Analysis
- max time kernel: 151s
- max time network: 176s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 11:16
Static task: static1
Behavioral task: behavioral1
  Sample: 04d3415c5fd7ba2854f244e83d9f5012a4c9044f5517847a81f0d17e35bb40f2.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 04d3415c5fd7ba2854f244e83d9f5012a4c9044f5517847a81f0d17e35bb40f2.exe
  Resource: win10v2004-en-20220113
General
- Target: 04d3415c5fd7ba2854f244e83d9f5012a4c9044f5517847a81f0d17e35bb40f2.exe
- Size: 150KB
- MD5: cbd00ac3ea7fb49eed57a5d19b1d60da
- SHA1: d07f81e9d4aabc8591ab94e860eae9e6fb2a2359
- SHA256: 04d3415c5fd7ba2854f244e83d9f5012a4c9044f5517847a81f0d17e35bb40f2
- SHA512: f96a99d1541b3cc3d41bcad2490febd12d973206fc90de65f3a3106419cef8f449242ebd26b62f0e27bd507e7c57d7f9145ed88c42b5e2e3031dcabbaee91750
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
    resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
    pid: 1580  process: MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 04d3415c5fd7ba2854f244e83d9f5012a4c9044f5517847a81f0d17e35bb40f2.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
    process: 04d3415c5fd7ba2854f244e83d9f5012a4c9044f5517847a81f0d17e35bb40f2.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 04d3415c5fd7ba2854f244e83d9f5012a4c9044f5517847a81f0d17e35bb40f2.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 04d3415c5fd7ba2854f244e83d9f5012a4c9044f5517847a81f0d17e35bb40f2.exe
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  (svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  (svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  (svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  (svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log  (svchost.exe)
    File opened for modification: C:\Windows\Logs\CBS\CBS.log  (TiWorker.exe)
    File opened for modification: C:\Windows\WinSxS\pending.xml  (TiWorker.exe)
    File opened for modification: C:\Windows\WindowsUpdate.log  (svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, 04d3415c5fd7ba2854f244e83d9f5012a4c9044f5517847a81f0d17e35bb40f2.exe, TiWorker.exe
    Token: SeShutdownPrivilege  pid: 2168  process: svchost.exe
    Token: SeCreatePagefilePrivilege  pid: 2168  process: svchost.exe
    Token: SeShutdownPrivilege  pid: 2168  process: svchost.exe
    Token: SeCreatePagefilePrivilege  pid: 2168  process: svchost.exe
    Token: SeShutdownPrivilege  pid: 2168  process: svchost.exe
    Token: SeCreatePagefilePrivilege  pid: 2168  process: svchost.exe
    Token: SeIncBasePriorityPrivilege  pid: 3292  process: 04d3415c5fd7ba2854f244e83d9f5012a4c9044f5517847a81f0d17e35bb40f2.exe
    Token: SeSecurityPrivilege  pid: 4184  process: TiWorker.exe
    Token: SeRestorePrivilege  pid: 4184  process: TiWorker.exe
    Token: SeBackupPrivilege  pid: 4184  process: TiWorker.exe
    Rows 11-64: the cycle SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege (pid 4184, TiWorker.exe) repeated 18 times
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 04d3415c5fd7ba2854f244e83d9f5012a4c9044f5517847a81f0d17e35bb40f2.exe, cmd.exe
    PID 3292 wrote to memory of 1580  process: 04d3415c5fd7ba2854f244e83d9f5012a4c9044f5517847a81f0d17e35bb40f2.exe  target process: MediaCenter.exe  (3 entries)
    PID 3292 wrote to memory of 3900  process: 04d3415c5fd7ba2854f244e83d9f5012a4c9044f5517847a81f0d17e35bb40f2.exe  target process: cmd.exe  (3 entries)
    PID 3900 wrote to memory of 1876  process: cmd.exe  target process: PING.EXE  (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\04d3415c5fd7ba2854f244e83d9f5012a4c9044f5517847a81f0d17e35bb40f2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\04d3415c5fd7ba2854f244e83d9f5012a4c9044f5517847a81f0d17e35bb40f2.exe"
  PID: 3292
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1580
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\04d3415c5fd7ba2854f244e83d9f5012a4c9044f5517847a81f0d17e35bb40f2.exe"
    PID: 3900
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1876
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 2168
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 4184
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: bf005bdcf06cfc9653af96d341a2d916
  SHA1: 3027142c4c5a9e5b96d8cdbf5f0db21e548a4e72
  SHA256: 35275d074c0ae8a6973d130e31438aea33b21fd58aab7b95c4019e282afeb590
  SHA512: 4dc07caed02dbf70e18c521d7f3ae64720a859794223b122ef1e92509fb009596c7df1484807e02f8ea2598aaf4d4b79a7814bc9793fc4ec8caa7dee47ab5d95
- memory/2168-132-0x000001DBE4730000-0x000001DBE4740000-memory.dmp
  Filesize: 64KB
- memory/2168-133-0x000001DBE4790000-0x000001DBE47A0000-memory.dmp
  Filesize: 64KB
- memory/2168-134-0x000001DBE7470000-0x000001DBE7474000-memory.dmp
  Filesize: 16KB