Analysis
-
max time kernel
148s -
max time network
180s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 05:58
Static task
static1
Behavioral task
behavioral1
Sample
11378f5060d6275dacde98a474fb2fcdb9eb9733f39174985a6d7de0420bd0dc.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
11378f5060d6275dacde98a474fb2fcdb9eb9733f39174985a6d7de0420bd0dc.exe
Resource
win10v2004-en-20220113
General
-
Target
11378f5060d6275dacde98a474fb2fcdb9eb9733f39174985a6d7de0420bd0dc.exe
-
Size
192KB
-
MD5
0b48659caacc097862884c21a5f476c9
-
SHA1
a73cb5dfc1d600ba4cb00b6f2fe597930315c75b
-
SHA256
11378f5060d6275dacde98a474fb2fcdb9eb9733f39174985a6d7de0420bd0dc
-
SHA512
402e7fbb91e51d53e8bf2f9c25dd138b9827cf5d02fb5a1cfd23246c2eece69cd3edcec0b51229afea2cbb3b22580efa91072dddf7733e9bbfe47ae674f0648a
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 3320 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
11378f5060d6275dacde98a474fb2fcdb9eb9733f39174985a6d7de0420bd0dc.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 11378f5060d6275dacde98a474fb2fcdb9eb9733f39174985a6d7de0420bd0dc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
11378f5060d6275dacde98a474fb2fcdb9eb9733f39174985a6d7de0420bd0dc.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 11378f5060d6275dacde98a474fb2fcdb9eb9733f39174985a6d7de0420bd0dc.exe -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
11378f5060d6275dacde98a474fb2fcdb9eb9733f39174985a6d7de0420bd0dc.exesvchost.exeTiWorker.exedescription pid process Token: SeIncBasePriorityPrivilege 5008 11378f5060d6275dacde98a474fb2fcdb9eb9733f39174985a6d7de0420bd0dc.exe Token: SeShutdownPrivilege 4660 svchost.exe Token: SeCreatePagefilePrivilege 4660 svchost.exe Token: SeShutdownPrivilege 4660 svchost.exe Token: SeCreatePagefilePrivilege 4660 svchost.exe Token: SeShutdownPrivilege 4660 svchost.exe Token: SeCreatePagefilePrivilege 4660 svchost.exe Token: SeSecurityPrivilege 1748 TiWorker.exe Token: SeRestorePrivilege 1748 TiWorker.exe Token: SeBackupPrivilege 1748 TiWorker.exe Token: SeBackupPrivilege 1748 TiWorker.exe Token: SeRestorePrivilege 1748 TiWorker.exe Token: SeSecurityPrivilege 1748 TiWorker.exe Token: SeBackupPrivilege 1748 TiWorker.exe Token: SeRestorePrivilege 1748 TiWorker.exe Token: SeSecurityPrivilege 1748 TiWorker.exe Token: SeBackupPrivilege 1748 TiWorker.exe Token: SeRestorePrivilege 1748 TiWorker.exe Token: SeSecurityPrivilege 1748 TiWorker.exe Token: SeBackupPrivilege 1748 TiWorker.exe Token: SeRestorePrivilege 1748 TiWorker.exe Token: SeSecurityPrivilege 1748 TiWorker.exe Token: SeBackupPrivilege 1748 TiWorker.exe Token: SeRestorePrivilege 1748 TiWorker.exe Token: SeSecurityPrivilege 1748 TiWorker.exe Token: SeBackupPrivilege 1748 TiWorker.exe Token: SeRestorePrivilege 1748 TiWorker.exe Token: SeSecurityPrivilege 1748 TiWorker.exe Token: SeBackupPrivilege 1748 TiWorker.exe Token: SeRestorePrivilege 1748 TiWorker.exe Token: SeSecurityPrivilege 1748 TiWorker.exe Token: SeBackupPrivilege 1748 TiWorker.exe Token: SeRestorePrivilege 1748 TiWorker.exe Token: SeSecurityPrivilege 1748 TiWorker.exe Token: SeBackupPrivilege 1748 TiWorker.exe Token: SeRestorePrivilege 1748 TiWorker.exe Token: SeSecurityPrivilege 1748 TiWorker.exe Token: SeBackupPrivilege 1748 TiWorker.exe Token: SeRestorePrivilege 1748 TiWorker.exe Token: SeSecurityPrivilege 1748 TiWorker.exe Token: SeBackupPrivilege 1748 TiWorker.exe Token: SeRestorePrivilege 1748 TiWorker.exe Token: SeSecurityPrivilege 1748 TiWorker.exe Token: SeBackupPrivilege 1748 TiWorker.exe Token: SeRestorePrivilege 1748 TiWorker.exe Token: SeSecurityPrivilege 1748 TiWorker.exe Token: SeBackupPrivilege 1748 TiWorker.exe Token: SeRestorePrivilege 1748 TiWorker.exe Token: SeSecurityPrivilege 1748 TiWorker.exe Token: SeBackupPrivilege 1748 TiWorker.exe Token: SeRestorePrivilege 1748 TiWorker.exe Token: SeSecurityPrivilege 1748 TiWorker.exe Token: SeBackupPrivilege 1748 TiWorker.exe Token: SeRestorePrivilege 1748 TiWorker.exe Token: SeSecurityPrivilege 1748 TiWorker.exe Token: SeBackupPrivilege 1748 TiWorker.exe Token: SeRestorePrivilege 1748 TiWorker.exe Token: SeSecurityPrivilege 1748 TiWorker.exe Token: SeBackupPrivilege 1748 TiWorker.exe Token: SeRestorePrivilege 1748 TiWorker.exe Token: SeSecurityPrivilege 1748 TiWorker.exe Token: SeBackupPrivilege 1748 TiWorker.exe Token: SeRestorePrivilege 1748 TiWorker.exe Token: SeSecurityPrivilege 1748 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
11378f5060d6275dacde98a474fb2fcdb9eb9733f39174985a6d7de0420bd0dc.execmd.exedescription pid process target process PID 5008 wrote to memory of 3320 5008 11378f5060d6275dacde98a474fb2fcdb9eb9733f39174985a6d7de0420bd0dc.exe MediaCenter.exe PID 5008 wrote to memory of 3320 5008 11378f5060d6275dacde98a474fb2fcdb9eb9733f39174985a6d7de0420bd0dc.exe MediaCenter.exe PID 5008 wrote to memory of 3320 5008 11378f5060d6275dacde98a474fb2fcdb9eb9733f39174985a6d7de0420bd0dc.exe MediaCenter.exe PID 5008 wrote to memory of 4320 5008 11378f5060d6275dacde98a474fb2fcdb9eb9733f39174985a6d7de0420bd0dc.exe cmd.exe PID 5008 wrote to memory of 4320 5008 11378f5060d6275dacde98a474fb2fcdb9eb9733f39174985a6d7de0420bd0dc.exe cmd.exe PID 5008 wrote to memory of 4320 5008 11378f5060d6275dacde98a474fb2fcdb9eb9733f39174985a6d7de0420bd0dc.exe cmd.exe PID 4320 wrote to memory of 2792 4320 cmd.exe PING.EXE PID 4320 wrote to memory of 2792 4320 cmd.exe PING.EXE PID 4320 wrote to memory of 2792 4320 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\11378f5060d6275dacde98a474fb2fcdb9eb9733f39174985a6d7de0420bd0dc.exe"C:\Users\Admin\AppData\Local\Temp\11378f5060d6275dacde98a474fb2fcdb9eb9733f39174985a6d7de0420bd0dc.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:3320 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11378f5060d6275dacde98a474fb2fcdb9eb9733f39174985a6d7de0420bd0dc.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4320 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:2792
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4660
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1748
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
52c4ce970e1357a037749b2d8d49a0eb
SHA19764ee5556969de02ab337581138c48976d45586
SHA25607c0b37a7ba20f14b4b06eb9e9bd1a7c539234184054c89ee449d1d012820db6
SHA512f13d3a0b45c16c5168c50433fb307b64f4a19b58eeee6f858e28f967e4c700ac2412036b8532cee11d1634a6cbe4c347b8fd9d3ee38debd3d94c0c865345fd02
-
MD5
52c4ce970e1357a037749b2d8d49a0eb
SHA19764ee5556969de02ab337581138c48976d45586
SHA25607c0b37a7ba20f14b4b06eb9e9bd1a7c539234184054c89ee449d1d012820db6
SHA512f13d3a0b45c16c5168c50433fb307b64f4a19b58eeee6f858e28f967e4c700ac2412036b8532cee11d1634a6cbe4c347b8fd9d3ee38debd3d94c0c865345fd02