Analysis
- max time kernel: 148s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 04:43
Static task: static1
Behavioral task: behavioral1
- Sample: 14b1bdfad0c474a6b712dde20236f4e4a5c9d68a4cee46d51ed107017acf5925.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 14b1bdfad0c474a6b712dde20236f4e4a5c9d68a4cee46d51ed107017acf5925.exe
- Resource: win10v2004-en-20220113
General
- Target: 14b1bdfad0c474a6b712dde20236f4e4a5c9d68a4cee46d51ed107017acf5925.exe
- Size: 99KB
- MD5: 861efbe57e0c74977e0104edb9184dec
- SHA1: f070aa10af8dcee7b0d00ebec0fde45a65810cad
- SHA256: 14b1bdfad0c474a6b712dde20236f4e4a5c9d68a4cee46d51ed107017acf5925
- SHA512: 46906fe2584c6572596660b1ae0be211a8935ccb72fcec68163ce6b0dabaeb759af5d12a0cf889f2afe1da7827f6cb1dddb48877ac8196c2f3349af30de512a7
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  4788 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 14b1bdfad0c474a6b712dde20236f4e4a5c9d68a4cee46d51ed107017acf5925.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 14b1bdfad0c474a6b712dde20236f4e4a5c9d68a4cee46d51ed107017acf5925.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 1308 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1308 | svchost.exe
  Token: SeShutdownPrivilege | 1308 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1308 | svchost.exe
  Token: SeShutdownPrivilege | 1308 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1308 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 420 | 14b1bdfad0c474a6b712dde20236f4e4a5c9d68a4cee46d51ed107017acf5925.exe
  Token: SeSecurityPrivilege | 556 | TiWorker.exe
  Token: SeRestorePrivilege | 556 | TiWorker.exe
  Token: SeBackupPrivilege | 556 | TiWorker.exe
  Token: SeBackupPrivilege | 556 | TiWorker.exe
  Token: SeRestorePrivilege | 556 | TiWorker.exe
  Token: SeSecurityPrivilege | 556 | TiWorker.exe
  Token: SeBackupPrivilege | 556 | TiWorker.exe
  Token: SeRestorePrivilege | 556 | TiWorker.exe
  Token: SeSecurityPrivilege | 556 | TiWorker.exe
  Token: SeBackupPrivilege | 556 | TiWorker.exe
  Token: SeRestorePrivilege | 556 | TiWorker.exe
  Token: SeSecurityPrivilege | 556 | TiWorker.exe
  Token: SeBackupPrivilege | 556 | TiWorker.exe
  Token: SeRestorePrivilege | 556 | TiWorker.exe
  Token: SeSecurityPrivilege | 556 | TiWorker.exe
  Token: SeBackupPrivilege | 556 | TiWorker.exe
  Token: SeRestorePrivilege | 556 | TiWorker.exe
  Token: SeSecurityPrivilege | 556 | TiWorker.exe
  Token: SeBackupPrivilege | 556 | TiWorker.exe
  Token: SeRestorePrivilege | 556 | TiWorker.exe
  Token: SeSecurityPrivilege | 556 | TiWorker.exe
  Token: SeBackupPrivilege | 556 | TiWorker.exe
  Token: SeRestorePrivilege | 556 | TiWorker.exe
  Token: SeSecurityPrivilege | 556 | TiWorker.exe
  Token: SeBackupPrivilege | 556 | TiWorker.exe
  Token: SeRestorePrivilege | 556 | TiWorker.exe
  Token: SeSecurityPrivilege | 556 | TiWorker.exe
  Token: SeBackupPrivilege | 556 | TiWorker.exe
  Token: SeRestorePrivilege | 556 | TiWorker.exe
  Token: SeSecurityPrivilege | 556 | TiWorker.exe
  Token: SeBackupPrivilege | 556 | TiWorker.exe
  Token: SeRestorePrivilege | 556 | TiWorker.exe
  Token: SeSecurityPrivilege | 556 | TiWorker.exe
  Token: SeBackupPrivilege | 556 | TiWorker.exe
  Token: SeRestorePrivilege | 556 | TiWorker.exe
  Token: SeSecurityPrivilege | 556 | TiWorker.exe
  Token: SeBackupPrivilege | 556 | TiWorker.exe
  Token: SeRestorePrivilege | 556 | TiWorker.exe
  Token: SeSecurityPrivilege | 556 | TiWorker.exe
  Token: SeBackupPrivilege | 556 | TiWorker.exe
  Token: SeRestorePrivilege | 556 | TiWorker.exe
  Token: SeSecurityPrivilege | 556 | TiWorker.exe
  Token: SeBackupPrivilege | 556 | TiWorker.exe
  Token: SeRestorePrivilege | 556 | TiWorker.exe
  Token: SeSecurityPrivilege | 556 | TiWorker.exe
  Token: SeBackupPrivilege | 556 | TiWorker.exe
  Token: SeRestorePrivilege | 556 | TiWorker.exe
  Token: SeSecurityPrivilege | 556 | TiWorker.exe
  Token: SeBackupPrivilege | 556 | TiWorker.exe
  Token: SeRestorePrivilege | 556 | TiWorker.exe
  Token: SeSecurityPrivilege | 556 | TiWorker.exe
  Token: SeBackupPrivilege | 556 | TiWorker.exe
  Token: SeRestorePrivilege | 556 | TiWorker.exe
  Token: SeSecurityPrivilege | 556 | TiWorker.exe
  Token: SeBackupPrivilege | 556 | TiWorker.exe
  Token: SeRestorePrivilege | 556 | TiWorker.exe
  Token: SeSecurityPrivilege | 556 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 420 wrote to memory of 4788 | 420 | 14b1bdfad0c474a6b712dde20236f4e4a5c9d68a4cee46d51ed107017acf5925.exe | MediaCenter.exe
  PID 420 wrote to memory of 4788 | 420 | 14b1bdfad0c474a6b712dde20236f4e4a5c9d68a4cee46d51ed107017acf5925.exe | MediaCenter.exe
  PID 420 wrote to memory of 4788 | 420 | 14b1bdfad0c474a6b712dde20236f4e4a5c9d68a4cee46d51ed107017acf5925.exe | MediaCenter.exe
  PID 420 wrote to memory of 2772 | 420 | 14b1bdfad0c474a6b712dde20236f4e4a5c9d68a4cee46d51ed107017acf5925.exe | cmd.exe
  PID 420 wrote to memory of 2772 | 420 | 14b1bdfad0c474a6b712dde20236f4e4a5c9d68a4cee46d51ed107017acf5925.exe | cmd.exe
  PID 420 wrote to memory of 2772 | 420 | 14b1bdfad0c474a6b712dde20236f4e4a5c9d68a4cee46d51ed107017acf5925.exe | cmd.exe
  PID 2772 wrote to memory of 3376 | 2772 | cmd.exe | PING.EXE
  PID 2772 wrote to memory of 3376 | 2772 | cmd.exe | PING.EXE
  PID 2772 wrote to memory of 3376 | 2772 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\14b1bdfad0c474a6b712dde20236f4e4a5c9d68a4cee46d51ed107017acf5925.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\14b1bdfad0c474a6b712dde20236f4e4a5c9d68a4cee46d51ed107017acf5925.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  PID: 420
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
    PID: 4788
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14b1bdfad0c474a6b712dde20236f4e4a5c9d68a4cee46d51ed107017acf5925.exe"
    Signatures: Suspicious use of WriteProcessMemory
    PID: 2772
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
      PID: 3376
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
  PID: 1308
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
  PID: 556
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: d357e3e88e68294c1b838fd00a6d9fd1
  SHA1: 5f6cbab2ea44cf3a878ec50a4dd6fb4d7aae4ba7
  SHA256: f7eb22a30467187af90172ab6144991b96c343c40c0d895735252e6f216b6b19
  SHA512: 32aa40eb21d99d918d3c551e2b257f65cc3ca81103cf7a4afe11217da3a5b5a9bddea832ff8c3d8ae6d90ae94eab92e2ce7a05208507ba736e0a3bd0e3aa3c19