Analysis

- max time kernel: 128s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 04:09
Static task: static1
Behavioral task: behavioral1
  Sample: 15e964caa06b8500ae758f9a2629f7522d929aa04bb2050d20514029ea632885.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 15e964caa06b8500ae758f9a2629f7522d929aa04bb2050d20514029ea632885.exe
  Resource: win10v2004-en-20220113

The results on this page are from behavioral2 (the win10v2004-en-20220113 image, matching the platform line above); the Windows 7 run is a separate report and its behaviour may differ.
General

- Target: 15e964caa06b8500ae758f9a2629f7522d929aa04bb2050d20514029ea632885.exe
- Size: 192KB
- MD5: 5e40acad61cccb1d622a7c994c2c8878
- SHA1: 79ad9b0d3df23e1f14c68e85d861b21681254d8b
- SHA256: 15e964caa06b8500ae758f9a2629f7522d929aa04bb2050d20514029ea632885
- SHA512: dccee79088c3c8934113d3a822cb4030bbf89dc8990a8bd2551870edecf788959f33269f47d280ee4bfa1055ef93686a774e095dd647b9da57d228f00829fa36
Malware Config
Signatures

- Sakula Payload (2 IoCs)
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  Both YARA hits are on the dropped MediaCenter.exe, which is also the file the Run key below points at; blocking only the submitted file's hash would miss the component that persists.

- Executes dropped EXE (1 IoC)
  pid 4628  process MediaCenter.exe

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  process: 15e964caa06b8500ae758f9a2629f7522d929aa04bb2050d20514029ea632885.exe
  The report does not show what the sample does with the value. If the payload only proceeds for certain locales, a sandbox image with a different Geo\Nation setting can show less behaviour than a real victim would.

- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  process: 15e964caa06b8500ae758f9a2629f7522d929aa04bb2050d20514029ea632885.exe
  The value lands under WOW6432Node because a 32-bit process writing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run on an x64 host is redirected there; the same WoW64 redirection is why the System32\cmd.exe it launches appears as SysWOW64\cmd.exe in the process tree. When sweeping hosts, query both the native and the WOW6432Node Run keys.

- Drops file in Windows directory (8 IoCs)
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log  svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log  TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml  TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  svchost.exe
  All eight are Windows Update (wuauserv) and servicing-stack (TiWorker) files touched by the sandbox's own background activity; none is written by the sample or its children, so they do not belong in the IoC set for this sample.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The signature's stock description calls this likely ransomware behaviour, but the report records no file encryption and the payload is classified as Sakula, so treat this as generic drive enumeration rather than evidence of ransomware.

- Runs ping.exe (1 TTP, 1 IoC)
  Fired by the ping 127.0.0.1 in the cmd.exe chain below, which the sample uses as a short delay before deleting its own binary.

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  svchost.exe (pid 5056): SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating, 6 entries
  TiWorker.exe (pid 2120): SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, cycled, 57 entries
  15e964caa06b8500ae758f9a2629f7522d929aa04bb2050d20514029ea632885.exe (pid 3748): SeIncBasePriorityPrivilege, 1 entry
  Only the single SeIncBasePriorityPrivilege entry belongs to the sample; the rest is servicing-stack and Windows Update noise from the sandbox image.

- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 3748 (15e964caa06b8500ae758f9a2629f7522d929aa04bb2050d20514029ea632885.exe) wrote to memory of 4628 (MediaCenter.exe), 3 entries
  PID 3748 (15e964caa06b8500ae758f9a2629f7522d929aa04bb2050d20514029ea632885.exe) wrote to memory of 1948 (cmd.exe), 3 entries
  PID 1948 (cmd.exe) wrote to memory of 1628 (PING.EXE), 3 entries
  Every pair is a parent writing into a child it has just created, which matches ordinary process start-up rather than injection into an unrelated process.
Processes

- C:\Users\Admin\AppData\Local\Temp\15e964caa06b8500ae758f9a2629f7522d929aa04bb2050d20514029ea632885.exe (PID 3748)
  Command line: "C:\Users\Admin\AppData\Local\Temp\15e964caa06b8500ae758f9a2629f7522d929aa04bb2050d20514029ea632885.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 4628)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1948)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15e964caa06b8500ae758f9a2629f7522d929aa04bb2050d20514029ea632885.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1628)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe

- C:\Windows\system32\svchost.exe (PID 5056)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 2120)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

The first tree is the sample's whole footprint: the dropper writes MediaCenter.exe to a MicroMedia folder under the user's Temp directory, starts it, registers it in the Run key, and then removes itself through cmd.exe. The ping to 127.0.0.1 is only a delay (Windows ping sends four echo requests a second apart, so roughly three seconds against loopback), long enough for the dropper to exit so that del /q can remove its file. The svchost.exe (wuauserv) and TiWorker.exe trees are Windows Update and servicing activity that the sandbox image runs on its own; nothing links them to the sample.
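The three behaviours this run attributes to the sample, the Run key pointing into a Temp folder, the Geo\Nation lookup, and the ping-then-del self-deletion chain, are the ones worth turning into detection logic. The Python below is an added example written for this page; it is not part of the sandbox report or of any tooling the report describes. It runs those three checks over a constructed event list modelled on the process tree and registry IoCs above. The Event schema, the rule names, the `_del_target` helper and the benign control event are assumptions made for the example, not an export format of the sandbox.

```python
"""Detection checks for the behaviours recorded in this report:
  1. a Run key (native or WOW6432Node hive) whose target lives under a
     user's AppData\\Local\\Temp directory;
  2. a command line chaining ping with del (delay, then delete), upgraded to
     a self-delete finding when the deleted path is the parent's own image;
  3. a query of Control Panel\\International\\Geo\\Nation (locale geofence).
Added example: the Event schema and the sample events are constructed."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str               # "process" or "registry"
    pid: int
    image: str              # image path of the acting process
    detail: str             # command line, or "key = value" / "key" for registry events
    parent_image: str = ""  # process events only
    op: str = ""            # registry events: "set" or "query"


RUN_KEY = re.compile(
    r"\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# "ping <anything> & del <args>" (also &&, |, ||): the ping is only a sleep
PING_DEL = re.compile(r"\bping\b[^&|]*(?:&&?|\|\|?)\s*del\b(?P<args>[^&|]*)", re.I)
TOKEN = re.compile(r'"([^"]+)"|(\S+)')


def _del_target(args: str) -> str:
    """Last non-switch token of a del argument string, quotes removed."""
    paths = [q or b for q, b in TOKEN.findall(args) if not (q or b).startswith("/")]
    return paths[-1] if paths else ""


def analyze(events):
    """Return one finding dict per matched rule, in event order."""
    findings = []
    for ev in events:
        if ev.kind == "registry":
            key, _, value = ev.detail.partition(" = ")
            value = value.strip().strip('"')
            if ev.op == "set" and RUN_KEY.search(key) and TEMP_DIR.search(value):
                findings.append({"rule": "run_key_temp_persistence", "pid": ev.pid, "target": value})
            elif ev.op == "query" and GEO_NATION.search(key):
                findings.append({"rule": "geo_nation_lookup", "pid": ev.pid, "target": key})
        elif ev.kind == "process":
            m = PING_DEL.search(ev.detail)
            if m:
                target = _del_target(m.group("args"))
                # deleting the parent's own image is the self-delete pattern seen in this report
                is_self = bool(target) and target.lower() == ev.parent_image.lower()
                findings.append({"rule": "self_delete_via_ping" if is_self else "ping_del_chain",
                                 "pid": ev.pid, "target": target})
    return findings


# Constructed events modelled on the process tree and registry IoCs in the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\15e964caa06b8500ae758f9a2629f7522d929aa04bb2050d20514029ea632885.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
EVENTS = [
    Event("registry", 3748, SAMPLE,
          r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation",
          op="query"),
    Event("registry", 3748, SAMPLE,
          r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = " + f'"{DROPPED}"',
          op="set"),
    Event("process", 4628, DROPPED, DROPPED, parent_image=SAMPLE),
    Event("process", 1948, CMD, f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"',
          parent_image=SAMPLE),
    Event("process", 1628, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1", parent_image=CMD),
    # benign control (assumed): an installer registering a Program Files binary must not fire
    Event("registry", 900, r"C:\Program Files\Vendor\setup.exe",
          r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor = "
          r'"C:\Program Files\Vendor\agent.exe"', op="set"),
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f['rule']:26} pid={f['pid']:<5} {f['target']}")
```

Run as a script it prints three findings, all from the sample's PIDs, and nothing for the Program Files control. The ping regex deliberately accepts any host and any switches (`ping -n 3 127.0.0.1 > nul & del ...` matches too) because the delay target varies between droppers; the self-delete upgrade only fires when the deleted path equals the parent image, which is what separates this report's chain from a script that merely cleans up a temp file.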
Network
MITRE ATT&CK Enterprise v6
Downloads

- MD5: 04575abc8e79312550dd6c4e4236ee5b
  SHA1: 97213e7f4260e05d541634e0034a75210060093e
  SHA256: 9c19c4a49f8d75c1d3126b2cd0b5c779be45b67c8881603e960b20f599178e9b
  SHA512: 0a6307050c6dc956638583f10addd06bee8a840961e87ce6318ab1955c6144152b30446318e9d4a0cf168cb4e351b5708e02c0e382b9bd89f2dd29f6e0c4a0a5

These hashes differ from the submitted sample's, so they identify a separate file captured during the run; the report does not name which one.