Analysis
  max time kernel:  154s
  max time network: 172s
  platform:         windows10-2004_x64
  resource:         win10v2004-en-20220113
  submitted:        12-02-2022 10:41

Static task: static1

Behavioral task: behavioral1
  Sample:   066d01d08a9aa6244fa7d32bd1495e33328bc42cab78b58a779153591b01f750.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample:   066d01d08a9aa6244fa7d32bd1495e33328bc42cab78b58a779153591b01f750.exe
  Resource: win10v2004-en-20220113
General
  Target: 066d01d08a9aa6244fa7d32bd1495e33328bc42cab78b58a779153591b01f750.exe
  Size:   216KB
  MD5:    9f2f00932c135461259516bb984502fa
  SHA1:   ea2c6f9f57687c40660ff5da508b346ac819fe99
  SHA256: 066d01d08a9aa6244fa7d32bd1495e33328bc42cab78b58a779153591b01f750
  SHA512: 2787318440464bfb812dd1b3d2101301a8b86910b808be6d6a7876d5abcbd57c4b3978bdc7223cbfbe4ba5ee60d1a87c65cf6959a7b9841d0b9d9bb815afc51c
Malware Config
Signatures

Sakula Payload 4 IoCs
Processes:
  resource                                                                      yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                  family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                  family_sakula
  behavioral2/memory/1448-135-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
  behavioral2/memory/2848-136-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
  pid   process
  2848  MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                process
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  066d01d08a9aa6244fa7d32bd1495e33328bc42cab78b58a779153591b01f750.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description      ioc                                                                                                                                                                 process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  066d01d08a9aa6244fa7d32bd1495e33328bc42cab78b58a779153591b01f750.exe
Drops file in Windows directory 8 IoCs
Processes:
  description                   ioc                                                        process
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm    svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log        svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log                                TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml                              TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log                               svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk     svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log     svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb    svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  description                        pid   process                                                                target process
  PID 1448 wrote to memory of 2848   1448  066d01d08a9aa6244fa7d32bd1495e33328bc42cab78b58a779153591b01f750.exe  MediaCenter.exe
  PID 1448 wrote to memory of 2848   1448  066d01d08a9aa6244fa7d32bd1495e33328bc42cab78b58a779153591b01f750.exe  MediaCenter.exe
  PID 1448 wrote to memory of 2848   1448  066d01d08a9aa6244fa7d32bd1495e33328bc42cab78b58a779153591b01f750.exe  MediaCenter.exe
  PID 1448 wrote to memory of 776    1448  066d01d08a9aa6244fa7d32bd1495e33328bc42cab78b58a779153591b01f750.exe  cmd.exe
  PID 1448 wrote to memory of 776    1448  066d01d08a9aa6244fa7d32bd1495e33328bc42cab78b58a779153591b01f750.exe  cmd.exe
  PID 1448 wrote to memory of 776    1448  066d01d08a9aa6244fa7d32bd1495e33328bc42cab78b58a779153591b01f750.exe  cmd.exe
  PID 776 wrote to memory of 4868    776   cmd.exe                                                                PING.EXE
  PID 776 wrote to memory of 4868    776   cmd.exe                                                                PING.EXE
  PID 776 wrote to memory of 4868    776   cmd.exe                                                                PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\066d01d08a9aa6244fa7d32bd1495e33328bc42cab78b58a779153591b01f750.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\066d01d08a9aa6244fa7d32bd1495e33328bc42cab78b58a779153591b01f750.exe"
  PID: 1448
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 2848
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\066d01d08a9aa6244fa7d32bd1495e33328bc42cab78b58a779153591b01f750.exe"
    PID: 776
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 4868
      - Runs ping.exe

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 1116
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 1924
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5:    2db6afb10693f5d78c05ecfc96a1847c
  SHA1:   7970fc88da622fc783c0386c7f6d513b228d91f9
  SHA256: d3fd812fb1834ac18d50787012548301f105d6f621191770448234fcc1f6343d
  SHA512: 5ccb74382e6a72e244e97a44e8c1b7dfaf6f6c78eb62142cbf42aabcf3ad5a52550824e3542bcd930c04675759cefa2397bf14099790505d71579f571481ca5b
memory/1116-133-0x0000026F0EB60000-0x0000026F0EB70000-memory.dmp
  Filesize: 64KB

memory/1116-132-0x0000026F0E380000-0x0000026F0E390000-memory.dmp
  Filesize: 64KB

memory/1116-134-0x0000026F11760000-0x0000026F11764000-memory.dmp
  Filesize: 16KB

memory/1448-135-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

memory/2848-136-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB