Analysis
-
max time kernel
152s -
max time network
168s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 12:18
Static task
static1
Behavioral task
behavioral1
Sample
01eb8f0fac9fd0468af410a465e33efaca495f987e560b8b37bc8db708ec0a1f.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
01eb8f0fac9fd0468af410a465e33efaca495f987e560b8b37bc8db708ec0a1f.exe
Resource
win10v2004-en-20220113
General
-
Target
01eb8f0fac9fd0468af410a465e33efaca495f987e560b8b37bc8db708ec0a1f.exe
-
Size
150KB
-
MD5
5efa57299ac5c142337015e90faf1bf4
-
SHA1
912667d20a3025e2dc88e39dfc5dd5659d9bca0c
-
SHA256
01eb8f0fac9fd0468af410a465e33efaca495f987e560b8b37bc8db708ec0a1f
-
SHA512
3cf85389d4c4f7ef5a1fb175ace58e187fb3ede71dda113618042e0a21e439590640cd33ba15e60841f7ce206a50bab15614478dc98aedceeaf5c0746bebe9dc
Malware Config
Signatures
-
Sakula Payload 2 IoCs
resource yara_rule behavioral2/files/0x000500000001e79d-130.dat family_sakula behavioral2/files/0x000500000001e79d-131.dat family_sakula -
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
pid Process 1996 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 01eb8f0fac9fd0468af410a465e33efaca495f987e560b8b37bc8db708ec0a1f.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 01eb8f0fac9fd0468af410a465e33efaca495f987e560b8b37bc8db708ec0a1f.exe -
Drops file in Windows directory 8 IoCs
description ioc Process File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4108 PING.EXE -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 1900 svchost.exe Token: SeCreatePagefilePrivilege 1900 svchost.exe Token: SeShutdownPrivilege 1900 svchost.exe Token: SeCreatePagefilePrivilege 1900 svchost.exe Token: SeShutdownPrivilege 1900 svchost.exe Token: SeCreatePagefilePrivilege 1900 svchost.exe Token: SeSecurityPrivilege 4528 TiWorker.exe Token: SeRestorePrivilege 4528 TiWorker.exe Token: SeBackupPrivilege 4528 TiWorker.exe Token: SeIncBasePriorityPrivilege 4676 01eb8f0fac9fd0468af410a465e33efaca495f987e560b8b37bc8db708ec0a1f.exe Token: SeBackupPrivilege 4528 TiWorker.exe Token: SeRestorePrivilege 4528 TiWorker.exe Token: SeSecurityPrivilege 4528 TiWorker.exe Token: SeBackupPrivilege 4528 TiWorker.exe Token: SeRestorePrivilege 4528 TiWorker.exe Token: SeSecurityPrivilege 4528 TiWorker.exe Token: SeBackupPrivilege 4528 TiWorker.exe Token: SeRestorePrivilege 4528 TiWorker.exe Token: SeSecurityPrivilege 4528 TiWorker.exe Token: SeBackupPrivilege 4528 TiWorker.exe Token: SeRestorePrivilege 4528 TiWorker.exe Token: SeSecurityPrivilege 4528 TiWorker.exe Token: SeBackupPrivilege 4528 TiWorker.exe Token: SeRestorePrivilege 4528 TiWorker.exe Token: SeSecurityPrivilege 4528 TiWorker.exe Token: SeBackupPrivilege 4528 TiWorker.exe Token: SeRestorePrivilege 4528 TiWorker.exe Token: SeSecurityPrivilege 4528 TiWorker.exe Token: SeBackupPrivilege 4528 TiWorker.exe Token: SeRestorePrivilege 4528 TiWorker.exe Token: SeSecurityPrivilege 4528 TiWorker.exe Token: SeBackupPrivilege 4528 TiWorker.exe Token: SeRestorePrivilege 4528 TiWorker.exe Token: SeSecurityPrivilege 4528 TiWorker.exe Token: SeBackupPrivilege 4528 TiWorker.exe Token: SeRestorePrivilege 4528 TiWorker.exe Token: SeSecurityPrivilege 4528 TiWorker.exe Token: SeBackupPrivilege 4528 TiWorker.exe Token: SeRestorePrivilege 4528 TiWorker.exe Token: SeSecurityPrivilege 4528 TiWorker.exe Token: SeBackupPrivilege 4528 TiWorker.exe Token: SeRestorePrivilege 4528 TiWorker.exe Token: SeSecurityPrivilege 4528 TiWorker.exe Token: SeBackupPrivilege 4528 TiWorker.exe Token: SeRestorePrivilege 4528 TiWorker.exe Token: SeSecurityPrivilege 4528 TiWorker.exe Token: SeBackupPrivilege 4528 TiWorker.exe Token: SeRestorePrivilege 4528 TiWorker.exe Token: SeSecurityPrivilege 4528 TiWorker.exe Token: SeBackupPrivilege 4528 TiWorker.exe Token: SeRestorePrivilege 4528 TiWorker.exe Token: SeSecurityPrivilege 4528 TiWorker.exe Token: SeBackupPrivilege 4528 TiWorker.exe Token: SeRestorePrivilege 4528 TiWorker.exe Token: SeSecurityPrivilege 4528 TiWorker.exe Token: SeBackupPrivilege 4528 TiWorker.exe Token: SeRestorePrivilege 4528 TiWorker.exe Token: SeSecurityPrivilege 4528 TiWorker.exe Token: SeBackupPrivilege 4528 TiWorker.exe Token: SeRestorePrivilege 4528 TiWorker.exe Token: SeSecurityPrivilege 4528 TiWorker.exe Token: SeBackupPrivilege 4528 TiWorker.exe Token: SeRestorePrivilege 4528 TiWorker.exe Token: SeSecurityPrivilege 4528 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 4676 wrote to memory of 1996 4676 01eb8f0fac9fd0468af410a465e33efaca495f987e560b8b37bc8db708ec0a1f.exe 82 PID 4676 wrote to memory of 1996 4676 01eb8f0fac9fd0468af410a465e33efaca495f987e560b8b37bc8db708ec0a1f.exe 82 PID 4676 wrote to memory of 1996 4676 01eb8f0fac9fd0468af410a465e33efaca495f987e560b8b37bc8db708ec0a1f.exe 82 PID 4676 wrote to memory of 788 4676 01eb8f0fac9fd0468af410a465e33efaca495f987e560b8b37bc8db708ec0a1f.exe 101 PID 4676 wrote to memory of 788 4676 01eb8f0fac9fd0468af410a465e33efaca495f987e560b8b37bc8db708ec0a1f.exe 101 PID 4676 wrote to memory of 788 4676 01eb8f0fac9fd0468af410a465e33efaca495f987e560b8b37bc8db708ec0a1f.exe 101 PID 788 wrote to memory of 4108 788 cmd.exe 103 PID 788 wrote to memory of 4108 788 cmd.exe 103 PID 788 wrote to memory of 4108 788 cmd.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\01eb8f0fac9fd0468af410a465e33efaca495f987e560b8b37bc8db708ec0a1f.exe"C:\Users\Admin\AppData\Local\Temp\01eb8f0fac9fd0468af410a465e33efaca495f987e560b8b37bc8db708ec0a1f.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1996
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\01eb8f0fac9fd0468af410a465e33efaca495f987e560b8b37bc8db708ec0a1f.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:788 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:4108
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1900
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4528