Analysis
-
max time kernel
151s -
max time network
165s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 04:06
Static task
static1
Behavioral task
behavioral1
Sample
1609a12c61711d4d66715925f584bde27946ece3d5c92bb4b420c1e2e08820a5.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
1609a12c61711d4d66715925f584bde27946ece3d5c92bb4b420c1e2e08820a5.exe
Resource
win10v2004-en-20220113
General
-
Target
1609a12c61711d4d66715925f584bde27946ece3d5c92bb4b420c1e2e08820a5.exe
-
Size
80KB
-
MD5
4f58215601786f25c397182979c1066c
-
SHA1
dba61b541a0a646401daaad2b4f2a96eb820dc68
-
SHA256
1609a12c61711d4d66715925f584bde27946ece3d5c92bb4b420c1e2e08820a5
-
SHA512
73dd9d46f8a0a86669c164b0bed728af8ab51649abcdc54c758e266a8668bf25e6519e70120e55e31487e531318aa09c2b68b7d8337016414a300c481340ba9f
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1644 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
1609a12c61711d4d66715925f584bde27946ece3d5c92bb4b420c1e2e08820a5.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 1609a12c61711d4d66715925f584bde27946ece3d5c92bb4b420c1e2e08820a5.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
1609a12c61711d4d66715925f584bde27946ece3d5c92bb4b420c1e2e08820a5.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 1609a12c61711d4d66715925f584bde27946ece3d5c92bb4b420c1e2e08820a5.exe -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exe1609a12c61711d4d66715925f584bde27946ece3d5c92bb4b420c1e2e08820a5.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 2724 svchost.exe Token: SeCreatePagefilePrivilege 2724 svchost.exe Token: SeShutdownPrivilege 2724 svchost.exe Token: SeCreatePagefilePrivilege 2724 svchost.exe Token: SeShutdownPrivilege 2724 svchost.exe Token: SeCreatePagefilePrivilege 2724 svchost.exe Token: SeIncBasePriorityPrivilege 1132 1609a12c61711d4d66715925f584bde27946ece3d5c92bb4b420c1e2e08820a5.exe Token: SeSecurityPrivilege 4284 TiWorker.exe Token: SeRestorePrivilege 4284 TiWorker.exe Token: SeBackupPrivilege 4284 TiWorker.exe Token: SeBackupPrivilege 4284 TiWorker.exe Token: SeRestorePrivilege 4284 TiWorker.exe Token: SeSecurityPrivilege 4284 TiWorker.exe Token: SeBackupPrivilege 4284 TiWorker.exe Token: SeRestorePrivilege 4284 TiWorker.exe Token: SeSecurityPrivilege 4284 TiWorker.exe Token: SeBackupPrivilege 4284 TiWorker.exe Token: SeRestorePrivilege 4284 TiWorker.exe Token: SeSecurityPrivilege 4284 TiWorker.exe Token: SeBackupPrivilege 4284 TiWorker.exe Token: SeRestorePrivilege 4284 TiWorker.exe Token: SeSecurityPrivilege 4284 TiWorker.exe Token: SeBackupPrivilege 4284 TiWorker.exe Token: SeRestorePrivilege 4284 TiWorker.exe Token: SeSecurityPrivilege 4284 TiWorker.exe Token: SeBackupPrivilege 4284 TiWorker.exe Token: SeRestorePrivilege 4284 TiWorker.exe Token: SeSecurityPrivilege 4284 TiWorker.exe Token: SeBackupPrivilege 4284 TiWorker.exe Token: SeRestorePrivilege 4284 TiWorker.exe Token: SeSecurityPrivilege 4284 TiWorker.exe Token: SeBackupPrivilege 4284 TiWorker.exe Token: SeRestorePrivilege 4284 TiWorker.exe Token: SeSecurityPrivilege 4284 TiWorker.exe Token: SeBackupPrivilege 4284 TiWorker.exe Token: SeRestorePrivilege 4284 TiWorker.exe Token: SeSecurityPrivilege 4284 TiWorker.exe Token: SeBackupPrivilege 4284 TiWorker.exe Token: SeRestorePrivilege 4284 TiWorker.exe Token: SeSecurityPrivilege 4284 TiWorker.exe Token: SeBackupPrivilege 4284 TiWorker.exe Token: SeRestorePrivilege 4284 TiWorker.exe Token: SeSecurityPrivilege 4284 TiWorker.exe Token: SeBackupPrivilege 4284 TiWorker.exe Token: SeRestorePrivilege 4284 TiWorker.exe Token: SeSecurityPrivilege 4284 TiWorker.exe Token: SeBackupPrivilege 4284 TiWorker.exe Token: SeRestorePrivilege 4284 TiWorker.exe Token: SeSecurityPrivilege 4284 TiWorker.exe Token: SeBackupPrivilege 4284 TiWorker.exe Token: SeRestorePrivilege 4284 TiWorker.exe Token: SeSecurityPrivilege 4284 TiWorker.exe Token: SeBackupPrivilege 4284 TiWorker.exe Token: SeRestorePrivilege 4284 TiWorker.exe Token: SeSecurityPrivilege 4284 TiWorker.exe Token: SeBackupPrivilege 4284 TiWorker.exe Token: SeRestorePrivilege 4284 TiWorker.exe Token: SeSecurityPrivilege 4284 TiWorker.exe Token: SeBackupPrivilege 4284 TiWorker.exe Token: SeRestorePrivilege 4284 TiWorker.exe Token: SeSecurityPrivilege 4284 TiWorker.exe Token: SeBackupPrivilege 4284 TiWorker.exe Token: SeRestorePrivilege 4284 TiWorker.exe Token: SeSecurityPrivilege 4284 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
1609a12c61711d4d66715925f584bde27946ece3d5c92bb4b420c1e2e08820a5.execmd.exedescription pid process target process PID 1132 wrote to memory of 1644 1132 1609a12c61711d4d66715925f584bde27946ece3d5c92bb4b420c1e2e08820a5.exe MediaCenter.exe PID 1132 wrote to memory of 1644 1132 1609a12c61711d4d66715925f584bde27946ece3d5c92bb4b420c1e2e08820a5.exe MediaCenter.exe PID 1132 wrote to memory of 1644 1132 1609a12c61711d4d66715925f584bde27946ece3d5c92bb4b420c1e2e08820a5.exe MediaCenter.exe PID 1132 wrote to memory of 2328 1132 1609a12c61711d4d66715925f584bde27946ece3d5c92bb4b420c1e2e08820a5.exe cmd.exe PID 1132 wrote to memory of 2328 1132 1609a12c61711d4d66715925f584bde27946ece3d5c92bb4b420c1e2e08820a5.exe cmd.exe PID 1132 wrote to memory of 2328 1132 1609a12c61711d4d66715925f584bde27946ece3d5c92bb4b420c1e2e08820a5.exe cmd.exe PID 2328 wrote to memory of 376 2328 cmd.exe PING.EXE PID 2328 wrote to memory of 376 2328 cmd.exe PING.EXE PID 2328 wrote to memory of 376 2328 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\1609a12c61711d4d66715925f584bde27946ece3d5c92bb4b420c1e2e08820a5.exe"C:\Users\Admin\AppData\Local\Temp\1609a12c61711d4d66715925f584bde27946ece3d5c92bb4b420c1e2e08820a5.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1609a12c61711d4d66715925f584bde27946ece3d5c92bb4b420c1e2e08820a5.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:376
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2724
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4284
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
b67970145138507c7f361d81172e7631
SHA1616dc186ab0bcc52188b97b29bcf9bd935f497f2
SHA256cb8aae1de50b2c23d91ccbe845127a86f583b579f382a0a82357c89a3edbf339
SHA512f0ecacb9ebc6b3831b50681a199e8e743ca44107678e15af0bfc86fd8746052df76d34967f98ef2ebc1c0b76957f3595d9ca60a637ad6eaaeeecabda4ef9d74e
-
MD5
b67970145138507c7f361d81172e7631
SHA1616dc186ab0bcc52188b97b29bcf9bd935f497f2
SHA256cb8aae1de50b2c23d91ccbe845127a86f583b579f382a0a82357c89a3edbf339
SHA512f0ecacb9ebc6b3831b50681a199e8e743ca44107678e15af0bfc86fd8746052df76d34967f98ef2ebc1c0b76957f3595d9ca60a637ad6eaaeeecabda4ef9d74e