Analysis
-
max time kernel
137s -
max time network
166s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 12:20
Static task
static1
Behavioral task
behavioral1
Sample
01d187ee2ff476f6012d1d2282b1add255ee925816f1c8aa45e3fd5d4b937804.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
01d187ee2ff476f6012d1d2282b1add255ee925816f1c8aa45e3fd5d4b937804.exe
Resource
win10v2004-en-20220113
General
-
Target
01d187ee2ff476f6012d1d2282b1add255ee925816f1c8aa45e3fd5d4b937804.exe
-
Size
150KB
-
MD5
d01cddec757b037d8709b5a489b1f070
-
SHA1
f9ff9e4caaaf05f9dc4c8eb9bc2082e717a4dce3
-
SHA256
01d187ee2ff476f6012d1d2282b1add255ee925816f1c8aa45e3fd5d4b937804
-
SHA512
52c6b4110833ccbc300cec69fd2d26e17583e3fefee68816998b6a30dd0643c71b7b24a774a42d2e4e991aaae7f5fc0f91511648aa7538d46e37dcaa40dde232
Malware Config
Signatures
-
Sakula Payload 2 IoCs
resource yara_rule behavioral2/files/0x000500000001e7cf-130.dat family_sakula behavioral2/files/0x000500000001e7cf-131.dat family_sakula -
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
pid Process 2700 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 01d187ee2ff476f6012d1d2282b1add255ee925816f1c8aa45e3fd5d4b937804.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 01d187ee2ff476f6012d1d2282b1add255ee925816f1c8aa45e3fd5d4b937804.exe -
Drops file in Windows directory 8 IoCs
description ioc Process File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
pid Process 3596 PING.EXE -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 1940 01d187ee2ff476f6012d1d2282b1add255ee925816f1c8aa45e3fd5d4b937804.exe Token: SeShutdownPrivilege 2484 svchost.exe Token: SeCreatePagefilePrivilege 2484 svchost.exe Token: SeShutdownPrivilege 2484 svchost.exe Token: SeCreatePagefilePrivilege 2484 svchost.exe Token: SeShutdownPrivilege 2484 svchost.exe Token: SeCreatePagefilePrivilege 2484 svchost.exe Token: SeSecurityPrivilege 3372 TiWorker.exe Token: SeRestorePrivilege 3372 TiWorker.exe Token: SeBackupPrivilege 3372 TiWorker.exe Token: SeBackupPrivilege 3372 TiWorker.exe Token: SeRestorePrivilege 3372 TiWorker.exe Token: SeSecurityPrivilege 3372 TiWorker.exe Token: SeBackupPrivilege 3372 TiWorker.exe Token: SeRestorePrivilege 3372 TiWorker.exe Token: SeSecurityPrivilege 3372 TiWorker.exe Token: SeBackupPrivilege 3372 TiWorker.exe Token: SeRestorePrivilege 3372 TiWorker.exe Token: SeSecurityPrivilege 3372 TiWorker.exe Token: SeBackupPrivilege 3372 TiWorker.exe Token: SeRestorePrivilege 3372 TiWorker.exe Token: SeSecurityPrivilege 3372 TiWorker.exe Token: SeBackupPrivilege 3372 TiWorker.exe Token: SeRestorePrivilege 3372 TiWorker.exe Token: SeSecurityPrivilege 3372 TiWorker.exe Token: SeBackupPrivilege 3372 TiWorker.exe Token: SeRestorePrivilege 3372 TiWorker.exe Token: SeSecurityPrivilege 3372 TiWorker.exe Token: SeBackupPrivilege 3372 TiWorker.exe Token: SeRestorePrivilege 3372 TiWorker.exe Token: SeSecurityPrivilege 3372 TiWorker.exe Token: SeBackupPrivilege 3372 TiWorker.exe Token: SeRestorePrivilege 3372 TiWorker.exe Token: SeSecurityPrivilege 3372 TiWorker.exe Token: SeBackupPrivilege 3372 TiWorker.exe Token: SeRestorePrivilege 3372 TiWorker.exe Token: SeSecurityPrivilege 3372 TiWorker.exe Token: SeBackupPrivilege 3372 TiWorker.exe Token: SeRestorePrivilege 3372 TiWorker.exe Token: SeSecurityPrivilege 3372 TiWorker.exe Token: SeBackupPrivilege 3372 TiWorker.exe Token: SeRestorePrivilege 3372 TiWorker.exe Token: SeSecurityPrivilege 3372 TiWorker.exe Token: SeBackupPrivilege 3372 TiWorker.exe Token: SeRestorePrivilege 3372 TiWorker.exe Token: SeSecurityPrivilege 3372 TiWorker.exe Token: SeBackupPrivilege 3372 TiWorker.exe Token: SeRestorePrivilege 3372 TiWorker.exe Token: SeSecurityPrivilege 3372 TiWorker.exe Token: SeBackupPrivilege 3372 TiWorker.exe Token: SeRestorePrivilege 3372 TiWorker.exe Token: SeSecurityPrivilege 3372 TiWorker.exe Token: SeBackupPrivilege 3372 TiWorker.exe Token: SeRestorePrivilege 3372 TiWorker.exe Token: SeSecurityPrivilege 3372 TiWorker.exe Token: SeBackupPrivilege 3372 TiWorker.exe Token: SeRestorePrivilege 3372 TiWorker.exe Token: SeSecurityPrivilege 3372 TiWorker.exe Token: SeBackupPrivilege 3372 TiWorker.exe Token: SeRestorePrivilege 3372 TiWorker.exe Token: SeSecurityPrivilege 3372 TiWorker.exe Token: SeBackupPrivilege 3372 TiWorker.exe Token: SeRestorePrivilege 3372 TiWorker.exe Token: SeSecurityPrivilege 3372 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1940 wrote to memory of 2700 1940 01d187ee2ff476f6012d1d2282b1add255ee925816f1c8aa45e3fd5d4b937804.exe 81 PID 1940 wrote to memory of 2700 1940 01d187ee2ff476f6012d1d2282b1add255ee925816f1c8aa45e3fd5d4b937804.exe 81 PID 1940 wrote to memory of 2700 1940 01d187ee2ff476f6012d1d2282b1add255ee925816f1c8aa45e3fd5d4b937804.exe 81 PID 1940 wrote to memory of 2884 1940 01d187ee2ff476f6012d1d2282b1add255ee925816f1c8aa45e3fd5d4b937804.exe 89 PID 1940 wrote to memory of 2884 1940 01d187ee2ff476f6012d1d2282b1add255ee925816f1c8aa45e3fd5d4b937804.exe 89 PID 1940 wrote to memory of 2884 1940 01d187ee2ff476f6012d1d2282b1add255ee925816f1c8aa45e3fd5d4b937804.exe 89 PID 2884 wrote to memory of 3596 2884 cmd.exe 91 PID 2884 wrote to memory of 3596 2884 cmd.exe 91 PID 2884 wrote to memory of 3596 2884 cmd.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\01d187ee2ff476f6012d1d2282b1add255ee925816f1c8aa45e3fd5d4b937804.exe"C:\Users\Admin\AppData\Local\Temp\01d187ee2ff476f6012d1d2282b1add255ee925816f1c8aa45e3fd5d4b937804.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:2700
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\01d187ee2ff476f6012d1d2282b1add255ee925816f1c8aa45e3fd5d4b937804.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:3596
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2484
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3372