Analysis

max time kernel: 159s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 11:43

Tasks
static1 (static task)
behavioral1 (behavioral task): sample 0398c785e04f311acbee7249a466b42197530b0f6108c79c5a2ed2750596dcde.exe, resource win7-en-20211208
behavioral2 (behavioral task): sample 0398c785e04f311acbee7249a466b42197530b0f6108c79c5a2ed2750596dcde.exe, resource win10v2004-en-20220113

The signatures, process tree and dumps below are from the Windows 10 run (behavioral2, win10v2004-en-20220113); the 10.0.19041 servicing-stack path in the process tree confirms the image.
General

Target: 0398c785e04f311acbee7249a466b42197530b0f6108c79c5a2ed2750596dcde.exe
Size: 150KB
MD5: ae7a46e3ae6f9a3396c3843bd52d726c
SHA1: 3cabbbd817c8a53c27011eb8538cd2f1bd22f848
SHA256: 0398c785e04f311acbee7249a466b42197530b0f6108c79c5a2ed2750596dcde
SHA512: 600a108effc7a7143a6bc99dcf7ef31be5b19c47da13c00bba7b0833e439c5a700208a21cf4a3a92acd16b058585c5b985cf199f6ee8fdf6a4d6816c12becf70
Malware Config
Signatures
Sakula Payload (2 IoCs)
YARA rule family_sakula matched the dropped file C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (both IoC entries refer to this one file).

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

Executes dropped EXE (1 IoC)
PID 760: MediaCenter.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
0398c785e04f311acbee7249a466b42197530b0f6108c79c5a2ed2750596dcde.exe: key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation

Adds Run key to start application (2 TTPs, 1 IoC)
0398c785e04f311acbee7249a466b42197530b0f6108c79c5a2ed2750596dcde.exe: set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
The WOW6432Node path is registry redirection: the sample runs as a 32-bit process on this x64 image (it spawns C:\Windows\SysWOW64\cmd.exe), so its write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lands under WOW6432Node, which is still an autostart location. The value points at the dropped Sakula payload, so the payload survives a reboot even though the dropper deletes itself.

Drops file in Windows directory (8 IoCs)
svchost.exe: file opened for modification C:\Windows\WindowsUpdate.log
svchost.exe: file opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
svchost.exe: file opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
svchost.exe: file opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
svchost.exe: file opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm
svchost.exe: file opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log
TiWorker.exe: file opened for modification C:\Windows\Logs\CBS\CBS.log
TiWorker.exe: file opened for modification C:\Windows\WinSxS\pending.xml
All eight entries come from the Windows Update service host (svchost.exe -s wuauserv, PID 440) and the servicing stack worker (TiWorker.exe, PID 2396), not from the sample or its children; this is background OS activity in the sandbox.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is the sandbox's generic description of the technique. No IoC is attached to it in this report, and the other signatures identify the sample as a Sakula/Mivast RAT dropper, so it should not be read as a ransomware classification.

Runs ping.exe (1 TTP, 1 IoC)
PING.EXE (PID 4420), launched by cmd.exe as a delay before the dropper is deleted (see the process tree below).

Suspicious use of AdjustPrivilegeToken (64 IoCs)
svchost.exe (PID 440): SeShutdownPrivilege and SeCreatePagefilePrivilege, three times each (6 entries).
TiWorker.exe (PID 2396): SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, enabled repeatedly in rotation (the remaining 58 entries).
All 64 entries belong to the Windows Update and servicing processes, not to the sample.

Suspicious use of WriteProcessMemory (9 IoCs)
PID 1204 (0398c785e04f311acbee7249a466b42197530b0f6108c79c5a2ed2750596dcde.exe) wrote to memory of PID 760 (MediaCenter.exe), 3 times
PID 1204 (0398c785e04f311acbee7249a466b42197530b0f6108c79c5a2ed2750596dcde.exe) wrote to memory of PID 4368 (cmd.exe), 3 times
PID 4368 (cmd.exe) wrote to memory of PID 4420 (PING.EXE), 3 times
Every target is the writer's own freshly created child, and three writes per spawned child is what this sandbox records for a normal CreateProcess. The report shows no writes into an unrelated process, so on its own this is not evidence of injection.
Processes

C:\Users\Admin\AppData\Local\Temp\0398c785e04f311acbee7249a466b42197530b0f6108c79c5a2ed2750596dcde.exe  (PID 1204)
  command line: "C:\Users\Admin\AppData\Local\Temp\0398c785e04f311acbee7249a466b42197530b0f6108c79c5a2ed2750596dcde.exe"
  signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 760)
  |     command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  |     signatures: Executes dropped EXE
  |
  +-- C:\Windows\SysWOW64\cmd.exe  (PID 4368)
        command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0398c785e04f311acbee7249a466b42197530b0f6108c79c5a2ed2750596dcde.exe"
        signatures: Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\SysWOW64\PING.EXE  (PID 4420)
              command line: ping 127.0.0.1
              signatures: Runs ping.exe

C:\Windows\system32\svchost.exe  (PID 440)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  (PID 2396)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

Reading the tree: the dropper (PID 1204) writes MediaCenter.exe into %LOCALAPPDATA%\Temp\MicroMedia, starts it (PID 760), registers it under the Run key, and then removes itself with "cmd /c ping 127.0.0.1 & del /q <dropper>". The ping is a delay so that the dropper has exited before del runs; deleting an executable whose process is still running fails. The command line names C:\Windows\System32\cmd.exe but the process image is C:\Windows\SysWOW64\cmd.exe, which is file system redirection for a 32-bit parent and matches the WOW6432Node Run key. The svchost.exe and TiWorker.exe trees are Windows Update and servicing activity that happened to run during the analysis window and are not children of the sample.
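The three sample-attributable behaviours above (a cmd.exe child that deletes its parent's image after a ping delay, a Run key value pointing into a user Temp directory, and a read of Geo\Nation) are the ones worth turning into detection logic. The following Python is an added example for this page, not part of the Triage report and not Hatching's signature code. The event records are constructed from the PIDs, command lines and registry IoCs shown above; the field names (pid, ppid, image, cmdline, op, key, value) are assumptions for the example, not a real export schema.

```python
"""Behavioural checks over a sandbox process tree and registry events.

Added example for this report, not Hatching Triage's own signature code.
The event records are constructed from the PIDs, command lines and registry
IoCs in the report; the field names (pid, ppid, image, cmdline, op, key,
value) are assumptions, not a real Triage export schema.
"""
import ntpath
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0398c785e04f311acbee7249a466b42197530b0f6108c79c5a2ed2750596dcde.exe")
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed from the report's process tree (PIDs and command lines as shown).
PROCESSES = [
    {"pid": 1204, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 760, "ppid": 1204, "image": PAYLOAD, "cmdline": PAYLOAD},
    {"pid": 4368, "ppid": 1204, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"pid": 4420, "ppid": 4368, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    {"pid": 440, "ppid": None, "image": r"C:\Windows\system32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"},
]

# Constructed from the report's registry IoCs.
REGISTRY_EVENTS = [
    {"pid": 1204, "op": "query", "value": None,
     "key": r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"pid": 1204, "op": "set", "value": PAYLOAD,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia"},
]

# "ping <host> & del [/switches] <path>": the ping only delays the delete.
SELF_DELETE_RE = re.compile(
    r'ping\s+(?:-n\s+\d+\s+)?\S+\s*&+\s*del\s+(?:/\w\s+)*"?(?P<target>[^"]+?)"?\s*$', re.I)
# Any Run key, including the WOW6432Node view a 32-bit process is redirected to.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Autostart targets under a user's Temp directory are a strong persistence signal.
USER_TEMP_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\(?:Local|Roaming)\\Temp\\", re.I)
GEO_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)


def find_self_deletion(processes):
    """Return (cmd_pid, parent_pid, path) for each cmd.exe that deletes its parent's own image."""
    by_pid = {p["pid"]: p for p in processes}
    hits = []
    for p in processes:
        if ntpath.basename(p["image"]).lower() != "cmd.exe":
            continue
        m = SELF_DELETE_RE.search(p["cmdline"])
        parent = by_pid.get(p["ppid"])
        if m and parent and ntpath.normcase(m["target"]) == ntpath.normcase(parent["image"]):
            hits.append((p["pid"], parent["pid"], m["target"]))
    return hits


def find_temp_run_keys(reg_events, processes):
    """Return (pid, key, target, executed) for Run-key values pointing into a user Temp directory.

    `executed` records whether a process with that image also ran in the trace,
    which ties the persistence entry to the executed dropped payload."""
    images = {ntpath.normcase(p["image"]) for p in processes}
    hits = []
    for e in reg_events:
        if e["op"] != "set" or not RUN_KEY_RE.search(e["key"]):
            continue
        target = (e["value"] or "").strip('"')
        if USER_TEMP_RE.match(target):
            hits.append((e["pid"], e["key"], target, ntpath.normcase(target) in images))
    return hits


def find_geofence_checks(reg_events):
    """Return (pid, key) for reads of the configured country code (Geo\\Nation)."""
    return [(e["pid"], e["key"]) for e in reg_events
            if e["op"] == "query" and GEO_RE.search(e["key"])]


def triage(processes, reg_events):
    """Collect the non-empty findings, keyed by behaviour name."""
    findings = {
        "self_deletion": find_self_deletion(processes),
        "temp_run_key": find_temp_run_keys(reg_events, processes),
        "geofence_query": find_geofence_checks(reg_events),
    }
    return {name: hits for name, hits in findings.items() if hits}


if __name__ == "__main__":
    for name, hits in triage(PROCESSES, REGISTRY_EVENTS).items():
        print(name)
        for hit in hits:
            print("   ", hit)
```

The self-deletion check deliberately requires the deleted path to equal the parent's image rather than matching any "ping & del" string, so a script cleaning up its own temp files does not trigger it; the Run-key check reports whether the persisted image was also executed, which is the combination seen here (PID 760 is the same MediaCenter.exe the Run value points at). Against the svchost.exe entry alone the checks return nothing, as expected for the background Windows Update activity.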
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (dropped Sakula payload, PID 760)
MD5: 710116d4d2bc40f8c654535eb04b9cd6
SHA1: 86dac6b4d15e9918d2f1e3f6570bcf6e10462976
SHA256: 0207f971f69181cd3b3f601deb8a20dde01d662e692c36575f2cd0658fa0dd23
SHA512: dc3304fb53bfc8d1615608243014e44ecefe7ff4fed952876c960dd2877d5b46e0b904717228b779ab43408274f5d57310db3310da742f233482ae88879be21d

memory/440-135-0x00000268F2B60000-0x00000268F2B70000-memory.dmp  (64KB)
memory/440-136-0x00000268F3120000-0x00000268F3130000-memory.dmp  (64KB)
memory/440-137-0x00000268F57B0000-0x00000268F57B4000-memory.dmp  (16KB)
The three memory dumps are from PID 440 (svchost.exe, Windows Update), not from the sample or MediaCenter.exe; the dropped payload's hashes above are the artefact worth pivoting on.