Analysis
- max time kernel: 135s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 04:42

Static task: static1

Behavioral task: behavioral1
- Sample: 14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe
- Resource: win10v2004-en-20220113
General
- Target: 14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe
- Size: 89KB
- MD5: 0f97508957cc5f0397e25c39657145ee
- SHA1: 90fde6621f25c5915adadfe888a8d061b33e7367
- SHA256: 14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b
- SHA512: ffdd5141f6347b40f3c5628c37b635a46ad2144ecb51e829ce1ba196a8ddfd73ab615270d5017780b3dad92748e9adf9f1b0c788dc3760ec0d24f94c23caf82c
Malware Config
Signatures

Sakula Payload (2 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

Executes dropped EXE (1 IoC)
Processes:
pid | process
1156 | MediaCenter.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe

Drops file in Windows directory (8 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 4284 wrote to memory of 1156 | 4284 | 14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe | MediaCenter.exe
PID 4284 wrote to memory of 1156 | 4284 | 14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe | MediaCenter.exe
PID 4284 wrote to memory of 1156 | 4284 | 14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe | MediaCenter.exe
PID 4284 wrote to memory of 1112 | 4284 | 14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe | cmd.exe
PID 4284 wrote to memory of 1112 | 4284 | 14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe | cmd.exe
PID 4284 wrote to memory of 1112 | 4284 | 14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe | cmd.exe
PID 1112 wrote to memory of 1796 | 1112 | cmd.exe | PING.EXE
PID 1112 wrote to memory of 1796 | 1112 | cmd.exe | PING.EXE
PID 1112 wrote to memory of 1796 | 1112 | cmd.exe | PING.EXE
Processes

- C:\Users\Admin\AppData\Local\Temp\14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 4284
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1156
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1112
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1796

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4020

- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3568
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 84d45e8f2f57b0f04d0fb3ae1213a3d3
- SHA1: b9f0ef31de0afc3163d1b4493b2f09b9ddea0256
- SHA256: 95b02e2cc2944bc754d10fcd4e5e71c563338a2b4f0132453a4659561430efb3
- SHA512: 9fe70456ca33f5c1ae67ac87f5c1156ca4ec0d89a00578ade0d500a1a8dfebb3cd5baa53dc98bdd75754ec2d0fd4f8c57ef94d3a42684786dfd4a198d9dfa10c