Analysis
-
max time kernel
145s -
max time network
167s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 04:49
Static task
static1
Behavioral task
behavioral1
Sample
14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exe
Resource
win10v2004-en-20220113
General
-
Target
14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exe
-
Size
101KB
-
MD5
e5c8f39466b7e7343bd17daf0a0baa29
-
SHA1
c40dd448870a1bcdf6ff1edaa5a0bb99768aed35
-
SHA256
14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c
-
SHA512
8eab8ea899ebe3edf5b5e2dbaf0924291fac056a5fc71bc79ef829f8a92263aacf174046d9de4371bcb7647c6897f5330bd1769b02dcc3605fb50cd1a47b0e25
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1508 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exe -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exe14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 1564 svchost.exe Token: SeCreatePagefilePrivilege 1564 svchost.exe Token: SeShutdownPrivilege 1564 svchost.exe Token: SeCreatePagefilePrivilege 1564 svchost.exe Token: SeShutdownPrivilege 1564 svchost.exe Token: SeCreatePagefilePrivilege 1564 svchost.exe Token: SeIncBasePriorityPrivilege 1424 14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exe Token: SeSecurityPrivilege 1788 TiWorker.exe Token: SeRestorePrivilege 1788 TiWorker.exe Token: SeBackupPrivilege 1788 TiWorker.exe Token: SeBackupPrivilege 1788 TiWorker.exe Token: SeRestorePrivilege 1788 TiWorker.exe Token: SeSecurityPrivilege 1788 TiWorker.exe Token: SeBackupPrivilege 1788 TiWorker.exe Token: SeRestorePrivilege 1788 TiWorker.exe Token: SeSecurityPrivilege 1788 TiWorker.exe Token: SeBackupPrivilege 1788 TiWorker.exe Token: SeRestorePrivilege 1788 TiWorker.exe Token: SeSecurityPrivilege 1788 TiWorker.exe Token: SeBackupPrivilege 1788 TiWorker.exe Token: SeRestorePrivilege 1788 TiWorker.exe Token: SeSecurityPrivilege 1788 TiWorker.exe Token: SeBackupPrivilege 1788 TiWorker.exe Token: SeRestorePrivilege 1788 TiWorker.exe Token: SeSecurityPrivilege 1788 TiWorker.exe Token: SeBackupPrivilege 1788 TiWorker.exe Token: SeRestorePrivilege 1788 TiWorker.exe Token: SeSecurityPrivilege 1788 TiWorker.exe Token: SeBackupPrivilege 1788 TiWorker.exe Token: SeRestorePrivilege 1788 TiWorker.exe Token: SeSecurityPrivilege 1788 TiWorker.exe Token: SeBackupPrivilege 1788 TiWorker.exe Token: SeRestorePrivilege 1788 TiWorker.exe Token: SeSecurityPrivilege 1788 TiWorker.exe Token: SeBackupPrivilege 1788 TiWorker.exe Token: SeRestorePrivilege 1788 TiWorker.exe Token: SeSecurityPrivilege 1788 TiWorker.exe Token: SeBackupPrivilege 1788 TiWorker.exe Token: SeRestorePrivilege 1788 TiWorker.exe Token: SeSecurityPrivilege 1788 TiWorker.exe Token: SeBackupPrivilege 1788 TiWorker.exe Token: SeRestorePrivilege 1788 TiWorker.exe Token: SeSecurityPrivilege 1788 TiWorker.exe Token: SeBackupPrivilege 1788 TiWorker.exe Token: SeRestorePrivilege 1788 TiWorker.exe Token: SeSecurityPrivilege 1788 TiWorker.exe Token: SeBackupPrivilege 1788 TiWorker.exe Token: SeRestorePrivilege 1788 TiWorker.exe Token: SeSecurityPrivilege 1788 TiWorker.exe Token: SeBackupPrivilege 1788 TiWorker.exe Token: SeRestorePrivilege 1788 TiWorker.exe Token: SeSecurityPrivilege 1788 TiWorker.exe Token: SeBackupPrivilege 1788 TiWorker.exe Token: SeRestorePrivilege 1788 TiWorker.exe Token: SeSecurityPrivilege 1788 TiWorker.exe Token: SeBackupPrivilege 1788 TiWorker.exe Token: SeRestorePrivilege 1788 TiWorker.exe Token: SeSecurityPrivilege 1788 TiWorker.exe Token: SeBackupPrivilege 1788 TiWorker.exe Token: SeRestorePrivilege 1788 TiWorker.exe Token: SeSecurityPrivilege 1788 TiWorker.exe Token: SeBackupPrivilege 1788 TiWorker.exe Token: SeRestorePrivilege 1788 TiWorker.exe Token: SeSecurityPrivilege 1788 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.execmd.exedescription pid process target process PID 1424 wrote to memory of 1508 1424 14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exe MediaCenter.exe PID 1424 wrote to memory of 1508 1424 14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exe MediaCenter.exe PID 1424 wrote to memory of 1508 1424 14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exe MediaCenter.exe PID 1424 wrote to memory of 628 1424 14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exe cmd.exe PID 1424 wrote to memory of 628 1424 14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exe cmd.exe PID 1424 wrote to memory of 628 1424 14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exe cmd.exe PID 628 wrote to memory of 1440 628 cmd.exe PING.EXE PID 628 wrote to memory of 1440 628 cmd.exe PING.EXE PID 628 wrote to memory of 1440 628 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exe"C:\Users\Admin\AppData\Local\Temp\14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1440
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1564
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1788
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
24484df7097f9d85ccdc331629fb960f
SHA183d07129244ec9254fe4f734a4f16819356a239a
SHA2569b5ec1066c6eb61e97c456c7eaca03bc6deced6629bcce07469b6b534439ebe3
SHA512abce6046fb73d2ca9bff75c741058a67fb0da6c2abbfdab56af3a6bf51c164b952cbe52e84e77cc1678c62a5d4c5d54e3cf818b2b2581ed31d45ec07f5e25b30
-
MD5
24484df7097f9d85ccdc331629fb960f
SHA183d07129244ec9254fe4f734a4f16819356a239a
SHA2569b5ec1066c6eb61e97c456c7eaca03bc6deced6629bcce07469b6b534439ebe3
SHA512abce6046fb73d2ca9bff75c741058a67fb0da6c2abbfdab56af3a6bf51c164b952cbe52e84e77cc1678c62a5d4c5d54e3cf818b2b2581ed31d45ec07f5e25b30