Analysis
max time kernel: 154s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 06:15
Static task: static1
Behavioral task: behavioral1
  Sample: 107cf7da2b1ded6f1d83856a048ec21718062b7e11d58e508a376aab6be2caed.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 107cf7da2b1ded6f1d83856a048ec21718062b7e11d58e508a376aab6be2caed.exe
  Resource: win10v2004-en-20220113
General
Target: 107cf7da2b1ded6f1d83856a048ec21718062b7e11d58e508a376aab6be2caed.exe
Size: 100KB
MD5: 83220c0cee35496c83893a9ff99eadfc
SHA1: c7888a1c62ca973566f14c76c25c7d508d7a5b58
SHA256: 107cf7da2b1ded6f1d83856a048ec21718062b7e11d58e508a376aab6be2caed
SHA512: ee16ab75439c0bcdbeaa885a63c45ba1f2cb0b76f7cdaf430c2ffb407111789c4c4050cb895c5769239a072e0c957b5057f72467e20e5ebe7bc5a835fb985456
Malware Config
Signatures
Sakula Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE 1 IoCs
Processes: MediaCenter.exe
pid | process
3996 | MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 107cf7da2b1ded6f1d83856a048ec21718062b7e11d58e508a376aab6be2caed.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 107cf7da2b1ded6f1d83856a048ec21718062b7e11d58e508a376aab6be2caed.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 107cf7da2b1ded6f1d83856a048ec21718062b7e11d58e508a376aab6be2caed.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 107cf7da2b1ded6f1d83856a048ec21718062b7e11d58e508a376aab6be2caed.exe
Drops file in Windows directory 8 IoCs
Processes: svchost.exe, TiWorker.exe
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: 107cf7da2b1ded6f1d83856a048ec21718062b7e11d58e508a376aab6be2caed.exe, svchost.exe, TiWorker.exe
description | pid | process
Token: SeIncBasePriorityPrivilege | 3640 | 107cf7da2b1ded6f1d83856a048ec21718062b7e11d58e508a376aab6be2caed.exe
Token: SeShutdownPrivilege | 2028 | svchost.exe
Token: SeCreatePagefilePrivilege | 2028 | svchost.exe
Token: SeSecurityPrivilege | 516 | TiWorker.exe
Token: SeRestorePrivilege | 516 | TiWorker.exe
Token: SeBackupPrivilege | 516 | TiWorker.exe
The remaining entries among the 64 recorded are repeats of the svchost.exe and TiWorker.exe rows above; only the sample itself (PID 3640) adjusts SeIncBasePriorityPrivilege.
Suspicious use of WriteProcessMemory 9 IoCs
Processes: 107cf7da2b1ded6f1d83856a048ec21718062b7e11d58e508a376aab6be2caed.exe, cmd.exe
description | pid | process | target process
PID 3640 wrote to memory of 3996 | 3640 | 107cf7da2b1ded6f1d83856a048ec21718062b7e11d58e508a376aab6be2caed.exe | MediaCenter.exe
PID 3640 wrote to memory of 3996 | 3640 | 107cf7da2b1ded6f1d83856a048ec21718062b7e11d58e508a376aab6be2caed.exe | MediaCenter.exe
PID 3640 wrote to memory of 3996 | 3640 | 107cf7da2b1ded6f1d83856a048ec21718062b7e11d58e508a376aab6be2caed.exe | MediaCenter.exe
PID 3640 wrote to memory of 2572 | 3640 | 107cf7da2b1ded6f1d83856a048ec21718062b7e11d58e508a376aab6be2caed.exe | cmd.exe
PID 3640 wrote to memory of 2572 | 3640 | 107cf7da2b1ded6f1d83856a048ec21718062b7e11d58e508a376aab6be2caed.exe | cmd.exe
PID 3640 wrote to memory of 2572 | 3640 | 107cf7da2b1ded6f1d83856a048ec21718062b7e11d58e508a376aab6be2caed.exe | cmd.exe
PID 2572 wrote to memory of 4836 | 2572 | cmd.exe | PING.EXE
PID 2572 wrote to memory of 4836 | 2572 | cmd.exe | PING.EXE
PID 2572 wrote to memory of 4836 | 2572 | cmd.exe | PING.EXE
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\107cf7da2b1ded6f1d83856a048ec21718062b7e11d58e508a376aab6be2caed.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\107cf7da2b1ded6f1d83856a048ec21718062b7e11d58e508a376aab6be2caed.exe"
  PID: 3640
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 3996
    - Executes dropped EXE
  [depth 2] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\107cf7da2b1ded6f1d83856a048ec21718062b7e11d58e508a376aab6be2caed.exe"
    PID: 2572
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      PID: 4836
      - Runs ping.exe
[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 2028
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
[depth 1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 516
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: ec95c5aebeb103c45226f763349c3bd7
SHA1: 501f714c01279c97b6782af258177751d732bd0b
SHA256: 1f06e168dcc3044f3805c6c8a4fe3eea3e0d5efc45f66c7f60facc18352f9791
SHA512: 2a792090e975a6361b6764cddea385a9012c49463814cc0b50365594879dff41c497d594fe2f3e02ccd0b88885a22632752fb18f81d195accae1362f3cd868ce