Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 03:24

Static task: static1

Behavioral task: behavioral1
  Sample: 17b7c6e32aa3028c4c04295bbf215d1755d26c7085535704874b5b6c2c345b43.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 17b7c6e32aa3028c4c04295bbf215d1755d26c7085535704874b5b6c2c345b43.exe
  Resource: win10v2004-en-20220113
General
- Target: 17b7c6e32aa3028c4c04295bbf215d1755d26c7085535704874b5b6c2c345b43.exe
- Size: 200KB
- MD5: c56e916cd6b485bf3a3583b66312ea66
- SHA1: 6eb675a1dd38606a51a71d3dd6cb6f376ce5b725
- SHA256: 17b7c6e32aa3028c4c04295bbf215d1755d26c7085535704874b5b6c2c345b43
- SHA512: 8e130ccf473fc8b0504ebd18eaef80c5cd7d36fe7b30e77b4c84f5e8cd4866e0e0a123977602716f8ac377174ac10138b80fc449216f4f61faf284d729d427cb
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral2/memory/3936-135-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral2/memory/396-136-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  396 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 17b7c6e32aa3028c4c04295bbf215d1755d26c7085535704874b5b6c2c345b43.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 17b7c6e32aa3028c4c04295bbf215d1755d26c7085535704874b5b6c2c345b43.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 2584 | svchost.exe
  Token: SeCreatePagefilePrivilege | 2584 | svchost.exe
  Token: SeShutdownPrivilege | 2584 | svchost.exe
  Token: SeCreatePagefilePrivilege | 2584 | svchost.exe
  Token: SeShutdownPrivilege | 2584 | svchost.exe
  Token: SeCreatePagefilePrivilege | 2584 | svchost.exe
  Token: SeSecurityPrivilege | 3580 | TiWorker.exe
  Token: SeRestorePrivilege | 3580 | TiWorker.exe
  Token: SeBackupPrivilege | 3580 | TiWorker.exe
  Token: SeBackupPrivilege | 3580 | TiWorker.exe
  Token: SeRestorePrivilege | 3580 | TiWorker.exe
  Token: SeSecurityPrivilege | 3580 | TiWorker.exe
  Token: SeBackupPrivilege | 3580 | TiWorker.exe
  Token: SeRestorePrivilege | 3580 | TiWorker.exe
  Token: SeSecurityPrivilege | 3580 | TiWorker.exe
  Token: SeBackupPrivilege | 3580 | TiWorker.exe
  Token: SeRestorePrivilege | 3580 | TiWorker.exe
  Token: SeSecurityPrivilege | 3580 | TiWorker.exe
  Token: SeBackupPrivilege | 3580 | TiWorker.exe
  Token: SeRestorePrivilege | 3580 | TiWorker.exe
  Token: SeSecurityPrivilege | 3580 | TiWorker.exe
  Token: SeBackupPrivilege | 3580 | TiWorker.exe
  Token: SeRestorePrivilege | 3580 | TiWorker.exe
  Token: SeSecurityPrivilege | 3580 | TiWorker.exe
  Token: SeBackupPrivilege | 3580 | TiWorker.exe
  Token: SeRestorePrivilege | 3580 | TiWorker.exe
  Token: SeSecurityPrivilege | 3580 | TiWorker.exe
  Token: SeBackupPrivilege | 3580 | TiWorker.exe
  Token: SeRestorePrivilege | 3580 | TiWorker.exe
  Token: SeSecurityPrivilege | 3580 | TiWorker.exe
  Token: SeBackupPrivilege | 3580 | TiWorker.exe
  Token: SeRestorePrivilege | 3580 | TiWorker.exe
  Token: SeSecurityPrivilege | 3580 | TiWorker.exe
  Token: SeBackupPrivilege | 3580 | TiWorker.exe
  Token: SeRestorePrivilege | 3580 | TiWorker.exe
  Token: SeSecurityPrivilege | 3580 | TiWorker.exe
  Token: SeBackupPrivilege | 3580 | TiWorker.exe
  Token: SeRestorePrivilege | 3580 | TiWorker.exe
  Token: SeSecurityPrivilege | 3580 | TiWorker.exe
  Token: SeBackupPrivilege | 3580 | TiWorker.exe
  Token: SeRestorePrivilege | 3580 | TiWorker.exe
  Token: SeSecurityPrivilege | 3580 | TiWorker.exe
  Token: SeBackupPrivilege | 3580 | TiWorker.exe
  Token: SeRestorePrivilege | 3580 | TiWorker.exe
  Token: SeSecurityPrivilege | 3580 | TiWorker.exe
  Token: SeBackupPrivilege | 3580 | TiWorker.exe
  Token: SeRestorePrivilege | 3580 | TiWorker.exe
  Token: SeSecurityPrivilege | 3580 | TiWorker.exe
  Token: SeBackupPrivilege | 3580 | TiWorker.exe
  Token: SeRestorePrivilege | 3580 | TiWorker.exe
  Token: SeSecurityPrivilege | 3580 | TiWorker.exe
  Token: SeBackupPrivilege | 3580 | TiWorker.exe
  Token: SeRestorePrivilege | 3580 | TiWorker.exe
  Token: SeSecurityPrivilege | 3580 | TiWorker.exe
  Token: SeBackupPrivilege | 3580 | TiWorker.exe
  Token: SeRestorePrivilege | 3580 | TiWorker.exe
  Token: SeSecurityPrivilege | 3580 | TiWorker.exe
  Token: SeBackupPrivilege | 3580 | TiWorker.exe
  Token: SeRestorePrivilege | 3580 | TiWorker.exe
  Token: SeSecurityPrivilege | 3580 | TiWorker.exe
  Token: SeBackupPrivilege | 3580 | TiWorker.exe
  Token: SeRestorePrivilege | 3580 | TiWorker.exe
  Token: SeSecurityPrivilege | 3580 | TiWorker.exe
  Token: SeBackupPrivilege | 3580 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 3936 wrote to memory of 396 | 3936 | 17b7c6e32aa3028c4c04295bbf215d1755d26c7085535704874b5b6c2c345b43.exe | MediaCenter.exe
  PID 3936 wrote to memory of 396 | 3936 | 17b7c6e32aa3028c4c04295bbf215d1755d26c7085535704874b5b6c2c345b43.exe | MediaCenter.exe
  PID 3936 wrote to memory of 396 | 3936 | 17b7c6e32aa3028c4c04295bbf215d1755d26c7085535704874b5b6c2c345b43.exe | MediaCenter.exe
  PID 3936 wrote to memory of 4984 | 3936 | 17b7c6e32aa3028c4c04295bbf215d1755d26c7085535704874b5b6c2c345b43.exe | cmd.exe
  PID 3936 wrote to memory of 4984 | 3936 | 17b7c6e32aa3028c4c04295bbf215d1755d26c7085535704874b5b6c2c345b43.exe | cmd.exe
  PID 3936 wrote to memory of 4984 | 3936 | 17b7c6e32aa3028c4c04295bbf215d1755d26c7085535704874b5b6c2c345b43.exe | cmd.exe
  PID 4984 wrote to memory of 2932 | 4984 | cmd.exe | PING.EXE
  PID 4984 wrote to memory of 2932 | 4984 | cmd.exe | PING.EXE
  PID 4984 wrote to memory of 2932 | 4984 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\17b7c6e32aa3028c4c04295bbf215d1755d26c7085535704874b5b6c2c345b43.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\17b7c6e32aa3028c4c04295bbf215d1755d26c7085535704874b5b6c2c345b43.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 3936
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 396
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\17b7c6e32aa3028c4c04295bbf215d1755d26c7085535704874b5b6c2c345b43.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4984
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 2932
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2584
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3580
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: bdc52cc06fbff136024ebf58e461d9a9
  SHA1: a441a5c5b38c5b71c0f87c782b9669986379584e
  SHA256: 9f9b9ae4d9b02598c951bf3b88e2446d4654f1bdfaba80237c2fd44ae663b6d7
  SHA512: 1ebc69dd34e862b51254274a02e5cb3b4cd3b1177a6283460ab3cf6c4dd85b241c92b6a6cd17a3a02f2f61146c6eb57e0bd3e23bbc3e2dc15fd13ee64e3d58aa