Analysis
- max time kernel: 149s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 04:27
Static task: static1
Behavioral task: behavioral1
  Sample: 15401b01b2828ec22a5ba1c7369b9a8011f712c3381a41f89a5091c0457f09bd.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 15401b01b2828ec22a5ba1c7369b9a8011f712c3381a41f89a5091c0457f09bd.exe
  Resource: win10v2004-en-20220113
General
- Target: 15401b01b2828ec22a5ba1c7369b9a8011f712c3381a41f89a5091c0457f09bd.exe
- Size: 192KB
- MD5: 15a746274347c9206bb65e06b48752fc
- SHA1: d07627739b7b472d525cb0fc39380268d0e5fedc
- SHA256: 15401b01b2828ec22a5ba1c7369b9a8011f712c3381a41f89a5091c0457f09bd
- SHA512: 9b7b39f862fe1fad925dcca6b849d86ea1a879db1a5e09d8ce5f74e3d375f160c1989d2ae90e45168ecee33ccb9a55179a19bdac705893292bc32ff04481ae03
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
4172 | MediaCenter.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 15401b01b2828ec22a5ba1c7369b9a8011f712c3381a41f89a5091c0457f09bd.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 15401b01b2828ec22a5ba1c7369b9a8011f712c3381a41f89a5091c0457f09bd.exe
-
Drops file in Windows directory 8 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 4548 | svchost.exe
Token: SeCreatePagefilePrivilege | 4548 | svchost.exe
Token: SeShutdownPrivilege | 4548 | svchost.exe
Token: SeCreatePagefilePrivilege | 4548 | svchost.exe
Token: SeShutdownPrivilege | 4548 | svchost.exe
Token: SeCreatePagefilePrivilege | 4548 | svchost.exe
Token: SeSecurityPrivilege | 4536 | TiWorker.exe
Token: SeRestorePrivilege | 4536 | TiWorker.exe
Token: SeBackupPrivilege | 4536 | TiWorker.exe
Token: SeBackupPrivilege | 4536 | TiWorker.exe
Token: SeRestorePrivilege | 4536 | TiWorker.exe
Token: SeSecurityPrivilege | 4536 | TiWorker.exe
Token: SeBackupPrivilege | 4536 | TiWorker.exe
Token: SeRestorePrivilege | 4536 | TiWorker.exe
Token: SeSecurityPrivilege | 4536 | TiWorker.exe
Token: SeBackupPrivilege | 4536 | TiWorker.exe
Token: SeRestorePrivilege | 4536 | TiWorker.exe
Token: SeSecurityPrivilege | 4536 | TiWorker.exe
Token: SeBackupPrivilege | 4536 | TiWorker.exe
Token: SeRestorePrivilege | 4536 | TiWorker.exe
Token: SeSecurityPrivilege | 4536 | TiWorker.exe
Token: SeBackupPrivilege | 4536 | TiWorker.exe
Token: SeRestorePrivilege | 4536 | TiWorker.exe
Token: SeSecurityPrivilege | 4536 | TiWorker.exe
Token: SeBackupPrivilege | 4536 | TiWorker.exe
Token: SeRestorePrivilege | 4536 | TiWorker.exe
Token: SeSecurityPrivilege | 4536 | TiWorker.exe
Token: SeBackupPrivilege | 4536 | TiWorker.exe
Token: SeRestorePrivilege | 4536 | TiWorker.exe
Token: SeSecurityPrivilege | 4536 | TiWorker.exe
Token: SeBackupPrivilege | 4536 | TiWorker.exe
Token: SeRestorePrivilege | 4536 | TiWorker.exe
Token: SeSecurityPrivilege | 4536 | TiWorker.exe
Token: SeBackupPrivilege | 4536 | TiWorker.exe
Token: SeRestorePrivilege | 4536 | TiWorker.exe
Token: SeSecurityPrivilege | 4536 | TiWorker.exe
Token: SeBackupPrivilege | 4536 | TiWorker.exe
Token: SeRestorePrivilege | 4536 | TiWorker.exe
Token: SeSecurityPrivilege | 4536 | TiWorker.exe
Token: SeBackupPrivilege | 4536 | TiWorker.exe
Token: SeRestorePrivilege | 4536 | TiWorker.exe
Token: SeSecurityPrivilege | 4536 | TiWorker.exe
Token: SeBackupPrivilege | 4536 | TiWorker.exe
Token: SeRestorePrivilege | 4536 | TiWorker.exe
Token: SeSecurityPrivilege | 4536 | TiWorker.exe
Token: SeBackupPrivilege | 4536 | TiWorker.exe
Token: SeRestorePrivilege | 4536 | TiWorker.exe
Token: SeSecurityPrivilege | 4536 | TiWorker.exe
Token: SeBackupPrivilege | 4536 | TiWorker.exe
Token: SeRestorePrivilege | 4536 | TiWorker.exe
Token: SeSecurityPrivilege | 4536 | TiWorker.exe
Token: SeBackupPrivilege | 4536 | TiWorker.exe
Token: SeRestorePrivilege | 4536 | TiWorker.exe
Token: SeSecurityPrivilege | 4536 | TiWorker.exe
Token: SeBackupPrivilege | 4536 | TiWorker.exe
Token: SeRestorePrivilege | 4536 | TiWorker.exe
Token: SeSecurityPrivilege | 4536 | TiWorker.exe
Token: SeBackupPrivilege | 4536 | TiWorker.exe
Token: SeRestorePrivilege | 4536 | TiWorker.exe
Token: SeSecurityPrivilege | 4536 | TiWorker.exe
Token: SeBackupPrivilege | 4536 | TiWorker.exe
Token: SeRestorePrivilege | 4536 | TiWorker.exe
Token: SeSecurityPrivilege | 4536 | TiWorker.exe
Token: SeBackupPrivilege | 4536 | TiWorker.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 3680 wrote to memory of 4172 | 3680 | 15401b01b2828ec22a5ba1c7369b9a8011f712c3381a41f89a5091c0457f09bd.exe | MediaCenter.exe
PID 3680 wrote to memory of 4172 | 3680 | 15401b01b2828ec22a5ba1c7369b9a8011f712c3381a41f89a5091c0457f09bd.exe | MediaCenter.exe
PID 3680 wrote to memory of 4172 | 3680 | 15401b01b2828ec22a5ba1c7369b9a8011f712c3381a41f89a5091c0457f09bd.exe | MediaCenter.exe
PID 3680 wrote to memory of 2296 | 3680 | 15401b01b2828ec22a5ba1c7369b9a8011f712c3381a41f89a5091c0457f09bd.exe | cmd.exe
PID 3680 wrote to memory of 2296 | 3680 | 15401b01b2828ec22a5ba1c7369b9a8011f712c3381a41f89a5091c0457f09bd.exe | cmd.exe
PID 3680 wrote to memory of 2296 | 3680 | 15401b01b2828ec22a5ba1c7369b9a8011f712c3381a41f89a5091c0457f09bd.exe | cmd.exe
PID 2296 wrote to memory of 3844 | 2296 | cmd.exe | PING.EXE
PID 2296 wrote to memory of 3844 | 2296 | cmd.exe | PING.EXE
PID 2296 wrote to memory of 3844 | 2296 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\15401b01b2828ec22a5ba1c7369b9a8011f712c3381a41f89a5091c0457f09bd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\15401b01b2828ec22a5ba1c7369b9a8011f712c3381a41f89a5091c0457f09bd.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3680
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID:4172
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15401b01b2828ec22a5ba1c7369b9a8011f712c3381a41f89a5091c0457f09bd.exe"
    - Suspicious use of WriteProcessMemory
    PID:2296
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID:3844
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4548
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4536
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: 66df33891b6f175bccb7288f3cbaea8b
SHA1: 075bed7ed4f57e4e10dbb3a30d9538a231a7b708
SHA256: 6d33c8e36086653c39e719f1f3c7c41fbaf24d6883bb0e982394b3efeff9ccbd
SHA512: 4280953f55b260c6fcdfa77de2fbde6be8763d5caf6afb065318381054120ee4eaec946880bd502d79a49f91eb81e9ba210ffe98fe0bff7cb89ef7bb4a81d91a
-
MD5: 66df33891b6f175bccb7288f3cbaea8b
SHA1: 075bed7ed4f57e4e10dbb3a30d9538a231a7b708
SHA256: 6d33c8e36086653c39e719f1f3c7c41fbaf24d6883bb0e982394b3efeff9ccbd
SHA512: 4280953f55b260c6fcdfa77de2fbde6be8763d5caf6afb065318381054120ee4eaec946880bd502d79a49f91eb81e9ba210ffe98fe0bff7cb89ef7bb4a81d91a