Analysis

- max time kernel: 158s
- max time network: 175s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 05:58
Static task: static1

Behavioral task: behavioral1
  Sample: 11345359b634c183e330196466dc70b8e0feaee70a419b1ea012707967b9e484.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 11345359b634c183e330196466dc70b8e0feaee70a419b1ea012707967b9e484.exe
  Resource: win10v2004-en-20220113
General

- Target: 11345359b634c183e330196466dc70b8e0feaee70a419b1ea012707967b9e484.exe
- Size: 150KB
- MD5: b5d3c0728736eeb2227e4e92cf9f5d58
- SHA1: 99c367f1252bd0f1611a1a3c7c41c9164e820636
- SHA256: 11345359b634c183e330196466dc70b8e0feaee70a419b1ea012707967b9e484
- SHA512: bbb4112e6f827abcc9bac7d5713176eef0773d34caee4fde1ebfb4ab3d43f1284fe7c387a3f3999e7555d9eb7dbf42aa3603d5c6c79a99764932d3e4e85154b1
Malware Config
Signatures

- Sakula Payload (2 IoCs)
  Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  1552 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 11345359b634c183e330196466dc70b8e0feaee70a419b1ea012707967b9e484.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 11345359b634c183e330196466dc70b8e0feaee70a419b1ea012707967b9e484.exe
- Drops file in Windows directory (8 IoCs)
  Processes (description | ioc | process):
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description | pid | process):
  Token: SeShutdownPrivilege | 1344 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1344 | svchost.exe
  (the two svchost.exe rows above appear three times in succession)
  Token: SeIncBasePriorityPrivilege | 1312 | 11345359b634c183e330196466dc70b8e0feaee70a419b1ea012707967b9e484.exe
  Token: SeSecurityPrivilege | 1704 | TiWorker.exe
  Token: SeRestorePrivilege | 1704 | TiWorker.exe
  Token: SeBackupPrivilege | 1704 | TiWorker.exe
  (the remaining rows repeat the SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege sequence for PID 1704, TiWorker.exe)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
  PID 1312 wrote to memory of 1552 | 1312 | 11345359b634c183e330196466dc70b8e0feaee70a419b1ea012707967b9e484.exe | MediaCenter.exe
  PID 1312 wrote to memory of 1552 | 1312 | 11345359b634c183e330196466dc70b8e0feaee70a419b1ea012707967b9e484.exe | MediaCenter.exe
  PID 1312 wrote to memory of 1552 | 1312 | 11345359b634c183e330196466dc70b8e0feaee70a419b1ea012707967b9e484.exe | MediaCenter.exe
  PID 1312 wrote to memory of 2844 | 1312 | 11345359b634c183e330196466dc70b8e0feaee70a419b1ea012707967b9e484.exe | cmd.exe
  PID 1312 wrote to memory of 2844 | 1312 | 11345359b634c183e330196466dc70b8e0feaee70a419b1ea012707967b9e484.exe | cmd.exe
  PID 1312 wrote to memory of 2844 | 1312 | 11345359b634c183e330196466dc70b8e0feaee70a419b1ea012707967b9e484.exe | cmd.exe
  PID 2844 wrote to memory of 3060 | 2844 | cmd.exe | PING.EXE
  PID 2844 wrote to memory of 3060 | 2844 | cmd.exe | PING.EXE
  PID 2844 wrote to memory of 3060 | 2844 | cmd.exe | PING.EXE
Processes

- C:\Users\Admin\AppData\Local\Temp\11345359b634c183e330196466dc70b8e0feaee70a419b1ea012707967b9e484.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11345359b634c183e330196466dc70b8e0feaee70a419b1ea012707967b9e484.exe"
  PID: 1312
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (child of PID 1312)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1552
    - Executes dropped EXE

  - C:\Windows\SysWOW64\cmd.exe (child of PID 1312)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11345359b634c183e330196466dc70b8e0feaee70a419b1ea012707967b9e484.exe"
    PID: 2844
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\PING.EXE (child of PID 2844)
      Command line: ping 127.0.0.1
      PID: 3060
      - Runs ping.exe

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 1344
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 1704
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

- MD5: ab99bb98fd54b4adfc3f53b960ff60fa
  SHA1: d845a10e45d033271a196c9375ca492abeb6a2b4
  SHA256: 5d7b168933179c5bf912959685c7f3da76e278ac9fb1bdba5f1f54dc246615b6
  SHA512: a814fd746985153923f49219aff851181e4ffa03c4d652d985f9368f60218ed1bc3b8267da3713a2001adb5d08da16e00c88fca3af5ae840b97c4c7aa6e87747

- MD5: ab99bb98fd54b4adfc3f53b960ff60fa
  SHA1: d845a10e45d033271a196c9375ca492abeb6a2b4
  SHA256: 5d7b168933179c5bf912959685c7f3da76e278ac9fb1bdba5f1f54dc246615b6
  SHA512: a814fd746985153923f49219aff851181e4ffa03c4d652d985f9368f60218ed1bc3b8267da3713a2001adb5d08da16e00c88fca3af5ae840b97c4c7aa6e87747