Analysis
Max time kernel: 156s
Max time network: 168s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220113
Submitted: 12-02-2022 10:36

Tasks
Static task: static1
Behavioral task: behavioral1 - Sample: 06b4d7c425165ee70c02e9f946cf9ce7228bd0f5ef0814548112d1151f641456.exe - Resource: win7-en-20211208
Behavioral task: behavioral2 - Sample: 06b4d7c425165ee70c02e9f946cf9ce7228bd0f5ef0814548112d1151f641456.exe - Resource: win10v2004-en-20220113

The signatures, process listing and memory dumps below are from behavioral2, the win10v2004 run (the memory-dump IoCs are tagged behavioral2).
General
Target: 06b4d7c425165ee70c02e9f946cf9ce7228bd0f5ef0814548112d1151f641456.exe
Size: 216KB
MD5: 679c7f808e4fc616993e23faf657694a
SHA1: d968b75e88309ea6ee57e00b4af5fee4462d4399
SHA256: 06b4d7c425165ee70c02e9f946cf9ce7228bd0f5ef0814548112d1151f641456
SHA512: 9ab2f516e40b15f9a9b13b7395e524904345e6c589939fdc08e69ca214b1183b54c1a67fd9be7e26c259cb9ab96a035e4672d1380dd83afdcfb37dbe6b1701c2
Malware Config
No extracted configuration is shown in this report.

Signatures

Sakula Payload - 4 IoCs
YARA rule family_sakula matched the dropped file and the in-memory image of both processes:
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (on disk; the report lists this entry twice)
- behavioral2/memory/5028-135-0x0000000000400000-0x0000000000420000-memory.dmp (parent sample, PID 5028)
- behavioral2/memory/4596-136-0x0000000000400000-0x0000000000420000-memory.dmp (dropped MediaCenter.exe, PID 4596)
Both memory hits cover the same 128KB range at 0x400000, the default image base of a 32-bit PE, which fits the WOW64 registry and file-system paths seen elsewhere in the report.

Suricata alerts (each raised once; the report prints them twice)
- ET MALWARE SUSPICIOUS UA (iexplore)
- ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE - 1 IoCs
- MediaCenter.exe (PID 4596)
Checks computer location settings - 2 TTPs, 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation by 06b4d7c425165ee70c02e9f946cf9ce7228bd0f5ef0814548112d1151f641456.exe
Adds Run key to start application - 2 TTPs, 1 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe" by 06b4d7c425165ee70c02e9f946cf9ce7228bd0f5ef0814548112d1151f641456.exe
The WOW6432Node path is the 32-bit registry view: a 32-bit process writing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run on x64 Windows is redirected there. The entry is machine-wide (HKLM, not HKCU), so writing it needs an elevated token; the sample ran as the sandbox's Admin user. The persisted binary is the dropped MediaCenter.exe, not the original sample, which deletes itself (see the cmd.exe line in the process tree).
Drops file in Windows directory - 8 IoCs
All eight entries belong to Windows Update servicing (svchost.exe -s wuauserv, PID 700, and TiWorker.exe, PID 1308), not to the sample, and are background noise in this run:
- C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
- C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
- C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
- C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
- C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
- C:\Windows\WinSxS\pending.xml (TiWorker.exe)
- C:\Windows\WindowsUpdate.log (svchost.exe)
- C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
Enumerates physical storage devices - 1 TTPs
Sandbox description: attempts to interact with connected storage/optical drive(s), likely ransomware behaviour. No IoC is attached to this signature and nothing else in the report shows encryption or bulk file writes by the sample, so read the ransomware wording as the sandbox's generic heuristic text rather than a finding about this Sakula sample.

Runs ping.exe - 1 TTPs, 1 IoCs
- PING.EXE (PID 4896), spawned by cmd.exe (PID 1064) as the delay in the sample's self-deletion command.
Suspicious use of AdjustPrivilegeToken - 64 IoCs
Only one of the listed token adjustments comes from the sample:
- 06b4d7c425165ee70c02e9f946cf9ce7228bd0f5ef0814548112d1151f641456.exe (PID 5028): SeIncBasePriorityPrivilege
The rest are Windows Update servicing activity:
- svchost.exe (PID 700): SeShutdownPrivilege, SeCreatePagefilePrivilege (each enabled three times)
- TiWorker.exe (PID 1308): SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege (enabled repeatedly in a loop for the remaining entries)
Suspicious use of WriteProcessMemory - 9 IoCs
Every write targets a child the writer had just created (three entries per child), which is the pattern of process creation rather than injection into an unrelated process:
- PID 5028 (06b4d7c425165ee70c02e9f946cf9ce7228bd0f5ef0814548112d1151f641456.exe) wrote to PID 4596 (MediaCenter.exe), 3 entries
- PID 5028 wrote to PID 1064 (cmd.exe), 3 entries
- PID 1064 (cmd.exe) wrote to PID 4896 (PING.EXE), 3 entries
Processes

C:\Users\Admin\AppData\Local\Temp\06b4d7c425165ee70c02e9f946cf9ce7228bd0f5ef0814548112d1151f641456.exe (PID 5028)
  command line: "C:\Users\Admin\AppData\Local\Temp\06b4d7c425165ee70c02e9f946cf9ce7228bd0f5ef0814548112d1151f641456.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 4596)
  |    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  |    - Executes dropped EXE
  |- C:\Windows\SysWOW64\cmd.exe (PID 1064)
       command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06b4d7c425165ee70c02e9f946cf9ce7228bd0f5ef0814548112d1151f641456.exe"
       - Suspicious use of WriteProcessMemory
       |- C:\Windows\SysWOW64\PING.EXE (PID 4896)
            command line: ping 127.0.0.1
            - Runs ping.exe

C:\Windows\system32\svchost.exe (PID 700)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 1308)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample drops MediaCenter.exe into %TEMP%\MicroMedia, launches it, registers it in the machine-wide Run key, then removes its own file with the usual "ping 127.0.0.1 & del /q" chain, where the single loopback ping is a short delay so that the parent has exited before del runs. The command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe, because the 32-bit sample's view of System32 is redirected by WOW64. After this, the only copy on disk is MediaCenter.exe, so triage and hunting should key on that path, its hashes (under Downloads) and the Run value rather than on the original sample name. The svchost.exe (wuauserv) and TiWorker.exe processes are Windows Update running in the sandbox and are unrelated to the sample.
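The two host-side artifacts in the tree above, the Run value pointing into %TEMP% and the ping-then-del self-deletion chain, are the ones a detection engineer would want to encode. The following is an added example written for this page, not part of the sandbox report and not Sakula code. Its event records are constructed to mirror the report's PIDs, paths and command lines, and the field names (image, command_line, parent_pid, target_object, details) are an assumption loosely modelled on Sysmon process-creation and registry-value-set events rather than a real log schema. The self-deletion regex is written a little more generally than the sample needs (it also tolerates "ping -n <count>" and "> nul"), since other droppers use those variants.

```python
"""Flag Run-key persistence into a user-writable directory and the
'cmd.exe /c ping 127.0.0.1 & del /q <file>' self-deletion chain, then check
whether the deleted file is the image of the process that spawned cmd.exe.
Added example; event layout is an assumption, not a real log format."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


@dataclass
class RegEvent:
    pid: int
    image: str
    target_object: str  # full key path including the value name
    details: str        # REG_SZ data written


# Run value under either the native or the WOW6432Node view of HKLM/HKCU.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)

# User-writable staging directories; a Run entry pointing here is the report's pattern.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\programdata\\")

# Loopback ping as a delay, then del of a quoted or bare path.
SELF_DELETE_RE = re.compile(
    r"ping\s+(?:-n\s+\d+\s+)?127\.0\.0\.1(?:\s*>\s*nul)?\s*&+\s*"
    r'del\s+(?:/[a-z]\s+)*"?(?P<path>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)


def flag_run_key(ev: RegEvent) -> Optional[dict]:
    """Return a hit when a Run value's data points into a user-writable directory."""
    if not RUN_KEY_RE.search(ev.target_object):
        return None
    target = ev.details.strip().strip('"').lower()
    if not any(d in target for d in SUSPICIOUS_DIRS):
        return None
    return {"rule": "run_key_in_user_writable_dir", "pid": ev.pid, "image": ev.image,
            "value_name": ev.target_object.rsplit("\\", 1)[1], "target": target}


def flag_self_delete(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Optional[dict]:
    """Return a hit for a cmd.exe ping-then-del chain; self_delete is True when the
    deleted path equals the image of cmd.exe's parent process."""
    if not ev.image.lower().endswith("\\cmd.exe"):
        return None
    m = SELF_DELETE_RE.search(ev.command_line)
    if not m:
        return None
    deleted = m.group("path").strip().lower()
    parent = by_pid.get(ev.parent_pid)
    return {"rule": "ping_then_del", "pid": ev.pid, "deleted": deleted,
            "parent_image": parent.image if parent else None,
            "self_delete": parent is not None and parent.image.lower() == deleted}


def run_detections(proc_events: List[ProcEvent], reg_events: List[RegEvent]) -> List[dict]:
    by_pid = {e.pid: e for e in proc_events}
    hits = [h for h in (flag_run_key(e) for e in reg_events) if h]
    hits += [h for h in (flag_self_delete(e, by_pid) for e in proc_events) if h]
    return hits


# Constructed events mirroring the report's process tree and registry IoC.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\06b4d7c425165ee70c02e9f946cf9ce7228bd0f5ef0814548112d1151f641456.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
CMD32 = r"C:\Windows\SysWOW64\cmd.exe"

PROC_EVENTS = [
    ProcEvent(5028, SAMPLE, f'"{SAMPLE}"', 0, ""),  # parent of the sample is not in the report
    ProcEvent(4596, DROPPED, DROPPED, 5028, SAMPLE),
    ProcEvent(1064, CMD32, f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"', 5028, SAMPLE),
    ProcEvent(4896, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1", 1064, CMD32),
    # benign control (constructed): a plain del without the ping delay must not fire
    ProcEvent(7000, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\old.log"',
              6000, r"C:\Windows\explorer.exe"),
]
REG_EVENTS = [
    RegEvent(5028, SAMPLE,
             r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
             f'"{DROPPED}"'),
    # benign control (constructed): a Run entry under Program Files must not fire
    RegEvent(3000, r"C:\Program Files\Vendor\setup.exe",
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
             r'"C:\Program Files\Vendor\updater.exe"'),
]

if __name__ == "__main__":
    for hit in run_detections(PROC_EVENTS, REG_EVENTS):
        print(hit)
```

Run as a script it prints two hits: the MicroMedia Run value and the cmd.exe chain with self_delete set to True, while both constructed controls stay silent. Correlating the deleted path against the parent image is what separates a dropper cleaning up after itself from a script that happens to ping before deleting a log; without the parent lookup the second rule is noisy.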
Network
No flow listing survives in this report; the network evidence is the two Suricata alerts under Signatures (a suspicious "iexplore" User-Agent and the Sakula/Mivast RAT CnC beacon).

MITRE ATT&CK Enterprise v6
The TTP-mapped signatures in this report are: Checks computer location settings, Adds Run key to start application, Enumerates physical storage devices, Runs ping.exe.

Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (dropped payload; the report lists it twice)
MD5: a186159dc84f1b6872cffae84758e3fa
SHA1: 32fca5b222ca4c2637056693ab6c9efa8c2b8e07
SHA256: 0c82976d6ca5f1de25b8fa4eb6aea2c1f03f7f1e34bc93d796a3b514c7799b6b
SHA512: 3d824ab157c7b2f9f0bdcb449a4ad8e0b805f8260716ed50fd74a47e72a3e25a3051f272890257fbeb5e8169536806e7f690e95b579444b5ef1d344f016ac838
These hashes differ from the submitted sample's, so hunt on both sets.

Memory dumps
- memory/700-132-0x000001F136720000-0x000001F136730000-memory.dmp, 64KB (svchost.exe, PID 700)
- memory/700-133-0x000001F136780000-0x000001F136790000-memory.dmp, 64KB (svchost.exe, PID 700)
- memory/700-134-0x000001F138E60000-0x000001F138E64000-memory.dmp, 16KB (svchost.exe, PID 700)
- memory/4596-136-0x0000000000400000-0x0000000000420000-memory.dmp, 128KB (MediaCenter.exe, PID 4596; matched family_sakula)
- memory/5028-135-0x0000000000400000-0x0000000000420000-memory.dmp, 128KB (submitted sample, PID 5028; matched family_sakula)
The PID 700 dumps are Windows Update (svchost.exe -s wuauserv) and are not attributable to the sample; the two 128KB dumps at 0x400000 are the ones the family_sakula rule hit.