Analysis

max time kernel: 159s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 10:38

Static task: static1

Behavioral task: behavioral1
Sample: 06a972ee6ab4e6381dc2e33aaba31a167495acb35a57ec0b41cc8dca433016e9.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 06a972ee6ab4e6381dc2e33aaba31a167495acb35a57ec0b41cc8dca433016e9.exe
Resource: win10v2004-en-20220113

The detailed results below (memory dumps labelled behavioral2, SysWOW64 paths, servicing stack 10.0.19041) are from the Windows 10 2004 x64 run.
General

Target: 06a972ee6ab4e6381dc2e33aaba31a167495acb35a57ec0b41cc8dca433016e9.exe
Size: 216KB
MD5: 4427f94c861db7371e8e896309ed23d7
SHA1: 2877c1e2bffdaca313039664e807ef8933607426
SHA256: 06a972ee6ab4e6381dc2e33aaba31a167495acb35a57ec0b41cc8dca433016e9
SHA512: 34f833d3195ac2375406664f16eac2ddcd846bcb36825ef4d0682c8b596d783713ac0166515deea95a3dd85c85a68a0eb75ad84f8313f086693f42193adeac69
Malware Config
Signatures
Sakula Payload (4 IoCs)
YARA rule family_sakula matched on:
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (the dropped file; listed twice in the report)
- behavioral2/memory/4504-135-0x0000000000400000-0x0000000000420000-memory.dmp (memory of the submitted sample, PID 4504)
- behavioral2/memory/4060-136-0x0000000000400000-0x0000000000420000-memory.dmp (memory of MediaCenter.exe, PID 4060)
Both in-memory hits cover the same 0x400000-0x420000 range, so the payload is identified in the dropper and in the dropped child alike.
Suricata alerts (each raised twice during the run):
- ET MALWARE SUSPICIOUS UA (iexplore)
- ET MALWARE Sakula/Mivast RAT CnC Beacon 1
The first fires on an HTTP request with a suspicious, non-browser User-Agent header (iexplore); the second on the Sakula/Mivast beacon format. The contacted host is not reproduced on this page, so the C2 destination has to be taken from the pcap.
Executes dropped EXE (1 IoC)
- MediaCenter.exe, PID 4060
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
- Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation, by 06a972ee6ab4e6381dc2e33aaba31a167495acb35a57ec0b41cc8dca433016e9.exe
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe", by 06a972ee6ab4e6381dc2e33aaba31a167495acb35a57ec0b41cc8dca433016e9.exe
The entry lands under WOW6432Node because the sample is a 32-bit process and the registry redirector rewrites its HKLM\SOFTWARE writes; Windows still runs that key's entries at logon. It is a machine-wide (HKLM) entry, so it needed the administrative rights the sandbox ran the sample with, and it points into a user-writable %TEMP% path rather than Program Files, which is a useful hunting criterion on its own.
Drops file in Windows directory (8 IoCs)
All eight entries are Windows Update servicing activity from svchost.exe (-s wuauserv, PID 3036) and TiWorker.exe (PID 5044), not from the sample:
- svchost.exe opened for modification: C:\Windows\WindowsUpdate.log, C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk, C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log, C:\Windows\SoftwareDistribution\DataStore\DataStore.edb, C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm, C:\Windows\SoftwareDistribution\ReportingEvents.log
- TiWorker.exe opened for modification: C:\Windows\Logs\CBS\CBS.log, C:\Windows\WinSxS\pending.xml
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is the sandbox's generic description for the signature; no IoC is attached to it here, and nothing else in the report supports a ransomware reading: the family is a RAT, and the only file the report attributes to the sample is the dropped MediaCenter.exe under %TEMP%.
Runs ping.exe (1 TTP, 1 IoC)
- PING.EXE, PID 1128, spawned by cmd.exe as a delay before deleting the original sample file (see Processes).
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Only one entry belongs to the sample; the rest are Windows Update servicing noise:
- PID 4504 06a972ee6ab4e6381dc2e33aaba31a167495acb35a57ec0b41cc8dca433016e9.exe: SeIncBasePriorityPrivilege (once)
- PID 3036 svchost.exe: SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating, three times each
- PID 5044 TiWorker.exe: repeated cycles of SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege (all remaining entries)
Suspicious use of WriteProcessMemory (9 IoCs)
Every pair below is a parent/child edge of the process tree (each recorded three times), which is consistent with ordinary process creation rather than injection into an unrelated process:
- PID 4504 06a972ee6ab4e6381dc2e33aaba31a167495acb35a57ec0b41cc8dca433016e9.exe wrote to PID 4060 MediaCenter.exe
- PID 4504 06a972ee6ab4e6381dc2e33aaba31a167495acb35a57ec0b41cc8dca433016e9.exe wrote to PID 1828 cmd.exe
- PID 1828 cmd.exe wrote to PID 1128 PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\06a972ee6ab4e6381dc2e33aaba31a167495acb35a57ec0b41cc8dca433016e9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06a972ee6ab4e6381dc2e33aaba31a167495acb35a57ec0b41cc8dca433016e9.exe"
  PID: 4504
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 4060
      - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06a972ee6ab4e6381dc2e33aaba31a167495acb35a57ec0b41cc8dca433016e9.exe"
      PID: 1828
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          PID: 1128
          - Runs ping.exe

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 3036
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 5044
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

Indentation shows parent/child. Two points worth noting: the sample asked for C:\Windows\System32\cmd.exe but got C:\Windows\SysWOW64\cmd.exe, which is file system redirection for a 32-bit caller; and the cmd.exe command line is the classic self-delete idiom, where ping 127.0.0.1 (four echoes, roughly three seconds) delays the del /q until the parent has exited and released its file, leaving only the dropped MediaCenter.exe on disk. svchost.exe (wuauserv) and TiWorker.exe are the Windows Update service and servicing worker, unrelated to the sample.
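The host-side behaviours recorded above (the Geo\Nation query, the Run key pointing into %TEMP%, the ping-then-del self-deletion, and the parent/child edges in the WriteProcessMemory section) can be turned into detection logic. The following is an added example and not part of the sandbox report or any vendor's code; it runs the checks over constructed events that mirror the report's process tree and registry IoCs, using an assumed Sysmon-like field layout (image, cmdline, ppid, target, details).

```python
"""Detection logic for the host behaviours in this report: the Geo\\Nation
registry query, the Run key pointing into %TEMP%, and the
`cmd /c ping 127.0.0.1 & del /q <self>` self-deletion. Added example, not
sandbox output; the event dicts are constructed to mirror the report and
their field names are an assumption (loosely Sysmon event ID 1 / 12 / 13)."""
import re
from dataclasses import dataclass

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\06a972ee6ab4e6381dc2e33aaba31a167495acb35a57ec0b41cc8dca433016e9.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed telemetry, in the order the report's process tree implies.
EVENTS = [
    {"type": "process", "pid": 4504, "ppid": 1, "image": SAMPLE,
     "cmdline": '"' + SAMPLE + '"'},
    {"type": "registry_query", "pid": 4504,
     "target": r"HKU\S-1-5-21-1346565761-3498240568-4147300184-1000"
               r"\Control Panel\International\Geo\Nation"},
    {"type": "registry_set", "pid": 4504,
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "details": DROPPED},
    {"type": "process", "pid": 4060, "ppid": 4504, "image": DROPPED, "cmdline": DROPPED},
    {"type": "process", "pid": 1828, "ppid": 4504, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'},
    {"type": "process", "pid": 1128, "ppid": 1828, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Benign control: the Windows Update service that also appears in the report.
    {"type": "process", "pid": 3036, "ppid": 1, "image": r"C:\Windows\system32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"},
]

# `ping <loopback>` followed by `del`/`erase` on one command line: the ping is a
# short sleep so the deleting shell outlives the parent that spawned it.
SELF_DELETE_RE = re.compile(
    r'ping\b[^&]*?\b(?:127\.0\.0\.1|localhost)\b[^&]*&+\s*(?:del|erase)\b[^"]*"?([^"]+?)"?\s*$',
    re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Users\\Public|ProgramData)\\", re.IGNORECASE)
GEO_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)


@dataclass
class Finding:
    technique: str
    pid: int
    evidence: str


def analyse(events):
    """Return one Finding per matching event, in event order."""
    image_by_pid = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "process":
            m = SELF_DELETE_RE.search(e["cmdline"])
            if m:
                target = m.group(1).strip()
                parent = image_by_pid.get(e["ppid"], "")
                # Strongest signal: the file being deleted is the parent's own image.
                scope = "parent image" if parent.lower() == target.lower() else "other file"
                findings.append(Finding("self-delete via ping delay", e["pid"],
                                        f"{scope}: {target}"))
        elif e["type"] == "registry_set":
            if RUN_KEY_RE.search(e["target"]) and USER_WRITABLE_RE.search(e.get("details", "")):
                findings.append(Finding("Run-key persistence into a user-writable path",
                                        e["pid"], e["target"]))
        elif e["type"] == "registry_query" and GEO_RE.search(e["target"]):
            findings.append(Finding("geo-location lookup (possible geofence)",
                                    e["pid"], e["target"]))
    return findings


def native_view(key):
    """Map a WOW6432Node key back to the 64-bit view a 32-bit writer was
    redirected from; both Run keys are processed at logon, so hunt in both."""
    return key.replace(r"\WOW6432Node", "")


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f"[{f.technique}] pid={f.pid} {f.evidence}")
```

The self-delete check is scored higher when the deleted path equals the parent's own image, which is exactly the shape seen here (PID 1828 deleting PID 4504's file); the svchost.exe control event produces no finding. When hunting for the persistence entry on real hosts, query both the WOW6432Node key the report shows and its native counterpart returned by native_view.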
Network
The pcap and contacted hosts are not reproduced on this page; the only network evidence here is the two Suricata alerts under Signatures.

MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (listed twice in the report with identical hashes)
MD5: 911c900f7109174b71d4fdc97a8dae1e
SHA1: 0ca1c7fa7304afabbe6f5036dbab9db98504b266
SHA256: 86c5bc9cf893a39d9151de020c0438ec2e61a74860535e2185efd539f260330e
SHA512: ab0ffc49bea5af9f607caf483f6a2496a42febc514e7df5610ffc677989ed0944758b85759fb3949a9daafe0ea68874a9b7a84ddf683939671edaf3978b9eee0
These hashes differ from the submitted sample's, so MediaCenter.exe is a separately dropped binary rather than a copy of the dropper; both should be treated as IoCs.

Memory dumps:
- memory/3036-132-0x000001A16BB60000-0x000001A16BB70000-memory.dmp, 64KB (svchost.exe)
- memory/3036-133-0x000001A16C120000-0x000001A16C130000-memory.dmp, 64KB (svchost.exe)
- memory/3036-134-0x000001A16E7C0000-0x000001A16E7C4000-memory.dmp, 16KB (svchost.exe)
- memory/4060-136-0x0000000000400000-0x0000000000420000-memory.dmp, 128KB (MediaCenter.exe; family_sakula match)
- memory/4504-135-0x0000000000400000-0x0000000000420000-memory.dmp, 128KB (submitted sample; family_sakula match)