Analysis
- max time kernel: 141s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 06:04
Static task: static1
Behavioral task: behavioral1
- Sample: 10f846418cf59a7e57cd32e9f85abc959b0e7b8b4480f334888451ce738a9362.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 10f846418cf59a7e57cd32e9f85abc959b0e7b8b4480f334888451ce738a9362.exe
- Resource: win10v2004-en-20220113
General
- Target: 10f846418cf59a7e57cd32e9f85abc959b0e7b8b4480f334888451ce738a9362.exe
- Size: 99KB
- MD5: 2c147b1cf92124eee935a2e27fdf9809
- SHA1: 1bdd51963c221b8554d93eb0af7b50b75edf9543
- SHA256: 10f846418cf59a7e57cd32e9f85abc959b0e7b8b4480f334888451ce738a9362
- SHA512: 6e2bb9e17efeceef7bc5f66cff8c79aca0d9f7a5584a013268958509af38caddd0ab5c25e3196a09594597dae8153cce45257bcd23fc14a586ef0e0aa8daf8ce
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource, yara_rule):
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
  - 1428 MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (10f846418cf59a7e57cd32e9f85abc959b0e7b8b4480f334888451ce738a9362.exe)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (10f846418cf59a7e57cd32e9f85abc959b0e7b8b4480f334888451ce738a9362.exe)
  The value is written under WOW6432Node, i.e. the sample is a 32-bit process whose write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run was redirected by WOW64 registry redirection. The autorun target is the dropped MediaCenter.exe in the user's Temp directory, which is the persistence mechanism to check for on a suspected host.
- Drops file in Windows directory (8 IoCs)
  Processes (description, ioc, process):
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
  - File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  - File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  - File opened for modification: C:\Windows\WindowsUpdate.log (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
  All eight writes come from svchost.exe (the wuauserv service host) and TiWorker.exe, i.e. Windows Update servicing that ran in the sandbox during the analysis window; none is attributable to the sample or to the dropped MediaCenter.exe.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  No process or IoC is recorded under this signature, and the sample is otherwise identified by the family_sakula YARA rule, so the signature's generic "ransomware" description is weak evidence on its own for this sample.
- Runs ping.exe (1 TTPs, 1 IoCs)
  No process entry is listed under this signature; the matching event is PING.EXE (PID 1168, "ping 127.0.0.1") in the process tree, spawned by the cmd.exe that deletes the original sample, where the loopback ping serves as a short delay before the del command.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (token privilege, pid, process):
  - svchost.exe (PID 1272): SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating, 3 entries each (6 entries)
  - 10f846418cf59a7e57cd32e9f85abc959b0e7b8b4480f334888451ce738a9362.exe (PID 1364): SeIncBasePriorityPrivilege (1 entry)
  - TiWorker.exe (PID 4460): SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, cycling, the remaining 57 entries
  Only the single SeIncBasePriorityPrivilege entry belongs to the sample. The svchost.exe (wuauserv) and TiWorker.exe entries are Windows Update servicing activity that happened to run in the sandbox and account for 63 of the 64 IoCs under this signature.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (pid, process, target pid, target process):
  - PID 1364 10f846418cf59a7e57cd32e9f85abc959b0e7b8b4480f334888451ce738a9362.exe wrote to memory of PID 1428 MediaCenter.exe (3 entries)
  - PID 1364 10f846418cf59a7e57cd32e9f85abc959b0e7b8b4480f334888451ce738a9362.exe wrote to memory of PID 1832 cmd.exe (3 entries)
  - PID 1832 cmd.exe wrote to memory of PID 1168 PING.EXE (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\10f846418cf59a7e57cd32e9f85abc959b0e7b8b4480f334888451ce738a9362.exe (PID 1364)
  Command line: "C:\Users\Admin\AppData\Local\Temp\10f846418cf59a7e57cd32e9f85abc959b0e7b8b4480f334888451ce738a9362.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1428)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1832)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\10f846418cf59a7e57cd32e9f85abc959b0e7b8b4480f334888451ce738a9362.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1168)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 1272)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 4460)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Notes on the tree: the sample's command line names C:\Windows\System32\cmd.exe, but the recorded image is C:\Windows\SysWOW64\cmd.exe, which is WOW64 file system redirection for a 32-bit process and matches the Run key landing under WOW6432Node. The cmd.exe line is the sample's self-deletion: ping 127.0.0.1 provides a short delay, then del /q removes the original executable so that only the dropped, persisted MediaCenter.exe remains on disk. The svchost.exe (wuauserv) and TiWorker.exe trees are Windows Update servicing in the sandbox and are unrelated to the sample.
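As an added example (not part of the sandbox report and not the sample's own code), the following Python script implements detection logic for the two sample-attributable behaviours above over constructed Sysmon-style events: the cmd.exe "ping 127.0.0.1 & del /q" self-delete chain, flagged only when the deleted path is the image of an ancestor process, and a Run/RunOnce value pointing into a user-writable temp directory, correlated with whether the writer process also launched that target. Paths, PIDs, command lines and the registry key are taken from the report; the event field layout, the sample's parent PID (900) and the second, unquoted command-line variant in the test are assumptions. The self-delete matcher is written more generally than the single command line in the report (it also accepts "ping -n N 127.0.0.1 > nul && del /f <path>").

```python
"""Detect the self-delete chain and the Temp-directory autorun recorded in this
report, over constructed Sysmon-style events (not the sandbox's own output)."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image path as the OS reports it (SysWOW64 after WOW64 redirection)
    cmdline: str


@dataclass(frozen=True)
class RegSetEvent:
    pid: int
    key: str        # key path; the value name is kept separate
    value: str
    data: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\10f846418cf59a7e57cd32e9f85abc959b0e7b8b4480f334888451ce738a9362.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed from the process tree in the report; PPID 900 for the sample is an assumption.
PROC_EVENTS = [
    ProcEvent(1364, 900, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(1428, 1364, DROPPED, DROPPED),
    ProcEvent(1832, 1364, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'),
    ProcEvent(1168, 1832, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]
# Constructed from the "Adds Run key" signature in the report.
REG_EVENTS = [
    RegSetEvent(1364, r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
                "MicroMedia", DROPPED),
]

# ping 127.0.0.1 [-n N / > nul] & del [/switches] "<path>"; also matches the && and unquoted forms.
SELF_DELETE_RE = re.compile(
    r'ping\s+(?:-n\s+\d+\s+)?127\.0\.0\.1\b.*?&\s*del\b(?:\s+/\w+)*\s+"?([^"&]+?)"?\s*$',
    re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.IGNORECASE)
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")


def _ancestors(pid: int, by_pid: Dict[int, ProcEvent], limit: int = 8) -> List[ProcEvent]:
    """Walk parent links upward, bounded so PID reuse cannot loop forever."""
    chain = []
    while pid in by_pid and len(chain) < limit:
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def find_self_delete(events: List[ProcEvent]) -> List[dict]:
    """Flag cmd.exe instances whose 'ping & del' target is the image of an ancestor process."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e.cmdline)
        if not m:
            continue
        target = m.group(1).strip()
        for anc in _ancestors(e.ppid, by_pid):
            if anc.image.lower() == target.lower():
                hits.append({"cmd_pid": e.pid, "deleter_of": anc.pid, "deleted": target})
                break
    return hits


def autorun_target(data: str) -> str:
    """Extract the executable path from Run-key data ('"C:\\x.exe" -arg' or 'C:\\x.exe')."""
    data = data.strip().replace("\\\\", "\\")      # tolerate report-style escaped backslashes
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def find_temp_autoruns(reg_events: List[RegSetEvent], proc_events: List[ProcEvent]) -> List[dict]:
    """Flag Run/RunOnce values pointing into user-writable directories and record
    whether the writer process also launched that target, as the sample did."""
    hits = []
    for r in reg_events:
        if not RUN_KEY_RE.search(r.key):
            continue
        target = autorun_target(r.data)
        low = target.lower()
        if not any(marker in low for marker in USER_WRITABLE):
            continue
        launched = any(p.ppid == r.pid and p.image.lower() == low for p in proc_events)
        hits.append({"writer_pid": r.pid, "value": r.value, "target": target,
                     "wow6432node": "\\wow6432node\\" in r.key.lower(),
                     "launched_by_writer": launched})
    return hits


def triage(proc_events=PROC_EVENTS, reg_events=REG_EVENTS) -> dict:
    return {"self_delete": find_self_delete(proc_events),
            "temp_autoruns": find_temp_autoruns(reg_events, proc_events)}


if __name__ == "__main__":
    for kind, found in triage().items():
        for hit in found:
            print(kind, hit)
```

Requiring the deleted path to match an ancestor image, rather than alerting on every "ping & del", keeps installer cleanup scripts from firing the rule; the autorun check likewise only escalates when the writer itself executed the target, which is the exact parent/child relationship the report shows between PID 1364 and PID 1428.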
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: f5902b14e50c50d89a1afe7e26bfa9a5
  SHA1: 787bb16cf9a9499891006023195cc1c6c666d054
  SHA256: ac2b47ebbef74c6d711bb01990ef6f0dc1d4b523b64788da1cdbb30969ed4cdf
  SHA512: 4b3f3727a182d57b89f54f92598410b3e5e47d6dfd524b9c1cc41b45b49cc1f269a552adc3df6a4d71f48088d2ef2401d8ccc8fe6ba2c78385aca244d39d26c5