Analysis

Max time kernel: 141s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220113
Submitted: 12-02-2022 02:51
Static task: static1

Behavioral task: behavioral1
Sample: 1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe
Resource: win10v2004-en-20220113
General

Target: 1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe
Size: 176KB
MD5: 30eeb2c745769f3d427646c69829b026
SHA1: 45046f21b09c2b327f65a37d35c1d089701d9d30
SHA256: 1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17
SHA512: b42cb2e3e6f0c210e97ded293909c3733f65b2d0076592936c4a092328fd313e569a33e2e1a2e6c3216e731d9274589e0ca08a682d939ce57bf97829ed168795
Malware Config
Signatures
-
Sakula Payload (4 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral2/memory/4636-135-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral2/memory/3508-136-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
Executes dropped EXE (1 IoC)
Processes: MediaCenter.exe
  pid | process
  3508 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: 1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe
Drops file in Windows directory (8 IoCs)
Processes: svchost.exe, TiWorker.exe
  description | ioc | process
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: svchost.exe, 1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe, TiWorker.exe
  description | pid | process
  Token: SeShutdownPrivilege | 432 | svchost.exe
  Token: SeCreatePagefilePrivilege | 432 | svchost.exe
  Token: SeShutdownPrivilege | 432 | svchost.exe
  Token: SeCreatePagefilePrivilege | 432 | svchost.exe
  Token: SeShutdownPrivilege | 432 | svchost.exe
  Token: SeCreatePagefilePrivilege | 432 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 4636 | 1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe
  Token: SeSecurityPrivilege | 2308 | TiWorker.exe
  Token: SeRestorePrivilege | 2308 | TiWorker.exe
  Token: SeBackupPrivilege | 2308 | TiWorker.exe
  Token: SeBackupPrivilege | 2308 | TiWorker.exe
  Token: SeRestorePrivilege | 2308 | TiWorker.exe
  Token: SeSecurityPrivilege | 2308 | TiWorker.exe
  Token: SeBackupPrivilege | 2308 | TiWorker.exe
  Token: SeRestorePrivilege | 2308 | TiWorker.exe
  Token: SeSecurityPrivilege | 2308 | TiWorker.exe
  Token: SeBackupPrivilege | 2308 | TiWorker.exe
  Token: SeRestorePrivilege | 2308 | TiWorker.exe
  Token: SeSecurityPrivilege | 2308 | TiWorker.exe
  Token: SeBackupPrivilege | 2308 | TiWorker.exe
  Token: SeRestorePrivilege | 2308 | TiWorker.exe
  Token: SeSecurityPrivilege | 2308 | TiWorker.exe
  Token: SeBackupPrivilege | 2308 | TiWorker.exe
  Token: SeRestorePrivilege | 2308 | TiWorker.exe
  Token: SeSecurityPrivilege | 2308 | TiWorker.exe
  Token: SeBackupPrivilege | 2308 | TiWorker.exe
  Token: SeRestorePrivilege | 2308 | TiWorker.exe
  Token: SeSecurityPrivilege | 2308 | TiWorker.exe
  Token: SeBackupPrivilege | 2308 | TiWorker.exe
  Token: SeRestorePrivilege | 2308 | TiWorker.exe
  Token: SeSecurityPrivilege | 2308 | TiWorker.exe
  Token: SeBackupPrivilege | 2308 | TiWorker.exe
  Token: SeRestorePrivilege | 2308 | TiWorker.exe
  Token: SeSecurityPrivilege | 2308 | TiWorker.exe
  Token: SeBackupPrivilege | 2308 | TiWorker.exe
  Token: SeRestorePrivilege | 2308 | TiWorker.exe
  Token: SeSecurityPrivilege | 2308 | TiWorker.exe
  Token: SeBackupPrivilege | 2308 | TiWorker.exe
  Token: SeRestorePrivilege | 2308 | TiWorker.exe
  Token: SeSecurityPrivilege | 2308 | TiWorker.exe
  Token: SeBackupPrivilege | 2308 | TiWorker.exe
  Token: SeRestorePrivilege | 2308 | TiWorker.exe
  Token: SeSecurityPrivilege | 2308 | TiWorker.exe
  Token: SeBackupPrivilege | 2308 | TiWorker.exe
  Token: SeRestorePrivilege | 2308 | TiWorker.exe
  Token: SeSecurityPrivilege | 2308 | TiWorker.exe
  Token: SeBackupPrivilege | 2308 | TiWorker.exe
  Token: SeRestorePrivilege | 2308 | TiWorker.exe
  Token: SeSecurityPrivilege | 2308 | TiWorker.exe
  Token: SeBackupPrivilege | 2308 | TiWorker.exe
  Token: SeRestorePrivilege | 2308 | TiWorker.exe
  Token: SeSecurityPrivilege | 2308 | TiWorker.exe
  Token: SeBackupPrivilege | 2308 | TiWorker.exe
  Token: SeRestorePrivilege | 2308 | TiWorker.exe
  Token: SeSecurityPrivilege | 2308 | TiWorker.exe
  Token: SeBackupPrivilege | 2308 | TiWorker.exe
  Token: SeRestorePrivilege | 2308 | TiWorker.exe
  Token: SeSecurityPrivilege | 2308 | TiWorker.exe
  Token: SeBackupPrivilege | 2308 | TiWorker.exe
  Token: SeRestorePrivilege | 2308 | TiWorker.exe
  Token: SeSecurityPrivilege | 2308 | TiWorker.exe
  Token: SeBackupPrivilege | 2308 | TiWorker.exe
  Token: SeRestorePrivilege | 2308 | TiWorker.exe
  Token: SeSecurityPrivilege | 2308 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe, cmd.exe
  description | pid | process | target process
  PID 4636 wrote to memory of 3508 | 4636 | 1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe | MediaCenter.exe
  PID 4636 wrote to memory of 3508 | 4636 | 1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe | MediaCenter.exe
  PID 4636 wrote to memory of 3508 | 4636 | 1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe | MediaCenter.exe
  PID 4636 wrote to memory of 3712 | 4636 | 1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe | cmd.exe
  PID 4636 wrote to memory of 3712 | 4636 | 1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe | cmd.exe
  PID 4636 wrote to memory of 3712 | 4636 | 1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe | cmd.exe
  PID 3712 wrote to memory of 3604 | 3712 | cmd.exe | PING.EXE
  PID 3712 wrote to memory of 3604 | 3712 | cmd.exe | PING.EXE
  PID 3712 wrote to memory of 3604 | 3712 | cmd.exe | PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4636

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 3508

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3712

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3604

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 432

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2308
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: 69b646a8752423162449cf689f54ccfa
SHA1: 5c566c11b6a90237006336afe01fa89c0245d872
SHA256: 3067bee6da2b16674f4964e350fabe94b228c75f716a4bbc10da43662bf6e6f2
SHA512: 8e6c0f7d2fcf133af3fa306733912132627903adaf8f745e88fc2089a5f2f1075b7a43f874c32302da31dea81447b3415b8a12bb58b7aba87557604691fa2c1b