YARA match they give the family attribution for this sample.
- Executes dropped EXE (1 IoC)
  - PID 1164 MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  - Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (by 053423d7d25a48cb85f4eac24bbf30b263548118536e364c5ef5c8fea45d555b.exe, PID 728)
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe" (by 053423d7d25a48cb85f4eac24bbf30b263548118536e364c5ef5c8fea45d555b.exe, PID 728)
  The WOW6432Node path means the write was redirected by the WOW64 registry redirector, i.e. the sample runs as a 32-bit process on this x64 guest. When hunting for this persistence on a host, query both HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run.
- Drops file in Windows directory (8 IoCs)
  All eight writes come from the Windows Update service host (svchost.exe -s wuauserv, PID 4700) and the servicing stack worker (TiWorker.exe, PID 2444), not from the sample; treat them as sandbox background activity.
  - C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  - C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
  - C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  - C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  - C:\Windows\WindowsUpdate.log (svchost.exe)
  - C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
  - C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
  - C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it "likely ransomware behaviour", but nothing else in this report (the family match, the CnC beacon) points to ransomware; for a RAT, drive enumeration is more plausibly reconnaissance. No IoC is listed for this signature.
- Runs ping.exe (1 TTP, 1 IoC)
  - PID 1144 PING.EXE (ping 127.0.0.1, spawned by cmd.exe PID 3112; see the process tree)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Only one entry belongs to the sample; the rest are the Windows Update host and servicing stack adjusting their own tokens. Counts below collapse the repeated entries.
  - 053423d7d25a48cb85f4eac24bbf30b263548118536e364c5ef5c8fea45d555b.exe (PID 728): SeIncBasePriorityPrivilege (1)
  - svchost.exe (PID 4700): SeShutdownPrivilege (3), SeCreatePagefilePrivilege (3)
  - TiWorker.exe (PID 2444): SeSecurityPrivilege (19), SeRestorePrivilege (19), SeBackupPrivilege (19)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Each parent-to-child write is logged three times; the distinct relationships are:
  - PID 728 (053423d7d25a48cb85f4eac24bbf30b263548118536e364c5ef5c8fea45d555b.exe) wrote to memory of PID 1164 (MediaCenter.exe)
  - PID 728 (053423d7d25a48cb85f4eac24bbf30b263548118536e364c5ef5c8fea45d555b.exe) wrote to memory of PID 3112 (cmd.exe)
  - PID 3112 (cmd.exe) wrote to memory of PID 1144 (PING.EXE)
  Every write targets a process the writer itself just created (the pairs match the process tree exactly), which is what ordinary process creation looks like from the hooking layer; on its own this is not evidence of injection into a foreign process.
Processes
- C:\Users\Admin\AppData\Local\Temp\053423d7d25a48cb85f4eac24bbf30b263548118536e364c5ef5c8fea45d555b.exe (PID 728)
  command line: "C:\Users\Admin\AppData\Local\Temp\053423d7d25a48cb85f4eac24bbf30b263548118536e364c5ef5c8fea45d555b.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1164)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 3112)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\053423d7d25a48cb85f4eac24bbf30b263548118536e364c5ef5c8fea45d555b.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1144)
      command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 4700)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 2444)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample drops and launches MediaCenter.exe, registers it under the Run key, and then removes its own file through cmd.exe. The ping 127.0.0.1 is a short delay so that the parent process has exited (and released its file handle) before del /q runs against the original executable; the original path therefore no longer exists on disk after the run, which is why the dropped copy, not the submitted file, is the persistence target. The cmd.exe image resolves to SysWOW64 although the command line names System32, again showing a 32-bit parent on a 64-bit guest. The svchost.exe (wuauserv) and TiWorker.exe trees are Windows Update activity in the sandbox image and are unrelated to the sample.
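The self-deletion stub and the Run-key persistence shown in the tree are both cheap to detect from process-creation and registry telemetry. The following Python is an added example written for this page, not part of the sandbox report and not the Sakula sample's own code: it runs two checks over events constructed from the lines of this report (plus one benign control entry that is not from the report). The event dict layout and field names are this example's own assumption; map your EDR or Sysmon fields onto them.

```python
"""Detect the two host-side behaviours shown in this report: a cmd.exe
"ping 127.0.0.1 & del" self-deletion stub and a Run key that points into a
user-writable directory. Example code for this page, not the sandbox's logic.
The event layout (dicts with type/pid/ppid/image/cmdline or
type/pid/key/value) is an assumption of this example."""
import re

# Constructed events, transcribed from the process tree and Run-key IoC in
# this report, plus one benign control entry that is not from the report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\053423d7d25a48cb85f4eac24bbf30b263548118536e364c5ef5c8fea45d555b.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

EVENTS = [
    {"type": "process", "pid": 728, "ppid": 0, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "pid": 1164, "ppid": 728, "image": DROPPED,
     "cmdline": DROPPED},
    {"type": "process", "pid": 3112, "ppid": 728,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "'
                + SAMPLE + '"'},
    {"type": "process", "pid": 1144, "ppid": 3112,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    {"type": "registry", "pid": 728,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
            r"\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
    {"type": "registry", "pid": 4321,  # benign control, constructed
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Program Files\Example\updater.exe"},
]

# Loopback ping used as a sleep, then del/erase of a quoted or bare path.
# Ping options (-n <count>) and del switches (/q, /f) are allowed to vary.
SELF_DELETE_RE = re.compile(
    r'\bping(?:\.exe)?\b[^&]*?\b127\.0\.0\.1\b[^&]*&+\s*(?:del|erase)\b'
    r'(?:\s+/\w+)*\s+"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)
# Native and WOW64-redirected Run/RunOnce keys under any hive.
RUN_KEY_RE = re.compile(
    r'\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\',
    re.IGNORECASE,
)
# Directories an unprivileged user can write to; legitimate autostarts rarely live there.
USER_WRITABLE_RE = re.compile(
    r'\\(?:AppData\\(?:Local|Roaming)|ProgramData|Users\\Public|Windows\\Temp|Temp)\\',
    re.IGNORECASE,
)


def find_self_deletion(events):
    """Return shells that delay with a loopback ping and then delete a file.
    deletes_parent_image is True when the deleted path is the image of the
    process that spawned the shell, i.e. a dropper erasing itself."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    hits = []
    for e in events:
        if e["type"] != "process":
            continue
        m = SELF_DELETE_RE.search(e["cmdline"])
        if not m:
            continue
        target = m.group("target").strip()
        parent_image = images.get(e["ppid"], "")
        hits.append({"pid": e["pid"], "target": target,
                     "deletes_parent_image": parent_image.lower() == target.lower()})
    return hits


def find_run_keys_in_user_paths(events):
    """Return Run/RunOnce values whose command points into a user-writable directory."""
    hits = []
    for e in events:
        if e["type"] != "registry" or not RUN_KEY_RE.search(e["key"]):
            continue
        if USER_WRITABLE_RE.search(e["value"]):
            hits.append({"pid": e["pid"], "key": e["key"], "value": e["value"],
                         "wow64_redirected": "\\wow6432node\\" in e["key"].lower()})
    return hits


if __name__ == "__main__":
    for h in find_self_deletion(EVENTS):
        print("self-deletion:", h)
    for h in find_run_keys_in_user_paths(EVENTS):
        print("run-key persistence:", h)
```

On the constructed events the first check flags only cmd.exe PID 3112 and marks the deleted file as its parent's image; the second flags only the WOW6432Node MicroMedia value, since the control entry points into Program Files. The parent-image comparison is the part worth keeping: a ping-then-del line is common in installers too, but one that deletes the image of the process that spawned it is a dropper cleaning up.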
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (dropped file; listed twice in the original report)
  MD5: 666303d0ffb10f74e80259eadd227279
  SHA1: a27ac0bbc68c01f72889b5d277e298898bb45207
  SHA256: b1e0f4ff91940ec55ad5d2103990655e22784c2da549083efec49d51a28ae9cf
  SHA512: 91df5f9d42aca381a85f2dd4eb95b891e45000ac614991c18feaeea38080c660d9fb3930c2e90cb02e286c534202186a5dacdc0bdb743461152948deb2964882
  These hashes differ from the submitted sample's hashes in the General section above, so MediaCenter.exe is a distinct dropped binary rather than a byte-identical self-copy; both files match the family_sakula rule.
- memory/728-135-0x0000000000400000-0x0000000000420000-memory.dmp: 128KB (submitted sample, PID 728; family_sakula match)
- memory/1164-136-0x0000000000400000-0x0000000000420000-memory.dmp: 128KB (MediaCenter.exe, PID 1164; family_sakula match)
- memory/4700-132-0x000001203A780000-0x000001203A790000-memory.dmp: 64KB (svchost.exe wuauserv, PID 4700; sandbox background, unrelated to the sample)
- memory/4700-133-0x000001203AF60000-0x000001203AF70000-memory.dmp: 64KB (svchost.exe, PID 4700; sandbox background)
- memory/4700-134-0x000001203DB60000-0x000001203DB64000-memory.dmp: 16KB (svchost.exe, PID 4700; sandbox background)