Analysis
- max time kernel: 115s
- max time network: 135s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 02:50
Static task: static1
Behavioral task: behavioral1
  Sample: 195491404eb4efbfe301716bd004a65b5f5f900a759126b01e5ba789cf51fc5b.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 195491404eb4efbfe301716bd004a65b5f5f900a759126b01e5ba789cf51fc5b.exe
  Resource: win10v2004-en-20220113
General
- Target: 195491404eb4efbfe301716bd004a65b5f5f900a759126b01e5ba789cf51fc5b.exe
- Size: 36KB
- MD5: 9cde14dc0aebafb60af5a67654cb84a8
- SHA1: 5316dfbcb178e438f869746ca8a2edd4a2491c5c
- SHA256: 195491404eb4efbfe301716bd004a65b5f5f900a759126b01e5ba789cf51fc5b
- SHA512: af88ed25d6dbea45725d7cedc422f0fc83e5ba7f2a2478b3d2408305d8858c8aa5b533817073a3e6354578c988424adbb0d9dd0e8356a24dc1f6269ab913e082
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/5000-130-0x0000000000C80000-0x0000000000C99000-memory.dmp | family_sakula
  behavioral2/memory/404-133-0x0000000000D60000-0x0000000000D79000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
  pid | process
  404 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 195491404eb4efbfe301716bd004a65b5f5f900a759126b01e5ba789cf51fc5b.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 195491404eb4efbfe301716bd004a65b5f5f900a759126b01e5ba789cf51fc5b.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 195491404eb4efbfe301716bd004a65b5f5f900a759126b01e5ba789cf51fc5b.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 195491404eb4efbfe301716bd004a65b5f5f900a759126b01e5ba789cf51fc5b.exe
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, TiWorker.exe
  description | pid | process
  Token: SeShutdownPrivilege | 1528 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1528 | svchost.exe
  Token: SeShutdownPrivilege | 1528 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1528 | svchost.exe
  Token: SeShutdownPrivilege | 1528 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1528 | svchost.exe
  Token: SeSecurityPrivilege | 2052 | TiWorker.exe
  Token: SeRestorePrivilege | 2052 | TiWorker.exe
  Token: SeBackupPrivilege | 2052 | TiWorker.exe
  Token: SeBackupPrivilege | 2052 | TiWorker.exe
  Token: SeRestorePrivilege | 2052 | TiWorker.exe
  Token: SeSecurityPrivilege | 2052 | TiWorker.exe
  Token: SeBackupPrivilege | 2052 | TiWorker.exe
  Token: SeRestorePrivilege | 2052 | TiWorker.exe
  Token: SeSecurityPrivilege | 2052 | TiWorker.exe
  Token: SeBackupPrivilege | 2052 | TiWorker.exe
  Token: SeRestorePrivilege | 2052 | TiWorker.exe
  Token: SeSecurityPrivilege | 2052 | TiWorker.exe
  Token: SeBackupPrivilege | 2052 | TiWorker.exe
  Token: SeRestorePrivilege | 2052 | TiWorker.exe
  Token: SeSecurityPrivilege | 2052 | TiWorker.exe
  Token: SeBackupPrivilege | 2052 | TiWorker.exe
  Token: SeRestorePrivilege | 2052 | TiWorker.exe
  Token: SeSecurityPrivilege | 2052 | TiWorker.exe
  Token: SeBackupPrivilege | 2052 | TiWorker.exe
  Token: SeRestorePrivilege | 2052 | TiWorker.exe
  Token: SeSecurityPrivilege | 2052 | TiWorker.exe
  Token: SeBackupPrivilege | 2052 | TiWorker.exe
  Token: SeRestorePrivilege | 2052 | TiWorker.exe
  Token: SeSecurityPrivilege | 2052 | TiWorker.exe
  Token: SeBackupPrivilege | 2052 | TiWorker.exe
  Token: SeRestorePrivilege | 2052 | TiWorker.exe
  Token: SeSecurityPrivilege | 2052 | TiWorker.exe
  Token: SeBackupPrivilege | 2052 | TiWorker.exe
  Token: SeRestorePrivilege | 2052 | TiWorker.exe
  Token: SeSecurityPrivilege | 2052 | TiWorker.exe
  Token: SeBackupPrivilege | 2052 | TiWorker.exe
  Token: SeRestorePrivilege | 2052 | TiWorker.exe
  Token: SeSecurityPrivilege | 2052 | TiWorker.exe
  Token: SeBackupPrivilege | 2052 | TiWorker.exe
  Token: SeRestorePrivilege | 2052 | TiWorker.exe
  Token: SeSecurityPrivilege | 2052 | TiWorker.exe
  Token: SeBackupPrivilege | 2052 | TiWorker.exe
  Token: SeRestorePrivilege | 2052 | TiWorker.exe
  Token: SeSecurityPrivilege | 2052 | TiWorker.exe
  Token: SeBackupPrivilege | 2052 | TiWorker.exe
  Token: SeRestorePrivilege | 2052 | TiWorker.exe
  Token: SeSecurityPrivilege | 2052 | TiWorker.exe
  Token: SeBackupPrivilege | 2052 | TiWorker.exe
  Token: SeRestorePrivilege | 2052 | TiWorker.exe
  Token: SeSecurityPrivilege | 2052 | TiWorker.exe
  Token: SeBackupPrivilege | 2052 | TiWorker.exe
  Token: SeRestorePrivilege | 2052 | TiWorker.exe
  Token: SeSecurityPrivilege | 2052 | TiWorker.exe
  Token: SeBackupPrivilege | 2052 | TiWorker.exe
  Token: SeRestorePrivilege | 2052 | TiWorker.exe
  Token: SeSecurityPrivilege | 2052 | TiWorker.exe
  Token: SeBackupPrivilege | 2052 | TiWorker.exe
  Token: SeRestorePrivilege | 2052 | TiWorker.exe
  Token: SeSecurityPrivilege | 2052 | TiWorker.exe
  Token: SeBackupPrivilege | 2052 | TiWorker.exe
  Token: SeRestorePrivilege | 2052 | TiWorker.exe
  Token: SeSecurityPrivilege | 2052 | TiWorker.exe
  Token: SeBackupPrivilege | 2052 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 195491404eb4efbfe301716bd004a65b5f5f900a759126b01e5ba789cf51fc5b.exe, cmd.exe
  description | pid | process | target process
  PID 5000 wrote to memory of 404 | 5000 | 195491404eb4efbfe301716bd004a65b5f5f900a759126b01e5ba789cf51fc5b.exe | MediaCenter.exe
  PID 5000 wrote to memory of 404 | 5000 | 195491404eb4efbfe301716bd004a65b5f5f900a759126b01e5ba789cf51fc5b.exe | MediaCenter.exe
  PID 5000 wrote to memory of 404 | 5000 | 195491404eb4efbfe301716bd004a65b5f5f900a759126b01e5ba789cf51fc5b.exe | MediaCenter.exe
  PID 5000 wrote to memory of 4976 | 5000 | 195491404eb4efbfe301716bd004a65b5f5f900a759126b01e5ba789cf51fc5b.exe | cmd.exe
  PID 5000 wrote to memory of 4976 | 5000 | 195491404eb4efbfe301716bd004a65b5f5f900a759126b01e5ba789cf51fc5b.exe | cmd.exe
  PID 5000 wrote to memory of 4976 | 5000 | 195491404eb4efbfe301716bd004a65b5f5f900a759126b01e5ba789cf51fc5b.exe | cmd.exe
  PID 4976 wrote to memory of 2164 | 4976 | cmd.exe | PING.EXE
  PID 4976 wrote to memory of 2164 | 4976 | cmd.exe | PING.EXE
  PID 4976 wrote to memory of 2164 | 4976 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\195491404eb4efbfe301716bd004a65b5f5f900a759126b01e5ba789cf51fc5b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\195491404eb4efbfe301716bd004a65b5f5f900a759126b01e5ba789cf51fc5b.exe"
  PID: 5000
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 404
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\195491404eb4efbfe301716bd004a65b5f5f900a759126b01e5ba789cf51fc5b.exe"
    PID: 4976
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 2164
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 1528
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 2052
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: ee8b0f935d4bfe55173b37abd121721b
  SHA1: 0be44c2f36d7f85330c02cb2966dbaf116bdcfaa
  SHA256: 25a693b756c41f21a1099e8657234de051837b2e8a1da42c1fab0194cf8389e9
  SHA512: c6be737c238e69f2c41e839400db3363c3d9b6eda4d1404d0a63743fdf73559706a68731a3ab90140f32bea061bc850ef4632d38d49813158f80f28c97723c2e
- MD5: ee8b0f935d4bfe55173b37abd121721b
  SHA1: 0be44c2f36d7f85330c02cb2966dbaf116bdcfaa
  SHA256: 25a693b756c41f21a1099e8657234de051837b2e8a1da42c1fab0194cf8389e9
  SHA512: c6be737c238e69f2c41e839400db3363c3d9b6eda4d1404d0a63743fdf73559706a68731a3ab90140f32bea061bc850ef4632d38d49813158f80f28c97723c2e