Analysis

max time kernel: 158s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 05:05
Static task: static1

Behavioral task: behavioral1
Sample: 13bb1014495e433dd8f799fc7fd3207f3d63b00da79f30a984468fdc91b7019f.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 13bb1014495e433dd8f799fc7fd3207f3d63b00da79f30a984468fdc91b7019f.exe
Resource: win10v2004-en-20220113
General

Target: 13bb1014495e433dd8f799fc7fd3207f3d63b00da79f30a984468fdc91b7019f.exe
Size: 80KB
MD5: c72cb3d8e5a6f19b48154d06118442de
SHA1: 832d814156872864acef2eafb59be020d7b5b722
SHA256: 13bb1014495e433dd8f799fc7fd3207f3d63b00da79f30a984468fdc91b7019f
SHA512: 4a325eeaa9e4cd938036c6a4294f8e7727c32f4402a5a0bcbac0e60adf44c9c90fc20a699bf5a6cd823dc97201f11780cfe37bafe29a93175c577edcdf94eb79
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE (1 IoCs)
Processes: MediaCenter.exe
pid | process
4668 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 13bb1014495e433dd8f799fc7fd3207f3d63b00da79f30a984468fdc91b7019f.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 13bb1014495e433dd8f799fc7fd3207f3d63b00da79f30a984468fdc91b7019f.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: 13bb1014495e433dd8f799fc7fd3207f3d63b00da79f30a984468fdc91b7019f.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 13bb1014495e433dd8f799fc7fd3207f3d63b00da79f30a984468fdc91b7019f.exe
Drops file in Windows directory (8 IoCs)
Processes: svchost.exe, TiWorker.exe
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: svchost.exe, 13bb1014495e433dd8f799fc7fd3207f3d63b00da79f30a984468fdc91b7019f.exe, TiWorker.exe
description | pid | process
Token: SeShutdownPrivilege | 3896 | svchost.exe
Token: SeCreatePagefilePrivilege | 3896 | svchost.exe
Token: SeShutdownPrivilege | 3896 | svchost.exe
Token: SeCreatePagefilePrivilege | 3896 | svchost.exe
Token: SeShutdownPrivilege | 3896 | svchost.exe
Token: SeCreatePagefilePrivilege | 3896 | svchost.exe
Token: SeIncBasePriorityPrivilege | 4744 | 13bb1014495e433dd8f799fc7fd3207f3d63b00da79f30a984468fdc91b7019f.exe
Token: SeSecurityPrivilege | 1708 | TiWorker.exe
Token: SeRestorePrivilege | 1708 | TiWorker.exe
Token: SeBackupPrivilege | 1708 | TiWorker.exe
Token: SeBackupPrivilege | 1708 | TiWorker.exe
Token: SeRestorePrivilege | 1708 | TiWorker.exe
Token: SeSecurityPrivilege | 1708 | TiWorker.exe
Token: SeBackupPrivilege | 1708 | TiWorker.exe
Token: SeRestorePrivilege | 1708 | TiWorker.exe
Token: SeSecurityPrivilege | 1708 | TiWorker.exe
Token: SeBackupPrivilege | 1708 | TiWorker.exe
Token: SeRestorePrivilege | 1708 | TiWorker.exe
Token: SeSecurityPrivilege | 1708 | TiWorker.exe
Token: SeBackupPrivilege | 1708 | TiWorker.exe
Token: SeRestorePrivilege | 1708 | TiWorker.exe
Token: SeSecurityPrivilege | 1708 | TiWorker.exe
Token: SeBackupPrivilege | 1708 | TiWorker.exe
Token: SeRestorePrivilege | 1708 | TiWorker.exe
Token: SeSecurityPrivilege | 1708 | TiWorker.exe
Token: SeBackupPrivilege | 1708 | TiWorker.exe
Token: SeRestorePrivilege | 1708 | TiWorker.exe
Token: SeSecurityPrivilege | 1708 | TiWorker.exe
Token: SeBackupPrivilege | 1708 | TiWorker.exe
Token: SeRestorePrivilege | 1708 | TiWorker.exe
Token: SeSecurityPrivilege | 1708 | TiWorker.exe
Token: SeBackupPrivilege | 1708 | TiWorker.exe
Token: SeRestorePrivilege | 1708 | TiWorker.exe
Token: SeSecurityPrivilege | 1708 | TiWorker.exe
Token: SeBackupPrivilege | 1708 | TiWorker.exe
Token: SeRestorePrivilege | 1708 | TiWorker.exe
Token: SeSecurityPrivilege | 1708 | TiWorker.exe
Token: SeBackupPrivilege | 1708 | TiWorker.exe
Token: SeRestorePrivilege | 1708 | TiWorker.exe
Token: SeSecurityPrivilege | 1708 | TiWorker.exe
Token: SeBackupPrivilege | 1708 | TiWorker.exe
Token: SeRestorePrivilege | 1708 | TiWorker.exe
Token: SeSecurityPrivilege | 1708 | TiWorker.exe
Token: SeBackupPrivilege | 1708 | TiWorker.exe
Token: SeRestorePrivilege | 1708 | TiWorker.exe
Token: SeSecurityPrivilege | 1708 | TiWorker.exe
Token: SeBackupPrivilege | 1708 | TiWorker.exe
Token: SeRestorePrivilege | 1708 | TiWorker.exe
Token: SeSecurityPrivilege | 1708 | TiWorker.exe
Token: SeBackupPrivilege | 1708 | TiWorker.exe
Token: SeRestorePrivilege | 1708 | TiWorker.exe
Token: SeSecurityPrivilege | 1708 | TiWorker.exe
Token: SeBackupPrivilege | 1708 | TiWorker.exe
Token: SeRestorePrivilege | 1708 | TiWorker.exe
Token: SeSecurityPrivilege | 1708 | TiWorker.exe
Token: SeBackupPrivilege | 1708 | TiWorker.exe
Token: SeRestorePrivilege | 1708 | TiWorker.exe
Token: SeSecurityPrivilege | 1708 | TiWorker.exe
Token: SeBackupPrivilege | 1708 | TiWorker.exe
Token: SeRestorePrivilege | 1708 | TiWorker.exe
Token: SeSecurityPrivilege | 1708 | TiWorker.exe
Token: SeBackupPrivilege | 1708 | TiWorker.exe
Token: SeRestorePrivilege | 1708 | TiWorker.exe
Token: SeSecurityPrivilege | 1708 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 13bb1014495e433dd8f799fc7fd3207f3d63b00da79f30a984468fdc91b7019f.exe, cmd.exe
description | pid | process | target process
PID 4744 wrote to memory of 4668 | 4744 | 13bb1014495e433dd8f799fc7fd3207f3d63b00da79f30a984468fdc91b7019f.exe | MediaCenter.exe
PID 4744 wrote to memory of 4668 | 4744 | 13bb1014495e433dd8f799fc7fd3207f3d63b00da79f30a984468fdc91b7019f.exe | MediaCenter.exe
PID 4744 wrote to memory of 4668 | 4744 | 13bb1014495e433dd8f799fc7fd3207f3d63b00da79f30a984468fdc91b7019f.exe | MediaCenter.exe
PID 4744 wrote to memory of 5060 | 4744 | 13bb1014495e433dd8f799fc7fd3207f3d63b00da79f30a984468fdc91b7019f.exe | cmd.exe
PID 4744 wrote to memory of 5060 | 4744 | 13bb1014495e433dd8f799fc7fd3207f3d63b00da79f30a984468fdc91b7019f.exe | cmd.exe
PID 4744 wrote to memory of 5060 | 4744 | 13bb1014495e433dd8f799fc7fd3207f3d63b00da79f30a984468fdc91b7019f.exe | cmd.exe
PID 5060 wrote to memory of 1204 | 5060 | cmd.exe | PING.EXE
PID 5060 wrote to memory of 1204 | 5060 | cmd.exe | PING.EXE
PID 5060 wrote to memory of 1204 | 5060 | cmd.exe | PING.EXE
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\13bb1014495e433dd8f799fc7fd3207f3d63b00da79f30a984468fdc91b7019f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\13bb1014495e433dd8f799fc7fd3207f3d63b00da79f30a984468fdc91b7019f.exe"
  PID: 4744
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4668
    - Executes dropped EXE

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\13bb1014495e433dd8f799fc7fd3207f3d63b00da79f30a984468fdc91b7019f.exe"
    PID: 5060
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1204
      - Runs ping.exe

Level 1: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 3896
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

Level 1: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 1708
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: ae5ddad32ad8cb051d9191e38b8ddeb1
SHA1: 9ac5577901579922d5eda1c3962b90180c703091
SHA256: acbd6eec18ba67cd556fa57faf237ea6e6bd77b64cc635237d02a033a3d3e90f
SHA512: cbe5fdab099c8607165ef0410945ed93e7259c5e8b56d35a950ce940fe1d3e5947817027dea4c808b556cf9d197722058e20c25a7f7ad8e49d26bac2f91adaf9