Analysis
- max time kernel: 144s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 06:12

Static task: static1

Behavioral task: behavioral1
- Sample: 109c8fbe674b08ed757a57149a55b4947cd39508a03721ea00de2a283d9c782f.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 109c8fbe674b08ed757a57149a55b4947cd39508a03721ea00de2a283d9c782f.exe
- Resource: win10v2004-en-20220113
General
- Target: 109c8fbe674b08ed757a57149a55b4947cd39508a03721ea00de2a283d9c782f.exe
- Size: 101KB
- MD5: 2d8686cfe567e499c17df6ef78081a2a
- SHA1: 86e2799624a3d35e22da63c2336d4cd2a074cc7e
- SHA256: 109c8fbe674b08ed757a57149a55b4947cd39508a03721ea00de2a283d9c782f
- SHA512: aefea4e0caf62283dfd828af5ea52dc0ad662836ff737b2e9604a0267b2d78cc55e91d5e1798834c2987e35beb267d0167583a14a825593498ed1bb582d408ad
Malware Config
Signatures

- Sakula Payload (2 IoCs)
  Processes (resource | yara_rule):
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    3348 | MediaCenter.exe

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 109c8fbe674b08ed757a57149a55b4947cd39508a03721ea00de2a283d9c782f.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 109c8fbe674b08ed757a57149a55b4947cd39508a03721ea00de2a283d9c782f.exe

- Drops file in Windows directory (8 IoCs)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
    File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
    File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Runs ping.exe (1 TTP, 1 IoC)

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description | pid | process):
svchost.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 860 svchost.exe Token: SeCreatePagefilePrivilege 860 svchost.exe Token: SeShutdownPrivilege 860 svchost.exe Token: SeCreatePagefilePrivilege 860 svchost.exe Token: SeShutdownPrivilege 860 svchost.exe Token: SeCreatePagefilePrivilege 860 svchost.exe Token: SeSecurityPrivilege 4180 TiWorker.exe Token: SeRestorePrivilege 4180 TiWorker.exe Token: SeBackupPrivilege 4180 TiWorker.exe Token: SeBackupPrivilege 4180 TiWorker.exe Token: SeRestorePrivilege 4180 TiWorker.exe Token: SeSecurityPrivilege 4180 TiWorker.exe Token: SeBackupPrivilege 4180 TiWorker.exe Token: SeRestorePrivilege 4180 TiWorker.exe Token: SeSecurityPrivilege 4180 TiWorker.exe Token: SeBackupPrivilege 4180 TiWorker.exe Token: SeRestorePrivilege 4180 TiWorker.exe Token: SeSecurityPrivilege 4180 TiWorker.exe Token: SeBackupPrivilege 4180 TiWorker.exe Token: SeRestorePrivilege 4180 TiWorker.exe Token: SeSecurityPrivilege 4180 TiWorker.exe Token: SeBackupPrivilege 4180 TiWorker.exe Token: SeRestorePrivilege 4180 TiWorker.exe Token: SeSecurityPrivilege 4180 TiWorker.exe Token: SeBackupPrivilege 4180 TiWorker.exe Token: SeRestorePrivilege 4180 TiWorker.exe Token: SeSecurityPrivilege 4180 TiWorker.exe Token: SeBackupPrivilege 4180 TiWorker.exe Token: SeRestorePrivilege 4180 TiWorker.exe Token: SeSecurityPrivilege 4180 TiWorker.exe Token: SeBackupPrivilege 4180 TiWorker.exe Token: SeRestorePrivilege 4180 TiWorker.exe Token: SeSecurityPrivilege 4180 TiWorker.exe Token: SeBackupPrivilege 4180 TiWorker.exe Token: SeRestorePrivilege 4180 TiWorker.exe Token: SeSecurityPrivilege 4180 TiWorker.exe Token: SeBackupPrivilege 4180 TiWorker.exe Token: SeRestorePrivilege 4180 TiWorker.exe Token: SeSecurityPrivilege 4180 TiWorker.exe Token: SeBackupPrivilege 4180 TiWorker.exe Token: SeRestorePrivilege 4180 TiWorker.exe Token: SeSecurityPrivilege 4180 TiWorker.exe Token: SeBackupPrivilege 4180 TiWorker.exe Token: SeRestorePrivilege 4180 TiWorker.exe 
Token: SeSecurityPrivilege 4180 TiWorker.exe Token: SeBackupPrivilege 4180 TiWorker.exe Token: SeRestorePrivilege 4180 TiWorker.exe Token: SeSecurityPrivilege 4180 TiWorker.exe Token: SeBackupPrivilege 4180 TiWorker.exe Token: SeRestorePrivilege 4180 TiWorker.exe Token: SeSecurityPrivilege 4180 TiWorker.exe Token: SeBackupPrivilege 4180 TiWorker.exe Token: SeRestorePrivilege 4180 TiWorker.exe Token: SeSecurityPrivilege 4180 TiWorker.exe Token: SeBackupPrivilege 4180 TiWorker.exe Token: SeRestorePrivilege 4180 TiWorker.exe Token: SeSecurityPrivilege 4180 TiWorker.exe Token: SeBackupPrivilege 4180 TiWorker.exe Token: SeRestorePrivilege 4180 TiWorker.exe Token: SeSecurityPrivilege 4180 TiWorker.exe Token: SeBackupPrivilege 4180 TiWorker.exe Token: SeRestorePrivilege 4180 TiWorker.exe Token: SeSecurityPrivilege 4180 TiWorker.exe Token: SeBackupPrivilege 4180 TiWorker.exe -
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
    PID 3396 wrote to memory of 3348 | 3396 | 109c8fbe674b08ed757a57149a55b4947cd39508a03721ea00de2a283d9c782f.exe | MediaCenter.exe
    PID 3396 wrote to memory of 3348 | 3396 | 109c8fbe674b08ed757a57149a55b4947cd39508a03721ea00de2a283d9c782f.exe | MediaCenter.exe
    PID 3396 wrote to memory of 3348 | 3396 | 109c8fbe674b08ed757a57149a55b4947cd39508a03721ea00de2a283d9c782f.exe | MediaCenter.exe
    PID 3396 wrote to memory of 4752 | 3396 | 109c8fbe674b08ed757a57149a55b4947cd39508a03721ea00de2a283d9c782f.exe | cmd.exe
    PID 3396 wrote to memory of 4752 | 3396 | 109c8fbe674b08ed757a57149a55b4947cd39508a03721ea00de2a283d9c782f.exe | cmd.exe
    PID 3396 wrote to memory of 4752 | 3396 | 109c8fbe674b08ed757a57149a55b4947cd39508a03721ea00de2a283d9c782f.exe | cmd.exe
    PID 4752 wrote to memory of 4808 | 4752 | cmd.exe | PING.EXE
    PID 4752 wrote to memory of 4808 | 4752 | cmd.exe | PING.EXE
    PID 4752 wrote to memory of 4808 | 4752 | cmd.exe | PING.EXE
Processes

- C:\Users\Admin\AppData\Local\Temp\109c8fbe674b08ed757a57149a55b4947cd39508a03721ea00de2a283d9c782f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\109c8fbe674b08ed757a57149a55b4947cd39508a03721ea00de2a283d9c782f.exe"
  PID: 3396
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 3348
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\109c8fbe674b08ed757a57149a55b4947cd39508a03721ea00de2a283d9c782f.exe"
    PID: 4752
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 4808
      - Runs ping.exe

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 860
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 4180
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: f0fb6f2bbbed809f0182edef15efb17b
- SHA1: c7e8c13db45fd8d9059034344044fb127438f628
- SHA256: 36355f56226f30f7c0a02dbacd11f05d1281fe4a2dd7e11f09bf1f4272024c06
- SHA512: 4c79a074d5c83ce486a7219ddaa15bb94da026cc37eeda45e4c9c117271ea382b8a639fd25fe67d5a82ae2fc96dc4c254ad19d3e2f555c8f5c1fb2583794d415