Analysis
- Max time kernel: 135s
- Max time network: 149s
- Platform: windows10-2004_x64
- Resource: win10v2004-en-20220113
- Submitted: 12-02-2022 04:25
- Static task: static1
- Behavioral task: behavioral1
  Sample: 1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c.exe
  Resource: win10v2004-en-20220113
General
- Target: 1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c.exe
- Size: 92KB
- MD5: 37bf445c001e566c0d89e0bb5b60bae5
- SHA1: f1aed4e1afb8cfec2cf3f856e48613fccde3c4a0
- SHA256: 1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c
- SHA512: 1a1a87b2ddd78db27e1edf285bd4d7046ec07b3aa34dac3c0cba72b25ca193698c3081897d7162565261de43dc0b65e40b972f9a4123aca4c33f50902dfa2613
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  3668 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, 1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c.exe, TiWorker.exe
  description | pid | process
  Token: SeShutdownPrivilege | 4356 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4356 | svchost.exe
  (the two svchost.exe rows above are recorded three times in a row)
  Token: SeIncBasePriorityPrivilege | 4688 | 1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c.exe
  Token: SeSecurityPrivilege | 2256 | TiWorker.exe
  Token: SeRestorePrivilege | 2256 | TiWorker.exe
  Token: SeBackupPrivilege | 2256 | TiWorker.exe
  Token: SeBackupPrivilege | 2256 | TiWorker.exe
  Token: SeRestorePrivilege | 2256 | TiWorker.exe
  Token: SeSecurityPrivilege | 2256 | TiWorker.exe
  (the last three TiWorker.exe rows repeat 18 times in that order; 64 rows in total)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c.exe, cmd.exe
  description | pid | process | target process
  PID 4688 wrote to memory of 3668 | 4688 | 1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c.exe | MediaCenter.exe
  PID 4688 wrote to memory of 3668 | 4688 | 1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c.exe | MediaCenter.exe
  PID 4688 wrote to memory of 3668 | 4688 | 1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c.exe | MediaCenter.exe
  PID 4688 wrote to memory of 4944 | 4688 | 1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c.exe | cmd.exe
  PID 4688 wrote to memory of 4944 | 4688 | 1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c.exe | cmd.exe
  PID 4688 wrote to memory of 4944 | 4688 | 1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c.exe | cmd.exe
  PID 4944 wrote to memory of 3744 | 4944 | cmd.exe | PING.EXE
  PID 4944 wrote to memory of 3744 | 4944 | cmd.exe | PING.EXE
  PID 4944 wrote to memory of 3744 | 4944 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  PID: 4688
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
    PID: 3668
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c.exe"
    Signatures: Suspicious use of WriteProcessMemory
    PID: 4944
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
      PID: 3744
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
  PID: 4356
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
  PID: 2256
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 49800e179b750c9e41078821d332d2d3
  SHA1: 4b3ef5ae1833a014748ab2b8838ab5de9a4798f1
  SHA256: c5e205fd943e3e5da5b43b3987193f7ca9f6808e9df6f945200b6ac5437f2548
  SHA512: 5720f88bf5ab59d9ec33396248d4fbd3fcf9e2d4d45ef0a1c6c12907237b1b2d7b307d9323cdfbb42e0cafc0d0257a6243b66b9bb00a3e042f19a32116d8f449