Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 02:54
Static task: static1
Behavioral task: behavioral1
- Sample: 191ae443bcefdc26a3925353540020282a5a6350ea816bdd24bf90100235ca7b.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 191ae443bcefdc26a3925353540020282a5a6350ea816bdd24bf90100235ca7b.exe
- Resource: win10v2004-en-20220113
General
- Target: 191ae443bcefdc26a3925353540020282a5a6350ea816bdd24bf90100235ca7b.exe
- Size: 216KB
- MD5: add338167c776cd07b98eb511ff2b3e5
- SHA1: 87c9c30a64ccc7d6f7aad6a8700cc35761a16c5b
- SHA256: 191ae443bcefdc26a3925353540020282a5a6350ea816bdd24bf90100235ca7b
- SHA512: f7ea3ffa22600ee1c207ad23fe70ad8bd858f7394c9ad3c7aa7779be80900b73541d6b49661f2f42a52339824b36b76121a1b7f2996da80199f4e3bed4934535
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes (resource, yara_rule):
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  - behavioral2/memory/4800-135-0x0000000000400000-0x0000000000420000-memory.dmp: family_sakula
  - behavioral2/memory/768-136-0x0000000000400000-0x0000000000420000-memory.dmp: family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  - 768 MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (191ae443bcefdc26a3925353540020282a5a6350ea816bdd24bf90100235ca7b.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (191ae443bcefdc26a3925353540020282a5a6350ea816bdd24bf90100235ca7b.exe)
- Drops file in Windows directory (8 IoCs)
  Processes (description, ioc, process):
  - File opened for modification: C:\Windows\WindowsUpdate.log (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
  - File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  - File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description, pid, process); repeated token adjustments are collapsed:
  - Token: SeShutdownPrivilege, SeCreatePagefilePrivilege (alternating, three times each) 4760 svchost.exe
  - Token: SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege (cycling repeatedly for the remaining entries) 4256 TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
  - PID 4800 wrote to memory of 768: 191ae443bcefdc26a3925353540020282a5a6350ea816bdd24bf90100235ca7b.exe -> MediaCenter.exe (3 entries)
  - PID 4800 wrote to memory of 3712: 191ae443bcefdc26a3925353540020282a5a6350ea816bdd24bf90100235ca7b.exe -> cmd.exe (3 entries)
  - PID 3712 wrote to memory of 1912: cmd.exe -> PING.EXE (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\191ae443bcefdc26a3925353540020282a5a6350ea816bdd24bf90100235ca7b.exe (PID 4800)
  Command line: "C:\Users\Admin\AppData\Local\Temp\191ae443bcefdc26a3925353540020282a5a6350ea816bdd24bf90100235ca7b.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 768)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 3712)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\191ae443bcefdc26a3925353540020282a5a6350ea816bdd24bf90100235ca7b.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1912)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 4760)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 4256)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 82008e65d4a4655008e834873b8028ef
- SHA1: 41740b927b801a3c4a3a00a1371bbfbb9828ef56
- SHA256: faebb31ee4780785bd150ebff5896c74b4390f427665588f93f1eb1ab92fed0f
- SHA512: 2a1300da4a85289d025dca8ff4f1e69c77a455dd4412bdc88415c2dd3cafb34939a6189aba88d0c85460e8400936da80342d0c709e46082f3cc58bee1bb1e982