Analysis

max time kernel: 129s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 03:55

Static task: static1

Behavioral task: behavioral1
Sample: 1675ae7b61ecf82d260ecababd2e7cef19cf562b6c95d19ef4169e89c6abe54f.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 1675ae7b61ecf82d260ecababd2e7cef19cf562b6c95d19ef4169e89c6abe54f.exe
Resource: win10v2004-en-20220113
General

Target: 1675ae7b61ecf82d260ecababd2e7cef19cf562b6c95d19ef4169e89c6abe54f.exe
Size: 79KB
MD5: 8d0371d07a7c96cb75280a6d370ef424
SHA1: 62cb6ef04073891ba50e051a93ce9fb36e4f97dd
SHA256: 1675ae7b61ecf82d260ecababd2e7cef19cf562b6c95d19ef4169e89c6abe54f
SHA512: 311184da8f7f7ee4cbde8498634b453a953892189357f522beb6ba9ad7acb8a43994e4602c238eb8bdb00032d1014fa1317e624fe423b2e825299d7fc6bc8954
Malware Config
Signatures
-
Sakula Payload (2 IoCs)
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula

Executes dropped EXE (1 IoC)
Processes:
  pid 4872, process MediaCenter.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  process: 1675ae7b61ecf82d260ecababd2e7cef19cf562b6c95d19ef4169e89c6abe54f.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 1675ae7b61ecf82d260ecababd2e7cef19cf562b6c95d19ef4169e89c6abe54f.exe

Drops file in Windows directory (8 IoCs)
Processes (description: File opened for modification):
  C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  C:\Windows\WindowsUpdate.log (svchost.exe)
  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description: Token), grouped by process; the report lists each grant as a separate row, with the TiWorker.exe grants repeated many times:
  svchost.exe (pid 2296): SeShutdownPrivilege, SeCreatePagefilePrivilege (each listed 3 times)
  1675ae7b61ecf82d260ecababd2e7cef19cf562b6c95d19ef4169e89c6abe54f.exe (pid 3924): SeIncBasePriorityPrivilege
  TiWorker.exe (pid 4976): SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege (repeated grants)

Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description: wrote to memory of):
  PID 3924 (1675ae7b61ecf82d260ecababd2e7cef19cf562b6c95d19ef4169e89c6abe54f.exe) -> target 4872 (MediaCenter.exe), listed 3 times
  PID 3924 (1675ae7b61ecf82d260ecababd2e7cef19cf562b6c95d19ef4169e89c6abe54f.exe) -> target 2880 (cmd.exe), listed 3 times
  PID 2880 (cmd.exe) -> target 2108 (PING.EXE), listed 3 times
Processes

1. C:\Users\Admin\AppData\Local\Temp\1675ae7b61ecf82d260ecababd2e7cef19cf562b6c95d19ef4169e89c6abe54f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1675ae7b61ecf82d260ecababd2e7cef19cf562b6c95d19ef4169e89c6abe54f.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 3924

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 4872

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1675ae7b61ecf82d260ecababd2e7cef19cf562b6c95d19ef4169e89c6abe54f.exe"
      - Suspicious use of WriteProcessMemory
      PID: 2880

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 2108

1. C:\Windows\system32\svchost.exe
   Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   PID: 2296

1. C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
   Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   PID: 4976
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 0b04daeab320a3f413208d3eb7b071f9
SHA1: f67c8664ffee151f4c425abab1bbaf43e9255b88
SHA256: 81257546043f41d663e941c49aff326a1bf3955124957f61532ffa87ef8f170e
SHA512: 0ea01e55659c92f55b8df6cb674ba10424aedb458bcc8fe911959754f96858832516afe43a63081bdbfdae09c43a0c88612448fbb981ded4b7b214d688f213b3