Analysis
-
max time kernel
135s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 04:38
Static task
static1
Behavioral task
behavioral1
Sample
14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70.exe
Resource
win10v2004-en-20220113
General
-
Target
14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70.exe
-
Size
80KB
-
MD5
c0d47c2a5429038de9451d5889273865
-
SHA1
57c45960d162a747a1832acede69a995dc71a43a
-
SHA256
14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70
-
SHA512
de88995e06486cea8cca5655f03c4a58146f12c532ce5de650ad1beb722217f3b77555be50887d8ee0f07f98a324c474b5cb0f86443b82dcab109f7410d1fece
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 3508 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70.exe -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70.exesvchost.exeTiWorker.exedescription pid process Token: SeIncBasePriorityPrivilege 4696 14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70.exe Token: SeShutdownPrivilege 4516 svchost.exe Token: SeCreatePagefilePrivilege 4516 svchost.exe Token: SeShutdownPrivilege 4516 svchost.exe Token: SeCreatePagefilePrivilege 4516 svchost.exe Token: SeShutdownPrivilege 4516 svchost.exe Token: SeCreatePagefilePrivilege 4516 svchost.exe Token: SeSecurityPrivilege 4144 TiWorker.exe Token: SeRestorePrivilege 4144 TiWorker.exe Token: SeBackupPrivilege 4144 TiWorker.exe Token: SeBackupPrivilege 4144 TiWorker.exe Token: SeRestorePrivilege 4144 TiWorker.exe Token: SeSecurityPrivilege 4144 TiWorker.exe Token: SeBackupPrivilege 4144 TiWorker.exe Token: SeRestorePrivilege 4144 TiWorker.exe Token: SeSecurityPrivilege 4144 TiWorker.exe Token: SeBackupPrivilege 4144 TiWorker.exe Token: SeRestorePrivilege 4144 TiWorker.exe Token: SeSecurityPrivilege 4144 TiWorker.exe Token: SeBackupPrivilege 4144 TiWorker.exe Token: SeRestorePrivilege 4144 TiWorker.exe Token: SeSecurityPrivilege 4144 TiWorker.exe Token: SeBackupPrivilege 4144 TiWorker.exe Token: SeRestorePrivilege 4144 TiWorker.exe Token: SeSecurityPrivilege 4144 TiWorker.exe Token: SeBackupPrivilege 4144 TiWorker.exe Token: SeRestorePrivilege 4144 TiWorker.exe Token: SeSecurityPrivilege 4144 TiWorker.exe Token: SeBackupPrivilege 4144 TiWorker.exe Token: SeRestorePrivilege 4144 TiWorker.exe Token: SeSecurityPrivilege 4144 TiWorker.exe Token: SeBackupPrivilege 4144 TiWorker.exe Token: SeRestorePrivilege 4144 TiWorker.exe Token: SeSecurityPrivilege 4144 TiWorker.exe Token: SeBackupPrivilege 4144 TiWorker.exe Token: SeRestorePrivilege 4144 TiWorker.exe Token: SeSecurityPrivilege 4144 TiWorker.exe Token: SeBackupPrivilege 4144 TiWorker.exe Token: SeRestorePrivilege 4144 TiWorker.exe Token: SeSecurityPrivilege 4144 TiWorker.exe Token: SeBackupPrivilege 4144 TiWorker.exe Token: SeRestorePrivilege 4144 TiWorker.exe Token: SeSecurityPrivilege 4144 TiWorker.exe Token: SeBackupPrivilege 4144 TiWorker.exe Token: SeRestorePrivilege 4144 TiWorker.exe Token: SeSecurityPrivilege 4144 TiWorker.exe Token: SeBackupPrivilege 4144 TiWorker.exe Token: SeRestorePrivilege 4144 TiWorker.exe Token: SeSecurityPrivilege 4144 TiWorker.exe Token: SeBackupPrivilege 4144 TiWorker.exe Token: SeRestorePrivilege 4144 TiWorker.exe Token: SeSecurityPrivilege 4144 TiWorker.exe Token: SeBackupPrivilege 4144 TiWorker.exe Token: SeRestorePrivilege 4144 TiWorker.exe Token: SeSecurityPrivilege 4144 TiWorker.exe Token: SeBackupPrivilege 4144 TiWorker.exe Token: SeRestorePrivilege 4144 TiWorker.exe Token: SeSecurityPrivilege 4144 TiWorker.exe Token: SeBackupPrivilege 4144 TiWorker.exe Token: SeRestorePrivilege 4144 TiWorker.exe Token: SeSecurityPrivilege 4144 TiWorker.exe Token: SeBackupPrivilege 4144 TiWorker.exe Token: SeRestorePrivilege 4144 TiWorker.exe Token: SeSecurityPrivilege 4144 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70.execmd.exedescription pid process target process PID 4696 wrote to memory of 3508 4696 14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70.exe MediaCenter.exe PID 4696 wrote to memory of 3508 4696 14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70.exe MediaCenter.exe PID 4696 wrote to memory of 3508 4696 14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70.exe MediaCenter.exe PID 4696 wrote to memory of 1848 4696 14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70.exe cmd.exe PID 4696 wrote to memory of 1848 4696 14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70.exe cmd.exe PID 4696 wrote to memory of 1848 4696 14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70.exe cmd.exe PID 1848 wrote to memory of 960 1848 cmd.exe PING.EXE PID 1848 wrote to memory of 960 1848 cmd.exe PING.EXE PID 1848 wrote to memory of 960 1848 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70.exe"C:\Users\Admin\AppData\Local\Temp\14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4696 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:3508 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:960
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4516
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4144
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
0b5610e280e2b1ce4efb8a501a4b64c4
SHA1b979aae8a7c7ee50aba4ec28e2a417ce1de921ba
SHA25602a99b0c295d3d96210b2cd94111e8c4d8c6da4ce39b29dfda8a822bfbf60163
SHA5122b62abcb371fc17a637d4990742f4f1775885baf113f862880bfaf774097441fd0a0a6e13becadc7d0e62e1f9648637168f32485319065878e03b437e2cbda6f
-
MD5
0b5610e280e2b1ce4efb8a501a4b64c4
SHA1b979aae8a7c7ee50aba4ec28e2a417ce1de921ba
SHA25602a99b0c295d3d96210b2cd94111e8c4d8c6da4ce39b29dfda8a822bfbf60163
SHA5122b62abcb371fc17a637d4990742f4f1775885baf113f862880bfaf774097441fd0a0a6e13becadc7d0e62e1f9648637168f32485319065878e03b437e2cbda6f