Analysis
max time kernel: 156s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 04:11

Static task: static1

Behavioral task: behavioral1
  Sample: 15dcf8688a05bba2c2d0be69917ca1158759d517f55e64f03bc24636b3ebf6c3.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 15dcf8688a05bba2c2d0be69917ca1158759d517f55e64f03bc24636b3ebf6c3.exe
  Resource: win10v2004-en-20220113
General
Target: 15dcf8688a05bba2c2d0be69917ca1158759d517f55e64f03bc24636b3ebf6c3.exe
Size: 101KB
MD5: 92617fadaf25a2f9a663b7a4838afd42
SHA1: ece90ed7e1050f08569b6f9281919e23834cf54c
SHA256: 15dcf8688a05bba2c2d0be69917ca1158759d517f55e64f03bc24636b3ebf6c3
SHA512: 8381e09d040cc80049734d654f51cf16470ef11ad262c55415975f25d9dd7732aa40e4b39caaaaecff6c7dd92350ca56a3ab86e1c2573d9a6d7511b7b0a099c2
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes:
resource                                                       yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
Executes dropped EXE (1 IoCs)
Processes: MediaCenter.exe
pid    process
1336   MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 15dcf8688a05bba2c2d0be69917ca1158759d517f55e64f03bc24636b3ebf6c3.exe
description         ioc                                                                                                   process
Key value queried   \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation   15dcf8688a05bba2c2d0be69917ca1158759d517f55e64f03bc24636b3ebf6c3.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: 15dcf8688a05bba2c2d0be69917ca1158759d517f55e64f03bc24636b3ebf6c3.exe
description       ioc                                                                                                                                                                           process
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   15dcf8688a05bba2c2d0be69917ca1158759d517f55e64f03bc24636b3ebf6c3.exe
Drops file in Windows directory (8 IoCs)
Processes: svchost.exe, TiWorker.exe
description                    ioc                                                          process
File opened for modification   C:\Windows\WindowsUpdate.log                                 svchost.exe
File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk       svchost.exe
File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log       svchost.exe
File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.edb      svchost.exe
File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm      svchost.exe
File opened for modification   C:\Windows\SoftwareDistribution\ReportingEvents.log          svchost.exe
File opened for modification   C:\Windows\Logs\CBS\CBS.log                                  TiWorker.exe
File opened for modification   C:\Windows\WinSxS\pending.xml                                TiWorker.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: svchost.exe, 15dcf8688a05bba2c2d0be69917ca1158759d517f55e64f03bc24636b3ebf6c3.exe, TiWorker.exe
description                        pid    process
Token: SeShutdownPrivilege         2884   svchost.exe
Token: SeCreatePagefilePrivilege   2884   svchost.exe
Token: SeShutdownPrivilege         2884   svchost.exe
Token: SeCreatePagefilePrivilege   2884   svchost.exe
Token: SeShutdownPrivilege         2884   svchost.exe
Token: SeCreatePagefilePrivilege   2884   svchost.exe
Token: SeIncBasePriorityPrivilege  3124   15dcf8688a05bba2c2d0be69917ca1158759d517f55e64f03bc24636b3ebf6c3.exe
Token: SeSecurityPrivilege         760    TiWorker.exe
Token: SeRestorePrivilege          760    TiWorker.exe
Token: SeBackupPrivilege           760    TiWorker.exe
Token: SeBackupPrivilege           760    TiWorker.exe
Token: SeRestorePrivilege          760    TiWorker.exe
Token: SeSecurityPrivilege         760    TiWorker.exe
Token: SeBackupPrivilege           760    TiWorker.exe
Token: SeRestorePrivilege          760    TiWorker.exe
Token: SeSecurityPrivilege         760    TiWorker.exe
Token: SeBackupPrivilege           760    TiWorker.exe
Token: SeRestorePrivilege          760    TiWorker.exe
Token: SeSecurityPrivilege         760    TiWorker.exe
Token: SeBackupPrivilege           760    TiWorker.exe
Token: SeRestorePrivilege          760    TiWorker.exe
Token: SeSecurityPrivilege         760    TiWorker.exe
Token: SeBackupPrivilege           760    TiWorker.exe
Token: SeRestorePrivilege          760    TiWorker.exe
Token: SeSecurityPrivilege         760    TiWorker.exe
Token: SeBackupPrivilege           760    TiWorker.exe
Token: SeRestorePrivilege          760    TiWorker.exe
Token: SeSecurityPrivilege         760    TiWorker.exe
Token: SeBackupPrivilege           760    TiWorker.exe
Token: SeRestorePrivilege          760    TiWorker.exe
Token: SeSecurityPrivilege         760    TiWorker.exe
Token: SeBackupPrivilege           760    TiWorker.exe
Token: SeRestorePrivilege          760    TiWorker.exe
Token: SeSecurityPrivilege         760    TiWorker.exe
Token: SeBackupPrivilege           760    TiWorker.exe
Token: SeRestorePrivilege          760    TiWorker.exe
Token: SeSecurityPrivilege         760    TiWorker.exe
Token: SeBackupPrivilege           760    TiWorker.exe
Token: SeRestorePrivilege          760    TiWorker.exe
Token: SeSecurityPrivilege         760    TiWorker.exe
Token: SeBackupPrivilege           760    TiWorker.exe
Token: SeRestorePrivilege          760    TiWorker.exe
Token: SeSecurityPrivilege         760    TiWorker.exe
Token: SeBackupPrivilege           760    TiWorker.exe
Token: SeRestorePrivilege          760    TiWorker.exe
Token: SeSecurityPrivilege         760    TiWorker.exe
Token: SeBackupPrivilege           760    TiWorker.exe
Token: SeRestorePrivilege          760    TiWorker.exe
Token: SeSecurityPrivilege         760    TiWorker.exe
Token: SeBackupPrivilege           760    TiWorker.exe
Token: SeRestorePrivilege          760    TiWorker.exe
Token: SeSecurityPrivilege         760    TiWorker.exe
Token: SeBackupPrivilege           760    TiWorker.exe
Token: SeRestorePrivilege          760    TiWorker.exe
Token: SeSecurityPrivilege         760    TiWorker.exe
Token: SeBackupPrivilege           760    TiWorker.exe
Token: SeRestorePrivilege          760    TiWorker.exe
Token: SeSecurityPrivilege         760    TiWorker.exe
Token: SeBackupPrivilege           760    TiWorker.exe
Token: SeRestorePrivilege          760    TiWorker.exe
Token: SeSecurityPrivilege         760    TiWorker.exe
Token: SeBackupPrivilege           760    TiWorker.exe
Token: SeRestorePrivilege          760    TiWorker.exe
Token: SeSecurityPrivilege         760    TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 15dcf8688a05bba2c2d0be69917ca1158759d517f55e64f03bc24636b3ebf6c3.exe, cmd.exe
description                        pid    process                                                                  target process
PID 3124 wrote to memory of 1336   3124   15dcf8688a05bba2c2d0be69917ca1158759d517f55e64f03bc24636b3ebf6c3.exe   MediaCenter.exe
PID 3124 wrote to memory of 1336   3124   15dcf8688a05bba2c2d0be69917ca1158759d517f55e64f03bc24636b3ebf6c3.exe   MediaCenter.exe
PID 3124 wrote to memory of 1336   3124   15dcf8688a05bba2c2d0be69917ca1158759d517f55e64f03bc24636b3ebf6c3.exe   MediaCenter.exe
PID 3124 wrote to memory of 1596   3124   15dcf8688a05bba2c2d0be69917ca1158759d517f55e64f03bc24636b3ebf6c3.exe   cmd.exe
PID 3124 wrote to memory of 1596   3124   15dcf8688a05bba2c2d0be69917ca1158759d517f55e64f03bc24636b3ebf6c3.exe   cmd.exe
PID 3124 wrote to memory of 1596   3124   15dcf8688a05bba2c2d0be69917ca1158759d517f55e64f03bc24636b3ebf6c3.exe   cmd.exe
PID 1596 wrote to memory of 2276   1596   cmd.exe                                                                  PING.EXE
PID 1596 wrote to memory of 2276   1596   cmd.exe                                                                  PING.EXE
PID 1596 wrote to memory of 2276   1596   cmd.exe                                                                  PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\15dcf8688a05bba2c2d0be69917ca1158759d517f55e64f03bc24636b3ebf6c3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\15dcf8688a05bba2c2d0be69917ca1158759d517f55e64f03bc24636b3ebf6c3.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3124

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1336

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15dcf8688a05bba2c2d0be69917ca1158759d517f55e64f03bc24636b3ebf6c3.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1596

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 2276

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2884

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 760
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 9f97540977cba66eb7c5f2109827ab28
  SHA1: 1a6cbbfcaf49d1294197f16df7fd5565e35e13e3
  SHA256: f72bb18a5988449021ae309819919eb30f3d606debed0fd2fa6c9b902a647b5e
  SHA512: 9447369a423290c2f45a100116cfaab980159ad2e98c755fbdc1593d633e2cdbd03acd6b4336e55f5b0f6bcae6086f4fe6927f0b43ef368ef00dc870c1794833