Analysis
- max time kernel: 171s
- max time network: 182s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 11:22
Static task: static1
Behavioral task: behavioral1
- Sample: 048c5f3f8b78f8529fa95575ccb0775e7170b2a9d14c4cf4e9005b94b375cf2b.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 048c5f3f8b78f8529fa95575ccb0775e7170b2a9d14c4cf4e9005b94b375cf2b.exe
- Resource: win10v2004-en-20220113
The signatures, process tree and dumps below are from the Windows 10 run (behavioral2: platform windows10-2004_x64, resource win10v2004-en-20220113); the win7 task's results are not on this page.
General
- Target: 048c5f3f8b78f8529fa95575ccb0775e7170b2a9d14c4cf4e9005b94b375cf2b.exe
- Size: 150KB
- MD5: f43f6771739037b758b90d4da4c86062
- SHA1: da4515da8bd48778fcc88773ea0408873b6337a9
- SHA256: 048c5f3f8b78f8529fa95575ccb0775e7170b2a9d14c4cf4e9005b94b375cf2b
- SHA512: 804c6632c01a87f3179885cf6caf606e9c6484723db3a38ab1dd0f610fa3359d46ae272d6fe591f2ccc9db47ddfa4bc7061cd528fabaeb1eb03996d544871757
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  4592 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 048c5f3f8b78f8529fa95575ccb0775e7170b2a9d14c4cf4e9005b94b375cf2b.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 048c5f3f8b78f8529fa95575ccb0775e7170b2a9d14c4cf4e9005b94b375cf2b.exe
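The two registry signatures above (the Geo\Nation lookup and the Run key pointing into %LOCALAPPDATA%\Temp) are the kind of thing worth turning into a repeatable check rather than eyeballing. The Python below is an added example, not part of the sandbox report or of any vendor tooling: it takes rows shaped like the report's own "description | ioc | process" columns, flags a Run/RunOnce value whose target sits in a user-writable directory, and flags a read of Control Panel\International\Geo\Nation. The first two rows are the report's; the two benign look-alikes (setup.exe, explorer.exe) are constructed so the rules have something to ignore. Note that the report prints REG_SZ data with doubled backslashes, which the check collapses before testing the path.

```python
"""Registry-behaviour triage for a sandbox report's registry rows.

Added example, not part of the report.  Rows mirror the report's
'description | ioc | process' columns: the first two are the report's own,
the last two are constructed benign look-alikes.
"""
import re

SAMPLE = "048c5f3f8b78f8529fa95575ccb0775e7170b2a9d14c4cf4e9005b94b375cf2b.exe"
USER_SID = "S-1-5-21-1346565761-3498240568-4147300184-1000"
HKU = r"\REGISTRY\USER" + "\\" + USER_SID  # per-user hive path as the report prints it

ROWS = [
    ("Key value queried",
     HKU + r"\Control Panel\International\Geo\Nation",
     SAMPLE),
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia'
     r' = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"',
     SAMPLE),
    # constructed benign look-alikes: an installer registering a Program Files
    # binary, and explorer.exe reading an unrelated International value
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive'
     r' = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"',
     "setup.exe"),
    ("Key value queried",
     HKU + r"\Control Panel\International\sLanguage",
     "explorer.exe"),
]

# Run or RunOnce value under either hive (WOW6432Node or not): capture name and data.
RUN_KEY = re.compile(
    r'\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\=]+?)\s*=\s*"?(?P<data>.*?)"?$',
    re.IGNORECASE,
)
# Directories a non-admin user can write to; an autostart target here is the
# persistence pattern the report shows (%LOCALAPPDATA%\Temp\MicroMedia).
USER_WRITABLE = re.compile(
    r'^[a-z]:\\(?:users\\[^\\]+\\appdata\\|users\\public\\|programdata\\|windows\\temp\\)',
    re.IGNORECASE,
)
GEO_NATION_SUFFIX = r"\control panel\international\geo\nation"


def unescape(data):
    """The report prints REG_SZ data with doubled backslashes; collapse them."""
    return data.replace("\\\\", "\\")


def hive(ioc):
    low = ioc.lower()
    if low.startswith(r"\registry\machine"):
        return "HKLM"
    if low.startswith(r"\registry\user"):
        return "HKU"
    return "unknown"


def triage(rows):
    """Return one finding per row that matches either behaviour, in row order."""
    findings = []
    for description, ioc, process in rows:
        if description == "Key value queried" and ioc.lower().endswith(GEO_NATION_SUFFIX):
            findings.append({"rule": "geofence_lookup", "process": process, "hive": hive(ioc)})
            continue
        m = RUN_KEY.search(ioc)
        if description.startswith("Set value") and m:
            target = unescape(m.group("data"))
            if USER_WRITABLE.match(target):
                findings.append({
                    "rule": "run_key_user_writable",
                    "process": process,
                    "hive": hive(ioc),
                    "wow6432": "\\wow6432node\\" in ioc.lower(),
                    "value_name": m.group("name"),
                    "target": target,
                })
    return findings


if __name__ == "__main__":
    for finding in triage(ROWS):
        print(finding)
```

The WOW6432Node flag is kept because it tells you the writer was a 32-bit process on a 64-bit host; a hunt over a fleet should query both HKLM\SOFTWARE\...\Run and the WOW6432Node mirror, or the entry is missed.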
- Drops file in Windows directory (8 IoCs)
  Processes (description | ioc | process):
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  All eight are Windows Update and servicing-stack files touched by svchost.exe (wuauserv) and TiWorker.exe, which appear as separate roots in the process tree below. None is attributed to the sample or to MediaCenter.exe; treat this signature as sandbox background noise.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  The "likely ransomware" wording is the sandbox's generic description for this signature, and no IoC is listed for it here; the YARA and Suricata hits above identify the sample as the Sakula/Mivast RAT, not ransomware.
- Runs ping.exe (1 TTP, 1 IoC)
  PING.EXE (PID 1520, "ping 127.0.0.1") spawned by cmd.exe (PID 4284); see the process tree below, where it serves as the delay before the dropper deletes itself.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (pid | process | tokens), condensed from the report's 64 rows:
  4648 | 048c5f3f8b78f8529fa95575ccb0775e7170b2a9d14c4cf4e9005b94b375cf2b.exe | SeIncBasePriorityPrivilege (1 entry)
  4452 | svchost.exe | SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating (3 entries each)
  3096 | TiWorker.exe | SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, cycling (all remaining entries)
  Only the single SeIncBasePriorityPrivilege entry belongs to the sample. The svchost.exe (wuauserv) and TiWorker.exe entries are the Windows Update and servicing stack enabling their usual backup/restore privileges and are unrelated to the sample.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (pid | process | target), each pair listed three times in the report:
  4648 | 048c5f3f8b78f8529fa95575ccb0775e7170b2a9d14c4cf4e9005b94b375cf2b.exe | wrote to memory of 4592 MediaCenter.exe
  4648 | 048c5f3f8b78f8529fa95575ccb0775e7170b2a9d14c4cf4e9005b94b375cf2b.exe | wrote to memory of 4284 cmd.exe
  4284 | cmd.exe | wrote to memory of 1520 PING.EXE
  In every case the target is a child the writer had just spawned; the report shows no write into an already-running process, so there is no evidence here of injection into another process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\048c5f3f8b78f8529fa95575ccb0775e7170b2a9d14c4cf4e9005b94b375cf2b.exe (PID 4648)
   Command line: "C:\Users\Admin\AppData\Local\Temp\048c5f3f8b78f8529fa95575ccb0775e7170b2a9d14c4cf4e9005b94b375cf2b.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 4592)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe (PID 4284)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\048c5f3f8b78f8529fa95575ccb0775e7170b2a9d14c4cf4e9005b94b375cf2b.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE (PID 1520)
         Command line: ping 127.0.0.1
         - Runs ping.exe
1. C:\Windows\system32\svchost.exe (PID 4452)
   Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 3096)
   Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken

Two things to read out of the tree. First, the dropper's last act is "ping 127.0.0.1 & del /q <its own path>": ping is the delay, del removes the submitted file, so on a real host the file at the original path will be gone and the persistent artefact is the Run-key copy at %LOCALAPPDATA%\Temp\MicroMedia\MediaCenter.exe (PID 4592, the process the family_sakula rule and the CnC beacon belong to). Second, the sample asked for C:\Windows\System32\cmd.exe but C:\Windows\SysWOW64\cmd.exe ran: WOW64 file-system redirection for a 32-bit process, which is also why its Run key landed under WOW6432Node. The svchost.exe (wuauserv) and TiWorker.exe roots are Windows Update activity in the sandbox with no link to the sample.
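The dropper's self-deletion is a parent/child correlation, so a single-event rule on "del" or on "ping 127.0.0.1" is noisy; the useful signal is a cmd.exe whose del target is its own parent's image path. The Python below is an added example, not part of the report and not any vendor's rule: it rebuilds the tree from process-creation events constructed from the PIDs, images and command lines in the report (field names pid/ppid/image/cmdline, and ppid=None for the level-1 roots, are assumptions), splits the cmd.exe command line into its "&"-chained commands, and flags the chain when a del/erase target equals the parent's image, recording whether a ping/timeout delay preceded it and which child actually ran the delay.

```python
"""Process-tree triage for the 'cmd.exe /c ping ... & del <parent>' self-delete chain.

Added example, not part of the report.  Events are constructed from the
report's process tree; field names and ppid=None for roots are assumptions.
"""
import re

SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\048c5f3f8b78f8529fa95575ccb0775e7170b2a9d14c4cf4e9005b94b375cf2b.exe")
DROPPED_PATH = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

EVENTS = [
    {"pid": 4648, "ppid": None, "image": SAMPLE_PATH, "cmdline": '"' + SAMPLE_PATH + '"'},
    {"pid": 4592, "ppid": 4648, "image": DROPPED_PATH, "cmdline": DROPPED_PATH},
    {"pid": 4284, "ppid": 4648, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE_PATH + '"'},
    {"pid": 1520, "ppid": 4284, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    # unrelated Windows Update activity the report shows as a separate root
    {"pid": 4452, "ppid": None, "image": r"C:\Windows\system32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"},
]

# A chained command that only exists to burn time before the delete.
DELAY = re.compile(r"^(?:ping|timeout)\b", re.IGNORECASE)
# del /q "path"  or  erase path ; switches are optional, quotes are optional.
DELETE = re.compile(r'^(?:del|erase)\b(?:\s+/[a-z]+)*\s+"?(?P<path>[^"]+?)"?\s*$', re.IGNORECASE)


def segments(cmdline):
    """Split 'cmd.exe /c a & b && c' into its chained commands (after the /c or /k)."""
    m = re.search(r"\s/[ck]\s+(.*)$", cmdline, re.IGNORECASE | re.DOTALL)
    body = m.group(1) if m else cmdline
    return [s.strip() for s in re.split(r"\s*&&?\s*", body) if s.strip()]


def lineage(events, pid):
    """Ancestor chain root..pid, following ppid links present in the events."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def find_self_delete(events):
    """Flag cmd.exe children whose del/erase target is the parent's own image."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        segs = segments(e["cmdline"])
        for seg in segs:
            m = DELETE.match(seg)
            if m and m.group("path").lower() == parent["image"].lower():
                findings.append({
                    "cmd_pid": e["pid"],
                    "parent_pid": parent["pid"],
                    "deleted": m.group("path"),
                    "delayed": any(DELAY.match(s) for s in segs),
                    # ping/timeout processes actually spawned under this cmd.exe
                    "delay_children": [c["pid"] for c in events if c["ppid"] == e["pid"]
                                       and c["image"].lower().endswith(("\\ping.exe", "\\timeout.exe"))],
                    "lineage": lineage(events, e["pid"]),
                })
    return findings


if __name__ == "__main__":
    for finding in find_self_delete(EVENTS):
        print(finding)
```

Matching on the parent's image rather than on "del" alone is what keeps the rule quiet: uninstallers and update scripts delete files all day, but a cmd.exe deleting the very binary that launched it is almost always a dropper cleaning up. The delay_children field is there so an analyst can confirm the chain actually executed (the report's PID 1520) rather than being parsed from a command line that never ran.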
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 410359bfdd6b973774e9db202d2ea50e
  SHA1: 9e638c0b47c1144f8953c61a8170fff385973107
  SHA256: 30b4a149c51f0c187175cde53aed4aff5ff8866311d1af95dc9cd03d0ffcc152
  SHA512: 86bbc3367f9b2cd0cfc7c4eb095935e647b99574ccb2b62bd2c0f3d6d687ee92338524f821d124008b2e8c095bb157939b92e787c2c31d3bec313acb8c355976
  These hashes differ from the submitted file's, so the dropped MediaCenter.exe is a distinct binary rather than a copy of the dropper; it is the file the family_sakula YARA rule matched and the one to hunt for on disk and in the Run key. (The report lists this entry twice; the duplicate is omitted here.)
-
memory/4452-135-0x000001C9F3D60000-0x000001C9F3D70000-memory.dmpFilesize
64KB
-
memory/4452-136-0x000001C9F4320000-0x000001C9F4330000-memory.dmpFilesize
64KB
-
memory/4452-137-0x000001C9F69E0000-0x000001C9F69E4000-memory.dmpFilesize
16KB