Analysis
- max time kernel: 157s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 10:34

Static task: static1

Behavioral task: behavioral1
- Sample: 06c7509621b6f70c790fddc3595ef5890afcc0d8aa21112d3e8fde07d66e1985.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 06c7509621b6f70c790fddc3595ef5890afcc0d8aa21112d3e8fde07d66e1985.exe
- Resource: win10v2004-en-20220113

General
- Target: 06c7509621b6f70c790fddc3595ef5890afcc0d8aa21112d3e8fde07d66e1985.exe
- Size: 216KB
- MD5: 529e27aa32e8826ebae7581d9ff050ee
- SHA1: 18e17a9d30518a9cbbc4ebb27165ba8c6291eee2
- SHA256: 06c7509621b6f70c790fddc3595ef5890afcc0d8aa21112d3e8fde07d66e1985
- SHA512: 7a2126bff313f5322d5aa8bc05a0a4ede68b828e483c492a43a6801ad10f13f0f1a50f0f002eafe471d1c08e9718f4cbbfd44ff564dbe68905debaff7a5f2dfb
Malware Config
Signatures
-
- Sakula Payload (4 IoCs)
  resource -> yara_rule:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
  - behavioral2/memory/2160-135-0x0000000000400000-0x0000000000420000-memory.dmp -> family_sakula
  - behavioral2/memory/2040-136-0x0000000000400000-0x0000000000420000-memory.dmp -> family_sakula
  The rule fires on the dropped file on disk and on the 0x0000000000400000-0x0000000000420000 image region of both the dropper (PID 2160) and the dropped MediaCenter.exe process (PID 2040).
- suricata: ET MALWARE SUSPICIOUS UA (iexplore) (reported twice)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1 (reported twice)
  The beacon rule firing means the sample reached its C2 callback stage during the run; the destination is not part of this extract of the report (the Network section below is empty).
- Executes dropped EXE (1 IoC)
  - MediaCenter.exe, PID 2040
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation, by 06c7509621b6f70c790fddc3595ef5890afcc0d8aa21112d3e8fde07d66e1985.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe", by 06c7509621b6f70c790fddc3595ef5890afcc0d8aa21112d3e8fde07d66e1985.exe
  The value lands under WOW6432Node because the sample is a 32-bit process and its write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is redirected by WOW64 on x64 Windows. It is a machine-wide (HKLM) autorun, so writing it needs administrative rights; the sandbox user (Admin) has them, which is why this succeeded here. When hunting, check both the native Run key and the WOW6432Node copy.
- Drops file in Windows directory (8 IoCs)
  All eight are opened for modification by svchost.exe (PID 4724, hosting the wuauserv Windows Update service) and TiWorker.exe (PID 1812, the Windows Modules Installer worker), not by the sample or its children:
  - C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  - C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
  - C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  - C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  - C:\Windows\WindowsUpdate.log (svchost.exe)
  - C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
  - C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
  - C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
  These are ordinary Windows Update and servicing-stack writes that happen to fall inside the analysis window; treat them as sandbox noise.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches the note "likely ransomware behaviour" to this signature generically; nothing else in this report shows encryption activity, and the YARA and Suricata matches above identify the sample as the Sakula/Mivast RAT, so do not read this as ransomware.
- Runs ping.exe (1 TTP, 1 IoC)
  Here ping 127.0.0.1 is the delay in the cmd.exe self-deletion one-liner shown in the process tree, not network reconnaissance.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Only one of the 64 entries is attributable to the sample:
  - Token: SeIncBasePriorityPrivilege, PID 2160, 06c7509621b6f70c790fddc3595ef5890afcc0d8aa21112d3e8fde07d66e1985.exe
  The remainder are svchost.exe (PID 4724: SeShutdownPrivilege and SeCreatePagefilePrivilege, three times each) and TiWorker.exe (PID 1812: SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, enabled over and over), which is normal for the update service and the servicing stack.
- Suspicious use of WriteProcessMemory (9 IoCs)
  - PID 2160 (06c7509621b6f70c790fddc3595ef5890afcc0d8aa21112d3e8fde07d66e1985.exe) wrote to memory of PID 2040 (MediaCenter.exe), three times
  - PID 2160 (06c7509621b6f70c790fddc3595ef5890afcc0d8aa21112d3e8fde07d66e1985.exe) wrote to memory of PID 2100 (cmd.exe), three times
  - PID 2100 (cmd.exe) wrote to memory of PID 4120 (PING.EXE), three times
  Every write is from a parent into a child it has just created, and the same three-write pattern appears for cmd.exe starting PING.EXE, so this signature alone is not evidence that the dropper injected code into MediaCenter.exe; the YARA match on both processes' image regions is the stronger indicator that they run the same payload.
Processes
- C:\Users\Admin\AppData\Local\Temp\06c7509621b6f70c790fddc3595ef5890afcc0d8aa21112d3e8fde07d66e1985.exe (depth 1, PID 2160)
  Command line: "C:\Users\Admin\AppData\Local\Temp\06c7509621b6f70c790fddc3595ef5890afcc0d8aa21112d3e8fde07d66e1985.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2, PID 2040)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2100)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06c7509621b6f70c790fddc3595ef5890afcc0d8aa21112d3e8fde07d66e1985.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3, PID 4120)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (depth 1, PID 4724)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (depth 1, PID 1812)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the dropper (PID 2160) starts its persisted copy MediaCenter.exe, then spawns cmd.exe with the classic self-deletion one-liner, where ping 127.0.0.1 is only a delay so that cmd.exe outlives the dropper before del /q removes the original file from %TEMP%. The command line asks for C:\Windows\System32\cmd.exe but the image actually loaded is C:\Windows\SysWOW64\cmd.exe (likewise PING.EXE), which is file-system redirection for a 32-bit parent and matches the WOW6432Node Run key above. The svchost.exe (wuauserv) and TiWorker.exe trees are unrelated Windows Update activity in the same window.
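As an added example (not part of this sandbox report), the following Python flags the three behaviours in the tree above that are attributable to the sample itself (the Run key pointing into a user temp directory, the ping-then-del self-deletion one-liner, and the Geo\Nation query) from process and registry events in the shape the report prints. All PIDs, paths and registry keys are constructed to mirror the report; the two events marked "benign control" are invented for contrast and do not appear in the report.

```python
"""Triage helpers for the sample-attributable behaviours in this report.
Added example; the events below are constructed to mirror the report."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path of the process as loaded
    cmdline: str    # command line as logged


@dataclass
class RegEvent:
    pid: int
    op: str         # "set" or "query"
    key: str        # full \REGISTRY\... path including the value name
    data: str = ""  # value data for "set" events


# Run / RunOnce under HKLM or a user hive, with or without the WOW6432Node
# redirection a 32-bit process lands in on x64 Windows.
RUN_KEY_RE = re.compile(
    r"^\\REGISTRY\\(?:MACHINE|USER\\[^\\]+)\\SOFTWARE\\(?:WOW6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
TEMP_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
# ping <loopback> [-n N] [> nul] & del [/f] [/q] "<file>": the ping is only a
# delay so that the deleting cmd.exe outlives the process that owns the file.
SELF_DELETE_RE = re.compile(
    r"ping\s+(?:127\.0\.0\.1|localhost|::1)\b.*?&+\s*del\s+(?:/\w\s+)*"
    r"\"?(?P<target>[^\"&]+?)\"?\s*$",
    re.IGNORECASE,
)


def persistence_hits(regs: List[RegEvent]) -> List[Tuple[int, str, str, str]]:
    """Run-key writes whose target lives under a user's AppData\\Local\\Temp."""
    hits = []
    for ev in regs:
        if ev.op != "set":
            continue
        m = RUN_KEY_RE.match(ev.key)
        if m and TEMP_PATH_RE.search(ev.data):
            hive = "HKLM" if ev.key.upper().startswith(r"\REGISTRY\MACHINE") else "HKU"
            hits.append((ev.pid, hive, m.group("name"), ev.data.strip('"')))
    return hits


def self_delete_hits(procs: List[ProcEvent]) -> List[Tuple[int, str, bool]]:
    """cmd.exe lines using the ping-then-del idiom; the bool says whether the
    deleted file is the image of the process that spawned this cmd.exe."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        m = SELF_DELETE_RE.search(p.cmdline)
        if not m:
            continue
        target = m.group("target").strip()
        parent = by_pid.get(p.ppid)
        deletes_parent = parent is not None and parent.image.lower() == target.lower()
        hits.append((p.pid, target, deletes_parent))
    return hits


def geofence_hits(regs: List[RegEvent]) -> List[int]:
    """PIDs that read the configured country code (Geo\\Nation)."""
    return sorted({ev.pid for ev in regs if ev.op == "query" and GEO_NATION_RE.search(ev.key)})


def triage(procs: List[ProcEvent], regs: List[RegEvent]) -> Dict[str, list]:
    return {
        "run_key_to_temp": persistence_hits(regs),
        "ping_del_self_delete": self_delete_hits(procs),
        "geo_nation_query": geofence_hits(regs),
    }


# Constructed events mirroring the report's process tree and registry IoCs.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\06c7509621b6f70c790fddc3595ef5890afcc0d8aa21112d3e8fde07d66e1985.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
SID = "S-1-5-21-1346565761-3498240568-4147300184-1000"

PROC_EVENTS = [
    ProcEvent(2160, 0, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(2040, 2160, DROPPED, DROPPED),
    ProcEvent(2100, 2160, r"C:\Windows\SysWOW64\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'),
    ProcEvent(4120, 2100, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    # benign control (invented): a real ping, not the self-delete idiom
    ProcEvent(5000, 1, r"C:\Windows\System32\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c ping 8.8.8.8 -n 1'),
]

REG_EVENTS = [
    RegEvent(2160, "query", "\\REGISTRY\\USER\\" + SID + "\\Control Panel\\International\\Geo\\Nation"),
    RegEvent(2160, "set",
             r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
             '"' + DROPPED + '"'),
    # benign control (invented): a Run entry pointing at an installed program
    RegEvent(7000, "set", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
             r"C:\Program Files\Vendor\agent.exe /background"),
]

if __name__ == "__main__":
    for rule, hits in triage(PROC_EVENTS, REG_EVENTS).items():
        print(rule, hits)
```

The self-deletion rule ties the deleted path back to the image of the process that spawned cmd.exe, so a generic "ping then del" of some other file scores lower than a process erasing itself; the Run-key rule deliberately accepts both the native and the WOW6432Node key paths so a 32-bit dropper on x64 is not missed.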
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (listed twice in the report with identical hashes)
  - MD5: 8a9fa3de912efe130c897cce0f6c298c
  - SHA1: 0554a73d049579dfa1633c6a2217783ac1d1fe52
  - SHA256: 65dfc3a85acaf137f7b305d57f541f92dec7143554f06f90a51fe93dc20c013a
  - SHA512: 0084b38162a5a20649c808c397a7704f2ddce0423c132cd7286782d952f6f164135532011bc7643cf70f6b4ff7900fb5b6bacf44beab8e9eee2a660ce40cb57c
  The dropped file's hashes differ from the submitted sample (MD5 529e27aa32e8826ebae7581d9ff050ee, 216KB), so MediaCenter.exe is an extracted payload rather than a copy of the dropper; hunt for both hash sets.
- memory/2040-136-0x0000000000400000-0x0000000000420000-memory.dmp: 128KB (MediaCenter.exe image region, matched by family_sakula)
- memory/2160-135-0x0000000000400000-0x0000000000420000-memory.dmp: 128KB (dropper image region, matched by family_sakula)
- memory/4724-132-0x0000026534720000-0x0000026534730000-memory.dmp: 64KB (svchost.exe, wuauserv; unrelated to the sample)
- memory/4724-133-0x0000026534780000-0x0000026534790000-memory.dmp: 64KB (svchost.exe, wuauserv; unrelated to the sample)
- memory/4724-134-0x0000026536E30000-0x0000026536E34000-memory.dmp: 16KB (svchost.exe, wuauserv; unrelated to the sample)