Analysis
- max time kernel: 158s
- max time network: 166s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 06:06
Static task: static1
Behavioral task: behavioral1
- Sample: 10df52f6e02ee88b2ffb36bc501b7f062e904ebea190d66143ebf0d35c0ea449.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 10df52f6e02ee88b2ffb36bc501b7f062e904ebea190d66143ebf0d35c0ea449.exe
- Resource: win10v2004-en-20220113
General
- Target: 10df52f6e02ee88b2ffb36bc501b7f062e904ebea190d66143ebf0d35c0ea449.exe
- Size: 192KB
- MD5: 11a173a32cf17a8e9a56a653401f18ce
- SHA1: 50578ae584965e0fad3acaf8b26932846f622156
- SHA256: 10df52f6e02ee88b2ffb36bc501b7f062e904ebea190d66143ebf0d35c0ea449
- SHA512: ed0a73650ea5e37e1a5a34f92fc4e8931dc4c338ab8c5518492b6f89a71f443d1fc4c69a0e3b7c7866d4c19873c4a1d87ebdba8c8ef8bdae0c6cdcbd9eff08c6
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
- Executes dropped EXE (1 IoC)
  pid 4892: MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation, by 10df52f6e02ee88b2ffb36bc501b7f062e904ebea190d66143ebf0d35c0ea449.exe
  The Nation value holds the current user's GeoID (a numeric country identifier); a read of this single value by a program with no other locale handling is a common way for malware to decide whether to run in a given region.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe", by 10df52f6e02ee88b2ffb36bc501b7f062e904ebea190d66143ebf0d35c0ea449.exe
  The WOW6432Node path shows the sample is a 32-bit process writing HKLM\...\CurrentVersion\Run through the registry redirector (cmd.exe and PING.EXE later resolve to SysWOW64 for the same reason). The persisted copy lives under the user's Temp directory, which no legitimately installed autorun entry should point to.
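The check a triage script would run over registry "Set value" events like the one above, as an added example (not code from Triage or from the sample): it matches the autorun keys whether or not they sit under WOW6432Node, pulls the executable path out of the value data, and flags entries whose target lives in a user-writable directory. The event records and their field names are constructed from this report and are an assumption, not the sandbox's export format; the benign entries are likewise constructed.

```python
"""Flag autorun registry writes whose target lives in a user-writable directory.

Added example, not Triage's own code.  RegSetEvent and its field names are an
assumption; the first event is taken from this report, the others are constructed.
"""
import re
from dataclasses import dataclass

# Autorun keys, matched below either hive, with or without WOW6432Node redirection.
AUTORUN_KEY_RE = re.compile(
    r"\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\"
    r"(Run|RunOnce|RunServices|RunServicesOnce)$",
    re.IGNORECASE,
)

# Directories a standard user can write to; an autorun pointing here is suspect.
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\(?:Local\\Temp|Local|Roaming)|Downloads|Public)\\|^C:\\ProgramData\\",
    re.IGNORECASE,
)


@dataclass
class RegSetEvent:
    key: str       # full key path as the sandbox reports it
    name: str      # value name
    data: str      # string value data
    process: str   # image name of the writing process


def image_path_from_command(data: str) -> str:
    """Return the executable path from autorun value data.

    Handles quoted paths ("C:\\x y\\a.exe" /arg) and bare ones (C:\\a.exe /arg).
    """
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.+?\.exe)", data, re.IGNORECASE)
    return m.group(1) if m else data.split()[0]


def flag_autorun_writes(events):
    """Return one finding per autorun value whose target is in a user-writable dir."""
    findings = []
    for ev in events:
        m = AUTORUN_KEY_RE.search(ev.key)
        if not m:
            continue                      # not an autorun location
        target = image_path_from_command(ev.data)
        if not USER_WRITABLE_RE.search(target):
            continue                      # system or Program Files path: leave it
        findings.append({
            "value": f"{m.group(1)}\\{ev.name}",
            "target": target,
            "writer": ev.process,
            # A 32-bit process on x64 writing HKLM\...\Run lands under WOW6432Node.
            "wow64": "wow6432node" in ev.key.lower(),
        })
    return findings


SAMPLE_EVENTS = [
    # From this report (the report displays the backslashes escaped).
    RegSetEvent(
        key=r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
        name="MicroMedia",
        data=r'"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"',
        process="10df52f6e02ee88b2ffb36bc501b7f062e904ebea190d66143ebf0d35c0ea449.exe",
    ),
    # Constructed benign entry: a Windows component under the system directory.
    RegSetEvent(
        key=r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
        name="SecurityHealth",
        data=r"C:\Windows\system32\SecurityHealthSystray.exe",
        process="explorer.exe",
    ),
    # Constructed: a Temp path written somewhere that is not an autorun key.
    RegSetEvent(
        key=r"\REGISTRY\USER\S-1-5-21-1\Software\Example",
        name="Path",
        data=r"C:\Users\Admin\AppData\Local\Temp\example.exe",
        process="example.exe",
    ),
]

if __name__ == "__main__":
    for f in flag_autorun_writes(SAMPLE_EVENTS):
        print(f)
```

Run against the three records only the report's MicroMedia entry is returned, with wow64 set; the SecurityHealth entry is an autorun write but points into System32, and the third is a Temp path that is not an autorun location.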
- Drops file in Windows directory (8 IoCs)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
  File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  File opened for modification: C:\Windows\WindowsUpdate.log (svchost.exe)
  All eight come from the Windows Update service host (svchost.exe -k netsvcs -p -s wuauserv) and the servicing worker TiWorker.exe, which appear as separate top-level processes in the tree below rather than as descendants of the sample. Treat them as background activity of the analysis VM, not as sample behaviour.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  The report attaches no IoC and no process to this signature, so the ransomware wording should not be read as evidence on its own.
- Runs ping.exe (1 TTP, 1 IoC)
  PING.EXE (PID 5108) in the process tree below, launched by cmd.exe as a delay before it deletes the original sample file.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  svchost.exe (PID 1104): SeShutdownPrivilege and SeCreatePagefilePrivilege, three times each
  10df52f6e02ee88b2ffb36bc501b7f062e904ebea190d66143ebf0d35c0ea449.exe (PID 3228): SeIncBasePriorityPrivilege, once
  TiWorker.exe (PID 4088): SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, enabled repeatedly (all remaining entries)
  Only the single SeIncBasePriorityPrivilege adjustment belongs to the sample; the svchost.exe and TiWorker.exe entries are Windows Update and servicing-stack activity.
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 3228 (10df52f6e02ee88b2ffb36bc501b7f062e904ebea190d66143ebf0d35c0ea449.exe) wrote to memory of PID 4892 (MediaCenter.exe), 3 times
  PID 3228 (10df52f6e02ee88b2ffb36bc501b7f062e904ebea190d66143ebf0d35c0ea449.exe) wrote to memory of PID 4112 (cmd.exe), 3 times
  PID 4112 (cmd.exe) wrote to memory of PID 5108 (PING.EXE), 3 times
  In every case the target is a child the writer has just created (see the process tree), which is what ordinary process start-up looks like under this heuristic; the report shows no write into a pre-existing or unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\10df52f6e02ee88b2ffb36bc501b7f062e904ebea190d66143ebf0d35c0ea449.exe (PID 3228, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\10df52f6e02ee88b2ffb36bc501b7f062e904ebea190d66143ebf0d35c0ea449.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 4892, level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 4112, level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\10df52f6e02ee88b2ffb36bc501b7f062e904ebea190d66143ebf0d35c0ea449.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 5108, level 3)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 1104, level 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 4088, level 1)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
The sample's own chain is the first tree: it drops MicroMedia\MediaCenter.exe (the file the family_sakula rule hits), starts it, then spawns cmd.exe, which uses a local ping as a short delay and deletes the original executable once the parent has exited. cmd.exe was invoked as System32\cmd.exe but runs from SysWOW64 because the file-system redirector applies to the 32-bit parent. The svchost.exe and TiWorker.exe trees are unrelated Windows Update activity.
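The self-deletion chain in the tree above (parent spawns cmd.exe, cmd.exe waits on ping and then deletes the parent's own image) is a pattern worth detecting from process-creation events rather than from the malware family. The following is an added example, not code from Triage or from the sample: it walks constructed events modelled on this report's tree, extracts the `del` target from each cmd.exe command line, and reports a finding only when that target is the parent's image path. It goes slightly beyond this report by also recognising `timeout` and `choice` as the delay primitive and `erase` as the delete verb. Parent PIDs not shown in the report (1234, 900), the explorer.exe and benign cmd.exe records, and the ProcEvent field names are assumptions.

```python
"""Detect 'cmd /c ping ... & del <parent's own image>' self-deletion chains.

Added example, not Triage's own code.  Events are constructed from this report's
process tree; PIDs 1234 and 900, the explorer.exe record and the benign cmd.exe
record are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\10df52f6e02ee88b2ffb36bc501b7f062e904ebea190d66143ebf0d35c0ea449.exe")

# Delay primitives commonly used to wait until the parent has exited.
DELAY_RE = re.compile(r"\b(ping|timeout|choice)\b", re.IGNORECASE)
# 'del' or 'erase', optional single-letter switches, then a quoted or bare path
# running up to the next '&' or the end of the line.
DEL_RE = re.compile(r'\b(?:del|erase)\b(?:\s+/[a-z])*\s+"?([^"&]+?)"?\s*(?:&|$)',
                    re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str


def norm(path: str) -> str:
    """Case-insensitive, normalised form for comparing Windows paths."""
    return ntpath.normpath(path.strip()).lower()


def find_self_delete_chains(events):
    """Return one finding per cmd.exe whose 'del' target is its parent's image."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    findings = []
    for e in events:
        if ntpath.basename(e.image).lower() != "cmd.exe":
            continue
        m = DEL_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if not m or parent is None:
            continue                          # no delete, or parent unknown
        target = m.group(1).strip()
        if norm(target) != norm(parent.image):
            continue                          # deletes something else: not self-deletion
        delay = DELAY_RE.search(e.cmdline)
        delay_name = delay.group(1).lower() if delay else None
        findings.append({
            "parent_pid": parent.pid,
            "cmd_pid": e.pid,
            "deleted": target,
            "delay": delay_name,
            # True when the delay tool actually spawned under cmd.exe (PING.EXE here).
            "delay_child_seen": bool(delay_name) and any(
                ntpath.basename(c.image).lower().startswith(delay_name)
                for c in children.get(e.pid, [])
            ),
        })
    return findings


TREE = [
    ProcEvent(1234, 1, r"C:\Windows\explorer.exe", "explorer.exe"),        # constructed
    ProcEvent(3228, 1234, SAMPLE, f'"{SAMPLE}"'),                          # from report
    ProcEvent(4892, 3228, r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
              r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"),
    ProcEvent(4112, 3228, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcEvent(5108, 4112, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    # Constructed benign: an operator deleting a log file through cmd.exe.
    ProcEvent(900, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(6000, 900, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c del /q "C:\Temp\old.log"'),
]

if __name__ == "__main__":
    for f in find_self_delete_chains(TREE):
        print(f)
```

The benign cmd.exe record is ignored because its `del` target is not the image of its parent; the report's chain is returned with `delay_child_seen` set, since PING.EXE (PID 5108) is a child of the cmd.exe that issued the delete. Keying on the parent's image path rather than on the string `ping` is what keeps the rule from firing on ordinary scripted clean-ups.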
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 550fff0261fbfb505428c70909044993
  SHA1: e89f29770efcaa2c1fe5e1e1da677b4df621b0e6
  SHA256: f3d3da630f6c8ec20f662504a22c7900d6bfc78d17ac2dd23e8d8af285764fc4
  SHA512: b5bd24ec63980081483ff6dd92d873d53adc7c915b9499f5063cb34d8799846e2988f7ae7e70913362cee5060ff38862705eeae33ed515b411148f00dae143c5