Analysis
  max time kernel:  147s
  max time network: 153s
  platform:         windows10-2004_x64
  resource:         win10v2004-en-20220113
  submitted:        12-02-2022 03:23
Tasks
  Static task:     static1
  Behavioral task: behavioral1
    Sample:   17c04646f9c5aca8982218fdcad17b0e09afa309e523247ac11b5fec3e143e82.exe
    Resource: win7-en-20211208
  Behavioral task: behavioral2
    Sample:   17c04646f9c5aca8982218fdcad17b0e09afa309e523247ac11b5fec3e143e82.exe
    Resource: win10v2004-en-20220113
General
  Target: 17c04646f9c5aca8982218fdcad17b0e09afa309e523247ac11b5fec3e143e82.exe
  Size:   92KB
  MD5:    12e276ddaea5c61bbd266620b196bf40
  SHA1:   ae04ea24bc8d6aa6fe93223298f034b6cf6a9eb5
  SHA256: 17c04646f9c5aca8982218fdcad17b0e09afa309e523247ac11b5fec3e143e82
  SHA512: 81c449d2e4f9b99650ba81b544dec561b32d3b558d3d3249943628051006eb400605ae3cb55e6c594c49aaf494bfcc00ec7f2cfec91d8a70b51a96d959c440d1
Malware Config
Signatures

Sakula Payload 2 IoCs
Processes:
  resource                                                      yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
Executes dropped EXE 1 IoCs
Processes:
  pid   process
  2388  MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                       process
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  17c04646f9c5aca8982218fdcad17b0e09afa309e523247ac11b5fec3e143e82.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description      ioc                                                                                                                                                                            process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  17c04646f9c5aca8982218fdcad17b0e09afa309e523247ac11b5fec3e143e82.exe
Drops file in Windows directory 8 IoCs
Processes:
  description                   ioc                                                            process
  File opened for modification  C:\Windows\Logs\CBS\CBS.log                                    TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml                                  TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log                                   svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk         svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log         svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb        svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm        svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log            svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  pid   process       tokens adjusted
  4040  svchost.exe   6 adjustments: SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating, 3 times each
  1952  TiWorker.exe  58 adjustments: SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege, then repeated cycles of SeBackupPrivilege / SeRestorePrivilege / SeSecurityPrivilege (SeSecurityPrivilege 19 times, SeRestorePrivilege 19 times, SeBackupPrivilege 20 times)
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  description                 pid   process                                                                target pid  target process
  PID 3976 wrote to memory of 2388  17c04646f9c5aca8982218fdcad17b0e09afa309e523247ac11b5fec3e143e82.exe  2388        MediaCenter.exe
  PID 3976 wrote to memory of 2388  17c04646f9c5aca8982218fdcad17b0e09afa309e523247ac11b5fec3e143e82.exe  2388        MediaCenter.exe
  PID 3976 wrote to memory of 2388  17c04646f9c5aca8982218fdcad17b0e09afa309e523247ac11b5fec3e143e82.exe  2388        MediaCenter.exe
  PID 3976 wrote to memory of 1480  17c04646f9c5aca8982218fdcad17b0e09afa309e523247ac11b5fec3e143e82.exe  1480        cmd.exe
  PID 3976 wrote to memory of 1480  17c04646f9c5aca8982218fdcad17b0e09afa309e523247ac11b5fec3e143e82.exe  1480        cmd.exe
  PID 3976 wrote to memory of 1480  17c04646f9c5aca8982218fdcad17b0e09afa309e523247ac11b5fec3e143e82.exe  1480        cmd.exe
  PID 1480 wrote to memory of 1684  cmd.exe                                                                1684        PING.EXE
  PID 1480 wrote to memory of 1684  cmd.exe                                                                1684        PING.EXE
  PID 1480 wrote to memory of 1684  cmd.exe                                                                1684        PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\17c04646f9c5aca8982218fdcad17b0e09afa309e523247ac11b5fec3e143e82.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\17c04646f9c5aca8982218fdcad17b0e09afa309e523247ac11b5fec3e143e82.exe"
  PID: 3976
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 2388
      - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\17c04646f9c5aca8982218fdcad17b0e09afa309e523247ac11b5fec3e143e82.exe"
      PID: 1480
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          PID: 1684
          - Runs ping.exe

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4040
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 1952
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

  MD5:    897dd450d069b7eab0ec5a41eb0f58ab
  SHA1:   1994ad5ba6230a52924beef22747292d63c0458d
  SHA256: 6e380df9a653c559d228c3d482c0b940c6e54c118a2d31e51273e1af36aa6a71
  SHA512: a59e9e576d36596b66b903cbe50f93124df4de1049ee41e62abc3bb2ba9107a566ec23b44f63e4f345f269f1582319c56664552870d6a37fadcd025186074df0