Analysis
max time kernel: 127s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 05:36
Static task: static1
Behavioral task: behavioral1
  Sample: 123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exe
  Resource: win10v2004-en-20220113
General
Target: 123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exe
Size: 80KB
MD5: 0811c8f899b710859de5bc0bcf3da43f
SHA1: 6549f7bb3a2ea25290284a0113d012d01e58356e
SHA256: 123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0
SHA512: 1a52ddfa0c8823cbcc0416f3eea52f3f1eba5420c4b980c340fec7e4ba5e544508c5fcda6e3d73f175db311174d5b8ad8aab184cc9123bab0d13dde1af739feb
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    1464 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
    File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
    File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
    File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
svchost.exe123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 768 svchost.exe Token: SeCreatePagefilePrivilege 768 svchost.exe Token: SeShutdownPrivilege 768 svchost.exe Token: SeCreatePagefilePrivilege 768 svchost.exe Token: SeShutdownPrivilege 768 svchost.exe Token: SeCreatePagefilePrivilege 768 svchost.exe Token: SeIncBasePriorityPrivilege 1348 123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exe Token: SeSecurityPrivilege 2308 TiWorker.exe Token: SeRestorePrivilege 2308 TiWorker.exe Token: SeBackupPrivilege 2308 TiWorker.exe Token: SeBackupPrivilege 2308 TiWorker.exe Token: SeRestorePrivilege 2308 TiWorker.exe Token: SeSecurityPrivilege 2308 TiWorker.exe Token: SeBackupPrivilege 2308 TiWorker.exe Token: SeRestorePrivilege 2308 TiWorker.exe Token: SeSecurityPrivilege 2308 TiWorker.exe Token: SeBackupPrivilege 2308 TiWorker.exe Token: SeRestorePrivilege 2308 TiWorker.exe Token: SeSecurityPrivilege 2308 TiWorker.exe Token: SeBackupPrivilege 2308 TiWorker.exe Token: SeRestorePrivilege 2308 TiWorker.exe Token: SeSecurityPrivilege 2308 TiWorker.exe Token: SeBackupPrivilege 2308 TiWorker.exe Token: SeRestorePrivilege 2308 TiWorker.exe Token: SeSecurityPrivilege 2308 TiWorker.exe Token: SeBackupPrivilege 2308 TiWorker.exe Token: SeRestorePrivilege 2308 TiWorker.exe Token: SeSecurityPrivilege 2308 TiWorker.exe Token: SeBackupPrivilege 2308 TiWorker.exe Token: SeRestorePrivilege 2308 TiWorker.exe Token: SeSecurityPrivilege 2308 TiWorker.exe Token: SeBackupPrivilege 2308 TiWorker.exe Token: SeRestorePrivilege 2308 TiWorker.exe Token: SeSecurityPrivilege 2308 TiWorker.exe Token: SeBackupPrivilege 2308 TiWorker.exe Token: SeRestorePrivilege 2308 TiWorker.exe Token: SeSecurityPrivilege 2308 TiWorker.exe Token: SeBackupPrivilege 2308 TiWorker.exe Token: SeRestorePrivilege 2308 TiWorker.exe Token: SeSecurityPrivilege 2308 TiWorker.exe Token: SeBackupPrivilege 2308 TiWorker.exe 
Token: SeRestorePrivilege 2308 TiWorker.exe Token: SeSecurityPrivilege 2308 TiWorker.exe Token: SeBackupPrivilege 2308 TiWorker.exe Token: SeRestorePrivilege 2308 TiWorker.exe Token: SeSecurityPrivilege 2308 TiWorker.exe Token: SeBackupPrivilege 2308 TiWorker.exe Token: SeRestorePrivilege 2308 TiWorker.exe Token: SeSecurityPrivilege 2308 TiWorker.exe Token: SeBackupPrivilege 2308 TiWorker.exe Token: SeRestorePrivilege 2308 TiWorker.exe Token: SeSecurityPrivilege 2308 TiWorker.exe Token: SeBackupPrivilege 2308 TiWorker.exe Token: SeRestorePrivilege 2308 TiWorker.exe Token: SeSecurityPrivilege 2308 TiWorker.exe Token: SeBackupPrivilege 2308 TiWorker.exe Token: SeRestorePrivilege 2308 TiWorker.exe Token: SeSecurityPrivilege 2308 TiWorker.exe Token: SeBackupPrivilege 2308 TiWorker.exe Token: SeRestorePrivilege 2308 TiWorker.exe Token: SeSecurityPrivilege 2308 TiWorker.exe Token: SeBackupPrivilege 2308 TiWorker.exe Token: SeRestorePrivilege 2308 TiWorker.exe Token: SeSecurityPrivilege 2308 TiWorker.exe -
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description | pid | process | target process
    PID 1348 wrote to memory of 1464 | 1348 | 123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exe | MediaCenter.exe
    PID 1348 wrote to memory of 1464 | 1348 | 123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exe | MediaCenter.exe
    PID 1348 wrote to memory of 1464 | 1348 | 123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exe | MediaCenter.exe
    PID 1348 wrote to memory of 972 | 1348 | 123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exe | cmd.exe
    PID 1348 wrote to memory of 972 | 1348 | 123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exe | cmd.exe
    PID 1348 wrote to memory of 972 | 1348 | 123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exe | cmd.exe
    PID 972 wrote to memory of 3896 | 972 | cmd.exe | PING.EXE
    PID 972 wrote to memory of 3896 | 972 | cmd.exe | PING.EXE
    PID 972 wrote to memory of 3896 | 972 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1348
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1464
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exe"
    - Suspicious use of WriteProcessMemory
    PID: 972
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3896
- C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 768
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (depth 1)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2308
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 3c734a8d9784d2274043246005fc2505
  SHA1: a0ae6c906be4b51d35c3cd320f3be4d3cd6265cb
  SHA256: fb04cb1c9a9c9a3a355aedc31e3095cd9c345d48b83eb55fa7e3366f642ecab6
  SHA512: 0afdf1f4123b1bf238b23778ed384228fb89148e3f520e12c5e17155542da19bcb5d19149113915f70790006dbba7d107a025496273a6f501db4f668d33c24a5