Analysis

Max time kernel:  156s
Max time network: 163s
Platform:         windows10-2004_x64
Resource:         win10v2004-en-20220113
Submitted:        12-02-2022 10:35

Static task:     static1
Behavioral task: behavioral1
  Sample:   06c453220cae156ee74fcd965575a32420a640d5bac832ba404651efa3541021.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample:   06c453220cae156ee74fcd965575a32420a640d5bac832ba404651efa3541021.exe
  Resource: win10v2004-en-20220113

The signatures, process tree and memory dumps below are from the behavioral2 (Windows 10 2004 x64) run; the dump paths are prefixed behavioral2/.

General

Target: 06c453220cae156ee74fcd965575a32420a640d5bac832ba404651efa3541021.exe
Size:   216KB
MD5:    9d2a0fbebdfd383a1eb91f0cc0678825
SHA1:   e3cb08a1a1031a9d331f168c48640c387343c200
SHA256: 06c453220cae156ee74fcd965575a32420a640d5bac832ba404651efa3541021
SHA512: 85319908d5566cbbfec31b21811b9f3094f20ea8c95404ee108f179f232bef3f760f60c6526e771d9fb15e2608d97daef2d9fcaab84e025ce1faa62ccd5c2ff3
Malware Config
Signatures
-
Sakula Payload (4 IoCs)
YARA rule family_sakula matched:
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (dropped file; listed twice in the report)
  behavioral2/memory/3708-135-0x0000000000400000-0x0000000000420000-memory.dmp (dropper, PID 3708)
  behavioral2/memory/1960-136-0x0000000000400000-0x0000000000420000-memory.dmp (MediaCenter.exe, PID 1960)
Both memory hits are the same 128KB image region at base 0x400000, once in the dropper and once in the dropped payload, so the Sakula code is resident in both processes, not only in the second stage.

suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Each alert is recorded twice in the report. The C2 destination would be in the Network section, which is not included on this page.
Executes dropped EXE (1 IoC)
  PID 1960  MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  Process: 06c453220cae156ee74fcd965575a32420a640d5bac832ba404651efa3541021.exe (PID 3708)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Process: 06c453220cae156ee74fcd965575a32420a640d5bac832ba404651efa3541021.exe (PID 3708)
The value lands in the 32-bit (WOW6432Node) view of HKLM\...\CurrentVersion\Run because the dropper is a 32-bit process; entries there are still executed at logon. Writing under HKLM needs administrative rights, which the sandbox user (Admin) had. The persistence target is the dropped payload inside the user's Temp directory, which on its own is a strong hunting signal: legitimate Run entries rarely point into AppData\Local\Temp.
Drops file in Windows directory (8 IoCs)
  File opened for modification by svchost.exe (PID 4892, wuauserv):
    C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
    C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
    C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm
    C:\Windows\SoftwareDistribution\ReportingEvents.log
    C:\Windows\WindowsUpdate.log
    C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
  File opened for modification by TiWorker.exe (PID 4664):
    C:\Windows\Logs\CBS\CBS.log
    C:\Windows\WinSxS\pending.xml
All eight paths are Windows Update and component-servicing artifacts written by system processes that are not descendants of the sample (see the process tree); none of them is attributable to it.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's rule text calls this "likely ransomware behaviour", but the page records no IoC for it and the other signatures identify the sample as the Sakula RAT, so treat it as a generic heuristic rather than evidence of ransomware.
-
Runs ping.exe (1 TTPs, 1 IoC)
  PID 1028  ping 127.0.0.1  (spawned by cmd.exe PID 3976; used only as a delay before the dropper is deleted, see the process tree)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Only one of the 64 token adjustments belongs to the sample:
  Token: SeIncBasePriorityPrivilege  PID 3708  06c453220cae156ee74fcd965575a32420a640d5bac832ba404651efa3541021.exe
The other 63 are background activity of the two unrelated roots in the process tree:
  svchost.exe (PID 4892): SeShutdownPrivilege and SeCreatePagefilePrivilege, three times each (6)
  TiWorker.exe (PID 4664): SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, repeated in cycles (57)
Suspicious use of WriteProcessMemory (9 IoCs)
Each process spawn is recorded three times:
  PID 3708 (06c453220cae156ee74fcd965575a32420a640d5bac832ba404651efa3541021.exe) wrote to memory of PID 1960 (MediaCenter.exe)  x3
  PID 3708 (06c453220cae156ee74fcd965575a32420a640d5bac832ba404651efa3541021.exe) wrote to memory of PID 3976 (cmd.exe)  x3
  PID 3976 (cmd.exe) wrote to memory of PID 1028 (PING.EXE)  x3
Processes

1. C:\Users\Admin\AppData\Local\Temp\06c453220cae156ee74fcd965575a32420a640d5bac832ba404651efa3541021.exe (PID 3708)
   command line: "C:\Users\Admin\AppData\Local\Temp\06c453220cae156ee74fcd965575a32420a640d5bac832ba404651efa3541021.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1960, child of 3708)
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe (PID 3976, child of 3708)
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06c453220cae156ee74fcd965575a32420a640d5bac832ba404651efa3541021.exe"
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE (PID 1028, child of 3976)
         command line: ping 127.0.0.1
         - Runs ping.exe

1. C:\Windows\system32\svchost.exe (PID 4892)
   command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken

1. C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 4664)
   command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken

Reading the tree: the dropper (PID 3708) writes MediaCenter.exe, starts it, registers it in the Run key, and then launches cmd.exe to delete its own file. ping 127.0.0.1 has no network purpose; it only delays del long enough for the dropper to have exited, since a running image cannot be deleted. cmd.exe is requested as C:\Windows\System32\cmd.exe but runs from SysWOW64: the dropper is a 32-bit process, so the file-system redirector resolves System32 to SysWOW64, consistent with the WOW6432Node Run key. The svchost.exe (wuauserv, the Windows Update service) and TiWorker.exe (servicing-stack worker) roots are not children of the sample and account for every "Drops file in Windows directory" IoC and all but one of the token adjustments.
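The three behaviours in this tree that are actually attributable to the sample (Run-key persistence into a user-writable path, the ping-then-del self-deletion one-liner, and a Geo\Nation lookup from a binary in Temp) can be turned into hunting logic. The following is an added example, not code from the sandbox or the sample; the event records are constructed from the report's process tree and registry IoCs, the field names (type, pid, ppid, image, cmdline, key, data) are an assumed flat schema rather than any real sandbox or EDR format, and the Program Files Run entry is a constructed benign control.

```python
"""Hunting checks for the sample-attributable behaviours in the report.

Added example, not Triage's code or the sample's. EVENTS is constructed
from the report; the field names are an assumed schema.
"""
import re

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\06c453220cae156ee74fcd965575a32420a640d5bac832ba404651efa3541021.exe")
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

EVENTS = [
    {"type": "process", "pid": 3708, "ppid": 0, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"type": "process", "pid": 1960, "ppid": 3708, "image": PAYLOAD, "cmdline": PAYLOAD},
    {"type": "process", "pid": 3976, "ppid": 3708, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{DROPPER}"'},
    {"type": "process", "pid": 1028, "ppid": 3976, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    {"type": "process", "pid": 4892, "ppid": 0, "image": r"C:\Windows\system32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"},
    # The report prints the value data with doubled backslashes; stored unescaped here.
    {"type": "reg_set", "pid": 3708,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "data": f'"{PAYLOAD}"'},
    {"type": "reg_query", "pid": 3708,
     "key": r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation"},
    # Constructed benign control: an installer-style Run entry under Program Files.
    {"type": "reg_set", "pid": 4892,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
     "data": r'"C:\Program Files\Example\updater.exe" /background'},
]

# Directories an unprivileged user can write to; a Run target there is suspicious.
USER_WRITABLE = re.compile(
    r"\\(?:AppData\\(?:Local|LocalLow|Roaming)|Temp|ProgramData|Users\\Public)\\", re.I)
# Matches both the native and the WOW6432Node view of Run / RunOnce.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# cmd /c ping <loopback> [...] & del [/flags] "<target>": loopback ping as a delay, then delete.
PING_DEL = re.compile(
    r'/c\s+ping\s+(?:-\w\s+\S+\s+)*(?:127\.0\.0\.1|localhost|::1)\b'
    r'.*?&\s*del\s+(?:/\w\s+)*"?(?P<target>[^"]+?)"?\s*$', re.I)


def first_exe_in(data):
    """Return the executable path embedded in a Run value's data (quoted or bare)."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split(" ")[0]


def analyze(events):
    """Return (rule, pid, detail) findings over a flat list of process/registry events."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "reg_set" and RUN_KEY.search(e["key"]):
            exe = first_exe_in(e["data"])
            if USER_WRITABLE.search(exe):
                findings.append(("run_key_user_writable", e["pid"], exe))
        elif e["type"] == "reg_query" and GEO_KEY.search(e["key"]):
            image = procs.get(e["pid"], {}).get("image", "")
            if USER_WRITABLE.search(image):
                findings.append(("geo_lookup_from_user_writable", e["pid"], image))
        elif e["type"] == "process" and e["image"].lower().endswith("\\cmd.exe"):
            m = PING_DEL.search(e["cmdline"])
            if not m:
                continue
            target = m.group("target").strip()
            parent = procs.get(e["ppid"], {}).get("image", "")
            # Deleting the parent's own image is the self-deletion idiom seen in the tree;
            # deleting anything else via the same trick is still worth a lower-severity hit.
            rule = ("self_deletion_via_ping_del" if target.lower() == parent.lower()
                    else "delayed_delete_via_ping")
            findings.append((rule, e["pid"], target))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyze(EVENTS):
        print(f"{rule:32} pid={pid}  {detail}")
```

Run as-is it reports three findings, all against PIDs 3708 and 3976, and nothing for the svchost.exe control entry. The self-deletion rule keys on the parent's image path rather than on the literal ping 127.0.0.1, so variants that add -n or -w to the ping still match; the Run-key check deliberately looks at the directory of the target rather than the key view, since the WOW6432Node path is an artifact of the sample being 32-bit, not of the technique.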
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (dropped payload; the report lists it twice with identical hashes)
  MD5:    04f0a899adf0dd5817a2e17ee9af8a95
  SHA1:   149d69531010296b0e6217d1c4206fef5ef74772
  SHA256: 5fa2a1066ecb98b0c0412f0a4e18b80e14785f75dd4640be0ac52695b6ee47f4
  SHA512: 6e554ca776f192d3e8e6b171c0706c48c6ee92a2a7d80be3d8cad3115789bd2ce7496fb4396f7e9dc3e3c455281b7602dd435ffa8b2245b4b9c968c8da0e7e2b
The hashes differ from the submitted sample, so MediaCenter.exe is a distinct second-stage file, not a copy of the dropper.

Memory dumps
  memory/1960-136-0x0000000000400000-0x0000000000420000-memory.dmp  128KB  (MediaCenter.exe image, family_sakula match)
  memory/3708-135-0x0000000000400000-0x0000000000420000-memory.dmp  128KB  (dropper image, family_sakula match)
  memory/4892-132-0x0000018DD7790000-0x0000018DD77A0000-memory.dmp   64KB  (svchost.exe, no rule match)
  memory/4892-133-0x0000018DD7E20000-0x0000018DD7E30000-memory.dmp   64KB  (svchost.exe, no rule match)
  memory/4892-134-0x0000018DDA510000-0x0000018DDA514000-memory.dmp   16KB  (svchost.exe, no rule match)