Analysis
-
max time kernel
151s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 03:22
Static task
static1
Behavioral task
behavioral1
Sample
17caf649a5d55892ea756e991881bddc22620b467a930ce4412f7ee5fbb01c2e.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
17caf649a5d55892ea756e991881bddc22620b467a930ce4412f7ee5fbb01c2e.exe
Resource
win10v2004-en-20220113
General
-
Target
17caf649a5d55892ea756e991881bddc22620b467a930ce4412f7ee5fbb01c2e.exe
-
Size
191KB
-
MD5
9fe69e61962d1b68a94cafa9867667e3
-
SHA1
d16ed25a09112edbe73b708889aa60f8fa315ee7
-
SHA256
17caf649a5d55892ea756e991881bddc22620b467a930ce4412f7ee5fbb01c2e
-
SHA512
00b4d223836906a4a960940ef6e16a922115cd5b7033c177c050c34aa6cd9c703d9ca6c7dfd578e596dfe1fde43819f6a3c7f27551c0b0d020cb7d2fe8f6e308
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1448 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
17caf649a5d55892ea756e991881bddc22620b467a930ce4412f7ee5fbb01c2e.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 17caf649a5d55892ea756e991881bddc22620b467a930ce4412f7ee5fbb01c2e.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
17caf649a5d55892ea756e991881bddc22620b467a930ce4412f7ee5fbb01c2e.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 17caf649a5d55892ea756e991881bddc22620b467a930ce4412f7ee5fbb01c2e.exe -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 1292 svchost.exe Token: SeCreatePagefilePrivilege 1292 svchost.exe Token: SeShutdownPrivilege 1292 svchost.exe Token: SeCreatePagefilePrivilege 1292 svchost.exe Token: SeShutdownPrivilege 1292 svchost.exe Token: SeCreatePagefilePrivilege 1292 svchost.exe Token: SeSecurityPrivilege 216 TiWorker.exe Token: SeRestorePrivilege 216 TiWorker.exe Token: SeBackupPrivilege 216 TiWorker.exe Token: SeBackupPrivilege 216 TiWorker.exe Token: SeRestorePrivilege 216 TiWorker.exe Token: SeSecurityPrivilege 216 TiWorker.exe Token: SeBackupPrivilege 216 TiWorker.exe Token: SeRestorePrivilege 216 TiWorker.exe Token: SeSecurityPrivilege 216 TiWorker.exe Token: SeBackupPrivilege 216 TiWorker.exe Token: SeRestorePrivilege 216 TiWorker.exe Token: SeSecurityPrivilege 216 TiWorker.exe Token: SeBackupPrivilege 216 TiWorker.exe Token: SeRestorePrivilege 216 TiWorker.exe Token: SeSecurityPrivilege 216 TiWorker.exe Token: SeBackupPrivilege 216 TiWorker.exe Token: SeRestorePrivilege 216 TiWorker.exe Token: SeSecurityPrivilege 216 TiWorker.exe Token: SeBackupPrivilege 216 TiWorker.exe Token: SeRestorePrivilege 216 TiWorker.exe Token: SeSecurityPrivilege 216 TiWorker.exe Token: SeBackupPrivilege 216 TiWorker.exe Token: SeRestorePrivilege 216 TiWorker.exe Token: SeSecurityPrivilege 216 TiWorker.exe Token: SeBackupPrivilege 216 TiWorker.exe Token: SeRestorePrivilege 216 TiWorker.exe Token: SeSecurityPrivilege 216 TiWorker.exe Token: SeBackupPrivilege 216 TiWorker.exe Token: SeRestorePrivilege 216 TiWorker.exe Token: SeSecurityPrivilege 216 TiWorker.exe Token: SeBackupPrivilege 216 TiWorker.exe Token: SeRestorePrivilege 216 TiWorker.exe Token: SeSecurityPrivilege 216 TiWorker.exe Token: SeBackupPrivilege 216 TiWorker.exe Token: SeRestorePrivilege 216 TiWorker.exe Token: SeSecurityPrivilege 216 TiWorker.exe Token: SeBackupPrivilege 216 TiWorker.exe Token: SeRestorePrivilege 216 TiWorker.exe Token: SeSecurityPrivilege 216 TiWorker.exe Token: SeBackupPrivilege 216 TiWorker.exe Token: SeRestorePrivilege 216 TiWorker.exe Token: SeSecurityPrivilege 216 TiWorker.exe Token: SeBackupPrivilege 216 TiWorker.exe Token: SeRestorePrivilege 216 TiWorker.exe Token: SeSecurityPrivilege 216 TiWorker.exe Token: SeBackupPrivilege 216 TiWorker.exe Token: SeRestorePrivilege 216 TiWorker.exe Token: SeSecurityPrivilege 216 TiWorker.exe Token: SeBackupPrivilege 216 TiWorker.exe Token: SeRestorePrivilege 216 TiWorker.exe Token: SeSecurityPrivilege 216 TiWorker.exe Token: SeBackupPrivilege 216 TiWorker.exe Token: SeRestorePrivilege 216 TiWorker.exe Token: SeSecurityPrivilege 216 TiWorker.exe Token: SeBackupPrivilege 216 TiWorker.exe Token: SeRestorePrivilege 216 TiWorker.exe Token: SeSecurityPrivilege 216 TiWorker.exe Token: SeBackupPrivilege 216 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
17caf649a5d55892ea756e991881bddc22620b467a930ce4412f7ee5fbb01c2e.execmd.exedescription pid process target process PID 3500 wrote to memory of 1448 3500 17caf649a5d55892ea756e991881bddc22620b467a930ce4412f7ee5fbb01c2e.exe MediaCenter.exe PID 3500 wrote to memory of 1448 3500 17caf649a5d55892ea756e991881bddc22620b467a930ce4412f7ee5fbb01c2e.exe MediaCenter.exe PID 3500 wrote to memory of 1448 3500 17caf649a5d55892ea756e991881bddc22620b467a930ce4412f7ee5fbb01c2e.exe MediaCenter.exe PID 3500 wrote to memory of 1120 3500 17caf649a5d55892ea756e991881bddc22620b467a930ce4412f7ee5fbb01c2e.exe cmd.exe PID 3500 wrote to memory of 1120 3500 17caf649a5d55892ea756e991881bddc22620b467a930ce4412f7ee5fbb01c2e.exe cmd.exe PID 3500 wrote to memory of 1120 3500 17caf649a5d55892ea756e991881bddc22620b467a930ce4412f7ee5fbb01c2e.exe cmd.exe PID 1120 wrote to memory of 1816 1120 cmd.exe PING.EXE PID 1120 wrote to memory of 1816 1120 cmd.exe PING.EXE PID 1120 wrote to memory of 1816 1120 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\17caf649a5d55892ea756e991881bddc22620b467a930ce4412f7ee5fbb01c2e.exe"C:\Users\Admin\AppData\Local\Temp\17caf649a5d55892ea756e991881bddc22620b467a930ce4412f7ee5fbb01c2e.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3500 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\17caf649a5d55892ea756e991881bddc22620b467a930ce4412f7ee5fbb01c2e.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1816
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1292
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:216
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
9782427e5eab8233dc24251cd8e63576
SHA138edd03a6444e8b937603592ad7aa81edddaafd0
SHA2567169d0e26f688377086993000fd2fabb9fd0c7119af2c3535a6a5f23c2b70fff
SHA51212b6c02aeec6923f14f401955ac130f899f4608deae4b4d2b93c6e392df0f94c8c2880e78dd2aa14acf2e2d87abecfde0da1c993f3323a08c4271bb17e93a11b
-
MD5
9782427e5eab8233dc24251cd8e63576
SHA138edd03a6444e8b937603592ad7aa81edddaafd0
SHA2567169d0e26f688377086993000fd2fabb9fd0c7119af2c3535a6a5f23c2b70fff
SHA51212b6c02aeec6923f14f401955ac130f899f4608deae4b4d2b93c6e392df0f94c8c2880e78dd2aa14acf2e2d87abecfde0da1c993f3323a08c4271bb17e93a11b