Analysis
max time kernel: 152s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 03:26
- Static task: static1
- Behavioral task: behavioral1
  Sample: 17a1c43ad76f9ab0ae009611562400157682386396cef8fc4bacdbb13a6e0554.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 17a1c43ad76f9ab0ae009611562400157682386396cef8fc4bacdbb13a6e0554.exe
  Resource: win10v2004-en-20220113
General
Target: 17a1c43ad76f9ab0ae009611562400157682386396cef8fc4bacdbb13a6e0554.exe
Size: 216KB
MD5: dc8c50b6baa94c09602f1e011573b1dc
SHA1: 95e513cf79b0c726e27afcfab09364b53bc42e90
SHA256: 17a1c43ad76f9ab0ae009611562400157682386396cef8fc4bacdbb13a6e0554
SHA512: f27dd8d2609c240739b16b43bcfa8a2a0ce07674061f4b075dd7e1a0c2e8945c37e5e925b0e5de5a74b9b96bcb1ddefa7b17cf808be2beb057079a569348b513
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes (resource / yara_rule):
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  - behavioral2/memory/3388-135-0x0000000000400000-0x0000000000420000-memory.dmp: family_sakula
  - behavioral2/memory/1808-136-0x0000000000400000-0x0000000000420000-memory.dmp: family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  - MediaCenter.exe, PID 1808
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
  - 17a1c43ad76f9ab0ae009611562400157682386396cef8fc4bacdbb13a6e0554.exe: Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - 17a1c43ad76f9ab0ae009611562400157682386396cef8fc4bacdbb13a6e0554.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
  File opened for modification:
  - C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
  - C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
  - C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  - C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
  - C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  - C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  - C:\Windows\WindowsUpdate.log (svchost.exe)
  - C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, TiWorker.exe
  Token entries (64 in total, repeating the following distinct privilege/PID/process combinations):
  - SeShutdownPrivilege, PID 1328, svchost.exe
  - SeCreatePagefilePrivilege, PID 1328, svchost.exe
  - SeSecurityPrivilege, PID 3496, TiWorker.exe
  - SeRestorePrivilege, PID 3496, TiWorker.exe
  - SeBackupPrivilege, PID 3496, TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 17a1c43ad76f9ab0ae009611562400157682386396cef8fc4bacdbb13a6e0554.exe, cmd.exe
  - PID 3388 (17a1c43ad76f9ab0ae009611562400157682386396cef8fc4bacdbb13a6e0554.exe) wrote to memory of PID 1808 (MediaCenter.exe), 3 entries
  - PID 3388 (17a1c43ad76f9ab0ae009611562400157682386396cef8fc4bacdbb13a6e0554.exe) wrote to memory of PID 424 (cmd.exe), 3 entries
  - PID 424 (cmd.exe) wrote to memory of PID 3392 (PING.EXE), 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\17a1c43ad76f9ab0ae009611562400157682386396cef8fc4bacdbb13a6e0554.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\17a1c43ad76f9ab0ae009611562400157682386396cef8fc4bacdbb13a6e0554.exe"
  Signatures:
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 3388
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures:
    - Executes dropped EXE
    PID: 1808
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\17a1c43ad76f9ab0ae009611562400157682386396cef8fc4bacdbb13a6e0554.exe"
    Signatures:
    - Suspicious use of WriteProcessMemory
    PID: 424
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      Signatures:
      - Runs ping.exe
      PID: 3392
- C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1328
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (level 1)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3496
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: a0ee565517d2217df75b6983b9ca276e
  SHA1: 61a3cabe8f3b223cf3d96ee1c46c16d8ac94df80
  SHA256: 2dad1c544be813b0dbaeabe4adacbd097ed9a23114c1edbccf2ac29fb931c4c5
  SHA512: fc4bf357916731f86e88baf545914af366c58dc02419394151b625b1f5b2db5c83ecdd68e3e69c151c3c37ab36f38ccab7b73a0f61f9b68d5be924c3129bb4a2