Analysis
- max time kernel: 139s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 02:56
- Static task: static1
- Behavioral task behavioral1: sample 1900d9dd06550dbc660352dd3b612fffc0b8e416ac6ff6efb8e63290e11bddf6.exe, resource win7-en-20211208
- Behavioral task behavioral2: sample 1900d9dd06550dbc660352dd3b612fffc0b8e416ac6ff6efb8e63290e11bddf6.exe, resource win10v2004-en-20220113 (the run whose platform and resource appear in the header above, and whose results follow)
General
- Target: 1900d9dd06550dbc660352dd3b612fffc0b8e416ac6ff6efb8e63290e11bddf6.exe
- Size: 92KB
- MD5: 028ffb4533db82668a3e530e66c1a47e
- SHA1: 54f3136238f97437819073c6222f8784a5b51d2c
- SHA256: 1900d9dd06550dbc660352dd3b612fffc0b8e416ac6ff6efb8e63290e11bddf6
- SHA512: 1dc871238680f891ad4d0208fb87d3309b3f0489e5dce23b56013973470e4e0fa4e7c34aa1f29f3a55b39e461c3419dfa80ddd632b1d73d3c24ac1b7449096ba
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
  The family rule matches the dropped MediaCenter.exe (listed twice), not the submitted executable itself.
- Executes dropped EXE (1 IoC)
  pid 4288, process MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (process: 1900d9dd06550dbc660352dd3b612fffc0b8e416ac6ff6efb8e63290e11bddf6.exe)
  HKCU\Control Panel\International\Geo\Nation holds the user's configured location as a numeric GeoID, so the sample can decide whether to proceed based on the machine's country without any network activity.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (process: 1900d9dd06550dbc660352dd3b612fffc0b8e416ac6ff6efb8e63290e11bddf6.exe)
  The WOW6432Node path is the redirected view of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run that a 32-bit process gets on 64-bit Windows (the sample's cmd.exe child likewise runs from SysWOW64); values there are still started at logon. The autostart target is the dropped MediaCenter.exe in the user's Temp directory, and a successful HKLM write means the sample ran with administrative rights in the sandbox (user "Admin").
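The two registry IoCs above (the Geo\Nation query and the Run-key write) are the sample's own behaviour, and both are easy to pick out of registry telemetry once the native key names are normalised. The following is an added example, not code from the sandbox or from the report: it maps the \REGISTRY\USER\<SID> and \REGISTRY\MACHINE prefixes to HKCU/HKLM, folds the WOW6432Node redirection so 32-bit and 64-bit writers land on the same Run key, and flags an autostart whose target sits in a user-writable directory. The event layout (process, operation, key, data), the function names and the benign control event are my own assumptions; the two malicious events are constructed from the report's IoC rows.

```python
"""Added example (not part of the sandbox report): classify registry events
for the two behaviours the report attributes to the sample, the Geo\\Nation
lookup and the Run-key write.  The event fields (process, operation, key,
data) mirror the report's IoC rows; the sample events below are constructed
from those rows plus one benign control event, and the names are my own."""
import re
from typing import NamedTuple


class Finding(NamedTuple):
    technique: str
    process: str
    detail: str


# The sandbox logs native (NT) key names; map the two hives seen in the report
# to their usual prefixes.  The per-user hive carries the user's SID.
_SID = r"S-1-5-21-\d+-\d+-\d+-\d+"
_HIVES = [
    (re.compile(r"^\\REGISTRY\\USER\\" + _SID + r"\\", re.I), "HKCU\\"),
    (re.compile(r"^\\REGISTRY\\MACHINE\\", re.I), "HKLM\\"),
]
_WOW = re.compile(r"\\WOW6432Node\\", re.I)

_RUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
)
_GEO_KEY = r"control panel\international\geo\nation"
_USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\temp\\|\\programdata\\", re.I)


def normalize_key(key: str) -> str:
    """Lower-case, hive-prefixed form with WOW6432Node removed.  A 32-bit
    process on x64 that writes HKLM\\SOFTWARE\\...\\Run is redirected to the
    WOW6432Node view; both views are processed at logon, so they are
    equivalent for detection purposes."""
    for pat, hive in _HIVES:
        key = pat.sub(lambda _m, h=hive: h, key, count=1)
    key = _WOW.sub(lambda _m: "\\", key)
    return key.lower()


def classify_registry_event(process: str, operation: str, key: str,
                            data: str = "") -> list[Finding]:
    """Return the findings (possibly none) for one registry event."""
    nkey = normalize_key(key)
    parent, _, value_name = nkey.rpartition("\\")
    findings: list[Finding] = []

    if operation.startswith("Key value queried") and nkey.endswith(_GEO_KEY):
        findings.append(Finding("geofence-check", process,
                                "reads the configured country code (Geo\\Nation)"))

    if operation.startswith("Set value") and any(parent.endswith(rk) for rk in _RUN_KEYS):
        detail = f"Run value '{value_name}' -> {data}"
        if _USER_WRITABLE.search(data):
            detail += " (autostart target in a user-writable directory)"
        findings.append(Finding("run-key-persistence", process, detail))
    return findings


# Constructed from the report's IoC rows, plus one constructed benign event
# (an ordinary HKLM write outside any Run key) as a control.
SAMPLE = "1900d9dd06550dbc660352dd3b612fffc0b8e416ac6ff6efb8e63290e11bddf6.exe"
SAMPLE_EVENTS = [
    (SAMPLE, "Key value queried",
     r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation", ""),
    (SAMPLE, "Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"),
    ("svchost.exe", "Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\LastScan", "2022-02-12"),
]


def scan(events=SAMPLE_EVENTS) -> list[Finding]:
    """Run every event through the classifier and collect the findings."""
    return [f for ev in events for f in classify_registry_event(*ev)]


if __name__ == "__main__":
    for f in scan():
        print(f"{f.technique:22} {f.process[:16]:16} {f.detail}")
```

Folding WOW6432Node matters in practice: a rule that only watches HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run misses exactly the write this sample made, while the value is still executed at logon.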
- Drops file in Windows directory (8 IoCs)
  All eight files are opened for modification by svchost.exe (wuauserv) or TiWorker.exe, i.e. Windows Update and component servicing running in the sandbox image, not by the sample:
  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
  C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  C:\Windows\WindowsUpdate.log (svchost.exe)
  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description for the signature; no IoC row or process attribution is recorded for it, and the family match above is Sakula, a backdoor rather than ransomware.
- Runs ping.exe (1 TTP, 1 IoC)
  See the process tree below: PING.EXE (PID 1232) is spawned by cmd.exe (PID 3504) as the delay step of the sample's self-deletion command.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  svchost.exe (PID 1792): SeShutdownPrivilege and SeCreatePagefilePrivilege, each adjusted 3 times
  TiWorker.exe (PID 4848): SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, cycled repeatedly for the remaining events
  None of these belong to the sample; they are the Windows Update service and the servicing worker adjusting their own tokens.
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2516 (1900d9dd06550dbc660352dd3b612fffc0b8e416ac6ff6efb8e63290e11bddf6.exe) wrote to memory of PID 4288 (MediaCenter.exe), 3 events
  PID 2516 (1900d9dd06550dbc660352dd3b612fffc0b8e416ac6ff6efb8e63290e11bddf6.exe) wrote to memory of PID 3504 (cmd.exe), 3 events
  PID 3504 (cmd.exe) wrote to memory of PID 1232 (PING.EXE), 3 events
  Each triplet targets a child the writer has just created, which is consistent with ordinary process creation (the parent writing start-up data into its new child) rather than injection into a foreign process.
Processes
- C:\Users\Admin\AppData\Local\Temp\1900d9dd06550dbc660352dd3b612fffc0b8e416ac6ff6efb8e63290e11bddf6.exe (PID 2516, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\1900d9dd06550dbc660352dd3b612fffc0b8e416ac6ff6efb8e63290e11bddf6.exe"
  signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 4288, level 2)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 3504, level 2)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1900d9dd06550dbc660352dd3b612fffc0b8e416ac6ff6efb8e63290e11bddf6.exe"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1232, level 3)
      command line: ping 127.0.0.1
      signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 1792, level 1)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 4848, level 1)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

The chain under PID 2516 is a plain drop-and-run: the sample writes MediaCenter.exe to %TEMP%\MicroMedia, registers it under the Run key, starts it, then spawns cmd.exe to remove its own file. "ping 127.0.0.1" without -n sends four echo requests about a second apart, so it is a roughly three-second sleep that lets the sample process exit (releasing its image) before "del /q" runs; the command line asks for System32\cmd.exe but the image that runs is SysWOW64\cmd.exe, which is file-system redirection for a 32-bit process on x64 and matches the WOW6432Node Run key above. The svchost.exe (wuauserv) and TiWorker.exe trees are Windows Update activity in the sandbox image and are not children of the sample.
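The "ping 127.0.0.1 & del /q <own path>" chain in the process tree above is a widely reused self-deletion idiom, and the useful detection is not the ping itself but a delay primitive followed by deletion of the spawning process's own image. The following is an added example, not code from the sandbox or the report: it strips the cmd.exe /c prefix, walks the &-separated commands in order, recognises loopback ping (with or without -n) and timeout /t as the delay, and reports whether the del target equals the parent image. The parsing, function names and the extra variants in the test are my own; the sample command line and parent image are taken from the tree above.

```python
"""Added example (not part of the sandbox report): recognise the
"ping-then-del" self-deletion the sample's cmd.exe child performs, and the
common variants of it (ping -n N, timeout /t N, && instead of &).  The
parsing is my own; SAMPLE_IMAGE and SAMPLE_CMDLINE are constructed from the
report's process tree (PID 2516 spawning PID 3504)."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SelfDelete:
    delay_s: int          # approximate seconds the delay primitive buys
    target: str           # path handed to del
    deletes_parent: bool  # target is the image of the process that spawned cmd.exe


# Delay primitives: a loopback ping (default 4 echo requests about 1 s apart,
# so roughly 3 s; "-n N" gives roughly N-1 s) or "timeout /t N".
_PING = re.compile(r"^\s*ping(?:\.exe)?\s+(?:-n\s+(\d+)\s+)?(?:127\.0\.0\.1|localhost|::1)\b", re.I)
_TIMEOUT = re.compile(r"^\s*timeout(?:\.exe)?\s+(?:/t\s+)?(\d+)", re.I)
# del/erase with any single-letter switches, then a quoted or bare path.
_DEL = re.compile(r'^\s*(?:del|erase)\b(?:\s+/[a-z])*\s+"?([^"]+?)"?\s*$', re.I)
# "C:\...\cmd.exe" /c <body>   or   cmd /c <body>
_CMD = re.compile(r'^\s*"?[^"]*?cmd(?:\.exe)?"?\s+/[ck]\s+(.*)$', re.I)


def _delay_seconds(cmd: str) -> Optional[int]:
    """Seconds a single command sleeps for, or None if it is not a delay."""
    m = _PING.match(cmd)
    if m:
        n = int(m.group(1)) if m.group(1) else 4
        return max(n - 1, 0)
    m = _TIMEOUT.match(cmd)
    return int(m.group(1)) if m else None


def detect_self_delete(parent_image: str, cmdline: str) -> Optional[SelfDelete]:
    """Flag 'delay ... & del <path>' chains and report whether <path> is the
    spawning process's own image (self-deletion after drop-and-run)."""
    m = _CMD.match(cmdline)
    body = m.group(1) if m else cmdline
    # '&' and '&&' both sequence commands in cmd.exe; only the order matters.
    delay = None
    for part in re.split(r"\s*&&?\s*", body):
        if not part:
            continue
        d = _delay_seconds(part)
        if d is not None:
            delay = d
            continue
        dm = _DEL.match(part)
        if dm and delay is not None:
            target = dm.group(1).strip()
            return SelfDelete(delay, target,
                              target.lower() == parent_image.strip('"').lower())
    return None


# Constructed from the report's process tree (PID 2516 -> PID 3504).
SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\1900d9dd06550dbc660352dd3b612fffc0b8e416ac6ff6efb8e63290e11bddf6.exe"
SAMPLE_CMDLINE = (r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q '
                  r'"C:\Users\Admin\AppData\Local\Temp\1900d9dd06550dbc660352dd3b612fffc0b8e416ac6ff6efb8e63290e11bddf6.exe"')


def triage_report_child() -> Optional[SelfDelete]:
    """Apply the detector to the cmd.exe child recorded in the report."""
    return detect_self_delete(SAMPLE_IMAGE, SAMPLE_CMDLINE)


if __name__ == "__main__":
    print(triage_report_child())
```

Requiring the delay primitive to precede the del is what separates this idiom from ordinary cleanup scripts; the parent-image comparison is what turns "some file was deleted" into "the dropper removed itself", which is the signal worth alerting on together with the Run-key write.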
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 5e8a86326f70cc072eb4a3fba2987a29
  SHA1: b28a4c6f7a331f11e621265dd791d5f5f53b5b3f
  SHA256: 08f48002c68779f6b75dec01e662b3fa95199f5f093f426697a03598a8c1c7a6
  SHA512: c87e1fcb861b35371973cb462fdffe1e10df2422eac8256892454e0b2c57b65248ad2adfa1b4119f7da82007648823dec94a8faee212121066db87077c8702d1