Analysis
max time kernel: 153s
max time network: 168s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 03:52
Static task: static1
Behavioral task: behavioral1
  Sample: 1699f7848879bf482969a42aed6922e9d1232f22344c8d08d79b7c176a7f4ab0.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1699f7848879bf482969a42aed6922e9d1232f22344c8d08d79b7c176a7f4ab0.exe
  Resource: win10v2004-en-20220113
General
Target: 1699f7848879bf482969a42aed6922e9d1232f22344c8d08d79b7c176a7f4ab0.exe
Size: 120KB
MD5: 65a5738b1afcda1fe774e82ce5ddf02f
SHA1: 3bc156c7ee9111189067f5a0a9ffba588678cb56
SHA256: 1699f7848879bf482969a42aed6922e9d1232f22344c8d08d79b7c176a7f4ab0
SHA512: 43bb246d5e72a698f14fd437e7ea5f030126530c4175b15c49d678f5a9654eeb0fe3832c253b93d5dc6635b26180cac1ee95f07c8a3aa743507562eaf1abf8c0
Malware Config
Signatures

Sakula Payload 4 IoCs
Processes (resource | yara_rule):
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
behavioral2/memory/892-135-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
behavioral2/memory/1108-136-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
Executes dropped EXE 1 IoCs
Processes (pid | process):
1108 | MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 1699f7848879bf482969a42aed6922e9d1232f22344c8d08d79b7c176a7f4ab0.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description | ioc | process):
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1699f7848879bf482969a42aed6922e9d1232f22344c8d08d79b7c176a7f4ab0.exe
Drops file in Windows directory 8 IoCs
Processes (description | ioc | process):
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (description | pid | process):
Token: SeShutdownPrivilege | 1512 | svchost.exe
Token: SeCreatePagefilePrivilege | 1512 | svchost.exe
Token: SeShutdownPrivilege | 1512 | svchost.exe
Token: SeCreatePagefilePrivilege | 1512 | svchost.exe
Token: SeShutdownPrivilege | 1512 | svchost.exe
Token: SeCreatePagefilePrivilege | 1512 | svchost.exe
Token: SeIncBasePriorityPrivilege | 892 | 1699f7848879bf482969a42aed6922e9d1232f22344c8d08d79b7c176a7f4ab0.exe
Token: SeSecurityPrivilege | 1772 | TiWorker.exe
Token: SeRestorePrivilege | 1772 | TiWorker.exe
Token: SeBackupPrivilege | 1772 | TiWorker.exe
Token: SeBackupPrivilege | 1772 | TiWorker.exe
Token: SeRestorePrivilege | 1772 | TiWorker.exe
Token: SeSecurityPrivilege | 1772 | TiWorker.exe
Token: SeBackupPrivilege | 1772 | TiWorker.exe
Token: SeRestorePrivilege | 1772 | TiWorker.exe
Token: SeSecurityPrivilege | 1772 | TiWorker.exe
Token: SeBackupPrivilege | 1772 | TiWorker.exe
Token: SeRestorePrivilege | 1772 | TiWorker.exe
Token: SeSecurityPrivilege | 1772 | TiWorker.exe
Token: SeBackupPrivilege | 1772 | TiWorker.exe
Token: SeRestorePrivilege | 1772 | TiWorker.exe
Token: SeSecurityPrivilege | 1772 | TiWorker.exe
Token: SeBackupPrivilege | 1772 | TiWorker.exe
Token: SeRestorePrivilege | 1772 | TiWorker.exe
Token: SeSecurityPrivilege | 1772 | TiWorker.exe
Token: SeBackupPrivilege | 1772 | TiWorker.exe
Token: SeRestorePrivilege | 1772 | TiWorker.exe
Token: SeSecurityPrivilege | 1772 | TiWorker.exe
Token: SeBackupPrivilege | 1772 | TiWorker.exe
Token: SeRestorePrivilege | 1772 | TiWorker.exe
Token: SeSecurityPrivilege | 1772 | TiWorker.exe
Token: SeBackupPrivilege | 1772 | TiWorker.exe
Token: SeRestorePrivilege | 1772 | TiWorker.exe
Token: SeSecurityPrivilege | 1772 | TiWorker.exe
Token: SeBackupPrivilege | 1772 | TiWorker.exe
Token: SeRestorePrivilege | 1772 | TiWorker.exe
Token: SeSecurityPrivilege | 1772 | TiWorker.exe
Token: SeBackupPrivilege | 1772 | TiWorker.exe
Token: SeRestorePrivilege | 1772 | TiWorker.exe
Token: SeSecurityPrivilege | 1772 | TiWorker.exe
Token: SeBackupPrivilege | 1772 | TiWorker.exe
Token: SeRestorePrivilege | 1772 | TiWorker.exe
Token: SeSecurityPrivilege | 1772 | TiWorker.exe
Token: SeBackupPrivilege | 1772 | TiWorker.exe
Token: SeRestorePrivilege | 1772 | TiWorker.exe
Token: SeSecurityPrivilege | 1772 | TiWorker.exe
Token: SeBackupPrivilege | 1772 | TiWorker.exe
Token: SeRestorePrivilege | 1772 | TiWorker.exe
Token: SeSecurityPrivilege | 1772 | TiWorker.exe
Token: SeBackupPrivilege | 1772 | TiWorker.exe
Token: SeRestorePrivilege | 1772 | TiWorker.exe
Token: SeSecurityPrivilege | 1772 | TiWorker.exe
Token: SeBackupPrivilege | 1772 | TiWorker.exe
Token: SeRestorePrivilege | 1772 | TiWorker.exe
Token: SeSecurityPrivilege | 1772 | TiWorker.exe
Token: SeBackupPrivilege | 1772 | TiWorker.exe
Token: SeRestorePrivilege | 1772 | TiWorker.exe
Token: SeSecurityPrivilege | 1772 | TiWorker.exe
Token: SeBackupPrivilege | 1772 | TiWorker.exe
Token: SeRestorePrivilege | 1772 | TiWorker.exe
Token: SeSecurityPrivilege | 1772 | TiWorker.exe
Token: SeBackupPrivilege | 1772 | TiWorker.exe
Token: SeRestorePrivilege | 1772 | TiWorker.exe
Token: SeSecurityPrivilege | 1772 | TiWorker.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes (description | pid | process | target process):
PID 892 wrote to memory of 1108 | 892 | 1699f7848879bf482969a42aed6922e9d1232f22344c8d08d79b7c176a7f4ab0.exe | MediaCenter.exe
PID 892 wrote to memory of 1108 | 892 | 1699f7848879bf482969a42aed6922e9d1232f22344c8d08d79b7c176a7f4ab0.exe | MediaCenter.exe
PID 892 wrote to memory of 1108 | 892 | 1699f7848879bf482969a42aed6922e9d1232f22344c8d08d79b7c176a7f4ab0.exe | MediaCenter.exe
PID 892 wrote to memory of 4800 | 892 | 1699f7848879bf482969a42aed6922e9d1232f22344c8d08d79b7c176a7f4ab0.exe | cmd.exe
PID 892 wrote to memory of 4800 | 892 | 1699f7848879bf482969a42aed6922e9d1232f22344c8d08d79b7c176a7f4ab0.exe | cmd.exe
PID 892 wrote to memory of 4800 | 892 | 1699f7848879bf482969a42aed6922e9d1232f22344c8d08d79b7c176a7f4ab0.exe | cmd.exe
PID 4800 wrote to memory of 1168 | 4800 | cmd.exe | PING.EXE
PID 4800 wrote to memory of 1168 | 4800 | cmd.exe | PING.EXE
PID 4800 wrote to memory of 1168 | 4800 | cmd.exe | PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\1699f7848879bf482969a42aed6922e9d1232f22344c8d08d79b7c176a7f4ab0.exe (PID 892)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1699f7848879bf482969a42aed6922e9d1232f22344c8d08d79b7c176a7f4ab0.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1108)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe (PID 4800)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1699f7848879bf482969a42aed6922e9d1232f22344c8d08d79b7c176a7f4ab0.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE (PID 1168)
      Command line: ping 127.0.0.1
      - Runs ping.exe

C:\Windows\system32\svchost.exe (PID 1512)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 1772)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 5c1e4294ad18fbb4a42d3a0568eff518
SHA1: 1b2f170d044105606c5f1046388df2fae8691404
SHA256: dae692d9694af587372f67c0f7d4d67e5da1f484c8bb2392600805a7e3bcea31
SHA512: e3505c62e05ef1e39bd6d638fc3daa3bc4c686f5b48ffcc97e871280457a73561cbefeaaae33f34b28d6a59b41dd4d358df4ba535a8a9343d531b562287a884d