Analysis
-
max time kernel
146s -
max time network
166s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 05:19
Static task
static1
Behavioral task
behavioral1
Sample
131820b0078c9a47260d89e693de314f6c83ca501c2ba3b79373003f412a181d.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
131820b0078c9a47260d89e693de314f6c83ca501c2ba3b79373003f412a181d.exe
Resource
win10v2004-en-20220113
General
-
Target
131820b0078c9a47260d89e693de314f6c83ca501c2ba3b79373003f412a181d.exe
-
Size
150KB
-
MD5
c2ef42bef2e5b16ab7950a88f99c55f2
-
SHA1
4240e039005ae84cb23e8d89cbb4e8d8e5e2601e
-
SHA256
131820b0078c9a47260d89e693de314f6c83ca501c2ba3b79373003f412a181d
-
SHA512
f892f4c59ec076ef86e8e48ddd703329268eb550aa39f238a04d9f5f41a56eac5fb070c0fa228349fc3cdfeb261526dad5e2e979cba753d48c42c04858d30f28
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1888 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
131820b0078c9a47260d89e693de314f6c83ca501c2ba3b79373003f412a181d.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 131820b0078c9a47260d89e693de314f6c83ca501c2ba3b79373003f412a181d.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
131820b0078c9a47260d89e693de314f6c83ca501c2ba3b79373003f412a181d.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 131820b0078c9a47260d89e693de314f6c83ca501c2ba3b79373003f412a181d.exe -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exeTiWorker.exe131820b0078c9a47260d89e693de314f6c83ca501c2ba3b79373003f412a181d.exedescription pid process Token: SeShutdownPrivilege 4460 svchost.exe Token: SeCreatePagefilePrivilege 4460 svchost.exe Token: SeShutdownPrivilege 4460 svchost.exe Token: SeCreatePagefilePrivilege 4460 svchost.exe Token: SeShutdownPrivilege 4460 svchost.exe Token: SeCreatePagefilePrivilege 4460 svchost.exe Token: SeSecurityPrivilege 1344 TiWorker.exe Token: SeRestorePrivilege 1344 TiWorker.exe Token: SeBackupPrivilege 1344 TiWorker.exe Token: SeIncBasePriorityPrivilege 4800 131820b0078c9a47260d89e693de314f6c83ca501c2ba3b79373003f412a181d.exe Token: SeBackupPrivilege 1344 TiWorker.exe Token: SeRestorePrivilege 1344 TiWorker.exe Token: SeSecurityPrivilege 1344 TiWorker.exe Token: SeBackupPrivilege 1344 TiWorker.exe Token: SeRestorePrivilege 1344 TiWorker.exe Token: SeSecurityPrivilege 1344 TiWorker.exe Token: SeBackupPrivilege 1344 TiWorker.exe Token: SeRestorePrivilege 1344 TiWorker.exe Token: SeSecurityPrivilege 1344 TiWorker.exe Token: SeBackupPrivilege 1344 TiWorker.exe Token: SeRestorePrivilege 1344 TiWorker.exe Token: SeSecurityPrivilege 1344 TiWorker.exe Token: SeBackupPrivilege 1344 TiWorker.exe Token: SeRestorePrivilege 1344 TiWorker.exe Token: SeSecurityPrivilege 1344 TiWorker.exe Token: SeBackupPrivilege 1344 TiWorker.exe Token: SeRestorePrivilege 1344 TiWorker.exe Token: SeSecurityPrivilege 1344 TiWorker.exe Token: SeBackupPrivilege 1344 TiWorker.exe Token: SeRestorePrivilege 1344 TiWorker.exe Token: SeSecurityPrivilege 1344 TiWorker.exe Token: SeBackupPrivilege 1344 TiWorker.exe Token: SeRestorePrivilege 1344 TiWorker.exe Token: SeSecurityPrivilege 1344 TiWorker.exe Token: SeBackupPrivilege 1344 TiWorker.exe Token: SeRestorePrivilege 1344 TiWorker.exe Token: SeSecurityPrivilege 1344 TiWorker.exe Token: SeBackupPrivilege 1344 TiWorker.exe Token: SeRestorePrivilege 1344 TiWorker.exe Token: SeSecurityPrivilege 1344 TiWorker.exe Token: SeBackupPrivilege 1344 TiWorker.exe Token: SeRestorePrivilege 1344 TiWorker.exe Token: SeSecurityPrivilege 1344 TiWorker.exe Token: SeBackupPrivilege 1344 TiWorker.exe Token: SeRestorePrivilege 1344 TiWorker.exe Token: SeSecurityPrivilege 1344 TiWorker.exe Token: SeBackupPrivilege 1344 TiWorker.exe Token: SeRestorePrivilege 1344 TiWorker.exe Token: SeSecurityPrivilege 1344 TiWorker.exe Token: SeBackupPrivilege 1344 TiWorker.exe Token: SeRestorePrivilege 1344 TiWorker.exe Token: SeSecurityPrivilege 1344 TiWorker.exe Token: SeBackupPrivilege 1344 TiWorker.exe Token: SeRestorePrivilege 1344 TiWorker.exe Token: SeSecurityPrivilege 1344 TiWorker.exe Token: SeBackupPrivilege 1344 TiWorker.exe Token: SeRestorePrivilege 1344 TiWorker.exe Token: SeSecurityPrivilege 1344 TiWorker.exe Token: SeBackupPrivilege 1344 TiWorker.exe Token: SeRestorePrivilege 1344 TiWorker.exe Token: SeSecurityPrivilege 1344 TiWorker.exe Token: SeBackupPrivilege 1344 TiWorker.exe Token: SeRestorePrivilege 1344 TiWorker.exe Token: SeSecurityPrivilege 1344 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
131820b0078c9a47260d89e693de314f6c83ca501c2ba3b79373003f412a181d.execmd.exedescription pid process target process PID 4800 wrote to memory of 1888 4800 131820b0078c9a47260d89e693de314f6c83ca501c2ba3b79373003f412a181d.exe MediaCenter.exe PID 4800 wrote to memory of 1888 4800 131820b0078c9a47260d89e693de314f6c83ca501c2ba3b79373003f412a181d.exe MediaCenter.exe PID 4800 wrote to memory of 1888 4800 131820b0078c9a47260d89e693de314f6c83ca501c2ba3b79373003f412a181d.exe MediaCenter.exe PID 4800 wrote to memory of 5064 4800 131820b0078c9a47260d89e693de314f6c83ca501c2ba3b79373003f412a181d.exe cmd.exe PID 4800 wrote to memory of 5064 4800 131820b0078c9a47260d89e693de314f6c83ca501c2ba3b79373003f412a181d.exe cmd.exe PID 4800 wrote to memory of 5064 4800 131820b0078c9a47260d89e693de314f6c83ca501c2ba3b79373003f412a181d.exe cmd.exe PID 5064 wrote to memory of 5084 5064 cmd.exe PING.EXE PID 5064 wrote to memory of 5084 5064 cmd.exe PING.EXE PID 5064 wrote to memory of 5084 5064 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\131820b0078c9a47260d89e693de314f6c83ca501c2ba3b79373003f412a181d.exe"C:\Users\Admin\AppData\Local\Temp\131820b0078c9a47260d89e693de314f6c83ca501c2ba3b79373003f412a181d.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\131820b0078c9a47260d89e693de314f6c83ca501c2ba3b79373003f412a181d.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:5084
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4460
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1344
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
9f2298e0286c8af597a846233c0bebaa
SHA19eb8f990aed2c2cef46fbd801704e3435de80c6d
SHA2569f4a921f9f4df7b497e39992b5945792eef212f37ca2285618eeb3ee19ce527f
SHA512eacba40a8414d4086e84ad085bc701a218208609a143108d66bdee102a505d8793307f334b5a2ca25896406dba9f7130a4ed476f2d230be831c0081f5990967f
-
MD5
9f2298e0286c8af597a846233c0bebaa
SHA19eb8f990aed2c2cef46fbd801704e3435de80c6d
SHA2569f4a921f9f4df7b497e39992b5945792eef212f37ca2285618eeb3ee19ce527f
SHA512eacba40a8414d4086e84ad085bc701a218208609a143108d66bdee102a505d8793307f334b5a2ca25896406dba9f7130a4ed476f2d230be831c0081f5990967f