Analysis
- max time kernel: 150s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 02:51
Static task: static1
Behavioral task: behavioral1
- Sample: 1948b8cc0e1695e48898cc50ee35f4c833efd9b4c0f044f749eb9681317b12b8.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1948b8cc0e1695e48898cc50ee35f4c833efd9b4c0f044f749eb9681317b12b8.exe
- Resource: win10v2004-en-20220113
General
- Target: 1948b8cc0e1695e48898cc50ee35f4c833efd9b4c0f044f749eb9681317b12b8.exe
- Size: 108KB
- MD5: 83c6de77e1428309ccbe44c4d12d52a0
- SHA1: ddecfd3a87e03efebf70fee9d66d17df9997a6aa
- SHA256: 1948b8cc0e1695e48898cc50ee35f4c833efd9b4c0f044f749eb9681317b12b8
- SHA512: d73d07d674c5b7b46f3fef7c2e0f3b4d74d9a797609c7349a0da07121f6c83374bb5f30e91eaf565e949787bb51a63c8ae8291fad6594a7689b65454b6e1f948
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
- resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
- resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
-
Executes dropped EXE 1 IoCs
Processes: MediaCenter.exe
- pid: 1392, process: MediaCenter.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 1948b8cc0e1695e48898cc50ee35f4c833efd9b4c0f044f749eb9681317b12b8.exe
- description: Key value queried, ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation, process: 1948b8cc0e1695e48898cc50ee35f4c833efd9b4c0f044f749eb9681317b12b8.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 1948b8cc0e1695e48898cc50ee35f4c833efd9b4c0f044f749eb9681317b12b8.exe
- description: Set value (str), ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe", process: 1948b8cc0e1695e48898cc50ee35f4c833efd9b4c0f044f749eb9681317b12b8.exe
-
Drops file in Windows directory 8 IoCs
Processes: svchost.exe, TiWorker.exe
- description: File opened for modification, ioc: C:\Windows\WindowsUpdate.log, process: svchost.exe
- description: File opened for modification, ioc: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk, process: svchost.exe
- description: File opened for modification, ioc: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log, process: svchost.exe
- description: File opened for modification, ioc: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb, process: svchost.exe
- description: File opened for modification, ioc: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm, process: svchost.exe
- description: File opened for modification, ioc: C:\Windows\SoftwareDistribution\ReportingEvents.log, process: svchost.exe
- description: File opened for modification, ioc: C:\Windows\Logs\CBS\CBS.log, process: TiWorker.exe
- description: File opened for modification, ioc: C:\Windows\WinSxS\pending.xml, process: TiWorker.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes: 1948b8cc0e1695e48898cc50ee35f4c833efd9b4c0f044f749eb9681317b12b8.exe, cmd.exe
- description: PID 5028 wrote to memory of 1392, pid: 5028, process: 1948b8cc0e1695e48898cc50ee35f4c833efd9b4c0f044f749eb9681317b12b8.exe, target process: MediaCenter.exe
- description: PID 5028 wrote to memory of 1392, pid: 5028, process: 1948b8cc0e1695e48898cc50ee35f4c833efd9b4c0f044f749eb9681317b12b8.exe, target process: MediaCenter.exe
- description: PID 5028 wrote to memory of 1392, pid: 5028, process: 1948b8cc0e1695e48898cc50ee35f4c833efd9b4c0f044f749eb9681317b12b8.exe, target process: MediaCenter.exe
- description: PID 5028 wrote to memory of 4288, pid: 5028, process: 1948b8cc0e1695e48898cc50ee35f4c833efd9b4c0f044f749eb9681317b12b8.exe, target process: cmd.exe
- description: PID 5028 wrote to memory of 4288, pid: 5028, process: 1948b8cc0e1695e48898cc50ee35f4c833efd9b4c0f044f749eb9681317b12b8.exe, target process: cmd.exe
- description: PID 5028 wrote to memory of 4288, pid: 5028, process: 1948b8cc0e1695e48898cc50ee35f4c833efd9b4c0f044f749eb9681317b12b8.exe, target process: cmd.exe
- description: PID 4288 wrote to memory of 628, pid: 4288, process: cmd.exe, target process: PING.EXE
- description: PID 4288 wrote to memory of 628, pid: 4288, process: cmd.exe, target process: PING.EXE
- description: PID 4288 wrote to memory of 628, pid: 4288, process: cmd.exe, target process: PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1948b8cc0e1695e48898cc50ee35f4c833efd9b4c0f044f749eb9681317b12b8.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1948b8cc0e1695e48898cc50ee35f4c833efd9b4c0f044f749eb9681317b12b8.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 5028
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1392
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1948b8cc0e1695e48898cc50ee35f4c833efd9b4c0f044f749eb9681317b12b8.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4288
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 628
- C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2152
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (level 1)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3108
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 867dbe9788e42f9d222b4d4e3e2766a9
- SHA1: 91c6b0c2e331219294e39f0ef7ff810efe3a1047
- SHA256: 83adeac7eb6b208b14cae9eb83ea4111abcbddd9fdd461d8856a10db8a5a0d12
- SHA512: 3c8a13539157c03f5706e64de9eb0856b982aca5dcf2545fec12bc6d475520f363c2b2c1d80daa5ad077526add824ded590f225370d75d8de2eddfb8776766ea