Analysis
max time kernel: 122s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 04:48

Static task: static1

Behavioral task: behavioral1
  Sample: 14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941.exe
  Resource: win10v2004-en-20220113
General
Target: 14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941.exe
Size: 99KB
MD5: d165c639f01cb9433571f35b64417a64
SHA1: 552ebf9b7e756359e8b6e3986a3852b5325a2bee
SHA256: 14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941
SHA512: 9465a71b87d69644d772f7396aea9e349213b211f915a6929c3871646cba3359433e21bac4d2bd2791dcd17ef1960966c9a95bae6666116d7ad73280533fb5b6
Malware Config

Signatures
Sakula Payload (2 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE (1 IoC)
Processes:
  pid | process
  1428 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941.exe
Drops file in Windows directory (8 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 4784 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4784 | svchost.exe
  Token: SeShutdownPrivilege | 4784 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4784 | svchost.exe
  Token: SeShutdownPrivilege | 4784 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4784 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 1304 | 14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941.exe
  Token: SeSecurityPrivilege | 4328 | TiWorker.exe
  Token: SeRestorePrivilege | 4328 | TiWorker.exe
  Token: SeBackupPrivilege | 4328 | TiWorker.exe
  Token: SeBackupPrivilege | 4328 | TiWorker.exe
  Token: SeRestorePrivilege | 4328 | TiWorker.exe
  Token: SeSecurityPrivilege | 4328 | TiWorker.exe
  Token: SeBackupPrivilege | 4328 | TiWorker.exe
  Token: SeRestorePrivilege | 4328 | TiWorker.exe
  Token: SeSecurityPrivilege | 4328 | TiWorker.exe
  Token: SeBackupPrivilege | 4328 | TiWorker.exe
  Token: SeRestorePrivilege | 4328 | TiWorker.exe
  Token: SeSecurityPrivilege | 4328 | TiWorker.exe
  Token: SeBackupPrivilege | 4328 | TiWorker.exe
  Token: SeRestorePrivilege | 4328 | TiWorker.exe
  Token: SeSecurityPrivilege | 4328 | TiWorker.exe
  Token: SeBackupPrivilege | 4328 | TiWorker.exe
  Token: SeRestorePrivilege | 4328 | TiWorker.exe
  Token: SeSecurityPrivilege | 4328 | TiWorker.exe
  Token: SeBackupPrivilege | 4328 | TiWorker.exe
  Token: SeRestorePrivilege | 4328 | TiWorker.exe
  Token: SeSecurityPrivilege | 4328 | TiWorker.exe
  Token: SeBackupPrivilege | 4328 | TiWorker.exe
  Token: SeRestorePrivilege | 4328 | TiWorker.exe
  Token: SeSecurityPrivilege | 4328 | TiWorker.exe
  Token: SeBackupPrivilege | 4328 | TiWorker.exe
  Token: SeRestorePrivilege | 4328 | TiWorker.exe
  Token: SeSecurityPrivilege | 4328 | TiWorker.exe
  Token: SeBackupPrivilege | 4328 | TiWorker.exe
  Token: SeRestorePrivilege | 4328 | TiWorker.exe
  Token: SeSecurityPrivilege | 4328 | TiWorker.exe
  Token: SeBackupPrivilege | 4328 | TiWorker.exe
  Token: SeRestorePrivilege | 4328 | TiWorker.exe
  Token: SeSecurityPrivilege | 4328 | TiWorker.exe
  Token: SeBackupPrivilege | 4328 | TiWorker.exe
  Token: SeRestorePrivilege | 4328 | TiWorker.exe
  Token: SeSecurityPrivilege | 4328 | TiWorker.exe
  Token: SeBackupPrivilege | 4328 | TiWorker.exe
  Token: SeRestorePrivilege | 4328 | TiWorker.exe
  Token: SeSecurityPrivilege | 4328 | TiWorker.exe
  Token: SeBackupPrivilege | 4328 | TiWorker.exe
  Token: SeRestorePrivilege | 4328 | TiWorker.exe
  Token: SeSecurityPrivilege | 4328 | TiWorker.exe
  Token: SeBackupPrivilege | 4328 | TiWorker.exe
  Token: SeRestorePrivilege | 4328 | TiWorker.exe
  Token: SeSecurityPrivilege | 4328 | TiWorker.exe
  Token: SeBackupPrivilege | 4328 | TiWorker.exe
  Token: SeRestorePrivilege | 4328 | TiWorker.exe
  Token: SeSecurityPrivilege | 4328 | TiWorker.exe
  Token: SeBackupPrivilege | 4328 | TiWorker.exe
  Token: SeRestorePrivilege | 4328 | TiWorker.exe
  Token: SeSecurityPrivilege | 4328 | TiWorker.exe
  Token: SeBackupPrivilege | 4328 | TiWorker.exe
  Token: SeRestorePrivilege | 4328 | TiWorker.exe
  Token: SeSecurityPrivilege | 4328 | TiWorker.exe
  Token: SeBackupPrivilege | 4328 | TiWorker.exe
  Token: SeRestorePrivilege | 4328 | TiWorker.exe
  Token: SeSecurityPrivilege | 4328 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description | pid | process | target process
  PID 1304 wrote to memory of 1428 | 1304 | 14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941.exe | MediaCenter.exe
  PID 1304 wrote to memory of 1428 | 1304 | 14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941.exe | MediaCenter.exe
  PID 1304 wrote to memory of 1428 | 1304 | 14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941.exe | MediaCenter.exe
  PID 1304 wrote to memory of 2028 | 1304 | 14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941.exe | cmd.exe
  PID 1304 wrote to memory of 2028 | 1304 | 14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941.exe | cmd.exe
  PID 1304 wrote to memory of 2028 | 1304 | 14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941.exe | cmd.exe
  PID 2028 wrote to memory of 4732 | 2028 | cmd.exe | PING.EXE
  PID 2028 wrote to memory of 4732 | 2028 | cmd.exe | PING.EXE
  PID 2028 wrote to memory of 4732 | 2028 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941.exe"
  PID: 1304
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1428
    - Executes dropped EXE
  Child: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941.exe"
    PID: 2028
    - Suspicious use of WriteProcessMemory
    Child: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 4732
      - Runs ping.exe

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4784
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 4328
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 2e3aef80be36f175384ab71be851d229
SHA1: 36666bf0cf4a6be7adb9152bdaccf11ab8f6a491
SHA256: 7f52d03a381e624a43df7347c678b9bf8938b32186374dbece4994b4e6faf98e
SHA512: 136781735f12fbe11521ef4e3a9f34a32940586d3492e9b2ecf20d3d4cf3a69421ed8f9ca186774f5680a548dcaf02efbbeae5670e7637bb51816ab5a3958301