Analysis
- max time kernel: 151s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 03:03
Static task: static1
Behavioral task: behavioral1
  Sample: 18b6bdf592dfe139db45d4bb4b101d1541eb24661bdb484fa142cfe871d7d3cc.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 18b6bdf592dfe139db45d4bb4b101d1541eb24661bdb484fa142cfe871d7d3cc.exe
  Resource: win10v2004-en-20220113
General
- Target: 18b6bdf592dfe139db45d4bb4b101d1541eb24661bdb484fa142cfe871d7d3cc.exe
- Size: 192KB
- MD5: 9a1da133d53e004cc748fbb33d04998f
- SHA1: 49dd1e3e7ff1ac18829e83cc0f95f8eac2f7bbb2
- SHA256: 18b6bdf592dfe139db45d4bb4b101d1541eb24661bdb484fa142cfe871d7d3cc
- SHA512: e8932e53841ef3bfeca43bbe84ee0271b17bf4dcedbd495699e4e2f2f0d490289b17eed7ea5c209119b41eff55ffc3bceed5c9ac86f4c936aa8661fb4db1e2b9
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
    pid | process
    1128 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 18b6bdf592dfe139db45d4bb4b101d1541eb24661bdb484fa142cfe871d7d3cc.exe
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 18b6bdf592dfe139db45d4bb4b101d1541eb24661bdb484fa142cfe871d7d3cc.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 18b6bdf592dfe139db45d4bb4b101d1541eb24661bdb484fa142cfe871d7d3cc.exe
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 18b6bdf592dfe139db45d4bb4b101d1541eb24661bdb484fa142cfe871d7d3cc.exe
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
    description | ioc | process
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
    File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
    File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
    File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, TiWorker.exe
    description | pid | process
    Token: SeShutdownPrivilege | 3772 | svchost.exe
    Token: SeCreatePagefilePrivilege | 3772 | svchost.exe
    Token: SeShutdownPrivilege | 3772 | svchost.exe
    Token: SeCreatePagefilePrivilege | 3772 | svchost.exe
    Token: SeShutdownPrivilege | 3772 | svchost.exe
    Token: SeCreatePagefilePrivilege | 3772 | svchost.exe
    Token: SeSecurityPrivilege | 2940 | TiWorker.exe
    Token: SeRestorePrivilege | 2940 | TiWorker.exe
    Token: SeBackupPrivilege | 2940 | TiWorker.exe
    Token: SeBackupPrivilege | 2940 | TiWorker.exe
    Token: SeRestorePrivilege | 2940 | TiWorker.exe
    Token: SeSecurityPrivilege | 2940 | TiWorker.exe
    Token: SeBackupPrivilege | 2940 | TiWorker.exe
    Token: SeRestorePrivilege | 2940 | TiWorker.exe
    Token: SeSecurityPrivilege | 2940 | TiWorker.exe
    Token: SeBackupPrivilege | 2940 | TiWorker.exe
    Token: SeRestorePrivilege | 2940 | TiWorker.exe
    Token: SeSecurityPrivilege | 2940 | TiWorker.exe
    Token: SeBackupPrivilege | 2940 | TiWorker.exe
    Token: SeRestorePrivilege | 2940 | TiWorker.exe
    Token: SeSecurityPrivilege | 2940 | TiWorker.exe
    Token: SeBackupPrivilege | 2940 | TiWorker.exe
    Token: SeRestorePrivilege | 2940 | TiWorker.exe
    Token: SeSecurityPrivilege | 2940 | TiWorker.exe
    Token: SeBackupPrivilege | 2940 | TiWorker.exe
    Token: SeRestorePrivilege | 2940 | TiWorker.exe
    Token: SeSecurityPrivilege | 2940 | TiWorker.exe
    Token: SeBackupPrivilege | 2940 | TiWorker.exe
    Token: SeRestorePrivilege | 2940 | TiWorker.exe
    Token: SeSecurityPrivilege | 2940 | TiWorker.exe
    Token: SeBackupPrivilege | 2940 | TiWorker.exe
    Token: SeRestorePrivilege | 2940 | TiWorker.exe
    Token: SeSecurityPrivilege | 2940 | TiWorker.exe
    Token: SeBackupPrivilege | 2940 | TiWorker.exe
    Token: SeRestorePrivilege | 2940 | TiWorker.exe
    Token: SeSecurityPrivilege | 2940 | TiWorker.exe
    Token: SeBackupPrivilege | 2940 | TiWorker.exe
    Token: SeRestorePrivilege | 2940 | TiWorker.exe
    Token: SeSecurityPrivilege | 2940 | TiWorker.exe
    Token: SeBackupPrivilege | 2940 | TiWorker.exe
    Token: SeRestorePrivilege | 2940 | TiWorker.exe
    Token: SeSecurityPrivilege | 2940 | TiWorker.exe
    Token: SeBackupPrivilege | 2940 | TiWorker.exe
    Token: SeRestorePrivilege | 2940 | TiWorker.exe
    Token: SeSecurityPrivilege | 2940 | TiWorker.exe
    Token: SeBackupPrivilege | 2940 | TiWorker.exe
    Token: SeRestorePrivilege | 2940 | TiWorker.exe
    Token: SeSecurityPrivilege | 2940 | TiWorker.exe
    Token: SeBackupPrivilege | 2940 | TiWorker.exe
    Token: SeRestorePrivilege | 2940 | TiWorker.exe
    Token: SeSecurityPrivilege | 2940 | TiWorker.exe
    Token: SeBackupPrivilege | 2940 | TiWorker.exe
    Token: SeRestorePrivilege | 2940 | TiWorker.exe
    Token: SeSecurityPrivilege | 2940 | TiWorker.exe
    Token: SeBackupPrivilege | 2940 | TiWorker.exe
    Token: SeRestorePrivilege | 2940 | TiWorker.exe
    Token: SeSecurityPrivilege | 2940 | TiWorker.exe
    Token: SeBackupPrivilege | 2940 | TiWorker.exe
    Token: SeRestorePrivilege | 2940 | TiWorker.exe
    Token: SeSecurityPrivilege | 2940 | TiWorker.exe
    Token: SeBackupPrivilege | 2940 | TiWorker.exe
    Token: SeRestorePrivilege | 2940 | TiWorker.exe
    Token: SeSecurityPrivilege | 2940 | TiWorker.exe
    Token: SeBackupPrivilege | 2940 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 18b6bdf592dfe139db45d4bb4b101d1541eb24661bdb484fa142cfe871d7d3cc.exe, cmd.exe
    description | pid | process | target process
    PID 3804 wrote to memory of 1128 | 3804 | 18b6bdf592dfe139db45d4bb4b101d1541eb24661bdb484fa142cfe871d7d3cc.exe | MediaCenter.exe
    PID 3804 wrote to memory of 1128 | 3804 | 18b6bdf592dfe139db45d4bb4b101d1541eb24661bdb484fa142cfe871d7d3cc.exe | MediaCenter.exe
    PID 3804 wrote to memory of 1128 | 3804 | 18b6bdf592dfe139db45d4bb4b101d1541eb24661bdb484fa142cfe871d7d3cc.exe | MediaCenter.exe
    PID 3804 wrote to memory of 224 | 3804 | 18b6bdf592dfe139db45d4bb4b101d1541eb24661bdb484fa142cfe871d7d3cc.exe | cmd.exe
    PID 3804 wrote to memory of 224 | 3804 | 18b6bdf592dfe139db45d4bb4b101d1541eb24661bdb484fa142cfe871d7d3cc.exe | cmd.exe
    PID 3804 wrote to memory of 224 | 3804 | 18b6bdf592dfe139db45d4bb4b101d1541eb24661bdb484fa142cfe871d7d3cc.exe | cmd.exe
    PID 224 wrote to memory of 860 | 224 | cmd.exe | PING.EXE
    PID 224 wrote to memory of 860 | 224 | cmd.exe | PING.EXE
    PID 224 wrote to memory of 860 | 224 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\18b6bdf592dfe139db45d4bb4b101d1541eb24661bdb484fa142cfe871d7d3cc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\18b6bdf592dfe139db45d4bb4b101d1541eb24661bdb484fa142cfe871d7d3cc.exe"
  Signatures:
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  PID: 3804
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures:
      - Executes dropped EXE
    PID: 1128
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18b6bdf592dfe139db45d4bb4b101d1541eb24661bdb484fa142cfe871d7d3cc.exe"
    Signatures:
      - Suspicious use of WriteProcessMemory
    PID: 224
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Signatures:
        - Runs ping.exe
      PID: 860
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures:
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
  PID: 3772
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures:
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
  PID: 2940
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 96747a2d684597c3582a2d918e44d9c0
  SHA1: 61911b2613945d60826d309b805906281fd01b80
  SHA256: 90d531b1a5b5160eea4c07147ed51b8b6ad6d616f1ea062cbb332bd200c88a54
  SHA512: 6314e87b96f6f92921dcc02dd212b71ba3e86ee3d2f2336e1fde8cd7d3716e794c62c9a265c93f986f68e16cbbbfd5bb0521cc91341c8ec8654c9688383c0023