Analysis
- max time kernel: 143s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 04:49

Static task: static1

Behavioral task: behavioral1
- Sample: 1451dd6d1f64cd8775150350e5ee870317abf054b297c2cb050a1672e0641b05.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 1451dd6d1f64cd8775150350e5ee870317abf054b297c2cb050a1672e0641b05.exe
- Resource: win10v2004-en-20220113

The signatures and process tree that follow come from the windows10-2004_x64 run (behavioral2, resource win10v2004-en-20220113).
General
- Target: 1451dd6d1f64cd8775150350e5ee870317abf054b297c2cb050a1672e0641b05.exe
- Size: 101KB
- MD5: 5ff458f2a79fe48205000392f098c60e
- SHA1: 85d628a474fad084f467d605b7f98328a6836ed1
- SHA256: 1451dd6d1f64cd8775150350e5ee870317abf054b297c2cb050a1672e0641b05
- SHA512: c77f7668ae49e02cbd66117d1710ff9b547335d2cc12767f6fde0d5825b2a4af9d91211e0ce037a9473402262e8a8815ee8af820cf48711c310e1f0dc7c34ca5
Signatures

Sakula Payload (2 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE (1 IoC)
  pid | process
  4928 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry for the current user, most likely a geofence check that decides whether the sample runs.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 1451dd6d1f64cd8775150350e5ee870317abf054b297c2cb050a1672e0641b05.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1451dd6d1f64cd8775150350e5ee870317abf054b297c2cb050a1672e0641b05.exe

Values under HKLM\...\CurrentVersion\Run are executed at every interactive logon, so the dropped MediaCenter.exe survives reboots. The WOW6432Node path shows the write was redirected by WOW64, i.e. the sample is a 32-bit process; the sandbox user is an administrator, which is why a write to HKLM succeeded at all.
Drops file in Windows directory (8 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe

All eight entries belong to the Windows Update service host (svchost.exe -s wuauserv) and the servicing worker (TiWorker.exe), neither of which is in the sample's process tree; they are background OS activity, not behaviour of the sample.
Enumerates physical storage devices (1 TTP, no IoC listed)
Attempts to interact with connected storage/optical drive(s); the sandbox flags this as likely ransomware behaviour. No individual IoC is attached to this signature.

Runs ping.exe (1 TTP, 1 IoC)
The IoC table for this signature is empty in the report; the invocation is visible in the process tree (PING.EXE, PID 3860, `ping 127.0.0.1`, spawned by cmd.exe).
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  process | pid | privileges enabled | events
  svchost.exe | 4748 | SeShutdownPrivilege, SeCreatePagefilePrivilege (alternating) | 6
  1451dd6d1f64cd8775150350e5ee870317abf054b297c2cb050a1672e0641b05.exe | 1412 | SeIncBasePriorityPrivilege | 1
  TiWorker.exe | 3640 | SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege (repeating) | 57

Only one of the 64 events belongs to the sample (SeIncBasePriorityPrivilege in PID 1412); the rest are the Windows Update service host and the servicing worker enabling the backup/restore/security privileges they normally use.
Suspicious use of WriteProcessMemory (9 IoCs)
  source pid | source process | target pid | target process | events
  1412 | 1451dd6d1f64cd8775150350e5ee870317abf054b297c2cb050a1672e0641b05.exe | 4928 | MediaCenter.exe | 3
  1412 | 1451dd6d1f64cd8775150350e5ee870317abf054b297c2cb050a1672e0641b05.exe | 4676 | cmd.exe | 3
  4676 | cmd.exe | 3860 | PING.EXE | 3

Each triple coincides with the source process creating that child (compare the process tree), so these writes are consistent with ordinary process creation rather than injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\1451dd6d1f64cd8775150350e5ee870317abf054b297c2cb050a1672e0641b05.exe (PID 1412)
  command line: "C:\Users\Admin\AppData\Local\Temp\1451dd6d1f64cd8775150350e5ee870317abf054b297c2cb050a1672e0641b05.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 4928, child of 1412)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe (PID 4676, child of 1412)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1451dd6d1f64cd8775150350e5ee870317abf054b297c2cb050a1672e0641b05.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE (PID 3860, child of 4676)
      command line: ping 127.0.0.1
      - Runs ping.exe

C:\Windows\system32\svchost.exe (PID 4748)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 3640)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

The cmd.exe line is the dropper's delayed self-delete: `ping 127.0.0.1` stalls for a few seconds while the parent exits and releases its image file, then `del /q` removes the original executable, leaving only the dropped MediaCenter.exe and its Run key. The command line names System32\cmd.exe but the resolved image is SysWOW64\cmd.exe, which is WOW64 file-system redirection and confirms the sample is a 32-bit process. The svchost.exe (wuauserv) and TiWorker.exe trees are Windows Update and servicing activity that ran during the analysis window and are unrelated to the sample.
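The two sample-attributable behaviours in this report, the HKLM Run value under WOW6432Node pointing into the user's Temp directory and the `cmd /c ping 127.0.0.1 & del /q "<own image>"` self-delete, are both easy to express as detections over process-creation and registry-set telemetry. The following script is an added example, not part of the sandbox report and not the sample's code. It uses Sysmon field names (Image, CommandLine, ParentProcessId, TargetObject, Details) and constructed events that mirror the process tree above, plus one benign-looking ping-then-delete with an unrelated parent to show the severity split. The Geo\Nation lookup is a registry read; Sysmon records value writes (event 13) but not reads, so that indicator is outside what this script can see.

```python
"""Detect the two behaviours recorded in the report above from Sysmon-style
events: HKLM Run-key persistence pointing into a Temp directory, and the
delayed self-delete (cmd /c ping 127.0.0.1 & del /q "<own image>").

Added example; not part of the sandbox report and not the sample's code.
The events below are constructed to mirror the report's process tree.
"""
import re

# Run / RunOnce under HKLM or HKCU, including the WOW6432Node view.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Persistence target living in a user's local Temp directory.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# 'ping <host> [opts] & del [/q] [/f] "<path>"' at the end of a command line.
PING_DEL_RE = re.compile(
    r'ping\s+[^&]*&\s*del\s+(?:/[qfa]\s+)*"?(?P<path>[^"&]+?)"?\s*$', re.I)


def check_self_delete(event, by_pid):
    """Return (severity, message) when a process pings and then deletes a file.

    Severity is "high" only when the deleted path is the parent's own image,
    which is the dropper-cleanup pattern in the report (cmd.exe, PID 4676).
    """
    match = PING_DEL_RE.search(event.get("CommandLine", ""))
    if not match:
        return None
    target = match.group("path").strip().lower()
    parent = by_pid.get(event.get("ParentProcessId"), {})
    parent_image = parent.get("Image", "").lower()
    if parent_image and target == parent_image:
        return ("high", f"self-delete: PID {event['ProcessId']} deletes parent image {target}")
    return ("low", f"ping-delayed delete of {target} (not the parent image)")


def check_run_key(event):
    """Return (severity, message) for a Run/RunOnce value pointing into Temp."""
    if event.get("EventType") != "SetValue":
        return None
    key, data = event.get("TargetObject", ""), event.get("Details", "")
    if RUN_KEY_RE.search(key) and TEMP_RE.search(data):
        return ("high", f"run-key persistence from Temp: {key} -> {data}")
    return None


def analyse(events):
    """Run both checks over a list of events; findings come back in event order."""
    by_pid = {e["ProcessId"]: e for e in events if e.get("EventType") == "ProcessCreate"}
    findings = []
    for event in events:
        if event.get("EventType") == "ProcessCreate":
            hit = check_self_delete(event, by_pid)
        else:
            hit = check_run_key(event)
        if hit:
            findings.append(hit)
    return findings


# Constructed events mirroring the report's process tree (not real telemetry).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1451dd6d1f64cd8775150350e5ee870317abf054b297c2cb050a1672e0641b05.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
EVENTS = [
    {"EventType": "ProcessCreate", "ProcessId": 1412, "Image": SAMPLE,
     "CommandLine": '"' + SAMPLE + '"'},
    {"EventType": "SetValue", "ProcessId": 1412,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": DROPPED},
    {"EventType": "ProcessCreate", "ProcessId": 4928, "ParentProcessId": 1412,
     "Image": DROPPED, "CommandLine": DROPPED},
    {"EventType": "ProcessCreate", "ProcessId": 4676, "ParentProcessId": 1412,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'},
    {"EventType": "ProcessCreate", "ProcessId": 3860, "ParentProcessId": 4676,
     "Image": r"C:\Windows\SysWOW64\PING.EXE", "CommandLine": "ping 127.0.0.1"},
    # Constructed benign-looking cleanup by an unrelated parent: low severity.
    {"EventType": "ProcessCreate", "ProcessId": 5000, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ping 127.0.0.1 -n 3 & del /q C:\\Temp\\old.log"},
]

if __name__ == "__main__":
    for severity, message in analyse(EVENTS):
        print(f"[{severity}] {message}")
```

The parent-image comparison is what separates a dropper cleaning itself up from a script deleting a log file: the same `ping & del` idiom is common in installers and batch jobs, so the high-severity path requires the deleted file to be the parent's own executable, exactly as in the tree above (PID 4676 deleting the image of PID 1412).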
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: f5dd30218bed3444a9e3cfbe2467b978
- SHA1: 0e43f91440e3d0857ff4bb127a281a66d655bf8f
- SHA256: 2fd9aa3c7c1ff8082c364cc03b4fa731e6f6e6269bb19a2598494d197458549e
- SHA512: f632335b9d45edbc2fb49a960eab6ecd54a65dc79eaabdf01907d21e287e05d30387493959c2233344ffb7c1ffd5bc1d18e773cedcd18c886118f67f9db55923