Analysis
Max time kernel: 147s
Max time network: 160s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220113
Submitted: 12-02-2022 05:35
Static task: static1
Behavioral task: behavioral1
  Sample: 123fe43926d2e340bd1f064dd8f4b6bdbe59d334a575986a09b635aba6eb4bac.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 123fe43926d2e340bd1f064dd8f4b6bdbe59d334a575986a09b635aba6eb4bac.exe
  Resource: win10v2004-en-20220113
General
Target: 123fe43926d2e340bd1f064dd8f4b6bdbe59d334a575986a09b635aba6eb4bac.exe
Size: 100KB
MD5: e773ec0752c5bacc01532e14c98c485c
SHA1: cfb34eca2f901de70d4b0056247bb9bc40bc7a85
SHA256: 123fe43926d2e340bd1f064dd8f4b6bdbe59d334a575986a09b635aba6eb4bac
SHA512: 1bf1941da3c6dc64fc02a3c431defbb8d6e3859612c2ffed471eeb6faf8de023633ca288687a817ad145324450faf7fb00f94bd8bf74abaae4179bb222970b16
Malware Config
Signatures
Sakula Payload (2 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE (1 IoC)
  pid | process
  3644 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 123fe43926d2e340bd1f064dd8f4b6bdbe59d334a575986a09b635aba6eb4bac.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 123fe43926d2e340bd1f064dd8f4b6bdbe59d334a575986a09b635aba6eb4bac.exe
Drops file in Windows directory (8 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | process
  Token: SeShutdownPrivilege | 3232 | svchost.exe
  Token: SeCreatePagefilePrivilege | 3232 | svchost.exe
  Token: SeShutdownPrivilege | 3232 | svchost.exe
  Token: SeCreatePagefilePrivilege | 3232 | svchost.exe
  Token: SeShutdownPrivilege | 3232 | svchost.exe
  Token: SeCreatePagefilePrivilege | 3232 | svchost.exe
  Token: SeSecurityPrivilege | 3460 | TiWorker.exe
  Token: SeRestorePrivilege | 3460 | TiWorker.exe
  Token: SeBackupPrivilege | 3460 | TiWorker.exe
  Token: SeIncBasePriorityPrivilege | 1348 | 123fe43926d2e340bd1f064dd8f4b6bdbe59d334a575986a09b635aba6eb4bac.exe
  Token: SeBackupPrivilege | 3460 | TiWorker.exe
  Token: SeRestorePrivilege | 3460 | TiWorker.exe
  Token: SeSecurityPrivilege | 3460 | TiWorker.exe
  Token: SeBackupPrivilege | 3460 | TiWorker.exe
  Token: SeRestorePrivilege | 3460 | TiWorker.exe
  Token: SeSecurityPrivilege | 3460 | TiWorker.exe
  Token: SeBackupPrivilege | 3460 | TiWorker.exe
  Token: SeRestorePrivilege | 3460 | TiWorker.exe
  Token: SeSecurityPrivilege | 3460 | TiWorker.exe
  Token: SeBackupPrivilege | 3460 | TiWorker.exe
  Token: SeRestorePrivilege | 3460 | TiWorker.exe
  Token: SeSecurityPrivilege | 3460 | TiWorker.exe
  Token: SeBackupPrivilege | 3460 | TiWorker.exe
  Token: SeRestorePrivilege | 3460 | TiWorker.exe
  Token: SeSecurityPrivilege | 3460 | TiWorker.exe
  Token: SeBackupPrivilege | 3460 | TiWorker.exe
  Token: SeRestorePrivilege | 3460 | TiWorker.exe
  Token: SeSecurityPrivilege | 3460 | TiWorker.exe
  Token: SeBackupPrivilege | 3460 | TiWorker.exe
  Token: SeRestorePrivilege | 3460 | TiWorker.exe
  Token: SeSecurityPrivilege | 3460 | TiWorker.exe
  Token: SeBackupPrivilege | 3460 | TiWorker.exe
  Token: SeRestorePrivilege | 3460 | TiWorker.exe
  Token: SeSecurityPrivilege | 3460 | TiWorker.exe
  Token: SeBackupPrivilege | 3460 | TiWorker.exe
  Token: SeRestorePrivilege | 3460 | TiWorker.exe
  Token: SeSecurityPrivilege | 3460 | TiWorker.exe
  Token: SeBackupPrivilege | 3460 | TiWorker.exe
  Token: SeRestorePrivilege | 3460 | TiWorker.exe
  Token: SeSecurityPrivilege | 3460 | TiWorker.exe
  Token: SeBackupPrivilege | 3460 | TiWorker.exe
  Token: SeRestorePrivilege | 3460 | TiWorker.exe
  Token: SeSecurityPrivilege | 3460 | TiWorker.exe
  Token: SeBackupPrivilege | 3460 | TiWorker.exe
  Token: SeRestorePrivilege | 3460 | TiWorker.exe
  Token: SeSecurityPrivilege | 3460 | TiWorker.exe
  Token: SeBackupPrivilege | 3460 | TiWorker.exe
  Token: SeRestorePrivilege | 3460 | TiWorker.exe
  Token: SeSecurityPrivilege | 3460 | TiWorker.exe
  Token: SeBackupPrivilege | 3460 | TiWorker.exe
  Token: SeRestorePrivilege | 3460 | TiWorker.exe
  Token: SeSecurityPrivilege | 3460 | TiWorker.exe
  Token: SeBackupPrivilege | 3460 | TiWorker.exe
  Token: SeRestorePrivilege | 3460 | TiWorker.exe
  Token: SeSecurityPrivilege | 3460 | TiWorker.exe
  Token: SeBackupPrivilege | 3460 | TiWorker.exe
  Token: SeRestorePrivilege | 3460 | TiWorker.exe
  Token: SeSecurityPrivilege | 3460 | TiWorker.exe
  Token: SeBackupPrivilege | 3460 | TiWorker.exe
  Token: SeRestorePrivilege | 3460 | TiWorker.exe
  Token: SeSecurityPrivilege | 3460 | TiWorker.exe
  Token: SeBackupPrivilege | 3460 | TiWorker.exe
  Token: SeRestorePrivilege | 3460 | TiWorker.exe
  Token: SeSecurityPrivilege | 3460 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | target process
  PID 1348 wrote to memory of 3644 | 1348 | 123fe43926d2e340bd1f064dd8f4b6bdbe59d334a575986a09b635aba6eb4bac.exe | MediaCenter.exe
  PID 1348 wrote to memory of 3644 | 1348 | 123fe43926d2e340bd1f064dd8f4b6bdbe59d334a575986a09b635aba6eb4bac.exe | MediaCenter.exe
  PID 1348 wrote to memory of 3644 | 1348 | 123fe43926d2e340bd1f064dd8f4b6bdbe59d334a575986a09b635aba6eb4bac.exe | MediaCenter.exe
  PID 1348 wrote to memory of 4180 | 1348 | 123fe43926d2e340bd1f064dd8f4b6bdbe59d334a575986a09b635aba6eb4bac.exe | cmd.exe
  PID 1348 wrote to memory of 4180 | 1348 | 123fe43926d2e340bd1f064dd8f4b6bdbe59d334a575986a09b635aba6eb4bac.exe | cmd.exe
  PID 1348 wrote to memory of 4180 | 1348 | 123fe43926d2e340bd1f064dd8f4b6bdbe59d334a575986a09b635aba6eb4bac.exe | cmd.exe
  PID 4180 wrote to memory of 4236 | 4180 | cmd.exe | PING.EXE
  PID 4180 wrote to memory of 4236 | 4180 | cmd.exe | PING.EXE
  PID 4180 wrote to memory of 4236 | 4180 | cmd.exe | PING.EXE
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\123fe43926d2e340bd1f064dd8f4b6bdbe59d334a575986a09b635aba6eb4bac.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\123fe43926d2e340bd1f064dd8f4b6bdbe59d334a575986a09b635aba6eb4bac.exe"
  PID: 1348
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 3644
    - Executes dropped EXE
  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\123fe43926d2e340bd1f064dd8f4b6bdbe59d334a575986a09b635aba6eb4bac.exe"
    PID: 4180
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 4236
      - Runs ping.exe
[depth 1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 3232
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
[depth 1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3460
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 0d53a448a1e7a8638d1f99f39bfe19b4
  SHA1: e6d553de3de6b264477947e7dbd3fcb5db4d85a3
  SHA256: 8a4f5addfa3960eb2f7b7043c7d2718e4260f98a2674f75a7b50952433e88d15
  SHA512: 7cb01fd6489e936e546751ec89679bf714aecb410456f39aed0d60d73260fe3e6ec033d87ccab66572aaedabc806773924fea1e7b6a559038b4c92760acd4394
- MD5: 0d53a448a1e7a8638d1f99f39bfe19b4
  SHA1: e6d553de3de6b264477947e7dbd3fcb5db4d85a3
  SHA256: 8a4f5addfa3960eb2f7b7043c7d2718e4260f98a2674f75a7b50952433e88d15
  SHA512: 7cb01fd6489e936e546751ec89679bf714aecb410456f39aed0d60d73260fe3e6ec033d87ccab66572aaedabc806773924fea1e7b6a559038b4c92760acd4394