Analysis
max time kernel: 152s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 03:22
Static task: static1
Behavioral task: behavioral1
  Sample: 17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe
  Resource: win10v2004-en-20220113
General
Target: 17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe
Size: 176KB
MD5: b323d55ae29fbdebdb56faf23b965faa
SHA1: 3a7aa445d3d457ce009aeed5d3818b43ee554f51
SHA256: 17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d
SHA512: f8cc514b7e27687ecc98cfceb884d42ff83826f0a15d520b57a979a63ceee4af4cb0872755bd43452564cffd402afe4e41345e94bed062b7d835a7487093a076
Malware Config
Signatures

Sakula Payload (4 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral2/memory/2588-135-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral2/memory/2808-136-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
Executes dropped EXE (1 IoC)
  pid | process
  2808 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe
Drops file in Windows directory (8 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: svchost.exe, 17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe, TiWorker.exe
  description | pid | process
  Token: SeShutdownPrivilege | 1836 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1836 | svchost.exe
  Token: SeShutdownPrivilege | 1836 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1836 | svchost.exe
  Token: SeShutdownPrivilege | 1836 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1836 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 2588 | 17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe
  Token: SeSecurityPrivilege | 3120 | TiWorker.exe
  Token: SeRestorePrivilege | 3120 | TiWorker.exe
  Token: SeBackupPrivilege | 3120 | TiWorker.exe
  Token: SeBackupPrivilege | 3120 | TiWorker.exe
  Token: SeRestorePrivilege | 3120 | TiWorker.exe
  Token: SeSecurityPrivilege | 3120 | TiWorker.exe
  Token: SeBackupPrivilege | 3120 | TiWorker.exe
  Token: SeRestorePrivilege | 3120 | TiWorker.exe
  Token: SeSecurityPrivilege | 3120 | TiWorker.exe
  Token: SeBackupPrivilege | 3120 | TiWorker.exe
  Token: SeRestorePrivilege | 3120 | TiWorker.exe
  Token: SeSecurityPrivilege | 3120 | TiWorker.exe
  Token: SeBackupPrivilege | 3120 | TiWorker.exe
  Token: SeRestorePrivilege | 3120 | TiWorker.exe
  Token: SeSecurityPrivilege | 3120 | TiWorker.exe
  Token: SeBackupPrivilege | 3120 | TiWorker.exe
  Token: SeRestorePrivilege | 3120 | TiWorker.exe
  Token: SeSecurityPrivilege | 3120 | TiWorker.exe
  Token: SeBackupPrivilege | 3120 | TiWorker.exe
  Token: SeRestorePrivilege | 3120 | TiWorker.exe
  Token: SeSecurityPrivilege | 3120 | TiWorker.exe
  Token: SeBackupPrivilege | 3120 | TiWorker.exe
  Token: SeRestorePrivilege | 3120 | TiWorker.exe
  Token: SeSecurityPrivilege | 3120 | TiWorker.exe
  Token: SeBackupPrivilege | 3120 | TiWorker.exe
  Token: SeRestorePrivilege | 3120 | TiWorker.exe
  Token: SeSecurityPrivilege | 3120 | TiWorker.exe
  Token: SeBackupPrivilege | 3120 | TiWorker.exe
  Token: SeRestorePrivilege | 3120 | TiWorker.exe
  Token: SeSecurityPrivilege | 3120 | TiWorker.exe
  Token: SeBackupPrivilege | 3120 | TiWorker.exe
  Token: SeRestorePrivilege | 3120 | TiWorker.exe
  Token: SeSecurityPrivilege | 3120 | TiWorker.exe
  Token: SeBackupPrivilege | 3120 | TiWorker.exe
  Token: SeRestorePrivilege | 3120 | TiWorker.exe
  Token: SeSecurityPrivilege | 3120 | TiWorker.exe
  Token: SeBackupPrivilege | 3120 | TiWorker.exe
  Token: SeRestorePrivilege | 3120 | TiWorker.exe
  Token: SeSecurityPrivilege | 3120 | TiWorker.exe
  Token: SeBackupPrivilege | 3120 | TiWorker.exe
  Token: SeRestorePrivilege | 3120 | TiWorker.exe
  Token: SeSecurityPrivilege | 3120 | TiWorker.exe
  Token: SeBackupPrivilege | 3120 | TiWorker.exe
  Token: SeRestorePrivilege | 3120 | TiWorker.exe
  Token: SeSecurityPrivilege | 3120 | TiWorker.exe
  Token: SeBackupPrivilege | 3120 | TiWorker.exe
  Token: SeRestorePrivilege | 3120 | TiWorker.exe
  Token: SeSecurityPrivilege | 3120 | TiWorker.exe
  Token: SeBackupPrivilege | 3120 | TiWorker.exe
  Token: SeRestorePrivilege | 3120 | TiWorker.exe
  Token: SeSecurityPrivilege | 3120 | TiWorker.exe
  Token: SeBackupPrivilege | 3120 | TiWorker.exe
  Token: SeRestorePrivilege | 3120 | TiWorker.exe
  Token: SeSecurityPrivilege | 3120 | TiWorker.exe
  Token: SeBackupPrivilege | 3120 | TiWorker.exe
  Token: SeRestorePrivilege | 3120 | TiWorker.exe
  Token: SeSecurityPrivilege | 3120 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe, cmd.exe
  description | pid | process | target process
  PID 2588 wrote to memory of 2808 | 2588 | 17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe | MediaCenter.exe
  PID 2588 wrote to memory of 2808 | 2588 | 17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe | MediaCenter.exe
  PID 2588 wrote to memory of 2808 | 2588 | 17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe | MediaCenter.exe
  PID 2588 wrote to memory of 1280 | 2588 | 17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe | cmd.exe
  PID 2588 wrote to memory of 1280 | 2588 | 17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe | cmd.exe
  PID 2588 wrote to memory of 1280 | 2588 | 17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe | cmd.exe
  PID 1280 wrote to memory of 3736 | 1280 | cmd.exe | PING.EXE
  PID 1280 wrote to memory of 3736 | 1280 | cmd.exe | PING.EXE
  PID 1280 wrote to memory of 3736 | 1280 | cmd.exe | PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe"
  Depth: 1
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2588

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Depth: 2
    - Executes dropped EXE
    PID: 2808

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe"
    Depth: 2
    - Suspicious use of WriteProcessMemory
    PID: 1280

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Depth: 3
      - Runs ping.exe
      PID: 3736

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Depth: 1
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1836

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Depth: 1
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3120
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: f0585d9516c6de6599df6ee35aa759fc
SHA1: d6583044460765367ec6c3bdfb6f061e45af5914
SHA256: e9666b1c4fa3e1106a22329b5748abff8c36eb8537d0081934b7c0e9966c524a
SHA512: 8a0cc8d354774c90f0c0098eae72700189f6fdf2e36ff67ace546cb940cb80df9a84bad548c689864c4ea88e58a9c7cc58ece43816a9cdb2b07bd23f303d25be