Analysis
- max time kernel: 129s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 02:59
Static task: static1
Behavioral task: behavioral1
  Sample: 18e00d44305af665919ec105dacd3441d988a26a9800c48a956697e6b58dda5b.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 18e00d44305af665919ec105dacd3441d988a26a9800c48a956697e6b58dda5b.exe
  Resource: win10v2004-en-20220113
General
- Target: 18e00d44305af665919ec105dacd3441d988a26a9800c48a956697e6b58dda5b.exe
- Size: 144KB
- MD5: eff50bacf4fc4e10dfdb3db516662b38
- SHA1: 4da2ba9f6065313d8bdecbbd8773c8b999c578ba
- SHA256: 18e00d44305af665919ec105dacd3441d988a26a9800c48a956697e6b58dda5b
- SHA512: c109afecf855905f091e8a76cb30ed020769b35fd41c6aab023bec1bb2d3b29cce37e4deea5262ea9f217e7be009d11015389b5215d604d088aaca001baf881a
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
    pid | process
    3128 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 18e00d44305af665919ec105dacd3441d988a26a9800c48a956697e6b58dda5b.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 18e00d44305af665919ec105dacd3441d988a26a9800c48a956697e6b58dda5b.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
    File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
    File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    description | pid | process
    Token: SeShutdownPrivilege | 3012 | svchost.exe
    Token: SeCreatePagefilePrivilege | 3012 | svchost.exe
    Token: SeShutdownPrivilege | 3012 | svchost.exe
    Token: SeCreatePagefilePrivilege | 3012 | svchost.exe
    Token: SeShutdownPrivilege | 3012 | svchost.exe
    Token: SeCreatePagefilePrivilege | 3012 | svchost.exe
    Token: SeSecurityPrivilege | 3132 | TiWorker.exe
    Token: SeRestorePrivilege | 3132 | TiWorker.exe
    Token: SeBackupPrivilege | 3132 | TiWorker.exe
    Token: SeBackupPrivilege | 3132 | TiWorker.exe
    Token: SeRestorePrivilege | 3132 | TiWorker.exe
    Token: SeSecurityPrivilege | 3132 | TiWorker.exe
    Token: SeBackupPrivilege | 3132 | TiWorker.exe
    Token: SeRestorePrivilege | 3132 | TiWorker.exe
    Token: SeSecurityPrivilege | 3132 | TiWorker.exe
    Token: SeBackupPrivilege | 3132 | TiWorker.exe
    Token: SeRestorePrivilege | 3132 | TiWorker.exe
    Token: SeSecurityPrivilege | 3132 | TiWorker.exe
    Token: SeBackupPrivilege | 3132 | TiWorker.exe
    Token: SeRestorePrivilege | 3132 | TiWorker.exe
    Token: SeSecurityPrivilege | 3132 | TiWorker.exe
    Token: SeBackupPrivilege | 3132 | TiWorker.exe
    Token: SeRestorePrivilege | 3132 | TiWorker.exe
    Token: SeSecurityPrivilege | 3132 | TiWorker.exe
    Token: SeBackupPrivilege | 3132 | TiWorker.exe
    Token: SeRestorePrivilege | 3132 | TiWorker.exe
    Token: SeSecurityPrivilege | 3132 | TiWorker.exe
    Token: SeBackupPrivilege | 3132 | TiWorker.exe
    Token: SeRestorePrivilege | 3132 | TiWorker.exe
    Token: SeSecurityPrivilege | 3132 | TiWorker.exe
    Token: SeBackupPrivilege | 3132 | TiWorker.exe
    Token: SeRestorePrivilege | 3132 | TiWorker.exe
    Token: SeSecurityPrivilege | 3132 | TiWorker.exe
    Token: SeBackupPrivilege | 3132 | TiWorker.exe
    Token: SeRestorePrivilege | 3132 | TiWorker.exe
    Token: SeSecurityPrivilege | 3132 | TiWorker.exe
    Token: SeBackupPrivilege | 3132 | TiWorker.exe
    Token: SeRestorePrivilege | 3132 | TiWorker.exe
    Token: SeSecurityPrivilege | 3132 | TiWorker.exe
    Token: SeBackupPrivilege | 3132 | TiWorker.exe
    Token: SeRestorePrivilege | 3132 | TiWorker.exe
    Token: SeSecurityPrivilege | 3132 | TiWorker.exe
    Token: SeBackupPrivilege | 3132 | TiWorker.exe
    Token: SeRestorePrivilege | 3132 | TiWorker.exe
    Token: SeSecurityPrivilege | 3132 | TiWorker.exe
    Token: SeBackupPrivilege | 3132 | TiWorker.exe
    Token: SeRestorePrivilege | 3132 | TiWorker.exe
    Token: SeSecurityPrivilege | 3132 | TiWorker.exe
    Token: SeBackupPrivilege | 3132 | TiWorker.exe
    Token: SeRestorePrivilege | 3132 | TiWorker.exe
    Token: SeSecurityPrivilege | 3132 | TiWorker.exe
    Token: SeBackupPrivilege | 3132 | TiWorker.exe
    Token: SeRestorePrivilege | 3132 | TiWorker.exe
    Token: SeSecurityPrivilege | 3132 | TiWorker.exe
    Token: SeBackupPrivilege | 3132 | TiWorker.exe
    Token: SeRestorePrivilege | 3132 | TiWorker.exe
    Token: SeSecurityPrivilege | 3132 | TiWorker.exe
    Token: SeBackupPrivilege | 3132 | TiWorker.exe
    Token: SeRestorePrivilege | 3132 | TiWorker.exe
    Token: SeSecurityPrivilege | 3132 | TiWorker.exe
    Token: SeBackupPrivilege | 3132 | TiWorker.exe
    Token: SeRestorePrivilege | 3132 | TiWorker.exe
    Token: SeSecurityPrivilege | 3132 | TiWorker.exe
    Token: SeBackupPrivilege | 3132 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description | pid | process | target process
    PID 3284 wrote to memory of 3128 | 3284 | 18e00d44305af665919ec105dacd3441d988a26a9800c48a956697e6b58dda5b.exe | MediaCenter.exe
    PID 3284 wrote to memory of 3128 | 3284 | 18e00d44305af665919ec105dacd3441d988a26a9800c48a956697e6b58dda5b.exe | MediaCenter.exe
    PID 3284 wrote to memory of 3128 | 3284 | 18e00d44305af665919ec105dacd3441d988a26a9800c48a956697e6b58dda5b.exe | MediaCenter.exe
    PID 3284 wrote to memory of 3752 | 3284 | 18e00d44305af665919ec105dacd3441d988a26a9800c48a956697e6b58dda5b.exe | cmd.exe
    PID 3284 wrote to memory of 3752 | 3284 | 18e00d44305af665919ec105dacd3441d988a26a9800c48a956697e6b58dda5b.exe | cmd.exe
    PID 3284 wrote to memory of 3752 | 3284 | 18e00d44305af665919ec105dacd3441d988a26a9800c48a956697e6b58dda5b.exe | cmd.exe
    PID 3752 wrote to memory of 3096 | 3752 | cmd.exe | PING.EXE
    PID 3752 wrote to memory of 3096 | 3752 | cmd.exe | PING.EXE
    PID 3752 wrote to memory of 3096 | 3752 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\18e00d44305af665919ec105dacd3441d988a26a9800c48a956697e6b58dda5b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\18e00d44305af665919ec105dacd3441d988a26a9800c48a956697e6b58dda5b.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 3284
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 3128
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18e00d44305af665919ec105dacd3441d988a26a9800c48a956697e6b58dda5b.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3752
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3096
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3012
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3132
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 22e8076446f24b8cad50490e04629bfa
  SHA1: d4f1578120720b6b90e19124162c15ccbdbee7d1
  SHA256: d4e60f33c65419067519058be592f6751f0ee80bab7b4163723773c76cdf019e
  SHA512: 8e06a4be2948221a2f2f1ada19c20a8c13033d380ec32dcf985c26aaf55dc979fca6fa3e2f212aefca91118be4dd55c6306d97acb3c6d179c664ebfaca3e0888