Analysis
max time kernel: 149s
max time network: 165s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 04:49
Static task: static1
Behavioral task: behavioral1
  Sample: 14524ae7e417319ea3ad67b155282edb3e447efd89e348d43f8f1b07982bf4ee.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 14524ae7e417319ea3ad67b155282edb3e447efd89e348d43f8f1b07982bf4ee.exe
  Resource: win10v2004-en-20220113
General
Target: 14524ae7e417319ea3ad67b155282edb3e447efd89e348d43f8f1b07982bf4ee.exe
Size: 100KB
MD5: 5d18c003d65ac42ce7b40e0ca0efc6c0
SHA1: cbb287953aca194ae5bc9318701f49507923810a
SHA256: 14524ae7e417319ea3ad67b155282edb3e447efd89e348d43f8f1b07982bf4ee
SHA512: bec8a4b76dac1b5676d574cd6a9c0a82d487febfd958ae68e8861b1a778125ec8ff38a00d7f4b6d30b82942e7d9ecb880d549669a8574a2dda8fcce2411c41f6
Malware Config
Signatures
Sakula Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE 1 IoCs
Processes:
pid | process
1336 | MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 14524ae7e417319ea3ad67b155282edb3e447efd89e348d43f8f1b07982bf4ee.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 14524ae7e417319ea3ad67b155282edb3e447efd89e348d43f8f1b07982bf4ee.exe
Drops file in Windows directory 8 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 3344 | svchost.exe
Token: SeCreatePagefilePrivilege | 3344 | svchost.exe
Token: SeShutdownPrivilege | 3344 | svchost.exe
Token: SeCreatePagefilePrivilege | 3344 | svchost.exe
Token: SeShutdownPrivilege | 3344 | svchost.exe
Token: SeCreatePagefilePrivilege | 3344 | svchost.exe
Token: SeIncBasePriorityPrivilege | 1984 | 14524ae7e417319ea3ad67b155282edb3e447efd89e348d43f8f1b07982bf4ee.exe
Token: SeSecurityPrivilege | 2748 | TiWorker.exe
Token: SeRestorePrivilege | 2748 | TiWorker.exe
Token: SeBackupPrivilege | 2748 | TiWorker.exe
(the remaining rows of the table repeat Token: SeBackupPrivilege, Token: SeRestorePrivilege and Token: SeSecurityPrivilege, each for pid 2748 TiWorker.exe)
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 1984 wrote to memory of 1336 | 1984 | 14524ae7e417319ea3ad67b155282edb3e447efd89e348d43f8f1b07982bf4ee.exe | MediaCenter.exe
PID 1984 wrote to memory of 1336 | 1984 | 14524ae7e417319ea3ad67b155282edb3e447efd89e348d43f8f1b07982bf4ee.exe | MediaCenter.exe
PID 1984 wrote to memory of 1336 | 1984 | 14524ae7e417319ea3ad67b155282edb3e447efd89e348d43f8f1b07982bf4ee.exe | MediaCenter.exe
PID 1984 wrote to memory of 3436 | 1984 | 14524ae7e417319ea3ad67b155282edb3e447efd89e348d43f8f1b07982bf4ee.exe | cmd.exe
PID 1984 wrote to memory of 3436 | 1984 | 14524ae7e417319ea3ad67b155282edb3e447efd89e348d43f8f1b07982bf4ee.exe | cmd.exe
PID 1984 wrote to memory of 3436 | 1984 | 14524ae7e417319ea3ad67b155282edb3e447efd89e348d43f8f1b07982bf4ee.exe | cmd.exe
PID 3436 wrote to memory of 3484 | 3436 | cmd.exe | PING.EXE
PID 3436 wrote to memory of 3484 | 3436 | cmd.exe | PING.EXE
PID 3436 wrote to memory of 3484 | 3436 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\14524ae7e417319ea3ad67b155282edb3e447efd89e348d43f8f1b07982bf4ee.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\14524ae7e417319ea3ad67b155282edb3e447efd89e348d43f8f1b07982bf4ee.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1984
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID:1336
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14524ae7e417319ea3ad67b155282edb3e447efd89e348d43f8f1b07982bf4ee.exe"
    - Suspicious use of WriteProcessMemory
    PID:3436
    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      - Runs ping.exe
      PID:3484
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3344
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 63e36543636d11f398e2da2457172d47
SHA1: 3a7c5539e9a186bfbcd30813f2a3915551781857
SHA256: 013bdbda7676df1a76445383f81ea49d0b223de94864ed887a7da7b555b6c782
SHA512: d3f01a602c7374b3f24b7020010f5a79a7317e224f8601134938b95fecf10e7378b0e7cf4736dd03bcf0b3dd4eda34fb7b5b44e53342d0b676edc7e2eaaa5b75