Analysis
-
max time kernel
124s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 04:37
Static task
static1
Behavioral task
behavioral1
Sample
1504cf6eeea5774d37d091a570bdb654f7ae0dcbf5c12ece612cb0f80eed749f.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
1504cf6eeea5774d37d091a570bdb654f7ae0dcbf5c12ece612cb0f80eed749f.exe
Resource
win10v2004-en-20220113
General
-
Target
1504cf6eeea5774d37d091a570bdb654f7ae0dcbf5c12ece612cb0f80eed749f.exe
-
Size
101KB
-
MD5
024c626e5df65414d0f31ffe2f25c32e
-
SHA1
c8383707734fa47ec179d8568b9bfb0091934326
-
SHA256
1504cf6eeea5774d37d091a570bdb654f7ae0dcbf5c12ece612cb0f80eed749f
-
SHA512
ab1fc3e9bb8c7d95d0f5f43cf561400f8b0388e393d2d871d115b3c3742d55f8658ae9829b67d24510a47e23931dc3f9f2bde12d2e926b29b93d9d9296d73aed
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 4640 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
1504cf6eeea5774d37d091a570bdb654f7ae0dcbf5c12ece612cb0f80eed749f.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 1504cf6eeea5774d37d091a570bdb654f7ae0dcbf5c12ece612cb0f80eed749f.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
1504cf6eeea5774d37d091a570bdb654f7ae0dcbf5c12ece612cb0f80eed749f.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 1504cf6eeea5774d37d091a570bdb654f7ae0dcbf5c12ece612cb0f80eed749f.exe -
Drops file in Windows directory 8 IoCs
Processes:
TiWorker.exesvchost.exedescription ioc process File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exeTiWorker.exe1504cf6eeea5774d37d091a570bdb654f7ae0dcbf5c12ece612cb0f80eed749f.exedescription pid process Token: SeShutdownPrivilege 1104 svchost.exe Token: SeCreatePagefilePrivilege 1104 svchost.exe Token: SeShutdownPrivilege 1104 svchost.exe Token: SeCreatePagefilePrivilege 1104 svchost.exe Token: SeShutdownPrivilege 1104 svchost.exe Token: SeCreatePagefilePrivilege 1104 svchost.exe Token: SeSecurityPrivilege 3328 TiWorker.exe Token: SeRestorePrivilege 3328 TiWorker.exe Token: SeBackupPrivilege 3328 TiWorker.exe Token: SeIncBasePriorityPrivilege 4676 1504cf6eeea5774d37d091a570bdb654f7ae0dcbf5c12ece612cb0f80eed749f.exe Token: SeBackupPrivilege 3328 TiWorker.exe Token: SeRestorePrivilege 3328 TiWorker.exe Token: SeSecurityPrivilege 3328 TiWorker.exe Token: SeBackupPrivilege 3328 TiWorker.exe Token: SeRestorePrivilege 3328 TiWorker.exe Token: SeSecurityPrivilege 3328 TiWorker.exe Token: SeBackupPrivilege 3328 TiWorker.exe Token: SeRestorePrivilege 3328 TiWorker.exe Token: SeSecurityPrivilege 3328 TiWorker.exe Token: SeBackupPrivilege 3328 TiWorker.exe Token: SeRestorePrivilege 3328 TiWorker.exe Token: SeSecurityPrivilege 3328 TiWorker.exe Token: SeBackupPrivilege 3328 TiWorker.exe Token: SeRestorePrivilege 3328 TiWorker.exe Token: SeSecurityPrivilege 3328 TiWorker.exe Token: SeBackupPrivilege 3328 TiWorker.exe Token: SeRestorePrivilege 3328 TiWorker.exe Token: SeSecurityPrivilege 3328 TiWorker.exe Token: SeBackupPrivilege 3328 TiWorker.exe Token: SeRestorePrivilege 3328 TiWorker.exe Token: SeSecurityPrivilege 3328 TiWorker.exe Token: SeBackupPrivilege 3328 TiWorker.exe Token: SeRestorePrivilege 3328 TiWorker.exe Token: SeSecurityPrivilege 3328 TiWorker.exe Token: SeBackupPrivilege 3328 TiWorker.exe Token: SeRestorePrivilege 3328 TiWorker.exe Token: SeSecurityPrivilege 3328 TiWorker.exe Token: SeBackupPrivilege 3328 TiWorker.exe Token: SeRestorePrivilege 3328 TiWorker.exe Token: SeSecurityPrivilege 3328 TiWorker.exe Token: SeBackupPrivilege 3328 TiWorker.exe Token: SeRestorePrivilege 3328 TiWorker.exe Token: SeSecurityPrivilege 3328 TiWorker.exe Token: SeBackupPrivilege 3328 TiWorker.exe Token: SeRestorePrivilege 3328 TiWorker.exe Token: SeSecurityPrivilege 3328 TiWorker.exe Token: SeBackupPrivilege 3328 TiWorker.exe Token: SeRestorePrivilege 3328 TiWorker.exe Token: SeSecurityPrivilege 3328 TiWorker.exe Token: SeBackupPrivilege 3328 TiWorker.exe Token: SeRestorePrivilege 3328 TiWorker.exe Token: SeSecurityPrivilege 3328 TiWorker.exe Token: SeBackupPrivilege 3328 TiWorker.exe Token: SeRestorePrivilege 3328 TiWorker.exe Token: SeSecurityPrivilege 3328 TiWorker.exe Token: SeBackupPrivilege 3328 TiWorker.exe Token: SeRestorePrivilege 3328 TiWorker.exe Token: SeSecurityPrivilege 3328 TiWorker.exe Token: SeBackupPrivilege 3328 TiWorker.exe Token: SeRestorePrivilege 3328 TiWorker.exe Token: SeSecurityPrivilege 3328 TiWorker.exe Token: SeBackupPrivilege 3328 TiWorker.exe Token: SeRestorePrivilege 3328 TiWorker.exe Token: SeSecurityPrivilege 3328 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
1504cf6eeea5774d37d091a570bdb654f7ae0dcbf5c12ece612cb0f80eed749f.execmd.exedescription pid process target process PID 4676 wrote to memory of 4640 4676 1504cf6eeea5774d37d091a570bdb654f7ae0dcbf5c12ece612cb0f80eed749f.exe MediaCenter.exe PID 4676 wrote to memory of 4640 4676 1504cf6eeea5774d37d091a570bdb654f7ae0dcbf5c12ece612cb0f80eed749f.exe MediaCenter.exe PID 4676 wrote to memory of 4640 4676 1504cf6eeea5774d37d091a570bdb654f7ae0dcbf5c12ece612cb0f80eed749f.exe MediaCenter.exe PID 4676 wrote to memory of 2448 4676 1504cf6eeea5774d37d091a570bdb654f7ae0dcbf5c12ece612cb0f80eed749f.exe cmd.exe PID 4676 wrote to memory of 2448 4676 1504cf6eeea5774d37d091a570bdb654f7ae0dcbf5c12ece612cb0f80eed749f.exe cmd.exe PID 4676 wrote to memory of 2448 4676 1504cf6eeea5774d37d091a570bdb654f7ae0dcbf5c12ece612cb0f80eed749f.exe cmd.exe PID 2448 wrote to memory of 1492 2448 cmd.exe PING.EXE PID 2448 wrote to memory of 1492 2448 cmd.exe PING.EXE PID 2448 wrote to memory of 1492 2448 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\1504cf6eeea5774d37d091a570bdb654f7ae0dcbf5c12ece612cb0f80eed749f.exe"C:\Users\Admin\AppData\Local\Temp\1504cf6eeea5774d37d091a570bdb654f7ae0dcbf5c12ece612cb0f80eed749f.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:4640 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1504cf6eeea5774d37d091a570bdb654f7ae0dcbf5c12ece612cb0f80eed749f.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1492
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1104
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3328
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
6f34c619d4623bcfefdec0b31f9db4db
SHA1d32b5b99fa6e1397edcbd984feb751d6cef87b45
SHA2566448a99cfa45f7e5dd9765dfd414611e4e071a05f34b810a7b49a67fd9814301
SHA5120e466fda99c6b0469873d656b4e847c6919e2d26db17f7aded1a5308a859fd2f0503a732fef61c0f5bf2017883751f8649994821895b9d71a4c854f54013e3c3
-
MD5
6f34c619d4623bcfefdec0b31f9db4db
SHA1d32b5b99fa6e1397edcbd984feb751d6cef87b45
SHA2566448a99cfa45f7e5dd9765dfd414611e4e071a05f34b810a7b49a67fd9814301
SHA5120e466fda99c6b0469873d656b4e847c6919e2d26db17f7aded1a5308a859fd2f0503a732fef61c0f5bf2017883751f8649994821895b9d71a4c854f54013e3c3