Analysis
- max time kernel: 139s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 04:57

Static task: static1

Behavioral task: behavioral1
- Sample: 13f8f57747092ad5875e5a67c11af7ef10daf44a5c0b7bf0e4323af8d46d2dd1.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 13f8f57747092ad5875e5a67c11af7ef10daf44a5c0b7bf0e4323af8d46d2dd1.exe
- Resource: win10v2004-en-20220113
General
- Target: 13f8f57747092ad5875e5a67c11af7ef10daf44a5c0b7bf0e4323af8d46d2dd1.exe
- Size: 101KB
- MD5: 9a107782176d171f1a9dcafab3d72a33
- SHA1: 4ded1641b5e295363a107030324fec1e258c5653
- SHA256: 13f8f57747092ad5875e5a67c11af7ef10daf44a5c0b7bf0e4323af8d46d2dd1
- SHA512: 0adad277fd8954f34a91585087c55841a4ba2d37d1f4ccf688d4f6dfe53e4342cb12e8527eb66e0435bd939fb9be96848575d4b5104748465c5de9f8d5e3c589
Malware Config
Signatures
- Sakula Payload 2 IoCs
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE 1 IoCs
  Processes: MediaCenter.exe
  pid | process
  4060 | MediaCenter.exe
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  Processes: 13f8f57747092ad5875e5a67c11af7ef10daf44a5c0b7bf0e4323af8d46d2dd1.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 13f8f57747092ad5875e5a67c11af7ef10daf44a5c0b7bf0e4323af8d46d2dd1.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes: 13f8f57747092ad5875e5a67c11af7ef10daf44a5c0b7bf0e4323af8d46d2dd1.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 13f8f57747092ad5875e5a67c11af7ef10daf44a5c0b7bf0e4323af8d46d2dd1.exe
- Drops file in Windows directory 8 IoCs
  Processes: svchost.exe, TiWorker.exe
  description | ioc | process
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 64 IoCs
  Processes: svchost.exe, TiWorker.exe, 13f8f57747092ad5875e5a67c11af7ef10daf44a5c0b7bf0e4323af8d46d2dd1.exe
  token | pid | process | count
  SeShutdownPrivilege | 1796 | svchost.exe | 3
  SeCreatePagefilePrivilege | 1796 | svchost.exe | 3
  SeSecurityPrivilege | 3520 | TiWorker.exe | 19
  SeRestorePrivilege | 3520 | TiWorker.exe | 19
  SeBackupPrivilege | 3520 | TiWorker.exe | 19
  SeIncBasePriorityPrivilege | 3812 | 13f8f57747092ad5875e5a67c11af7ef10daf44a5c0b7bf0e4323af8d46d2dd1.exe | 1
- Suspicious use of WriteProcessMemory 9 IoCs
  Processes: 13f8f57747092ad5875e5a67c11af7ef10daf44a5c0b7bf0e4323af8d46d2dd1.exe, cmd.exe
  description | pid | process | target process
  PID 3812 wrote to memory of 4060 | 3812 | 13f8f57747092ad5875e5a67c11af7ef10daf44a5c0b7bf0e4323af8d46d2dd1.exe | MediaCenter.exe
  PID 3812 wrote to memory of 4060 | 3812 | 13f8f57747092ad5875e5a67c11af7ef10daf44a5c0b7bf0e4323af8d46d2dd1.exe | MediaCenter.exe
  PID 3812 wrote to memory of 4060 | 3812 | 13f8f57747092ad5875e5a67c11af7ef10daf44a5c0b7bf0e4323af8d46d2dd1.exe | MediaCenter.exe
  PID 3812 wrote to memory of 3560 | 3812 | 13f8f57747092ad5875e5a67c11af7ef10daf44a5c0b7bf0e4323af8d46d2dd1.exe | cmd.exe
  PID 3812 wrote to memory of 3560 | 3812 | 13f8f57747092ad5875e5a67c11af7ef10daf44a5c0b7bf0e4323af8d46d2dd1.exe | cmd.exe
  PID 3812 wrote to memory of 3560 | 3812 | 13f8f57747092ad5875e5a67c11af7ef10daf44a5c0b7bf0e4323af8d46d2dd1.exe | cmd.exe
  PID 3560 wrote to memory of 4184 | 3560 | cmd.exe | PING.EXE
  PID 3560 wrote to memory of 4184 | 3560 | cmd.exe | PING.EXE
  PID 3560 wrote to memory of 4184 | 3560 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\13f8f57747092ad5875e5a67c11af7ef10daf44a5c0b7bf0e4323af8d46d2dd1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\13f8f57747092ad5875e5a67c11af7ef10daf44a5c0b7bf0e4323af8d46d2dd1.exe"
  PID: 3812
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4060
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\13f8f57747092ad5875e5a67c11af7ef10daf44a5c0b7bf0e4323af8d46d2dd1.exe"
    PID: 3560
    Signatures: Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 4184
      Signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 1796
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3520
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: b7082a87be704478aa59c88df4bbb4cb
  SHA1: b5affb9ec7102d29eb1cb9af4694d36baa0342c7
  SHA256: 2147155d446dc3ec0d43f2bf1d20ab29ccf0154e726996ea21177c74d621eabe
  SHA512: 974267d5399e07bd7fbe2aeafac6639b26d0296956a497be5c86eab8bcfffaa41fe6a041ac50eaba0fb20b061deaeef7fa79cb17b07094eae0bebde1036a8331