Analysis
- max time kernel: 166s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 11:18
Static task: static1
Behavioral task: behavioral1
- Sample: 04b925c26b1fb3610ced0dfc22885c3cc3f18b23409754197a4a7081cf376354.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 04b925c26b1fb3610ced0dfc22885c3cc3f18b23409754197a4a7081cf376354.exe
- Resource: win10v2004-en-20220113
General
- Target: 04b925c26b1fb3610ced0dfc22885c3cc3f18b23409754197a4a7081cf376354.exe
- Size: 188KB
- MD5: c5886598e7a068ed4da4048a2779597a
- SHA1: 64fa69cffaf1b9e1e7f691aac0945569909bd15c
- SHA256: 04b925c26b1fb3610ced0dfc22885c3cc3f18b23409754197a4a7081cf376354
- SHA512: 2ced7f6eea7629e03e18ad74224eb51f407d51f5490a00d4e77c5b17b875cb10d2663bb295ae211cd150bad496ea7ede3210d87969d64da763912e5fa1c9f6cb
Malware Config
Signatures

Sakula Payload (4 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
behavioral2/memory/3060-138-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
behavioral2/memory/4976-139-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
Processes:
pid | process
4976 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 04b925c26b1fb3610ced0dfc22885c3cc3f18b23409754197a4a7081cf376354.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 04b925c26b1fb3610ced0dfc22885c3cc3f18b23409754197a4a7081cf376354.exe
Drops file in Windows directory (8 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 3060 | 04b925c26b1fb3610ced0dfc22885c3cc3f18b23409754197a4a7081cf376354.exe
Token: SeShutdownPrivilege | 4144 | svchost.exe
Token: SeCreatePagefilePrivilege | 4144 | svchost.exe
Token: SeShutdownPrivilege | 4144 | svchost.exe
Token: SeCreatePagefilePrivilege | 4144 | svchost.exe
Token: SeShutdownPrivilege | 4144 | svchost.exe
Token: SeCreatePagefilePrivilege | 4144 | svchost.exe
Token: SeSecurityPrivilege | 3164 | TiWorker.exe
Token: SeRestorePrivilege | 3164 | TiWorker.exe
Token: SeBackupPrivilege | 3164 | TiWorker.exe
Token: SeBackupPrivilege | 3164 | TiWorker.exe
Token: SeRestorePrivilege | 3164 | TiWorker.exe
Token: SeSecurityPrivilege | 3164 | TiWorker.exe
Token: SeBackupPrivilege | 3164 | TiWorker.exe
Token: SeRestorePrivilege | 3164 | TiWorker.exe
Token: SeSecurityPrivilege | 3164 | TiWorker.exe
Token: SeBackupPrivilege | 3164 | TiWorker.exe
Token: SeRestorePrivilege | 3164 | TiWorker.exe
Token: SeSecurityPrivilege | 3164 | TiWorker.exe
Token: SeBackupPrivilege | 3164 | TiWorker.exe
Token: SeRestorePrivilege | 3164 | TiWorker.exe
Token: SeSecurityPrivilege | 3164 | TiWorker.exe
Token: SeBackupPrivilege | 3164 | TiWorker.exe
Token: SeRestorePrivilege | 3164 | TiWorker.exe
Token: SeSecurityPrivilege | 3164 | TiWorker.exe
Token: SeBackupPrivilege | 3164 | TiWorker.exe
Token: SeRestorePrivilege | 3164 | TiWorker.exe
Token: SeSecurityPrivilege | 3164 | TiWorker.exe
Token: SeBackupPrivilege | 3164 | TiWorker.exe
Token: SeRestorePrivilege | 3164 | TiWorker.exe
Token: SeSecurityPrivilege | 3164 | TiWorker.exe
Token: SeBackupPrivilege | 3164 | TiWorker.exe
Token: SeRestorePrivilege | 3164 | TiWorker.exe
Token: SeSecurityPrivilege | 3164 | TiWorker.exe
Token: SeBackupPrivilege | 3164 | TiWorker.exe
Token: SeRestorePrivilege | 3164 | TiWorker.exe
Token: SeSecurityPrivilege | 3164 | TiWorker.exe
Token: SeBackupPrivilege | 3164 | TiWorker.exe
Token: SeRestorePrivilege | 3164 | TiWorker.exe
Token: SeSecurityPrivilege | 3164 | TiWorker.exe
Token: SeBackupPrivilege | 3164 | TiWorker.exe
Token: SeRestorePrivilege | 3164 | TiWorker.exe
Token: SeSecurityPrivilege | 3164 | TiWorker.exe
Token: SeBackupPrivilege | 3164 | TiWorker.exe
Token: SeRestorePrivilege | 3164 | TiWorker.exe
Token: SeSecurityPrivilege | 3164 | TiWorker.exe
Token: SeBackupPrivilege | 3164 | TiWorker.exe
Token: SeRestorePrivilege | 3164 | TiWorker.exe
Token: SeSecurityPrivilege | 3164 | TiWorker.exe
Token: SeBackupPrivilege | 3164 | TiWorker.exe
Token: SeRestorePrivilege | 3164 | TiWorker.exe
Token: SeSecurityPrivilege | 3164 | TiWorker.exe
Token: SeBackupPrivilege | 3164 | TiWorker.exe
Token: SeRestorePrivilege | 3164 | TiWorker.exe
Token: SeSecurityPrivilege | 3164 | TiWorker.exe
Token: SeBackupPrivilege | 3164 | TiWorker.exe
Token: SeRestorePrivilege | 3164 | TiWorker.exe
Token: SeSecurityPrivilege | 3164 | TiWorker.exe
Token: SeBackupPrivilege | 3164 | TiWorker.exe
Token: SeRestorePrivilege | 3164 | TiWorker.exe
Token: SeSecurityPrivilege | 3164 | TiWorker.exe
Token: SeBackupPrivilege | 3164 | TiWorker.exe
Token: SeRestorePrivilege | 3164 | TiWorker.exe
Token: SeSecurityPrivilege | 3164 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 3060 wrote to memory of 4976 | 3060 | 04b925c26b1fb3610ced0dfc22885c3cc3f18b23409754197a4a7081cf376354.exe | MediaCenter.exe
PID 3060 wrote to memory of 4976 | 3060 | 04b925c26b1fb3610ced0dfc22885c3cc3f18b23409754197a4a7081cf376354.exe | MediaCenter.exe
PID 3060 wrote to memory of 4976 | 3060 | 04b925c26b1fb3610ced0dfc22885c3cc3f18b23409754197a4a7081cf376354.exe | MediaCenter.exe
PID 3060 wrote to memory of 2820 | 3060 | 04b925c26b1fb3610ced0dfc22885c3cc3f18b23409754197a4a7081cf376354.exe | cmd.exe
PID 3060 wrote to memory of 2820 | 3060 | 04b925c26b1fb3610ced0dfc22885c3cc3f18b23409754197a4a7081cf376354.exe | cmd.exe
PID 3060 wrote to memory of 2820 | 3060 | 04b925c26b1fb3610ced0dfc22885c3cc3f18b23409754197a4a7081cf376354.exe | cmd.exe
PID 2820 wrote to memory of 2880 | 2820 | cmd.exe | PING.EXE
PID 2820 wrote to memory of 2880 | 2820 | cmd.exe | PING.EXE
PID 2820 wrote to memory of 2880 | 2820 | cmd.exe | PING.EXE
Processes

- C:\Users\Admin\AppData\Local\Temp\04b925c26b1fb3610ced0dfc22885c3cc3f18b23409754197a4a7081cf376354.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\04b925c26b1fb3610ced0dfc22885c3cc3f18b23409754197a4a7081cf376354.exe"
  PID: 3060
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4976
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\04b925c26b1fb3610ced0dfc22885c3cc3f18b23409754197a4a7081cf376354.exe"
    PID: 2820
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 2880
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4144
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3164
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 7314e0d7dee33f7cc41322a8e6dc6b1b
  SHA1: d2dcd959fa7e724a0e833e9bb9e9bb702e10e2f5
  SHA256: ace5d6073bbcef3c1a4a6a889f292cede65628ab80927b1e129c874ada4a6f87
  SHA512: f886077f45625161575729e92594f6f054b4d5dd8c392b905205b6351943d838216817ba489714b754ad60d7254ddf0150e8ac133bff81f2114629e1615037d4
- memory/3060-138-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/4144-135-0x000002C107820000-0x000002C107830000-memory.dmp
  Filesize: 64KB
- memory/4144-136-0x000002C107880000-0x000002C107890000-memory.dmp
  Filesize: 64KB
- memory/4144-137-0x000002C109F50000-0x000002C109F54000-memory.dmp
  Filesize: 16KB
- memory/4976-139-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB