Analysis
- max time kernel: 153s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 05:29
Static task: static1

Behavioral task: behavioral1
- Sample: 12a19f80b7c054cbfd239f4dd6d21bfcbdea7f02fbe238ffe6d4044de016eb2c.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 12a19f80b7c054cbfd239f4dd6d21bfcbdea7f02fbe238ffe6d4044de016eb2c.exe
- Resource: win10v2004-en-20220113
General
- Target: 12a19f80b7c054cbfd239f4dd6d21bfcbdea7f02fbe238ffe6d4044de016eb2c.exe
- Size: 100KB
- MD5: c8a1370c1c2fb5d4e7a4ac500cf35351
- SHA1: a19e58cb878cfd1d94886f92962449446aff1aa4
- SHA256: 12a19f80b7c054cbfd239f4dd6d21bfcbdea7f02fbe238ffe6d4044de016eb2c
- SHA512: 8344c6e859f3e7a28416c08359001b3ec8577dbcb09d03c6c79de880914585d0d300db43e2e24791fd104c9bb24ddcf08002a941b1fe9cd3bbaa562d062a9967
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  3124 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 12a19f80b7c054cbfd239f4dd6d21bfcbdea7f02fbe238ffe6d4044de016eb2c.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 12a19f80b7c054cbfd239f4dd6d21bfcbdea7f02fbe238ffe6d4044de016eb2c.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 428 | svchost.exe
  Token: SeCreatePagefilePrivilege | 428 | svchost.exe
  Token: SeShutdownPrivilege | 428 | svchost.exe
  Token: SeCreatePagefilePrivilege | 428 | svchost.exe
  Token: SeShutdownPrivilege | 428 | svchost.exe
  Token: SeCreatePagefilePrivilege | 428 | svchost.exe
  Token: SeSecurityPrivilege | 732 | TiWorker.exe
  Token: SeRestorePrivilege | 732 | TiWorker.exe
  Token: SeBackupPrivilege | 732 | TiWorker.exe
  Token: SeBackupPrivilege | 732 | TiWorker.exe
  Token: SeRestorePrivilege | 732 | TiWorker.exe
  Token: SeSecurityPrivilege | 732 | TiWorker.exe
  Token: SeBackupPrivilege | 732 | TiWorker.exe
  Token: SeRestorePrivilege | 732 | TiWorker.exe
  Token: SeSecurityPrivilege | 732 | TiWorker.exe
  Token: SeBackupPrivilege | 732 | TiWorker.exe
  Token: SeRestorePrivilege | 732 | TiWorker.exe
  Token: SeSecurityPrivilege | 732 | TiWorker.exe
  Token: SeBackupPrivilege | 732 | TiWorker.exe
  Token: SeRestorePrivilege | 732 | TiWorker.exe
  Token: SeSecurityPrivilege | 732 | TiWorker.exe
  Token: SeBackupPrivilege | 732 | TiWorker.exe
  Token: SeRestorePrivilege | 732 | TiWorker.exe
  Token: SeSecurityPrivilege | 732 | TiWorker.exe
  Token: SeBackupPrivilege | 732 | TiWorker.exe
  Token: SeRestorePrivilege | 732 | TiWorker.exe
  Token: SeSecurityPrivilege | 732 | TiWorker.exe
  Token: SeBackupPrivilege | 732 | TiWorker.exe
  Token: SeRestorePrivilege | 732 | TiWorker.exe
  Token: SeSecurityPrivilege | 732 | TiWorker.exe
  Token: SeBackupPrivilege | 732 | TiWorker.exe
  Token: SeRestorePrivilege | 732 | TiWorker.exe
  Token: SeSecurityPrivilege | 732 | TiWorker.exe
  Token: SeBackupPrivilege | 732 | TiWorker.exe
  Token: SeRestorePrivilege | 732 | TiWorker.exe
  Token: SeSecurityPrivilege | 732 | TiWorker.exe
  Token: SeBackupPrivilege | 732 | TiWorker.exe
  Token: SeRestorePrivilege | 732 | TiWorker.exe
  Token: SeSecurityPrivilege | 732 | TiWorker.exe
  Token: SeBackupPrivilege | 732 | TiWorker.exe
  Token: SeRestorePrivilege | 732 | TiWorker.exe
  Token: SeSecurityPrivilege | 732 | TiWorker.exe
  Token: SeBackupPrivilege | 732 | TiWorker.exe
  Token: SeRestorePrivilege | 732 | TiWorker.exe
  Token: SeSecurityPrivilege | 732 | TiWorker.exe
  Token: SeBackupPrivilege | 732 | TiWorker.exe
  Token: SeRestorePrivilege | 732 | TiWorker.exe
  Token: SeSecurityPrivilege | 732 | TiWorker.exe
  Token: SeBackupPrivilege | 732 | TiWorker.exe
  Token: SeRestorePrivilege | 732 | TiWorker.exe
  Token: SeSecurityPrivilege | 732 | TiWorker.exe
  Token: SeBackupPrivilege | 732 | TiWorker.exe
  Token: SeRestorePrivilege | 732 | TiWorker.exe
  Token: SeSecurityPrivilege | 732 | TiWorker.exe
  Token: SeIncBasePriorityPrivilege | 2512 | 12a19f80b7c054cbfd239f4dd6d21bfcbdea7f02fbe238ffe6d4044de016eb2c.exe
  Token: SeBackupPrivilege | 732 | TiWorker.exe
  Token: SeRestorePrivilege | 732 | TiWorker.exe
  Token: SeSecurityPrivilege | 732 | TiWorker.exe
  Token: SeBackupPrivilege | 732 | TiWorker.exe
  Token: SeRestorePrivilege | 732 | TiWorker.exe
  Token: SeSecurityPrivilege | 732 | TiWorker.exe
  Token: SeBackupPrivilege | 732 | TiWorker.exe
  Token: SeRestorePrivilege | 732 | TiWorker.exe
  Token: SeSecurityPrivilege | 732 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 2512 wrote to memory of 3124 | 2512 | 12a19f80b7c054cbfd239f4dd6d21bfcbdea7f02fbe238ffe6d4044de016eb2c.exe | MediaCenter.exe
  PID 2512 wrote to memory of 3124 | 2512 | 12a19f80b7c054cbfd239f4dd6d21bfcbdea7f02fbe238ffe6d4044de016eb2c.exe | MediaCenter.exe
  PID 2512 wrote to memory of 3124 | 2512 | 12a19f80b7c054cbfd239f4dd6d21bfcbdea7f02fbe238ffe6d4044de016eb2c.exe | MediaCenter.exe
  PID 2512 wrote to memory of 1324 | 2512 | 12a19f80b7c054cbfd239f4dd6d21bfcbdea7f02fbe238ffe6d4044de016eb2c.exe | cmd.exe
  PID 2512 wrote to memory of 1324 | 2512 | 12a19f80b7c054cbfd239f4dd6d21bfcbdea7f02fbe238ffe6d4044de016eb2c.exe | cmd.exe
  PID 2512 wrote to memory of 1324 | 2512 | 12a19f80b7c054cbfd239f4dd6d21bfcbdea7f02fbe238ffe6d4044de016eb2c.exe | cmd.exe
  PID 1324 wrote to memory of 704 | 1324 | cmd.exe | PING.EXE
  PID 1324 wrote to memory of 704 | 1324 | cmd.exe | PING.EXE
  PID 1324 wrote to memory of 704 | 1324 | cmd.exe | PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\12a19f80b7c054cbfd239f4dd6d21bfcbdea7f02fbe238ffe6d4044de016eb2c.exe (PID 2512)
    Command line: "C:\Users\Admin\AppData\Local\Temp\12a19f80b7c054cbfd239f4dd6d21bfcbdea7f02fbe238ffe6d4044de016eb2c.exe"
    Signatures:
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 3124)
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Signatures:
        - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe (PID 1324)
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\12a19f80b7c054cbfd239f4dd6d21bfcbdea7f02fbe238ffe6d4044de016eb2c.exe"
        Signatures:
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\PING.EXE (PID 704)
            Command line: ping 127.0.0.1
            Signatures:
            - Runs ping.exe

C:\Windows\system32\svchost.exe (PID 428)
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    Signatures:
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 732)
    Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    Signatures:
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 9cf83ccd288e0be42a98e39cf2c208cd
  SHA1: 49318c0669ba830fe1c09f82c608260466fc6fbb
  SHA256: fcfca77842bac70a297faac781f6256eb55ae7c126e9731cb687f6168a950f63
  SHA512: 79bdc58d5643fd3b2c64961a44728f9a73defe3ccc49b4d010035c2f6d3add68f601f1a0e7225bf6415b02723437a6d1ce06a38f7df610803c47da0b021b2ffa