Analysis
- max time kernel: 140s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 05:36
Static task: static1
Behavioral task: behavioral1
  Sample: 1236d9d30afe25b0ae5f30b596107aaa05bda455255b8861e6c3a5b089fdbd0e.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1236d9d30afe25b0ae5f30b596107aaa05bda455255b8861e6c3a5b089fdbd0e.exe
  Resource: win10v2004-en-20220113
General
- Target: 1236d9d30afe25b0ae5f30b596107aaa05bda455255b8861e6c3a5b089fdbd0e.exe
- Size: 101KB
- MD5: c369ca10aa97ecad36e8f938f60d5052
- SHA1: 5decc4b5539cc10e8de7f52a514350ef36621dde
- SHA256: 1236d9d30afe25b0ae5f30b596107aaa05bda455255b8861e6c3a5b089fdbd0e
- SHA512: 51e3a0970f01fa0c0274b20504ac080289793eb80a6a4524277abcadf8ad83816b77fa730e179f5af6b2f150f8ad3a3707b1a7ad006174b61ce8a49d3669f286
Malware Config
Signatures
- Sakula Payload 2 IoCs
  Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (yara_rule: family_sakula)
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (yara_rule: family_sakula)
- Executes dropped EXE 1 IoCs
  Processes:
  pid 4608: MediaCenter.exe
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (process: 1236d9d30afe25b0ae5f30b596107aaa05bda455255b8861e6c3a5b089fdbd0e.exe)
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes:
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (process: 1236d9d30afe25b0ae5f30b596107aaa05bda455255b8861e6c3a5b089fdbd0e.exe)
- Drops file in Windows directory 8 IoCs
  Processes:
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
  File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  File opened for modification: C:\Windows\WindowsUpdate.log (svchost.exe)
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 64 IoCs
  Processes:
  Token: SeShutdownPrivilege (pid 3676, svchost.exe)
  Token: SeCreatePagefilePrivilege (pid 3676, svchost.exe)
  Token: SeShutdownPrivilege (pid 3676, svchost.exe)
  Token: SeCreatePagefilePrivilege (pid 3676, svchost.exe)
  Token: SeShutdownPrivilege (pid 3676, svchost.exe)
  Token: SeCreatePagefilePrivilege (pid 3676, svchost.exe)
  Token: SeIncBasePriorityPrivilege (pid 2696, 1236d9d30afe25b0ae5f30b596107aaa05bda455255b8861e6c3a5b089fdbd0e.exe)
  Token: SeSecurityPrivilege (pid 4060, TiWorker.exe)
  Token: SeRestorePrivilege (pid 4060, TiWorker.exe)
  Token: SeBackupPrivilege (pid 4060, TiWorker.exe)
  Token: SeBackupPrivilege (pid 4060, TiWorker.exe)
  Token: SeRestorePrivilege (pid 4060, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 4060, TiWorker.exe)
  Token: SeBackupPrivilege (pid 4060, TiWorker.exe)
  Token: SeRestorePrivilege (pid 4060, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 4060, TiWorker.exe)
  Token: SeBackupPrivilege (pid 4060, TiWorker.exe)
  Token: SeRestorePrivilege (pid 4060, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 4060, TiWorker.exe)
  Token: SeBackupPrivilege (pid 4060, TiWorker.exe)
  Token: SeRestorePrivilege (pid 4060, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 4060, TiWorker.exe)
  Token: SeBackupPrivilege (pid 4060, TiWorker.exe)
  Token: SeRestorePrivilege (pid 4060, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 4060, TiWorker.exe)
  Token: SeBackupPrivilege (pid 4060, TiWorker.exe)
  Token: SeRestorePrivilege (pid 4060, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 4060, TiWorker.exe)
  Token: SeBackupPrivilege (pid 4060, TiWorker.exe)
  Token: SeRestorePrivilege (pid 4060, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 4060, TiWorker.exe)
  Token: SeBackupPrivilege (pid 4060, TiWorker.exe)
  Token: SeRestorePrivilege (pid 4060, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 4060, TiWorker.exe)
  Token: SeBackupPrivilege (pid 4060, TiWorker.exe)
  Token: SeRestorePrivilege (pid 4060, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 4060, TiWorker.exe)
  Token: SeBackupPrivilege (pid 4060, TiWorker.exe)
  Token: SeRestorePrivilege (pid 4060, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 4060, TiWorker.exe)
  Token: SeBackupPrivilege (pid 4060, TiWorker.exe)
  Token: SeRestorePrivilege (pid 4060, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 4060, TiWorker.exe)
  Token: SeBackupPrivilege (pid 4060, TiWorker.exe)
  Token: SeRestorePrivilege (pid 4060, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 4060, TiWorker.exe)
  Token: SeBackupPrivilege (pid 4060, TiWorker.exe)
  Token: SeRestorePrivilege (pid 4060, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 4060, TiWorker.exe)
  Token: SeBackupPrivilege (pid 4060, TiWorker.exe)
  Token: SeRestorePrivilege (pid 4060, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 4060, TiWorker.exe)
  Token: SeBackupPrivilege (pid 4060, TiWorker.exe)
  Token: SeRestorePrivilege (pid 4060, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 4060, TiWorker.exe)
  Token: SeBackupPrivilege (pid 4060, TiWorker.exe)
  Token: SeRestorePrivilege (pid 4060, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 4060, TiWorker.exe)
  Token: SeBackupPrivilege (pid 4060, TiWorker.exe)
  Token: SeRestorePrivilege (pid 4060, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 4060, TiWorker.exe)
  Token: SeBackupPrivilege (pid 4060, TiWorker.exe)
  Token: SeRestorePrivilege (pid 4060, TiWorker.exe)
  Token: SeSecurityPrivilege (pid 4060, TiWorker.exe)
- Suspicious use of WriteProcessMemory 9 IoCs
  Processes:
  PID 2696 wrote to memory of 4608: 1236d9d30afe25b0ae5f30b596107aaa05bda455255b8861e6c3a5b089fdbd0e.exe -> MediaCenter.exe
  PID 2696 wrote to memory of 4608: 1236d9d30afe25b0ae5f30b596107aaa05bda455255b8861e6c3a5b089fdbd0e.exe -> MediaCenter.exe
  PID 2696 wrote to memory of 4608: 1236d9d30afe25b0ae5f30b596107aaa05bda455255b8861e6c3a5b089fdbd0e.exe -> MediaCenter.exe
  PID 2696 wrote to memory of 3200: 1236d9d30afe25b0ae5f30b596107aaa05bda455255b8861e6c3a5b089fdbd0e.exe -> cmd.exe
  PID 2696 wrote to memory of 3200: 1236d9d30afe25b0ae5f30b596107aaa05bda455255b8861e6c3a5b089fdbd0e.exe -> cmd.exe
  PID 2696 wrote to memory of 3200: 1236d9d30afe25b0ae5f30b596107aaa05bda455255b8861e6c3a5b089fdbd0e.exe -> cmd.exe
  PID 3200 wrote to memory of 772: cmd.exe -> PING.EXE
  PID 3200 wrote to memory of 772: cmd.exe -> PING.EXE
  PID 3200 wrote to memory of 772: cmd.exe -> PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1236d9d30afe25b0ae5f30b596107aaa05bda455255b8861e6c3a5b089fdbd0e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1236d9d30afe25b0ae5f30b596107aaa05bda455255b8861e6c3a5b089fdbd0e.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2696
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 4608
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1236d9d30afe25b0ae5f30b596107aaa05bda455255b8861e6c3a5b089fdbd0e.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3200
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 772
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3676
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4060
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 1f3be199f5c5e0e35b9c8e5a5dd65ab6
  SHA1: 971615efda4531a31b3d134351ff873bc5ac30b6
  SHA256: cd342bd09d8c923c203df274cf8921798a8e04ed8dc9bf1d3a7cbd2f3c852858
  SHA512: a42cb061c109eba95e6fc6a328cc8bed3b10035b1dfba9b8b25a58e6dd8dbf86058ff2f2b53c5f4787d1b3705e44f05210f27a2098a267abab632116e9c7c37a