Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 04:19
Static task: static1
Behavioral task: behavioral1
  Sample: 1586f79f2d31e74c7a6579a3dbfc6db4ea3f68e92eb9a61be5dccf027b4bae5d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1586f79f2d31e74c7a6579a3dbfc6db4ea3f68e92eb9a61be5dccf027b4bae5d.exe
  Resource: win10v2004-en-20220113
The Signatures and Processes sections on this page are from the win10v2004 run (behavioral2), matching the platform and resource in the Analysis header.
General
Target: 1586f79f2d31e74c7a6579a3dbfc6db4ea3f68e92eb9a61be5dccf027b4bae5d.exe
Size: 99KB
MD5: 4317a89791558850e040c349435395b6
SHA1: c3a55079f0aba06a3c42f54ad9b53d2e03ffaf67
SHA256: 1586f79f2d31e74c7a6579a3dbfc6db4ea3f68e92eb9a61be5dccf027b4bae5d
SHA512: 1369aadf635a88511769caa4b406d193cd6487b97597de66d29e623404c0f74055806541d328a15ab07285fc60bf440d8f0ad9c5b900d3a6baa4a24476c378a1
Malware Config
Signatures
Sakula Payload (2 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
(The same dropped file is matched twice by the family_sakula rule.)
Executes dropped EXE (1 IoC)
pid | process
1016 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), likely a geofence check.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 1586f79f2d31e74c7a6579a3dbfc6db4ea3f68e92eb9a61be5dccf027b4bae5d.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1586f79f2d31e74c7a6579a3dbfc6db4ea3f68e92eb9a61be5dccf027b4bae5d.exe
This is machine-wide persistence: an HKLM Run value named MicroMedia relaunches the dropped MediaCenter.exe from the user's Temp directory at every logon. The WOW6432Node path is the redirected registry view a 32-bit process gets on x64, so the sample is a 32-bit executable. The write succeeded because the sandbox runs the sample as Admin; HKLM is not writable from a standard-user token.
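The two registry signatures above (the Geo\Nation lookup and the Run-key write into %TEMP%) are the kind of event a triage script can score without a human reading every row. The Python below is an added example written for this page; it is not the sandbox's own code. It assumes each event line has the shape the report's tables print, "<action> <key>[ = "<value>"] <process>", and it parses only that layout. The input lines are constructed from the two report rows plus one constructed benign control (a vendor updater registered from Program Files by msiexec.exe); the severity labels and the list of user-writable directories are the author's choices.

```python
"""Score registry events from a sandbox report.

Added example for this page, not the sandbox's own code. Assumed line shape:
"<action> <key>[ = "<value>"] <process>"; severities and directory list are
the author's.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed from the report's two registry rows, plus one constructed benign control.
SAMPLE_EVENTS = [
    r"Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 1586f79f2d31e74c7a6579a3dbfc6db4ea3f68e92eb9a61be5dccf027b4bae5d.exe",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 1586f79f2d31e74c7a6579a3dbfc6db4ea3f68e92eb9a61be5dccf027b4bae5d.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdate = "C:\\Program Files\\Vendor\\update.exe" msiexec.exe',
]

ACTIONS = ("Key value queried", "Set value (str)", "Set value (int)", "Set value (data)")

# Autostart keys and user-writable drop directories to score against (author's list).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|AppData\\Local|Users\\Public|ProgramData)\\",
    re.IGNORECASE,
)


@dataclass
class RegEvent:
    action: str
    key: str
    value: Optional[str]
    process: str


def parse_event(line: str) -> Optional[RegEvent]:
    """Split one report line into action, key, optional value and process."""
    for action in ACTIONS:
        if line.startswith(action + " "):
            rest = line[len(action) + 1:]
            break
    else:
        return None
    # The process name is the last space-separated token; keys may contain spaces.
    rest, _, process = rest.rpartition(" ")
    if " = " in rest:
        key, _, raw = rest.partition(" = ")
        # The report doubles backslashes inside quoted string values.
        value = raw.strip('"').replace("\\\\", "\\")
    else:
        key, value = rest, None
    return RegEvent(action, key, value, process)


def assess(ev: RegEvent):
    """Yield (finding, severity) pairs for one event."""
    if ev.action.startswith("Set value") and RUN_KEY_RE.search(ev.key):
        # An autostart entry pointing into a user-writable directory is classic
        # dropper persistence; one pointing under Program Files is routine.
        drop = ev.value is not None and USER_WRITABLE_RE.search(ev.value)
        yield "run_key_persistence", ("high" if drop else "info")
    if ev.action == "Key value queried" and GEO_KEY_RE.search(ev.key):
        yield "locale_geofence_check", "medium"


def triage(lines: List[str]):
    """Return one finding dict per (event, rule) hit, in input order."""
    out = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for finding, severity in assess(ev):
            out.append({
                "finding": finding,
                "severity": severity,
                "process": ev.process,
                "key": ev.key,
                "value": ev.value,
                # WOW6432Node is the redirected view a 32-bit process sees on x64.
                "wow64": "WOW6432Node" in ev.key,
            })
    return out


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f'{hit["severity"]:6} {hit["finding"]:24} wow64={hit["wow64"]!s:5} {hit["process"]}')
```

The Run-key rule scores on where the value points rather than on the key alone, which is what separates this sample's Temp-directory entry from the thousands of legitimate Run entries on a real host; the geofence rule is read-only and so only ever reaches medium.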
Drops file in Windows directory (8 IoCs)
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
All eight writes come from the Windows Update service host (svchost.exe -s wuauserv) and the servicing worker (TiWorker.exe), neither of which is a child of the sample (see the process tree); this signature is guest background activity, not sample behaviour.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature says "likely ransomware behaviour"; the report lists no IoCs for it, so the triggering process is not shown here.
Runs ping.exe (1 TTP, 1 IoC)
See PING.EXE (PID 2164) in the process tree: ping 127.0.0.1 is used as a delay in the self-delete command, not as network reconnaissance.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
The report's row-per-call table collapses to three processes:
token(s) | pid | process
SeShutdownPrivilege, SeCreatePagefilePrivilege (alternating, repeated) | 1972 | svchost.exe
SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege (cycled repeatedly) | 3608 | TiWorker.exe
SeIncBasePriorityPrivilege (once) | 772 | 1586f79f2d31e74c7a6579a3dbfc6db4ea3f68e92eb9a61be5dccf027b4bae5d.exe
Only the single SeIncBasePriorityPrivilege adjustment belongs to the sample. The backup/restore/security and shutdown/pagefile rows are the Windows Update and servicing-stack components (PIDs 1972 and 3608) doing their normal work in the guest, and they account for almost all of the 64 IoCs.
Suspicious use of WriteProcessMemory (9 IoCs)
source pid | source process | target pid | target process | writes
772 | 1586f79f2d31e74c7a6579a3dbfc6db4ea3f68e92eb9a61be5dccf027b4bae5d.exe | 1016 | MediaCenter.exe | 3
772 | 1586f79f2d31e74c7a6579a3dbfc6db4ea3f68e92eb9a61be5dccf027b4bae5d.exe | 5048 | cmd.exe | 3
5048 | cmd.exe | 2164 | PING.EXE | 3
Each target is the source's own newly created child (see the process tree). Writes into a just-spawned child accompany ordinary process creation and do not by themselves indicate injection into a foreign process; injection would show writes into a process the source did not create.
Processes

C:\Users\Admin\AppData\Local\Temp\1586f79f2d31e74c7a6579a3dbfc6db4ea3f68e92eb9a61be5dccf027b4bae5d.exe (PID 772)
  command line: "C:\Users\Admin\AppData\Local\Temp\1586f79f2d31e74c7a6579a3dbfc6db4ea3f68e92eb9a61be5dccf027b4bae5d.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1016)
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe (PID 5048)
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1586f79f2d31e74c7a6579a3dbfc6db4ea3f68e92eb9a61be5dccf027b4bae5d.exe"
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE (PID 2164)
          command line: ping 127.0.0.1
          - Runs ping.exe

C:\Windows\system32\svchost.exe (PID 1972)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 3608)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample (PID 772) drops and starts MediaCenter.exe, registers it in the Run key, then spawns cmd.exe to remove itself. The ping 127.0.0.1 is a delay so that the original executable has exited before del /q runs; after that only the dropped MediaCenter.exe remains on disk, and the Run key relaunches it at logon. The cmd.exe and PING.EXE images resolve to SysWOW64 even though the command line names System32 (file-system redirection), which together with the WOW6432Node Run key confirms the sample is 32-bit running under WOW64 on the x64 guest. svchost.exe (wuauserv) and TiWorker.exe are Windows Update components in the guest with no parent link to the sample.
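The process tree is what lets an analyst separate sample behaviour from guest noise in the signature tables above: anything not descended from PID 772 (here, the Windows Update processes 1972 and 3608) can be set aside, and the cmd.exe child can be checked for the ping-then-del self-delete pattern. The Python below is an added example for this page, not the sandbox's code. Its process records and token events are constructed from the report's tree and a subset of the AdjustPrivilegeToken rows; the self-delete regex and the Windows Update heuristic are the author's.

```python
"""Attribute sandbox signatures to the sample's process lineage.

Added example for this page, not the sandbox's own code. Process records and
token events are constructed from the report; regexes and heuristics are the
author's.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1586f79f2d31e74c7a6579a3dbfc6db4ea3f68e92eb9a61be5dccf027b4bae5d.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
TIWORKER = (r"C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35"
            r"_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe")

# (pid, parent pid, image path, command line); parent None = not started by the sample.
# Constructed from the report's process tree.
PROCESSES: List[Tuple[int, Optional[int], str, str]] = [
    (772, None, SAMPLE, '"' + SAMPLE + '"'),
    (1016, 772, DROPPED, DROPPED),
    (5048, 772, r"C:\Windows\SysWOW64\cmd.exe",
     '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'),
    (2164, 5048, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    (1972, None, r"C:\Windows\system32\svchost.exe",
     r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"),
    (3608, None, TIWORKER, TIWORKER + " -Embedding"),
]

# A few (privilege, pid) rows from the report's AdjustPrivilegeToken table.
TOKEN_EVENTS = [
    ("SeShutdownPrivilege", 1972), ("SeCreatePagefilePrivilege", 1972),
    ("SeSecurityPrivilege", 3608), ("SeRestorePrivilege", 3608), ("SeBackupPrivilege", 3608),
    ("SeIncBasePriorityPrivilege", 772),
]


def lineage(processes, root_pid: int) -> Set[int]:
    """PIDs of root_pid and every descendant, following parent links."""
    children = defaultdict(list)
    for pid, ppid, _, _ in processes:
        children[ppid].append(pid)
    seen, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        stack.extend(children[pid])
    return seen


# "del ... <path>.exe" inside a cmd.exe command line; ping/timeout/choice are the
# usual stalls placed in front of it so the victim has exited before the delete.
DEL_TARGET_RE = re.compile(r'\bdel\b[^&]*?"?(?P<target>[A-Za-z]:\\[^"&]+?\.exe)"?', re.IGNORECASE)
DELAY_RE = re.compile(r"\b(ping|timeout|choice)\b", re.IGNORECASE)


def self_delete_findings(processes) -> List[Dict]:
    """Flag cmd.exe instances whose del target is the image of one of their ancestors."""
    by_pid = {p[0]: p for p in processes}
    findings = []
    for pid, ppid, image, cmdline in processes:
        if not image.lower().endswith("\\cmd.exe"):
            continue
        m = DEL_TARGET_RE.search(cmdline)
        if not m:
            continue
        target = m.group("target").lower()
        anc = ppid
        while anc in by_pid:  # walk up the tree until the root
            if by_pid[anc][2].lower() == target:
                findings.append({"cmd_pid": pid, "victim_pid": anc, "target": m.group("target"),
                                 "delayed": bool(DELAY_RE.search(cmdline))})
                break
            anc = by_pid[anc][1]
    return findings


def is_windows_update(image: str, cmdline: str) -> bool:
    """Servicing-stack noise that sandboxes routinely record in the background (author's heuristic)."""
    return "-s wuauserv" in cmdline or image.lower().endswith("\\tiworker.exe")


def split_events(events, processes, root_pid: int):
    """Partition (name, pid) events into those in the sample's lineage and the rest."""
    lin = lineage(processes, root_pid)
    sample = [e for e in events if e[1] in lin]
    background = [e for e in events if e[1] not in lin]
    return sample, background


if __name__ == "__main__":
    print("sample lineage:", sorted(lineage(PROCESSES, 772)))
    for f in self_delete_findings(PROCESSES):
        print("self-delete:", f)
    own, noise = split_events(TOKEN_EVENTS, PROCESSES, 772)
    print("sample token events:", own)
    print("background token events:", len(noise), "from", sorted({pid for _, pid in noise}))
```

The self-delete check compares the del target against ancestor image paths rather than just looking for "ping & del", so a cleanup script deleting some unrelated file does not fire, while the pattern in this report (cmd.exe deleting its parent's image after a ping stall) does.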
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 038232e866ca78bbde470b3863af928e
SHA1: f012a39c56bc041340c440366cda075d98ca560c
SHA256: fee4abbacb81de53ce1e84b8643d6b63c4d6b0b9e3ce00f4b38f9d0b7aa3f77e
SHA512: d07b7dcda034d2c97cf7c4efd47f23ccc03861916b84723b33d89359c93b4d87ae5b318c79078cbe70a4887d48750cf1e64929bdb4caf88dae1b3683c3997619