Analysis
- max time kernel: 147s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 05:33
Static task: static1
Behavioral task: behavioral1
- Sample: 12649cd157549fad27304cd9efaeed7eb380bcf27e4fed39d40774da8052b358.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 12649cd157549fad27304cd9efaeed7eb380bcf27e4fed39d40774da8052b358.exe
- Resource: win10v2004-en-20220113
General
- Target: 12649cd157549fad27304cd9efaeed7eb380bcf27e4fed39d40774da8052b358.exe
- Size: 79KB
- MD5: b9bb07e6c13c934bda129898ad893c5f
- SHA1: 0c0753f7608b7692a1de7449310c85c630aa488e
- SHA256: 12649cd157549fad27304cd9efaeed7eb380bcf27e4fed39d40774da8052b358
- SHA512: 42e791163c59835beaf0da3af6d7503ed53b89d874014096746b1400a1709cc7ace810934d6f0e457a090d4741ebf5da91804125d62cd8925d963a04818be10e
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource                                                       yara_rule
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    1440  MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
    process: 12649cd157549fad27304cd9efaeed7eb380bcf27e4fed39d40774da8052b358.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 12649cd157549fad27304cd9efaeed7eb380bcf27e4fed39d40774da8052b358.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
    description                   ioc                                                       process
    File opened for modification  C:\Windows\WinSxS\pending.xml                             TiWorker.exe
    File opened for modification  C:\Windows\WindowsUpdate.log                              svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk    svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log    svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb   svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm   svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log       svchost.exe
    File opened for modification  C:\Windows\Logs\CBS\CBS.log                               TiWorker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                       pid   process                                                                target process
    PID 4688 wrote to memory of 1440  4688  12649cd157549fad27304cd9efaeed7eb380bcf27e4fed39d40774da8052b358.exe  MediaCenter.exe
    PID 4688 wrote to memory of 1440  4688  12649cd157549fad27304cd9efaeed7eb380bcf27e4fed39d40774da8052b358.exe  MediaCenter.exe
    PID 4688 wrote to memory of 1440  4688  12649cd157549fad27304cd9efaeed7eb380bcf27e4fed39d40774da8052b358.exe  MediaCenter.exe
    PID 4688 wrote to memory of 4644  4688  12649cd157549fad27304cd9efaeed7eb380bcf27e4fed39d40774da8052b358.exe  cmd.exe
    PID 4688 wrote to memory of 4644  4688  12649cd157549fad27304cd9efaeed7eb380bcf27e4fed39d40774da8052b358.exe  cmd.exe
    PID 4688 wrote to memory of 4644  4688  12649cd157549fad27304cd9efaeed7eb380bcf27e4fed39d40774da8052b358.exe  cmd.exe
    PID 4644 wrote to memory of 2820  4644  cmd.exe                                                                PING.EXE
    PID 4644 wrote to memory of 2820  4644  cmd.exe                                                                PING.EXE
    PID 4644 wrote to memory of 2820  4644  cmd.exe                                                                PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\12649cd157549fad27304cd9efaeed7eb380bcf27e4fed39d40774da8052b358.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\12649cd157549fad27304cd9efaeed7eb380bcf27e4fed39d40774da8052b358.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4688
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1440
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\12649cd157549fad27304cd9efaeed7eb380bcf27e4fed39d40774da8052b358.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4644
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 2820
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4868
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2724
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 193bbbf35185fd02588797cd0c040446
  SHA1: b459a588bb73a98643a09159b77a1d0af60b0343
  SHA256: 93e15940da89ee27fc986f4e62815dca4bf9ea194957aa4dff39dbcb188eb9f2
  SHA512: a36e15697bfa03b18549aff6bb97555ef66c8163dac57dd8b5fcabf4acd996452e97eb315ce0bcbe0f2a9fc74345a326e038334f771cdb4c81618bc7e745ba56