Analysis
max time kernel: 157s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 10:17
Static task: static1
Behavioral task: behavioral1
  Sample: 07aa8c466ed795395f27a537782d6981cc538dcd6f077808c56fa66b3a4f9fb3.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 07aa8c466ed795395f27a537782d6981cc538dcd6f077808c56fa66b3a4f9fb3.exe
  Resource: win10v2004-en-20220113
General
Target: 07aa8c466ed795395f27a537782d6981cc538dcd6f077808c56fa66b3a4f9fb3.exe
Size: 92KB
MD5: dfdba3ec8b6b8b204ee1aae2a9b46c69
SHA1: c11a4d773ab93c0fc933f075611d72eb3d7d59c4
SHA256: 07aa8c466ed795395f27a537782d6981cc538dcd6f077808c56fa66b3a4f9fb3
SHA512: 02a5d48b039f16311ca2df62a62dc87e63fe251e8c6f4584de5d344e4d9c3e22746c39922f0f3e17377d370039332e797d2d177f74b0604787f2892ab83e7ec5
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  4736 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 07aa8c466ed795395f27a537782d6981cc538dcd6f077808c56fa66b3a4f9fb3.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 07aa8c466ed795395f27a537782d6981cc538dcd6f077808c56fa66b3a4f9fb3.exe
Drops file in Windows directory (8 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 4456 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4456 | svchost.exe
  Token: SeShutdownPrivilege | 4456 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4456 | svchost.exe
  Token: SeShutdownPrivilege | 4456 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4456 | svchost.exe
  Token: SeSecurityPrivilege | 4692 | TiWorker.exe
  Token: SeRestorePrivilege | 4692 | TiWorker.exe
  Token: SeBackupPrivilege | 4692 | TiWorker.exe
  Token: SeBackupPrivilege | 4692 | TiWorker.exe
  Token: SeRestorePrivilege | 4692 | TiWorker.exe
  Token: SeSecurityPrivilege | 4692 | TiWorker.exe
  Token: SeBackupPrivilege | 4692 | TiWorker.exe
  Token: SeRestorePrivilege | 4692 | TiWorker.exe
  Token: SeSecurityPrivilege | 4692 | TiWorker.exe
  Token: SeBackupPrivilege | 4692 | TiWorker.exe
  Token: SeRestorePrivilege | 4692 | TiWorker.exe
  Token: SeSecurityPrivilege | 4692 | TiWorker.exe
  Token: SeBackupPrivilege | 4692 | TiWorker.exe
  Token: SeRestorePrivilege | 4692 | TiWorker.exe
  Token: SeSecurityPrivilege | 4692 | TiWorker.exe
  Token: SeBackupPrivilege | 4692 | TiWorker.exe
  Token: SeRestorePrivilege | 4692 | TiWorker.exe
  Token: SeSecurityPrivilege | 4692 | TiWorker.exe
  Token: SeBackupPrivilege | 4692 | TiWorker.exe
  Token: SeRestorePrivilege | 4692 | TiWorker.exe
  Token: SeSecurityPrivilege | 4692 | TiWorker.exe
  Token: SeBackupPrivilege | 4692 | TiWorker.exe
  Token: SeRestorePrivilege | 4692 | TiWorker.exe
  Token: SeSecurityPrivilege | 4692 | TiWorker.exe
  Token: SeBackupPrivilege | 4692 | TiWorker.exe
  Token: SeRestorePrivilege | 4692 | TiWorker.exe
  Token: SeSecurityPrivilege | 4692 | TiWorker.exe
  Token: SeBackupPrivilege | 4692 | TiWorker.exe
  Token: SeRestorePrivilege | 4692 | TiWorker.exe
  Token: SeSecurityPrivilege | 4692 | TiWorker.exe
  Token: SeBackupPrivilege | 4692 | TiWorker.exe
  Token: SeRestorePrivilege | 4692 | TiWorker.exe
  Token: SeSecurityPrivilege | 4692 | TiWorker.exe
  Token: SeBackupPrivilege | 4692 | TiWorker.exe
  Token: SeRestorePrivilege | 4692 | TiWorker.exe
  Token: SeSecurityPrivilege | 4692 | TiWorker.exe
  Token: SeBackupPrivilege | 4692 | TiWorker.exe
  Token: SeRestorePrivilege | 4692 | TiWorker.exe
  Token: SeSecurityPrivilege | 4692 | TiWorker.exe
  Token: SeBackupPrivilege | 4692 | TiWorker.exe
  Token: SeRestorePrivilege | 4692 | TiWorker.exe
  Token: SeSecurityPrivilege | 4692 | TiWorker.exe
  Token: SeBackupPrivilege | 4692 | TiWorker.exe
  Token: SeRestorePrivilege | 4692 | TiWorker.exe
  Token: SeSecurityPrivilege | 4692 | TiWorker.exe
  Token: SeBackupPrivilege | 4692 | TiWorker.exe
  Token: SeRestorePrivilege | 4692 | TiWorker.exe
  Token: SeSecurityPrivilege | 4692 | TiWorker.exe
  Token: SeBackupPrivilege | 4692 | TiWorker.exe
  Token: SeRestorePrivilege | 4692 | TiWorker.exe
  Token: SeSecurityPrivilege | 4692 | TiWorker.exe
  Token: SeBackupPrivilege | 4692 | TiWorker.exe
  Token: SeRestorePrivilege | 4692 | TiWorker.exe
  Token: SeSecurityPrivilege | 4692 | TiWorker.exe
  Token: SeBackupPrivilege | 4692 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description | pid | process | target process
  PID 4148 wrote to memory of 4736 | 4148 | 07aa8c466ed795395f27a537782d6981cc538dcd6f077808c56fa66b3a4f9fb3.exe | MediaCenter.exe
  PID 4148 wrote to memory of 4736 | 4148 | 07aa8c466ed795395f27a537782d6981cc538dcd6f077808c56fa66b3a4f9fb3.exe | MediaCenter.exe
  PID 4148 wrote to memory of 4736 | 4148 | 07aa8c466ed795395f27a537782d6981cc538dcd6f077808c56fa66b3a4f9fb3.exe | MediaCenter.exe
  PID 4148 wrote to memory of 4976 | 4148 | 07aa8c466ed795395f27a537782d6981cc538dcd6f077808c56fa66b3a4f9fb3.exe | cmd.exe
  PID 4148 wrote to memory of 4976 | 4148 | 07aa8c466ed795395f27a537782d6981cc538dcd6f077808c56fa66b3a4f9fb3.exe | cmd.exe
  PID 4148 wrote to memory of 4976 | 4148 | 07aa8c466ed795395f27a537782d6981cc538dcd6f077808c56fa66b3a4f9fb3.exe | cmd.exe
  PID 4976 wrote to memory of 4340 | 4976 | cmd.exe | PING.EXE
  PID 4976 wrote to memory of 4340 | 4976 | cmd.exe | PING.EXE
  PID 4976 wrote to memory of 4340 | 4976 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\07aa8c466ed795395f27a537782d6981cc538dcd6f077808c56fa66b3a4f9fb3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\07aa8c466ed795395f27a537782d6981cc538dcd6f077808c56fa66b3a4f9fb3.exe"
  PID: 4148
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 4736
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\07aa8c466ed795395f27a537782d6981cc538dcd6f077808c56fa66b3a4f9fb3.exe"
      PID: 4976
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          PID: 4340
          - Runs ping.exe
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4456
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 4692
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: d86a892d85b9529f5d592eb5f701d202
  SHA1: 8b30bc59d4cbf45594265dfbb9c7a5a3b86075af
  SHA256: dc5750a0f5ac3e428649b520dc1cc362581cf13c16b75b4bb4e7cff31b1ec0ce
  SHA512: 0ec1e8436a42a625a070c59a7833b0a483969556b2de433e4f6dda901e73343e0841e7626a83fe6f77e7c51b649be59f6fd6524914fcf2a65e262039e3722c41
memory/4456-132-0x0000019EF3130000-0x0000019EF3140000-memory.dmp
  Filesize: 64KB
memory/4456-133-0x0000019EF3190000-0x0000019EF31A0000-memory.dmp
  Filesize: 64KB
memory/4456-134-0x0000019EF5E70000-0x0000019EF5E74000-memory.dmp
  Filesize: 16KB