Analysis
-
max time kernel
133s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 06:06
Static task
static1
Behavioral task
behavioral1
Sample
10de8620de63869a7c494a529289bce52d09057ef8ee475adf78b0c6a559de6b.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
10de8620de63869a7c494a529289bce52d09057ef8ee475adf78b0c6a559de6b.exe
Resource
win10v2004-en-20220113
General
-
Target
10de8620de63869a7c494a529289bce52d09057ef8ee475adf78b0c6a559de6b.exe
-
Size
99KB
-
MD5
096cbd7e6acf92f26803dea91a4b0101
-
SHA1
ff86efc2cc892759276f89d8b160828827d40741
-
SHA256
10de8620de63869a7c494a529289bce52d09057ef8ee475adf78b0c6a559de6b
-
SHA512
757ec8a42b3d2cd41acc6174b73190bfae73555816e502112daf061f9b3ff197a8163145a8870f740f33b6064caabec1243d0b122bae781c5989b09d5ca27692
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 4296 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
10de8620de63869a7c494a529289bce52d09057ef8ee475adf78b0c6a559de6b.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 10de8620de63869a7c494a529289bce52d09057ef8ee475adf78b0c6a559de6b.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
10de8620de63869a7c494a529289bce52d09057ef8ee475adf78b0c6a559de6b.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 10de8620de63869a7c494a529289bce52d09057ef8ee475adf78b0c6a559de6b.exe -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
10de8620de63869a7c494a529289bce52d09057ef8ee475adf78b0c6a559de6b.exesvchost.exeTiWorker.exedescription pid process Token: SeIncBasePriorityPrivilege 1876 10de8620de63869a7c494a529289bce52d09057ef8ee475adf78b0c6a559de6b.exe Token: SeShutdownPrivilege 3164 svchost.exe Token: SeCreatePagefilePrivilege 3164 svchost.exe Token: SeShutdownPrivilege 3164 svchost.exe Token: SeCreatePagefilePrivilege 3164 svchost.exe Token: SeShutdownPrivilege 3164 svchost.exe Token: SeCreatePagefilePrivilege 3164 svchost.exe Token: SeSecurityPrivilege 1712 TiWorker.exe Token: SeRestorePrivilege 1712 TiWorker.exe Token: SeBackupPrivilege 1712 TiWorker.exe Token: SeBackupPrivilege 1712 TiWorker.exe Token: SeRestorePrivilege 1712 TiWorker.exe Token: SeSecurityPrivilege 1712 TiWorker.exe Token: SeBackupPrivilege 1712 TiWorker.exe Token: SeRestorePrivilege 1712 TiWorker.exe Token: SeSecurityPrivilege 1712 TiWorker.exe Token: SeBackupPrivilege 1712 TiWorker.exe Token: SeRestorePrivilege 1712 TiWorker.exe Token: SeSecurityPrivilege 1712 TiWorker.exe Token: SeBackupPrivilege 1712 TiWorker.exe Token: SeRestorePrivilege 1712 TiWorker.exe Token: SeSecurityPrivilege 1712 TiWorker.exe Token: SeBackupPrivilege 1712 TiWorker.exe Token: SeRestorePrivilege 1712 TiWorker.exe Token: SeSecurityPrivilege 1712 TiWorker.exe Token: SeBackupPrivilege 1712 TiWorker.exe Token: SeRestorePrivilege 1712 TiWorker.exe Token: SeSecurityPrivilege 1712 TiWorker.exe Token: SeBackupPrivilege 1712 TiWorker.exe Token: SeRestorePrivilege 1712 TiWorker.exe Token: SeSecurityPrivilege 1712 TiWorker.exe Token: SeBackupPrivilege 1712 TiWorker.exe Token: SeRestorePrivilege 1712 TiWorker.exe Token: SeSecurityPrivilege 1712 TiWorker.exe Token: SeBackupPrivilege 1712 TiWorker.exe Token: SeRestorePrivilege 1712 TiWorker.exe Token: SeSecurityPrivilege 1712 TiWorker.exe Token: SeBackupPrivilege 1712 TiWorker.exe Token: SeRestorePrivilege 1712 TiWorker.exe Token: SeSecurityPrivilege 1712 TiWorker.exe Token: SeBackupPrivilege 1712 TiWorker.exe Token: SeRestorePrivilege 1712 TiWorker.exe Token: SeSecurityPrivilege 1712 TiWorker.exe Token: SeBackupPrivilege 1712 TiWorker.exe Token: SeRestorePrivilege 1712 TiWorker.exe Token: SeSecurityPrivilege 1712 TiWorker.exe Token: SeBackupPrivilege 1712 TiWorker.exe Token: SeRestorePrivilege 1712 TiWorker.exe Token: SeSecurityPrivilege 1712 TiWorker.exe Token: SeBackupPrivilege 1712 TiWorker.exe Token: SeRestorePrivilege 1712 TiWorker.exe Token: SeSecurityPrivilege 1712 TiWorker.exe Token: SeBackupPrivilege 1712 TiWorker.exe Token: SeRestorePrivilege 1712 TiWorker.exe Token: SeSecurityPrivilege 1712 TiWorker.exe Token: SeBackupPrivilege 1712 TiWorker.exe Token: SeRestorePrivilege 1712 TiWorker.exe Token: SeSecurityPrivilege 1712 TiWorker.exe Token: SeBackupPrivilege 1712 TiWorker.exe Token: SeRestorePrivilege 1712 TiWorker.exe Token: SeSecurityPrivilege 1712 TiWorker.exe Token: SeBackupPrivilege 1712 TiWorker.exe Token: SeRestorePrivilege 1712 TiWorker.exe Token: SeSecurityPrivilege 1712 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
10de8620de63869a7c494a529289bce52d09057ef8ee475adf78b0c6a559de6b.execmd.exedescription pid process target process PID 1876 wrote to memory of 4296 1876 10de8620de63869a7c494a529289bce52d09057ef8ee475adf78b0c6a559de6b.exe MediaCenter.exe PID 1876 wrote to memory of 4296 1876 10de8620de63869a7c494a529289bce52d09057ef8ee475adf78b0c6a559de6b.exe MediaCenter.exe PID 1876 wrote to memory of 4296 1876 10de8620de63869a7c494a529289bce52d09057ef8ee475adf78b0c6a559de6b.exe MediaCenter.exe PID 1876 wrote to memory of 4696 1876 10de8620de63869a7c494a529289bce52d09057ef8ee475adf78b0c6a559de6b.exe cmd.exe PID 1876 wrote to memory of 4696 1876 10de8620de63869a7c494a529289bce52d09057ef8ee475adf78b0c6a559de6b.exe cmd.exe PID 1876 wrote to memory of 4696 1876 10de8620de63869a7c494a529289bce52d09057ef8ee475adf78b0c6a559de6b.exe cmd.exe PID 4696 wrote to memory of 4444 4696 cmd.exe PING.EXE PID 4696 wrote to memory of 4444 4696 cmd.exe PING.EXE PID 4696 wrote to memory of 4444 4696 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\10de8620de63869a7c494a529289bce52d09057ef8ee475adf78b0c6a559de6b.exe"C:\Users\Admin\AppData\Local\Temp\10de8620de63869a7c494a529289bce52d09057ef8ee475adf78b0c6a559de6b.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:4296 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\10de8620de63869a7c494a529289bce52d09057ef8ee475adf78b0c6a559de6b.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4696 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:4444
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3164
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1712
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
00d5aa375cd85132b482873ca5e4d56c
SHA1d2e92eecba89a7ab8b8f8ad9dcbbde0b053d981b
SHA2567a2eb478a77ec98bb6b39718ff8874b10b06b86699ea7a9f09a1e0587b1e419f
SHA512e8b32f586ee574b8b72ba72ec7599ecde98e4d930412a368c090cca2e4273dc5eca23458a96399fbeb7589f5d123fbba27266c8a9a9bf045f5933623d829dbf9
-
MD5
00d5aa375cd85132b482873ca5e4d56c
SHA1d2e92eecba89a7ab8b8f8ad9dcbbde0b053d981b
SHA2567a2eb478a77ec98bb6b39718ff8874b10b06b86699ea7a9f09a1e0587b1e419f
SHA512e8b32f586ee574b8b72ba72ec7599ecde98e4d930412a368c090cca2e4273dc5eca23458a96399fbeb7589f5d123fbba27266c8a9a9bf045f5933623d829dbf9