Analysis
max time kernel: 137s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 04:35

Static task: static1
Behavioral task: behavioral1
Sample: 15208792120d83ef416d4fd2a33a515fe62af6c232db7796c7aa7946cc672b14.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 15208792120d83ef416d4fd2a33a515fe62af6c232db7796c7aa7946cc672b14.exe
Resource: win10v2004-en-20220113

The signature, process-tree and token details on this page come from the Windows 10 run (behavioral2): the platform field above is windows10-2004_x64 and the TiWorker.exe path in the process tree carries servicing-stack build 10.0.19041.

General
Target: 15208792120d83ef416d4fd2a33a515fe62af6c232db7796c7aa7946cc672b14.exe
Size: 191KB
MD5: 7d0c23ce5ebad7279f74898ff5485ae8
SHA1: b2bf4decf6dda33e62d70bda8fff7e8fbd845a98
SHA256: 15208792120d83ef416d4fd2a33a515fe62af6c232db7796c7aa7946cc672b14
SHA512: bf4596c5562bbbc99c9bcf11163efa7c3d2abac7e58547b21045ea1bbeafde6a72f91df100381810f3e7b67a8d085e74b141d94a4a83e8840a8d8641e1ea24ae
Malware Config
Signatures
Sakula Payload (2 IoCs)
  resource                                                       yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
Executes dropped EXE (1 IoC)
  pid    process
  3200   MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  [Key value queried] \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  (process: 15208792120d83ef416d4fd2a33a515fe62af6c232db7796c7aa7946cc672b14.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
  [Set value (str)] \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  (process: 15208792120d83ef416d4fd2a33a515fe62af6c232db7796c7aa7946cc672b14.exe)
Note: the value lands under WOW6432Node because the sample is a 32-bit process on the x64 image (its cmd.exe child resolves to C:\Windows\SysWOW64\cmd.exe even though it is invoked as C:\Windows\System32\cmd.exe), so WoW64 registry redirection turns its write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run into the WOW6432Node view. When hunting for this persistence on 64-bit hosts, check both the native Run key and the WOW6432Node one; an autoruns check that only reads the native view misses it.
Drops file in Windows directory (8 IoCs)
  [File opened for modification] C:\Windows\SoftwareDistribution\DataStore\DataStore.edb      (svchost.exe)
  [File opened for modification] C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm      (svchost.exe)
  [File opened for modification] C:\Windows\SoftwareDistribution\ReportingEvents.log          (svchost.exe)
  [File opened for modification] C:\Windows\Logs\CBS\CBS.log                                  (TiWorker.exe)
  [File opened for modification] C:\Windows\WinSxS\pending.xml                                (TiWorker.exe)
  [File opened for modification] C:\Windows\WindowsUpdate.log                                 (svchost.exe)
  [File opened for modification] C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk       (svchost.exe)
  [File opened for modification] C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log       (svchost.exe)
Note: every one of these writes comes from svchost.exe (wuauserv, PID 3696) or TiWorker.exe (PID 3272), which the process tree shows as top-level processes rather than descendants of the sample. They are Windows Update and component-servicing activity in the sandbox image, not behaviour attributable to the sample.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the signature's generic description; the report attaches no IoC or process to it, and the YARA match above classifies the payload as Sakula, so treat this line as weak evidence on its own.)

Runs ping.exe (1 TTP, 1 IoC)
  PING.EXE (PID 4848), spawned by cmd.exe (PID 320) with "ping 127.0.0.1"; see the process tree below, where the ping serves as a short delay before the sample's original binary is deleted.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid    process                                                                 tokens enabled
  1052   15208792120d83ef416d4fd2a33a515fe62af6c232db7796c7aa7946cc672b14.exe   SeIncBasePriorityPrivilege (1 entry)
  3696   svchost.exe                                                             SeShutdownPrivilege, SeCreatePagefilePrivilege (alternating, 6 entries)
  3272   TiWorker.exe                                                            SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege (repeated cycles, the remaining 57 entries)
Note: the only privilege adjustment made by the sample itself is SeIncBasePriorityPrivilege in PID 1052. The svchost.exe and TiWorker.exe entries are the same servicing activity noted under "Drops file in Windows directory" and do not belong to the sample.
Suspicious use of WriteProcessMemory (9 IoCs)
  source pid   source process                                                          target pid   target process     entries
  1052         15208792120d83ef416d4fd2a33a515fe62af6c232db7796c7aa7946cc672b14.exe   3200         MediaCenter.exe    3
  1052         15208792120d83ef416d4fd2a33a515fe62af6c232db7796c7aa7946cc672b14.exe   320          cmd.exe            3
  320          cmd.exe                                                                 4848         PING.EXE           3
All targets are the writer's own children in the process tree; no write into an unrelated process is recorded.
Processes

C:\Users\Admin\AppData\Local\Temp\15208792120d83ef416d4fd2a33a515fe62af6c232db7796c7aa7946cc672b14.exe  (PID 1052)
  command line: "C:\Users\Admin\AppData\Local\Temp\15208792120d83ef416d4fd2a33a515fe62af6c232db7796c7aa7946cc672b14.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 3200)
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe  (PID 320)
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15208792120d83ef416d4fd2a33a515fe62af6c232db7796c7aa7946cc672b14.exe"
      - Suspicious use of WriteProcessMemory
      (ping 127.0.0.1 is a short delay, after which the original sample binary is deleted; the dropped MediaCenter.exe, registered under the Run key, is what remains on disk)

        C:\Windows\SysWOW64\PING.EXE  (PID 4848)
          command line: ping 127.0.0.1
          - Runs ping.exe

C:\Windows\system32\svchost.exe  (PID 3696)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  (PID 3272)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
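The three behaviours this report attributes to the sample itself (the Geo\Nation lookup, the Run key pointing into a user-writable Temp directory, and the ping-then-del self-deletion) expressed as detection logic and run over constructed Sysmon-style events. This is an added example, not code from the sandbox vendor or from the malware; the event field names, the rule names and the benign control event are assumptions, and the event records are constructed to mirror the process tree and registry IoCs above.

```python
"""Detections for the three behaviours this report attributes to the sample:
the Geo\\Nation lookup, the Run key pointing into a user-writable Temp
directory, and self-deletion via `cmd.exe /c ping 127.0.0.1 & del /q "<self>"`.

Added example: not code from the sandbox vendor or from the malware. The
events below are constructed to mirror the report's process tree and
registry IoCs in a Sysmon-like shape; the field names, the rule names and
the benign control event are assumptions.
"""
import re
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\15208792120d83ef416d4fd2a33a515fe62af6c232db7796c7aa7946cc672b14.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events, in the order the report's process tree implies.
EVENTS = [
    {"type": "process_create", "pid": 1052, "ppid": 1, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "registry_query", "pid": 1052, "image": SAMPLE,
     "target": r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation"},
    {"type": "process_create", "pid": 3200, "ppid": 1052, "image": DROPPED, "cmdline": DROPPED},
    {"type": "registry_set", "pid": 1052, "image": SAMPLE,
     "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "details": DROPPED},
    {"type": "process_create", "pid": 320, "ppid": 1052, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process_create", "pid": 4848, "ppid": 320, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Benign control (constructed): an installer registering an updater under Program Files must not fire.
    {"type": "registry_set", "pid": 9000, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r"C:\Program Files\Vendor\updater.exe"},
]

RUN_KEY = re.compile(r"^HK(?:LM|CU)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
GEO_NATION = re.compile(r"^HKCU\\Control Panel\\International\\Geo\\Nation$", re.I)
# Locations a standard user can write to. Many legitimate programs read Geo\Nation and register
# themselves under Run; the binary living in one of these directories is what makes it suspicious.
USER_WRITABLE = re.compile(r"\\(?:AppData\\(?:Local\\Temp|Roaming)|Users\\Public|ProgramData)\\", re.I)
# ping used as a sleep, chained with del of a quoted .exe path (tolerates "-n <count>", "> nul", /f /q /a).
PING_DEL = re.compile(
    r'ping\s+(?:-n\s+\d+\s+)?127\.0\.0\.1\s*(?:>\s*nul\s*)?&\s*del\s+(?:/[fqa]\s+)*"?(?P<path>[^"&]+?\.exe)"?',
    re.I)


def normalize(path: str) -> str:
    """Fold the object-manager form the sandbox prints into HKLM/HKCU and drop WOW6432Node, so one
    rule covers both the native 64-bit view and the redirected view a 32-bit process writes to."""
    path = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    path = re.sub(r"^\\REGISTRY\\USER\\S-1-5-[\d-]+\\", r"HKCU\\", path, flags=re.I)
    return re.sub(r"\\WOW6432Node\\", r"\\", path, flags=re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    evidence: str


def detect(events: list[dict]) -> list[Finding]:
    image_of = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    findings: list[Finding] = []
    for e in events:
        if e["type"] == "registry_query":
            if GEO_NATION.match(normalize(e["target"])) and USER_WRITABLE.search(e["image"]):
                findings.append(Finding("geo_check_from_user_writable_dir", e["pid"], e["target"]))
        elif e["type"] == "registry_set":
            key = normalize(e["target"])
            if RUN_KEY.match(key) and USER_WRITABLE.search(e["details"]):
                findings.append(Finding("run_key_into_user_writable_dir", e["pid"], f'{key} = "{e["details"]}"'))
        elif e["type"] == "process_create":
            m = PING_DEL.search(e["cmdline"])
            if m:
                # Only call it self-deletion when the deleted path is the parent's own image.
                target = m.group("path")
                parent = image_of.get(e["ppid"], "")
                rule = "self_delete_via_ping" if parent.lower() == target.lower() else "delayed_delete_via_ping"
                findings.append(Finding(rule, e["pid"], target))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.rule:34} pid={f.pid:<5} {f.evidence}")
```

Run stand-alone it reports three findings, all against PIDs 1052 and 320, and nothing for the benign control. Two design points matter in practice: `normalize` strips WOW6432Node so the Run-key rule fires regardless of whether the writer was 32- or 64-bit, and the ping+del rule is only labelled self-deletion when the deleted path equals the parent process image, which separates this idiom from an installer's ordinary delayed cleanup of a temporary file.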
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 4a4909709ff2f65a4668c6d90e3aa57d
SHA1: 45474706e42c0a0b779036ca851a1691030988b8
SHA256: 7e9baafe9eb3e7b55332de0d43420f7c3989f321186a551a35e0505b73b3030b
SHA512: 7d3ee731689ea313956d572090c99cbb89f84fa7709c37f197735c5ea0981fda63eab1aef4098df72db76a727004eaa30419c49ee8f5afb2f4495931b2dcaf12
(The report lists this hash set twice; it is shown once here. These hashes differ from the submitted sample's, so they describe a second downloadable artifact that the report does not name.)