Analysis
-
max time kernel
142s -
max time network
164s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 06:05
Static task
static1
Behavioral task
behavioral1
Sample
10eebb5cae369a1aaaa8eca159b940114c14e34a2e31a04722ac272038e325bd.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
10eebb5cae369a1aaaa8eca159b940114c14e34a2e31a04722ac272038e325bd.exe
Resource
win10v2004-en-20220113
General
-
Target
10eebb5cae369a1aaaa8eca159b940114c14e34a2e31a04722ac272038e325bd.exe
-
Size
144KB
-
MD5
c01ac940703a9d969d755ed34a4fe0da
-
SHA1
d8697d9eb1528e677401262df8204e3f1eb6a732
-
SHA256
10eebb5cae369a1aaaa8eca159b940114c14e34a2e31a04722ac272038e325bd
-
SHA512
07d9363efb3b164d5d7ac7a6aaa17131781e3e467c0ccbf0ebbc71feb0ff28630b7dd7e532b1fdda829b7f97ce352c7f518c5c91825f7ae9fdf443883723ecb3
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 2380 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
10eebb5cae369a1aaaa8eca159b940114c14e34a2e31a04722ac272038e325bd.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 10eebb5cae369a1aaaa8eca159b940114c14e34a2e31a04722ac272038e325bd.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
10eebb5cae369a1aaaa8eca159b940114c14e34a2e31a04722ac272038e325bd.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 10eebb5cae369a1aaaa8eca159b940114c14e34a2e31a04722ac272038e325bd.exe -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exe10eebb5cae369a1aaaa8eca159b940114c14e34a2e31a04722ac272038e325bd.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 3972 svchost.exe Token: SeCreatePagefilePrivilege 3972 svchost.exe Token: SeShutdownPrivilege 3972 svchost.exe Token: SeCreatePagefilePrivilege 3972 svchost.exe Token: SeShutdownPrivilege 3972 svchost.exe Token: SeCreatePagefilePrivilege 3972 svchost.exe Token: SeIncBasePriorityPrivilege 940 10eebb5cae369a1aaaa8eca159b940114c14e34a2e31a04722ac272038e325bd.exe Token: SeSecurityPrivilege 5052 TiWorker.exe Token: SeRestorePrivilege 5052 TiWorker.exe Token: SeBackupPrivilege 5052 TiWorker.exe Token: SeBackupPrivilege 5052 TiWorker.exe Token: SeRestorePrivilege 5052 TiWorker.exe Token: SeSecurityPrivilege 5052 TiWorker.exe Token: SeBackupPrivilege 5052 TiWorker.exe Token: SeRestorePrivilege 5052 TiWorker.exe Token: SeSecurityPrivilege 5052 TiWorker.exe Token: SeBackupPrivilege 5052 TiWorker.exe Token: SeRestorePrivilege 5052 TiWorker.exe Token: SeSecurityPrivilege 5052 TiWorker.exe Token: SeBackupPrivilege 5052 TiWorker.exe Token: SeRestorePrivilege 5052 TiWorker.exe Token: SeSecurityPrivilege 5052 TiWorker.exe Token: SeBackupPrivilege 5052 TiWorker.exe Token: SeRestorePrivilege 5052 TiWorker.exe Token: SeSecurityPrivilege 5052 TiWorker.exe Token: SeBackupPrivilege 5052 TiWorker.exe Token: SeRestorePrivilege 5052 TiWorker.exe Token: SeSecurityPrivilege 5052 TiWorker.exe Token: SeBackupPrivilege 5052 TiWorker.exe Token: SeRestorePrivilege 5052 TiWorker.exe Token: SeSecurityPrivilege 5052 TiWorker.exe Token: SeBackupPrivilege 5052 TiWorker.exe Token: SeRestorePrivilege 5052 TiWorker.exe Token: SeSecurityPrivilege 5052 TiWorker.exe Token: SeBackupPrivilege 5052 TiWorker.exe Token: SeRestorePrivilege 5052 TiWorker.exe Token: SeSecurityPrivilege 5052 TiWorker.exe Token: SeBackupPrivilege 5052 TiWorker.exe Token: SeRestorePrivilege 5052 TiWorker.exe Token: SeSecurityPrivilege 5052 TiWorker.exe Token: SeBackupPrivilege 5052 TiWorker.exe Token: SeRestorePrivilege 5052 TiWorker.exe Token: SeSecurityPrivilege 5052 TiWorker.exe Token: SeBackupPrivilege 5052 TiWorker.exe Token: SeRestorePrivilege 5052 TiWorker.exe Token: SeSecurityPrivilege 5052 TiWorker.exe Token: SeBackupPrivilege 5052 TiWorker.exe Token: SeRestorePrivilege 5052 TiWorker.exe Token: SeSecurityPrivilege 5052 TiWorker.exe Token: SeBackupPrivilege 5052 TiWorker.exe Token: SeRestorePrivilege 5052 TiWorker.exe Token: SeSecurityPrivilege 5052 TiWorker.exe Token: SeBackupPrivilege 5052 TiWorker.exe Token: SeRestorePrivilege 5052 TiWorker.exe Token: SeSecurityPrivilege 5052 TiWorker.exe Token: SeBackupPrivilege 5052 TiWorker.exe Token: SeRestorePrivilege 5052 TiWorker.exe Token: SeSecurityPrivilege 5052 TiWorker.exe Token: SeBackupPrivilege 5052 TiWorker.exe Token: SeRestorePrivilege 5052 TiWorker.exe Token: SeSecurityPrivilege 5052 TiWorker.exe Token: SeBackupPrivilege 5052 TiWorker.exe Token: SeRestorePrivilege 5052 TiWorker.exe Token: SeSecurityPrivilege 5052 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
10eebb5cae369a1aaaa8eca159b940114c14e34a2e31a04722ac272038e325bd.execmd.exedescription pid process target process PID 940 wrote to memory of 2380 940 10eebb5cae369a1aaaa8eca159b940114c14e34a2e31a04722ac272038e325bd.exe MediaCenter.exe PID 940 wrote to memory of 2380 940 10eebb5cae369a1aaaa8eca159b940114c14e34a2e31a04722ac272038e325bd.exe MediaCenter.exe PID 940 wrote to memory of 2380 940 10eebb5cae369a1aaaa8eca159b940114c14e34a2e31a04722ac272038e325bd.exe MediaCenter.exe PID 940 wrote to memory of 3704 940 10eebb5cae369a1aaaa8eca159b940114c14e34a2e31a04722ac272038e325bd.exe cmd.exe PID 940 wrote to memory of 3704 940 10eebb5cae369a1aaaa8eca159b940114c14e34a2e31a04722ac272038e325bd.exe cmd.exe PID 940 wrote to memory of 3704 940 10eebb5cae369a1aaaa8eca159b940114c14e34a2e31a04722ac272038e325bd.exe cmd.exe PID 3704 wrote to memory of 3888 3704 cmd.exe PING.EXE PID 3704 wrote to memory of 3888 3704 cmd.exe PING.EXE PID 3704 wrote to memory of 3888 3704 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\10eebb5cae369a1aaaa8eca159b940114c14e34a2e31a04722ac272038e325bd.exe"C:\Users\Admin\AppData\Local\Temp\10eebb5cae369a1aaaa8eca159b940114c14e34a2e31a04722ac272038e325bd.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\10eebb5cae369a1aaaa8eca159b940114c14e34a2e31a04722ac272038e325bd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:3888
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3972
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5052
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
8f84d1e3543780a34c2c47282e64e6be
SHA13c248300ba1f4bdec29c0cad12e49bb7e5ef8d83
SHA256a4887af0077bde469f3867fbf7e1bcd09139e443fb3a7f20b89a6a431dfd3c57
SHA5128354c4672594445046551ed831c91df0ffcf04fce0b2048c56cc0c6bd3e418132efa09c0538057b10b9b5d5cb7e558941f8e5ce7e7b5791ca8316034a5a747d0
-
MD5
8f84d1e3543780a34c2c47282e64e6be
SHA13c248300ba1f4bdec29c0cad12e49bb7e5ef8d83
SHA256a4887af0077bde469f3867fbf7e1bcd09139e443fb3a7f20b89a6a431dfd3c57
SHA5128354c4672594445046551ed831c91df0ffcf04fce0b2048c56cc0c6bd3e418132efa09c0538057b10b9b5d5cb7e558941f8e5ce7e7b5791ca8316034a5a747d0