Analysis
max time kernel: 137s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 06:18
Static task: static1
Behavioral task: behavioral1
Sample: 10575719341df64fbebf8ed8652195073a2a508a603a623b3f1791d90e15e775.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 10575719341df64fbebf8ed8652195073a2a508a603a623b3f1791d90e15e775.exe
Resource: win10v2004-en-20220113
General
Target: 10575719341df64fbebf8ed8652195073a2a508a603a623b3f1791d90e15e775.exe
Size: 192KB
MD5: 9b83026e0a57e417ce735fcf3ad9ffe0
SHA1: a99ea987805d69d042451e826384ffc242e57558
SHA256: 10575719341df64fbebf8ed8652195073a2a508a603a623b3f1791d90e15e775
SHA512: 82b63b673861fc7dac25e555cac1700c17fee4036c6cb1fe3a80ee4600a7589b375496394fad5db45d99b537b751e9bddf28099b4f3f1868231114af30ad8724
Malware Config
Signatures
Sakula Payload 2 IoCs
Processes:
resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
Both YARA hits are on the dropped MediaCenter.exe, not on the submitted sample itself; the submitted file acts as the dropper.
Executes dropped EXE 1 IoCs
Processes:
pid 2420  MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check.
Processes:
Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  by 10575719341df64fbebf8ed8652195073a2a508a603a623b3f1791d90e15e775.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  by 10575719341df64fbebf8ed8652195073a2a508a603a623b3f1791d90e15e775.exe
The key lands under WOW6432Node because the sample is a 32-bit process on an x64 guest (its cmd.exe child runs from SysWOW64), so registry redirection applied. When hunting for this persistence on a host, check both HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and the WOW6432Node view; a 64-bit tool reading only the native view will not see this value.
Drops file in Windows directory 8 IoCs
Processes:
File opened for modification C:\Windows\WindowsUpdate.log  svchost.exe
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  svchost.exe
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  svchost.exe
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  svchost.exe
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  svchost.exe
File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log  svchost.exe
File opened for modification C:\Windows\Logs\CBS\CBS.log  TiWorker.exe
File opened for modification C:\Windows\WinSxS\pending.xml  TiWorker.exe
All eight writes come from svchost.exe (wuauserv) and TiWorker.exe, which appear as separate root processes in the tree below with no link to the sample; this is Windows Update servicing activity in the sandbox, not sample behaviour.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
No IoC is recorded for this signature, so it cannot be tied to a specific process in this run, and nothing else in the report (a Sakula payload, a Run key and a self-delete) shows file encryption.
Runs ping.exe 1 TTPs 1 IoCs
PID 4004  PING.EXE  ping 127.0.0.1 (see process tree)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exe (PID 4700): SeShutdownPrivilege, SeCreatePagefilePrivilege (each enabled three times, alternating)
TiWorker.exe (PID 2028): SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege (enabled repeatedly in a cycle; these make up the bulk of the 64 entries)
10575719341df64fbebf8ed8652195073a2a508a603a623b3f1791d90e15e775.exe (PID 2056): SeIncBasePriorityPrivilege (once)
Only the single SeIncBasePriorityPrivilege entry belongs to the sample. The svchost.exe and TiWorker.exe entries are the Windows Update servicing stack running in the sandbox and should not be read as malware behaviour.
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
PID 2056 (10575719341df64fbebf8ed8652195073a2a508a603a623b3f1791d90e15e775.exe) wrote to memory of PID 2420 (MediaCenter.exe), 3 entries
PID 2056 (10575719341df64fbebf8ed8652195073a2a508a603a623b3f1791d90e15e775.exe) wrote to memory of PID 3272 (cmd.exe), 3 entries
PID 3272 (cmd.exe) wrote to memory of PID 4004 (PING.EXE), 3 entries
Every target is a child the writing process had just created (compare the process tree), so these writes are consistent with ordinary child-process start-up rather than injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\10575719341df64fbebf8ed8652195073a2a508a603a623b3f1791d90e15e775.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\10575719341df64fbebf8ed8652195073a2a508a603a623b3f1791d90e15e775.exe"
  PID 2056, depth 1
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID 2420, depth 2 (child of 2056)
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\10575719341df64fbebf8ed8652195073a2a508a603a623b3f1791d90e15e775.exe"
      PID 3272, depth 2 (child of 2056)
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE
          command line: ping 127.0.0.1
          PID 4004, depth 3 (child of 3272)
          - Runs ping.exe
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID 4700, depth 1
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID 2028, depth 1
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
The cmd.exe branch is the sample's self-deletion: ping 127.0.0.1 serves as a short delay so the parent can exit, after which del /q removes the original executable from Temp, leaving only the dropped MediaCenter.exe (the Sakula payload registered under the Run key). The image is C:\Windows\SysWOW64\cmd.exe although the command line names System32: file-system redirection for a 32-bit process, which matches the WOW6432Node Run key above. The svchost.exe and TiWorker.exe roots are sandbox background activity unrelated to the sample.
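The two sample behaviours in the tree above, a dropper registering the file it wrote under a Run key and then deleting its own image through cmd.exe after a ping delay, can be detected from process-creation and registry-write telemetry. The following is an added example and not part of the tria.ge report: the events are constructed to mirror the tree and the Run-key IoC (the parent PIDs of the two root processes are assumed), and the rules generalise slightly beyond this sample by also accepting timeout/choice delays, RunOnce values and the native (non-WOW6432Node) Run key.

```python
"""Detection logic for the dropper pattern seen in the report: a parent
registers a file it dropped under a Run key, then spawns cmd.exe to delete
its own image after a ping delay. Events below are constructed to mirror
the sandbox process tree; they are not sandbox output."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the executable that was started
    cmdline: str  # command line as launched


@dataclass
class RegEvent:
    pid: int   # process that wrote the value
    key: str   # full path of the registry value
    data: str  # string data written


def norm(path: str) -> str:
    """Lower-case and unquote so Image fields and quoted arguments compare equal."""
    return path.strip().strip('"').lower()


# Constructed events. PIDs, images and command lines follow the report;
# the parent PIDs 1234 and 800 of the two root processes are assumptions.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\10575719341df64fbebf8ed8652195073a2a508a603a623b3f1791d90e15e775.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

PROC_EVENTS = [
    ProcEvent(2056, 1234, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2420, 2056, DROPPED, DROPPED),
    ProcEvent(3272, 2056, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcEvent(4004, 3272, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    ProcEvent(4700, 800, r"C:\Windows\system32\svchost.exe",
              r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"),
]
REG_EVENTS = [
    RegEvent(2056,
             r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
             DROPPED),
]

# cmd /c <delay> & del [...] "<path>.exe"; ping/timeout/choice are the usual delays.
SELF_DELETE_RE = re.compile(
    r'/c\s+(?:ping|timeout|choice)\b[^&]*&+\s*del\b[^"]*"?(?P<target>[A-Za-z]:\\[^"&]+?\.exe)"?',
    re.IGNORECASE)

# Run / RunOnce values in the native view or the WOW6432Node (32-bit) view.
RUN_KEY_RE = re.compile(
    r"\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$",
    re.IGNORECASE)
EXE_IN_DATA_RE = re.compile(r'"?(?P<exe>[A-Za-z]:\\[^"]+?\.exe)', re.IGNORECASE)


def find_self_delete(procs):
    """cmd.exe whose delayed 'del' target is its own parent's image."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if not norm(p.image).endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(p.cmdline)
        parent = by_pid.get(p.ppid)
        if m and parent and norm(parent.image) == norm(m.group("target")):
            findings.append({"pid": p.pid, "ppid": p.ppid, "deleted": parent.image})
    return findings


def find_dropped_autorun(procs, regs):
    """Run-key value whose executable is a child the same process spawned."""
    children = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p)
    findings = []
    for r in regs:
        m = EXE_IN_DATA_RE.match(r.data)
        if not RUN_KEY_RE.search(r.key) or not m:
            continue
        exe = norm(m.group("exe"))
        for child in children.get(r.pid, []):
            if norm(child.image) == exe:
                findings.append({
                    "pid": r.pid,
                    "value": r.key,
                    "payload": child.image,
                    "wow64_redirected": "wow6432node" in r.key.lower(),
                    "in_temp": "\\appdata\\local\\temp\\" in exe,
                })
    return findings


if __name__ == "__main__":
    for hit in find_self_delete(PROC_EVENTS) + find_dropped_autorun(PROC_EVENTS, REG_EVENTS):
        print(hit)
```

Both rules key on the parent/child relationship rather than on the command line alone: a bare `ping & del` fires on many installers, but `del` of the parent's own image is the self-deletion that matters, and a Run value whose target is a child of the process that wrote it is the dropper registering its payload. The `wow64_redirected` flag records when the value was seen in the 32-bit view, which is what a native 64-bit reader of the Run key would miss.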
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: a5c3154504cd5c742ca69e352515a1c9
SHA1: 8656712e5b01b1ae9dbc625cdde93cd5eb65fb51
SHA256: 62fa7cca5611f19374475243b180bd4a056a75712ff49476a7f036204cdd59a7
SHA512: 3e6b948d6f177c0018bb6608f8d36cd6890ad4c8b53312bfa50c5b73ec7ed8083545cdb2932ce0aa605d2f6f5b2048383ebbcf079c855dfa2a6f3832cc817007