Analysis
  max time kernel: 166s
  max time network: 175s
  platform: windows10-2004_x64
  resource: win10v2004-en-20220113
  submitted: 12-02-2022 04:39
Static task: static1
Behavioral task: behavioral1
  Sample: 14e5909b2824e58f07c4700b4e60ddcdbd9fd36de8c6536f2fd1347783cf4f21.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 14e5909b2824e58f07c4700b4e60ddcdbd9fd36de8c6536f2fd1347783cf4f21.exe
  Resource: win10v2004-en-20220113
General
  Target: 14e5909b2824e58f07c4700b4e60ddcdbd9fd36de8c6536f2fd1347783cf4f21.exe
  Size: 216KB
  MD5: 2392011c55f80522ae12fa0e8d9c394b
  SHA1: 2e3a60ecbd8c681cea73e8ed8aa839029f3e4125
  SHA256: 14e5909b2824e58f07c4700b4e60ddcdbd9fd36de8c6536f2fd1347783cf4f21
  SHA512: 578dbf7dc57ec2a2a757910acdc9d7ca02c6b39d98f40e1014f2b09cfceb2a68d79491524ca087ef0a8625be283d44c72288d85443738c7ee42da1fff46de422
Malware Config
Signatures

Sakula Payload (4 IoCs)
  resource (yara_rule):
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (family_sakula)
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (family_sakula)
  behavioral2/memory/4040-138-0x0000000000400000-0x0000000000420000-memory.dmp (family_sakula)
  behavioral2/memory/2352-139-0x0000000000400000-0x0000000000420000-memory.dmp (family_sakula)
Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
  pid (process):
  2352 (MediaCenter.exe)
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 14e5909b2824e58f07c4700b4e60ddcdbd9fd36de8c6536f2fd1347783cf4f21.exe
  description: ioc (process):
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (14e5909b2824e58f07c4700b4e60ddcdbd9fd36de8c6536f2fd1347783cf4f21.exe)
Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 14e5909b2824e58f07c4700b4e60ddcdbd9fd36de8c6536f2fd1347783cf4f21.exe
  description: ioc (process):
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (14e5909b2824e58f07c4700b4e60ddcdbd9fd36de8c6536f2fd1347783cf4f21.exe)
Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
  description: ioc (process):
  File opened for modification: C:\Windows\WindowsUpdate.log (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
  File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, 14e5909b2824e58f07c4700b4e60ddcdbd9fd36de8c6536f2fd1347783cf4f21.exe, TiWorker.exe
  description (pid, process):
  Token: SeShutdownPrivilege (440, svchost.exe)
  Token: SeCreatePagefilePrivilege (440, svchost.exe)
  Token: SeShutdownPrivilege (440, svchost.exe)
  Token: SeCreatePagefilePrivilege (440, svchost.exe)
  Token: SeShutdownPrivilege (440, svchost.exe)
  Token: SeCreatePagefilePrivilege (440, svchost.exe)
  Token: SeIncBasePriorityPrivilege (4040, 14e5909b2824e58f07c4700b4e60ddcdbd9fd36de8c6536f2fd1347783cf4f21.exe)
  Token: SeSecurityPrivilege (1816, TiWorker.exe)
  Token: SeRestorePrivilege (1816, TiWorker.exe)
  Token: SeBackupPrivilege (1816, TiWorker.exe)
  Token: SeBackupPrivilege (1816, TiWorker.exe)
  Token: SeRestorePrivilege (1816, TiWorker.exe)
  Token: SeSecurityPrivilege (1816, TiWorker.exe)
  Token: SeBackupPrivilege (1816, TiWorker.exe)
  Token: SeRestorePrivilege (1816, TiWorker.exe)
  Token: SeSecurityPrivilege (1816, TiWorker.exe)
  Token: SeBackupPrivilege (1816, TiWorker.exe)
  Token: SeRestorePrivilege (1816, TiWorker.exe)
  Token: SeSecurityPrivilege (1816, TiWorker.exe)
  Token: SeBackupPrivilege (1816, TiWorker.exe)
  Token: SeRestorePrivilege (1816, TiWorker.exe)
  Token: SeSecurityPrivilege (1816, TiWorker.exe)
  Token: SeBackupPrivilege (1816, TiWorker.exe)
  Token: SeRestorePrivilege (1816, TiWorker.exe)
  Token: SeSecurityPrivilege (1816, TiWorker.exe)
  Token: SeBackupPrivilege (1816, TiWorker.exe)
  Token: SeRestorePrivilege (1816, TiWorker.exe)
  Token: SeSecurityPrivilege (1816, TiWorker.exe)
  Token: SeBackupPrivilege (1816, TiWorker.exe)
  Token: SeRestorePrivilege (1816, TiWorker.exe)
  Token: SeSecurityPrivilege (1816, TiWorker.exe)
  Token: SeBackupPrivilege (1816, TiWorker.exe)
  Token: SeRestorePrivilege (1816, TiWorker.exe)
  Token: SeSecurityPrivilege (1816, TiWorker.exe)
  Token: SeBackupPrivilege (1816, TiWorker.exe)
  Token: SeRestorePrivilege (1816, TiWorker.exe)
  Token: SeSecurityPrivilege (1816, TiWorker.exe)
  Token: SeBackupPrivilege (1816, TiWorker.exe)
  Token: SeRestorePrivilege (1816, TiWorker.exe)
  Token: SeSecurityPrivilege (1816, TiWorker.exe)
  Token: SeBackupPrivilege (1816, TiWorker.exe)
  Token: SeRestorePrivilege (1816, TiWorker.exe)
  Token: SeSecurityPrivilege (1816, TiWorker.exe)
  Token: SeBackupPrivilege (1816, TiWorker.exe)
  Token: SeRestorePrivilege (1816, TiWorker.exe)
  Token: SeSecurityPrivilege (1816, TiWorker.exe)
  Token: SeBackupPrivilege (1816, TiWorker.exe)
  Token: SeRestorePrivilege (1816, TiWorker.exe)
  Token: SeSecurityPrivilege (1816, TiWorker.exe)
  Token: SeBackupPrivilege (1816, TiWorker.exe)
  Token: SeRestorePrivilege (1816, TiWorker.exe)
  Token: SeSecurityPrivilege (1816, TiWorker.exe)
  Token: SeBackupPrivilege (1816, TiWorker.exe)
  Token: SeRestorePrivilege (1816, TiWorker.exe)
  Token: SeSecurityPrivilege (1816, TiWorker.exe)
  Token: SeBackupPrivilege (1816, TiWorker.exe)
  Token: SeRestorePrivilege (1816, TiWorker.exe)
  Token: SeSecurityPrivilege (1816, TiWorker.exe)
  Token: SeBackupPrivilege (1816, TiWorker.exe)
  Token: SeRestorePrivilege (1816, TiWorker.exe)
  Token: SeSecurityPrivilege (1816, TiWorker.exe)
  Token: SeBackupPrivilege (1816, TiWorker.exe)
  Token: SeRestorePrivilege (1816, TiWorker.exe)
  Token: SeSecurityPrivilege (1816, TiWorker.exe)
Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 14e5909b2824e58f07c4700b4e60ddcdbd9fd36de8c6536f2fd1347783cf4f21.exe, cmd.exe
  description (pid, process -> target process):
  PID 4040 wrote to memory of 2352 (4040, 14e5909b2824e58f07c4700b4e60ddcdbd9fd36de8c6536f2fd1347783cf4f21.exe -> MediaCenter.exe)
  PID 4040 wrote to memory of 2352 (4040, 14e5909b2824e58f07c4700b4e60ddcdbd9fd36de8c6536f2fd1347783cf4f21.exe -> MediaCenter.exe)
  PID 4040 wrote to memory of 2352 (4040, 14e5909b2824e58f07c4700b4e60ddcdbd9fd36de8c6536f2fd1347783cf4f21.exe -> MediaCenter.exe)
  PID 4040 wrote to memory of 3952 (4040, 14e5909b2824e58f07c4700b4e60ddcdbd9fd36de8c6536f2fd1347783cf4f21.exe -> cmd.exe)
  PID 4040 wrote to memory of 3952 (4040, 14e5909b2824e58f07c4700b4e60ddcdbd9fd36de8c6536f2fd1347783cf4f21.exe -> cmd.exe)
  PID 4040 wrote to memory of 3952 (4040, 14e5909b2824e58f07c4700b4e60ddcdbd9fd36de8c6536f2fd1347783cf4f21.exe -> cmd.exe)
  PID 3952 wrote to memory of 1904 (3952, cmd.exe -> PING.EXE)
  PID 3952 wrote to memory of 1904 (3952, cmd.exe -> PING.EXE)
  PID 3952 wrote to memory of 1904 (3952, cmd.exe -> PING.EXE)
Processes

1. C:\Users\Admin\AppData\Local\Temp\14e5909b2824e58f07c4700b4e60ddcdbd9fd36de8c6536f2fd1347783cf4f21.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\14e5909b2824e58f07c4700b4e60ddcdbd9fd36de8c6536f2fd1347783cf4f21.exe"
   PID: 4040
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 2352
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14e5909b2824e58f07c4700b4e60ddcdbd9fd36de8c6536f2fd1347783cf4f21.exe"
      PID: 3952
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1904
         - Runs ping.exe

1. C:\Windows\system32\svchost.exe
   Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
   PID: 440
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken

1. C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
   Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
   PID: 1816
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
  MD5: 53be1d95eb29d73fcdd80107b7077a25
  SHA1: 6bcf604649c770676025ca2ecdefc73f38fdceb4
  SHA256: ab840d4542108c2d64f75f22f5a127c3e06fda40038e581f750c4f1bc5dd3d80
  SHA512: 99736a3c636f14fee497ad8a223ae768961d45eec4cd916cf35743a94a6062990053b1cb2f50d05cccffcbacfdd397fa862c63dd7d0fa4734f2e97e1f922233c