Analysis
- Max time kernel: 143s
- Max time network: 173s
- Platform: windows10-2004_x64
- Resource: win10v2004-en-20220113
- Submitted: 12-02-2022 11:29
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 044586bb186baf861cfd02a5710ab476ee5b53741c5da96a2d7bdb3606b3696d.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 044586bb186baf861cfd02a5710ab476ee5b53741c5da96a2d7bdb3606b3696d.exe
  Resource: win10v2004-en-20220113
General
- Target: 044586bb186baf861cfd02a5710ab476ee5b53741c5da96a2d7bdb3606b3696d.exe
- Size: 176KB
- MD5: eb50f48549d066e6931d801fe61a8d3a
- SHA1: dfe3803a529091d392ecaaf3a372cb74b7cb881f
- SHA256: 044586bb186baf861cfd02a5710ab476ee5b53741c5da96a2d7bdb3606b3696d
- SHA512: e484ef727e59f67b802b49c1d2de6c1746dd7073b50eabd70164d14e558426b7666f6870124c7bfddeb6fadc81321a0762a5f4ff693af25a77e68f4e87a0282e
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes (resource: yara_rule):
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  behavioral2/memory/2468-132-0x0000000000400000-0x0000000000420000-memory.dmp: family_sakula
  behavioral2/memory/5000-136-0x0000000000400000-0x0000000000420000-memory.dmp: family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes (pid: process):
  5000: MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (description, ioc, process):
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation, by 044586bb186baf861cfd02a5710ab476ee5b53741c5da96a2d7bdb3606b3696d.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe", by 044586bb186baf861cfd02a5710ab476ee5b53741c5da96a2d7bdb3606b3696d.exe
- Drops file in Windows directory (8 IoCs)
  Processes (description, ioc, process):
  File opened for modification: C:\Windows\Logs\CBS\CBS.log, by TiWorker.exe
  File opened for modification: C:\Windows\WinSxS\pending.xml, by TiWorker.exe
  File opened for modification: C:\Windows\WindowsUpdate.log, by svchost.exe
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk, by svchost.exe
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log, by svchost.exe
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb, by svchost.exe
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm, by svchost.exe
  File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log, by svchost.exe
  None of these writes come from the sample or its child processes: TiWorker.exe and svchost.exe (-s wuauserv, see the process tree) are the Windows Update servicing stack running in the background of the sandbox.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour"; no process is listed for it here, and the Suricata and YARA hits above classify the sample as the Sakula/Mivast RAT, not ransomware.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (process, pid, tokens):
  044586bb186baf861cfd02a5710ab476ee5b53741c5da96a2d7bdb3606b3696d.exe (PID 2468): SeIncBasePriorityPrivilege
  svchost.exe (PID 540): SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating, three times each
  TiWorker.exe (PID 4544): SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, cycling repeatedly for all remaining entries
  Only the first entry is attributable to the sample; the svchost.exe (wuauserv) and TiWorker.exe entries are Windows Update servicing activity unrelated to it.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
  PID 2468 wrote to memory of 5000: 044586bb186baf861cfd02a5710ab476ee5b53741c5da96a2d7bdb3606b3696d.exe to MediaCenter.exe (3 entries)
  PID 2468 wrote to memory of 736: 044586bb186baf861cfd02a5710ab476ee5b53741c5da96a2d7bdb3606b3696d.exe to cmd.exe (3 entries)
  PID 736 wrote to memory of 4464: cmd.exe to PING.EXE (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\044586bb186baf861cfd02a5710ab476ee5b53741c5da96a2d7bdb3606b3696d.exe (PID 2468)
  Command line: "C:\Users\Admin\AppData\Local\Temp\044586bb186baf861cfd02a5710ab476ee5b53741c5da96a2d7bdb3606b3696d.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 5000)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 736)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\044586bb186baf861cfd02a5710ab476ee5b53741c5da96a2d7bdb3606b3696d.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 4464)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 540)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 4544)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
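The sample's own tree above shows three behaviours worth turning into detections: a dropped executable launched from the user's Temp directory, a Run key that points back into that Temp directory, and the classic "cmd /c ping 127.0.0.1 & del" idiom that deletes the original binary after a one-second delay. Two details of the tree matter for hunting. The sample is 32-bit running on x64 Windows, so the Run key landed under WOW6432Node and cmd.exe was actually loaded from SysWOW64 even though the command line names System32; a query of the unredirected 64-bit Run key alone would miss the persistence. The following script is an added example, not part of the sandbox report or of the Sakula sample. It runs the three checks over constructed process-creation and registry events modelled on the behavioral2 tree; the PIDs, paths and Run key are copied from the report, while the event field names and the sample's parent PID (1234) are assumptions.

```python
"""Triage a process tree for the Sakula-style behaviours seen in this report.

Added example. Event field names are an assumption, not any product's schema.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event:
    """One endpoint telemetry record."""
    kind: str            # "process" (process creation) or "registry" (value set)
    pid: int = 0
    ppid: int = 0
    image: str = ""      # full image path of the created process
    cmdline: str = ""
    key: str = ""        # registry key path (registry events only)
    data: str = ""       # registry value data (registry events only)


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\044586bb186baf861cfd02a5710ab476ee5b53741c5da96a2d7bdb3606b3696d.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events mirroring the behavioral2 tree. PIDs, paths and the Run
# key come from the report; the sample's parent PID (1234) is invented.
EVENTS: List[Event] = [
    Event("process", pid=2468, ppid=1234, image=SAMPLE, cmdline=f'"{SAMPLE}"'),
    Event("registry", pid=2468,
          key=r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
              r"\CurrentVersion\Run\MicroMedia",
          data=DROPPED),
    Event("process", pid=5000, ppid=2468, image=DROPPED, cmdline=DROPPED),
    Event("process", pid=736, ppid=2468, image=r"C:\Windows\SysWOW64\cmd.exe",
          cmdline=f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    Event("process", pid=4464, ppid=736, image=r"C:\Windows\SysWOW64\PING.EXE",
          cmdline="ping 127.0.0.1"),
    # Benign background noise that also appeared in the report.
    Event("process", pid=540, ppid=1, image=r"C:\Windows\system32\svchost.exe",
          cmdline="svchost.exe -k netsvcs -p -s wuauserv"),
]

# "ping <host> ... & del [/switches] <file.exe>": delay, then delete.
PING_DEL = re.compile(r'ping\s+\S+.*?&\s*del\s+(?:/\w\s+)*"?([^"&]+?\.exe)"?', re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def _by_pid(events: List[Event]) -> Dict[int, Event]:
    return {e.pid: e for e in events if e.kind == "process"}


def find_self_deletion(events: List[Event]) -> List[Dict]:
    """Flag cmd.exe children whose 'ping & del' target is the parent's own image."""
    procs = _by_pid(events)
    hits = []
    for e in events:
        if e.kind != "process" or "cmd.exe" not in e.image.lower():
            continue
        m = PING_DEL.search(e.cmdline)
        if not m:
            continue
        parent = procs.get(e.ppid)
        target = m.group(1)
        hits.append({
            "pid": e.pid,
            "parent_pid": e.ppid,
            "deleted": target,
            "self_delete": parent is not None and parent.image.lower() == target.lower(),
        })
    return hits


def find_temp_run_persistence(events: List[Event]) -> List[Dict]:
    """Flag Run-key values whose data points into the user's Temp directory."""
    hits = []
    for e in events:
        if e.kind != "registry" or not RUN_KEY.search(e.key) or not USER_TEMP.search(e.data):
            continue
        hits.append({
            "pid": e.pid,
            "key": e.key,
            "data": e.data,
            # WOW6432Node means a 32-bit writer on 64-bit Windows; a 64-bit
            # query of the unredirected Run key does not see this value.
            "wow64_redirected": "wow6432node" in e.key.lower(),
        })
    return hits


def find_temp_dropped_exec(events: List[Event]) -> List[int]:
    """PIDs of processes run from Temp whose parent also runs from Temp."""
    procs = _by_pid(events)
    return [e.pid for e in events
            if e.kind == "process" and USER_TEMP.search(e.image)
            and e.ppid in procs and USER_TEMP.search(procs[e.ppid].image)]


def triage(events: List[Event]) -> Dict:
    return {"self_deletion": find_self_deletion(events),
            "temp_run_persistence": find_temp_run_persistence(events),
            "temp_dropped_exec": find_temp_dropped_exec(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(EVENTS), indent=2))
```

The self-deletion check deliberately resolves the deleted path against the parent's image rather than matching the string "ping 127.0.0.1" alone: installers use the same delay idiom to remove their own temporary files, and tying the deleted file to the spawning process is what separates the two. On a live host the equivalent of the Run-key check is to enumerate both HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and its WOW6432Node twin, or to use a tool such as Autoruns that already does.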
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: f4c9edcca5e005eff180050ff1048550
  SHA1: c9cde7fffab752f724ba5dca85b45547d47c0408
  SHA256: 2db980c8649053127f8187aa38dd9d146d18922e0471b167e38d081811f8f3c9
  SHA512: 3fdd2bd7fb7a2b030285c7282587e4fb6e04d8bb0ba9098ebd6fd20912d07059f6b885c79df862a630c34c81869b019373d33066915b9ca0be031a9ba36d8515
- memory/540-133-0x0000016747990000-0x00000167479A0000-memory.dmp (filesize 64KB)
- memory/540-134-0x0000016748020000-0x0000016748030000-memory.dmp (filesize 64KB)
- memory/540-135-0x000001674A710000-0x000001674A714000-memory.dmp (filesize 16KB)
- memory/2468-132-0x0000000000400000-0x0000000000420000-memory.dmp (filesize 128KB)
- memory/5000-136-0x0000000000400000-0x0000000000420000-memory.dmp (filesize 128KB)