Analysis
- max time kernel: 155s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 11:15
Static task: static1
Behavioral task: behavioral1
  Sample: 04daf5ab168d8d07e9b8d4f7d07d88b0425c8cc7288b2cf92c65a5b21eda984f.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 04daf5ab168d8d07e9b8d4f7d07d88b0425c8cc7288b2cf92c65a5b21eda984f.exe
  Resource: win10v2004-en-20220113
General
- Target: 04daf5ab168d8d07e9b8d4f7d07d88b0425c8cc7288b2cf92c65a5b21eda984f.exe
- Size: 150KB
- MD5: 226d29af0c0e1696b63548223b75c576
- SHA1: 911878e64a3b0f6fd2dc4de44e059cbf48aab20f
- SHA256: 04daf5ab168d8d07e9b8d4f7d07d88b0425c8cc7288b2cf92c65a5b21eda984f
- SHA512: f1dbfba619c4870695d012f64d5a2b590b2e36ccb3aa82ff1592a5c2cf8a3d85ccd5a52e0a8f5da5ee2876877fccfbf55c04030d1fa3ed2dfa6cbf066e92e232
Malware Config
Signatures
-
Sakula Payload (2 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
-
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE (1 IoC)
Processes:
pid | process
2872 | MediaCenter.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 04daf5ab168d8d07e9b8d4f7d07d88b0425c8cc7288b2cf92c65a5b21eda984f.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 04daf5ab168d8d07e9b8d4f7d07d88b0425c8cc7288b2cf92c65a5b21eda984f.exe
-
Drops file in Windows directory (8 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 4392 | 04daf5ab168d8d07e9b8d4f7d07d88b0425c8cc7288b2cf92c65a5b21eda984f.exe
Token: SeShutdownPrivilege | 3496 | svchost.exe
Token: SeCreatePagefilePrivilege | 3496 | svchost.exe
Token: SeShutdownPrivilege | 3496 | svchost.exe
Token: SeCreatePagefilePrivilege | 3496 | svchost.exe
Token: SeShutdownPrivilege | 3496 | svchost.exe
Token: SeCreatePagefilePrivilege | 3496 | svchost.exe
Token: SeSecurityPrivilege | 3344 | TiWorker.exe
Token: SeRestorePrivilege | 3344 | TiWorker.exe
Token: SeBackupPrivilege | 3344 | TiWorker.exe
Token: SeBackupPrivilege | 3344 | TiWorker.exe
Token: SeRestorePrivilege | 3344 | TiWorker.exe
Token: SeSecurityPrivilege | 3344 | TiWorker.exe
Token: SeBackupPrivilege | 3344 | TiWorker.exe
Token: SeRestorePrivilege | 3344 | TiWorker.exe
Token: SeSecurityPrivilege | 3344 | TiWorker.exe
Token: SeBackupPrivilege | 3344 | TiWorker.exe
Token: SeRestorePrivilege | 3344 | TiWorker.exe
Token: SeSecurityPrivilege | 3344 | TiWorker.exe
Token: SeBackupPrivilege | 3344 | TiWorker.exe
Token: SeRestorePrivilege | 3344 | TiWorker.exe
Token: SeSecurityPrivilege | 3344 | TiWorker.exe
Token: SeBackupPrivilege | 3344 | TiWorker.exe
Token: SeRestorePrivilege | 3344 | TiWorker.exe
Token: SeSecurityPrivilege | 3344 | TiWorker.exe
Token: SeBackupPrivilege | 3344 | TiWorker.exe
Token: SeRestorePrivilege | 3344 | TiWorker.exe
Token: SeSecurityPrivilege | 3344 | TiWorker.exe
Token: SeBackupPrivilege | 3344 | TiWorker.exe
Token: SeRestorePrivilege | 3344 | TiWorker.exe
Token: SeSecurityPrivilege | 3344 | TiWorker.exe
Token: SeBackupPrivilege | 3344 | TiWorker.exe
Token: SeRestorePrivilege | 3344 | TiWorker.exe
Token: SeSecurityPrivilege | 3344 | TiWorker.exe
Token: SeBackupPrivilege | 3344 | TiWorker.exe
Token: SeRestorePrivilege | 3344 | TiWorker.exe
Token: SeSecurityPrivilege | 3344 | TiWorker.exe
Token: SeBackupPrivilege | 3344 | TiWorker.exe
Token: SeRestorePrivilege | 3344 | TiWorker.exe
Token: SeSecurityPrivilege | 3344 | TiWorker.exe
Token: SeBackupPrivilege | 3344 | TiWorker.exe
Token: SeRestorePrivilege | 3344 | TiWorker.exe
Token: SeSecurityPrivilege | 3344 | TiWorker.exe
Token: SeBackupPrivilege | 3344 | TiWorker.exe
Token: SeRestorePrivilege | 3344 | TiWorker.exe
Token: SeSecurityPrivilege | 3344 | TiWorker.exe
Token: SeBackupPrivilege | 3344 | TiWorker.exe
Token: SeRestorePrivilege | 3344 | TiWorker.exe
Token: SeSecurityPrivilege | 3344 | TiWorker.exe
Token: SeBackupPrivilege | 3344 | TiWorker.exe
Token: SeRestorePrivilege | 3344 | TiWorker.exe
Token: SeSecurityPrivilege | 3344 | TiWorker.exe
Token: SeBackupPrivilege | 3344 | TiWorker.exe
Token: SeRestorePrivilege | 3344 | TiWorker.exe
Token: SeSecurityPrivilege | 3344 | TiWorker.exe
Token: SeBackupPrivilege | 3344 | TiWorker.exe
Token: SeRestorePrivilege | 3344 | TiWorker.exe
Token: SeSecurityPrivilege | 3344 | TiWorker.exe
Token: SeBackupPrivilege | 3344 | TiWorker.exe
Token: SeRestorePrivilege | 3344 | TiWorker.exe
Token: SeSecurityPrivilege | 3344 | TiWorker.exe
Token: SeBackupPrivilege | 3344 | TiWorker.exe
Token: SeRestorePrivilege | 3344 | TiWorker.exe
Token: SeSecurityPrivilege | 3344 | TiWorker.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 4392 wrote to memory of 2872 | 4392 | 04daf5ab168d8d07e9b8d4f7d07d88b0425c8cc7288b2cf92c65a5b21eda984f.exe | MediaCenter.exe
PID 4392 wrote to memory of 2872 | 4392 | 04daf5ab168d8d07e9b8d4f7d07d88b0425c8cc7288b2cf92c65a5b21eda984f.exe | MediaCenter.exe
PID 4392 wrote to memory of 2872 | 4392 | 04daf5ab168d8d07e9b8d4f7d07d88b0425c8cc7288b2cf92c65a5b21eda984f.exe | MediaCenter.exe
PID 4392 wrote to memory of 4460 | 4392 | 04daf5ab168d8d07e9b8d4f7d07d88b0425c8cc7288b2cf92c65a5b21eda984f.exe | cmd.exe
PID 4392 wrote to memory of 4460 | 4392 | 04daf5ab168d8d07e9b8d4f7d07d88b0425c8cc7288b2cf92c65a5b21eda984f.exe | cmd.exe
PID 4392 wrote to memory of 4460 | 4392 | 04daf5ab168d8d07e9b8d4f7d07d88b0425c8cc7288b2cf92c65a5b21eda984f.exe | cmd.exe
PID 4460 wrote to memory of 4112 | 4460 | cmd.exe | PING.EXE
PID 4460 wrote to memory of 4112 | 4460 | cmd.exe | PING.EXE
PID 4460 wrote to memory of 4112 | 4460 | cmd.exe | PING.EXE
Processes
-
- C:\Users\Admin\AppData\Local\Temp\04daf5ab168d8d07e9b8d4f7d07d88b0425c8cc7288b2cf92c65a5b21eda984f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\04daf5ab168d8d07e9b8d4f7d07d88b0425c8cc7288b2cf92c65a5b21eda984f.exe"
  PID: 4392
  Signatures:
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 2872
    Signatures:
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\04daf5ab168d8d07e9b8d4f7d07d88b0425c8cc7288b2cf92c65a5b21eda984f.exe"
    PID: 4460
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 4112
      Signatures:
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 3496
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3344
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: c6cff394c2d2b0931641405e6a3c9f4d
  SHA1: 8462064599d21ad927eac494a1da061a5d35bcf6
  SHA256: ff5b480289efaf60f85eb1f8906fcbf4c81554b2858224676add1c650ac71e43
  SHA512: 961b54651446b0c66be61ecfe156ae57cdd2ad404595e4977f096f7a34e321e406caee473816db03d77a428103821080ddb68aa8001926de30e5a8b4f779850b
-
memory/3496-132-0x00000256EE560000-0x00000256EE570000-memory.dmp
  Filesize: 64KB
-
memory/3496-133-0x00000256EEC20000-0x00000256EEC30000-memory.dmp
  Filesize: 64KB
-
memory/3496-134-0x00000256F12E0000-0x00000256F12E4000-memory.dmp
  Filesize: 16KB