Analysis
-
max time kernel
135s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 02:59
Static task
static1
Behavioral task
behavioral1
Sample
18dedbfaf0329b7e564e97a6cf40efa15ed1bf66bd765b0f26e5f45af623eb7b.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
18dedbfaf0329b7e564e97a6cf40efa15ed1bf66bd765b0f26e5f45af623eb7b.exe
Resource
win10v2004-en-20220113
General
-
Target
18dedbfaf0329b7e564e97a6cf40efa15ed1bf66bd765b0f26e5f45af623eb7b.exe
-
Size
89KB
-
MD5
85281b01813f361d2d6a6d8469e1873c
-
SHA1
56d453254a06915adaf1c46e96b80e4312d9e0ac
-
SHA256
18dedbfaf0329b7e564e97a6cf40efa15ed1bf66bd765b0f26e5f45af623eb7b
-
SHA512
a8983a6fc36e56123bc19e780bdbf4e539935cecbae040768d2dd61fd3d2025e2a7e9d5014c50850a064ab95464e6bfce018042c0a41079a063c9a2b973a3066
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 4600 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
18dedbfaf0329b7e564e97a6cf40efa15ed1bf66bd765b0f26e5f45af623eb7b.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 18dedbfaf0329b7e564e97a6cf40efa15ed1bf66bd765b0f26e5f45af623eb7b.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
18dedbfaf0329b7e564e97a6cf40efa15ed1bf66bd765b0f26e5f45af623eb7b.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 18dedbfaf0329b7e564e97a6cf40efa15ed1bf66bd765b0f26e5f45af623eb7b.exe -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exe18dedbfaf0329b7e564e97a6cf40efa15ed1bf66bd765b0f26e5f45af623eb7b.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 2984 svchost.exe Token: SeCreatePagefilePrivilege 2984 svchost.exe Token: SeShutdownPrivilege 2984 svchost.exe Token: SeCreatePagefilePrivilege 2984 svchost.exe Token: SeShutdownPrivilege 2984 svchost.exe Token: SeCreatePagefilePrivilege 2984 svchost.exe Token: SeIncBasePriorityPrivilege 2748 18dedbfaf0329b7e564e97a6cf40efa15ed1bf66bd765b0f26e5f45af623eb7b.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
18dedbfaf0329b7e564e97a6cf40efa15ed1bf66bd765b0f26e5f45af623eb7b.execmd.exedescription pid process target process PID 2748 wrote to memory of 4600 2748 18dedbfaf0329b7e564e97a6cf40efa15ed1bf66bd765b0f26e5f45af623eb7b.exe MediaCenter.exe PID 2748 wrote to memory of 4600 2748 18dedbfaf0329b7e564e97a6cf40efa15ed1bf66bd765b0f26e5f45af623eb7b.exe MediaCenter.exe PID 2748 wrote to memory of 4600 2748 18dedbfaf0329b7e564e97a6cf40efa15ed1bf66bd765b0f26e5f45af623eb7b.exe MediaCenter.exe PID 2748 wrote to memory of 4416 2748 18dedbfaf0329b7e564e97a6cf40efa15ed1bf66bd765b0f26e5f45af623eb7b.exe cmd.exe PID 2748 wrote to memory of 4416 2748 18dedbfaf0329b7e564e97a6cf40efa15ed1bf66bd765b0f26e5f45af623eb7b.exe cmd.exe PID 2748 wrote to memory of 4416 2748 18dedbfaf0329b7e564e97a6cf40efa15ed1bf66bd765b0f26e5f45af623eb7b.exe cmd.exe PID 4416 wrote to memory of 2224 4416 cmd.exe PING.EXE PID 4416 wrote to memory of 2224 4416 cmd.exe PING.EXE PID 4416 wrote to memory of 2224 4416 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\18dedbfaf0329b7e564e97a6cf40efa15ed1bf66bd765b0f26e5f45af623eb7b.exe"C:\Users\Admin\AppData\Local\Temp\18dedbfaf0329b7e564e97a6cf40efa15ed1bf66bd765b0f26e5f45af623eb7b.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18dedbfaf0329b7e564e97a6cf40efa15ed1bf66bd765b0f26e5f45af623eb7b.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:2224
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2984
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3624
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
a99bfcc1abd11eebe166dcb5dc37a905
SHA1e21efcc21c57755260ab6c27d94bc2ee4889780b
SHA2568c5d7b08440eb32408b50630123d1686a99313b9cb2707bc5dd3f3d09926305d
SHA512f6c6ea4f9777586e2c277a03dcf9ae1b868bcf72e13b9a3da94a06c035aa62f8cfafb9cdfe42d9f30718bca662e9357f532ac78f90952aa91314bc4551d7afde
-
MD5
a99bfcc1abd11eebe166dcb5dc37a905
SHA1e21efcc21c57755260ab6c27d94bc2ee4889780b
SHA2568c5d7b08440eb32408b50630123d1686a99313b9cb2707bc5dd3f3d09926305d
SHA512f6c6ea4f9777586e2c277a03dcf9ae1b868bcf72e13b9a3da94a06c035aa62f8cfafb9cdfe42d9f30718bca662e9357f532ac78f90952aa91314bc4551d7afde