Analysis
- max time kernel: 133s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 04:44
Static task: static1
Behavioral task: behavioral1
- Sample: 14acb4eb5b7f5c1d38e81846736ce34bda40ebfca708c731d16b7389afdf6715.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 14acb4eb5b7f5c1d38e81846736ce34bda40ebfca708c731d16b7389afdf6715.exe
- Resource: win10v2004-en-20220113
General
- Target: 14acb4eb5b7f5c1d38e81846736ce34bda40ebfca708c731d16b7389afdf6715.exe
- Size: 99KB
- MD5: 011875d3ad29c037fa7e3bb28025f500
- SHA1: c293041014e54e3d7429164387d1d5c00fc47f5e
- SHA256: 14acb4eb5b7f5c1d38e81846736ce34bda40ebfca708c731d16b7389afdf6715
- SHA512: 704fa167b4d3ed29998fbf03f86604206502dcc39834fce3cf71da0b1c13a88f3671241e23689272ebb5e820bdccbbc63771901197c162d28f50a5d0b1a79b09
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes (resource / yara_rule):
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
Executes dropped EXE (1 IoC)
Processes (pid / process):
- 3744 / MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
- Key value queried / \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation / 14acb4eb5b7f5c1d38e81846736ce34bda40ebfca708c731d16b7389afdf6715.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description / ioc / process):
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 14acb4eb5b7f5c1d38e81846736ce34bda40ebfca708c731d16b7389afdf6715.exe
Drops file in Windows directory (8 IoCs)
Processes (description / ioc / process):
- File opened for modification / C:\Windows\WindowsUpdate.log / svchost.exe
- File opened for modification / C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk / svchost.exe
- File opened for modification / C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log / svchost.exe
- File opened for modification / C:\Windows\SoftwareDistribution\DataStore\DataStore.edb / svchost.exe
- File opened for modification / C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm / svchost.exe
- File opened for modification / C:\Windows\SoftwareDistribution\ReportingEvents.log / svchost.exe
- File opened for modification / C:\Windows\Logs\CBS\CBS.log / TiWorker.exe
- File opened for modification / C:\Windows\WinSxS\pending.xml / TiWorker.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description / pid / process):
- Token: SeShutdownPrivilege / 2288 / svchost.exe
- Token: SeCreatePagefilePrivilege / 2288 / svchost.exe
- Token: SeShutdownPrivilege / 2288 / svchost.exe
- Token: SeCreatePagefilePrivilege / 2288 / svchost.exe
- Token: SeShutdownPrivilege / 2288 / svchost.exe
- Token: SeCreatePagefilePrivilege / 2288 / svchost.exe
- Token: SeIncBasePriorityPrivilege / 2396 / 14acb4eb5b7f5c1d38e81846736ce34bda40ebfca708c731d16b7389afdf6715.exe
- Token: SeSecurityPrivilege / 852 / TiWorker.exe
- Token: SeRestorePrivilege / 852 / TiWorker.exe
- Token: SeBackupPrivilege / 852 / TiWorker.exe
- The remaining 54 entries are Token: SeBackupPrivilege, Token: SeRestorePrivilege and Token: SeSecurityPrivilege, repeated in that order, all for pid 852 (TiWorker.exe).
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description / pid / process / target process):
- PID 2396 wrote to memory of 3744 / 2396 / 14acb4eb5b7f5c1d38e81846736ce34bda40ebfca708c731d16b7389afdf6715.exe / MediaCenter.exe
- PID 2396 wrote to memory of 3744 / 2396 / 14acb4eb5b7f5c1d38e81846736ce34bda40ebfca708c731d16b7389afdf6715.exe / MediaCenter.exe
- PID 2396 wrote to memory of 3744 / 2396 / 14acb4eb5b7f5c1d38e81846736ce34bda40ebfca708c731d16b7389afdf6715.exe / MediaCenter.exe
- PID 2396 wrote to memory of 3620 / 2396 / 14acb4eb5b7f5c1d38e81846736ce34bda40ebfca708c731d16b7389afdf6715.exe / cmd.exe
- PID 2396 wrote to memory of 3620 / 2396 / 14acb4eb5b7f5c1d38e81846736ce34bda40ebfca708c731d16b7389afdf6715.exe / cmd.exe
- PID 2396 wrote to memory of 3620 / 2396 / 14acb4eb5b7f5c1d38e81846736ce34bda40ebfca708c731d16b7389afdf6715.exe / cmd.exe
- PID 3620 wrote to memory of 824 / 3620 / cmd.exe / PING.EXE
- PID 3620 wrote to memory of 824 / 3620 / cmd.exe / PING.EXE
- PID 3620 wrote to memory of 824 / 3620 / cmd.exe / PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\14acb4eb5b7f5c1d38e81846736ce34bda40ebfca708c731d16b7389afdf6715.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\14acb4eb5b7f5c1d38e81846736ce34bda40ebfca708c731d16b7389afdf6715.exe"
  PID: 2396
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 3744
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14acb4eb5b7f5c1d38e81846736ce34bda40ebfca708c731d16b7389afdf6715.exe"
    PID: 3620
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 824
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 2288
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 852
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 4065ab3c888d26634da10c531e57ea81
- SHA1: 8690a7d14d8844240d4516c6d7710ee2225b7f43
- SHA256: d3407f1fcae318105466b93477bc678a325129e4e4bfee42e2e03a3a325e025a
- SHA512: 343230c0cc59a8f0caa4e30909a65bcf483b3ab2d71f77429a8e477b5039824cfeafaaa06bd042b0f599ce9d68deca6948af5468435d02dbe55ad482ac54f3d3