Analysis

max time kernel: 142s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 03:53
Static task: static1

Behavioral task: behavioral1
  Sample: 1696ea1d31ce90bfed3b8781ae25921b7f464cee7a980306303cf3f052f2bdf3.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 1696ea1d31ce90bfed3b8781ae25921b7f464cee7a980306303cf3f052f2bdf3.exe
  Resource: win10v2004-en-20220113

The signatures and process tree below are taken from behavioral2 (the memory IoCs are prefixed behavioral2/ and the platform above is windows10-2004_x64).
General

Target: 1696ea1d31ce90bfed3b8781ae25921b7f464cee7a980306303cf3f052f2bdf3.exe
Size: 216KB
MD5: 565b15efd9cae3535ae9248ab8179be9
SHA1: b9b21ca10b7507d77dd10cc2fbd4acab4c15dc19
SHA256: 1696ea1d31ce90bfed3b8781ae25921b7f464cee7a980306303cf3f052f2bdf3
SHA512: 29cec2523b2fbd40cc74f8a698f0fffd78bd4d72b209e8385432d9ec0eabfafc2622e899548b70497f985e741084587b79b218cc093a927f89f0d13829ab83ff
Malware Config
Signatures
Sakula Payload (4 IoCs)

resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
behavioral2/memory/3508-135-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
behavioral2/memory/820-136-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula

The family rule fires on the dropped MediaCenter.exe on disk and on the mapped image (0x400000-0x420000) of both the original sample (PID 3508) and the dropped copy (PID 820): dropper and payload carry the same Sakula code rather than the dropper merely wrapping an unrelated file.
Executes dropped EXE (1 IoC)

pid | process
820 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.

description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 1696ea1d31ce90bfed3b8781ae25921b7f464cee7a980306303cf3f052f2bdf3.exe
Adds Run key to start application (2 TTPs, 1 IoC)

description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1696ea1d31ce90bfed3b8781ae25921b7f464cee7a980306303cf3f052f2bdf3.exe

The WOW6432Node path shows a 32-bit process writing the machine-wide Run key under HKLM, which applies to every user and needs administrative rights (the sandbox user is Admin). The value points into the user's Temp directory; a Run entry whose target lives under AppData\Local\Temp is a persistence indicator worth hunting for on its own.
Drops file in Windows directory (8 IoCs)

description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe

All eight hits come from svchost.exe (the wuauserv service host) and TiWorker.exe, which appear as separate roots in the process tree below, not as children of the sample. They are Windows Update and component servicing activity in the sandbox image and should not be attributed to the sample.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

The second sentence is the sandbox's generic description for this signature. The report attaches no process IoC to the hit, and nothing else in the run supports a ransomware reading: the observed behaviour is a dropper that installs and persists a Sakula payload.
Runs ping.exe (1 TTPs, 1 IoC)

The IoC is PING.EXE (PID 3644) running "ping 127.0.0.1", spawned by cmd.exe (PID 4004) purely as a delay before the del that removes the sample's own file (see Processes).
Suspicious use of AdjustPrivilegeToken (64 IoCs)

process | pid | privileges enabled
svchost.exe | 2008 | SeShutdownPrivilege, SeCreatePagefilePrivilege (alternating, 6 entries)
1696ea1d31ce90bfed3b8781ae25921b7f464cee7a980306303cf3f052f2bdf3.exe | 3508 | SeIncBasePriorityPrivilege (1 entry)
TiWorker.exe | 4196 | SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege (repeating cycles, 57 entries)

Only the single SeIncBasePriorityPrivilege adjustment belongs to the sample. The remaining 63 entries are Windows Update (svchost.exe -s wuauserv) and component servicing (TiWorker.exe) activity captured in the same run; the backup/restore/security privileges TiWorker enables are normal for servicing and say nothing about the sample.
Suspicious use of WriteProcessMemory (9 IoCs)

source pid | source process | target pid | target process | entries
3508 | 1696ea1d31ce90bfed3b8781ae25921b7f464cee7a980306303cf3f052f2bdf3.exe | 820 | MediaCenter.exe | 3
3508 | 1696ea1d31ce90bfed3b8781ae25921b7f464cee7a980306303cf3f052f2bdf3.exe | 4004 | cmd.exe | 3
4004 | cmd.exe | 3644 | PING.EXE | 3

Every write goes to a direct child of the writer in the process tree below, the pattern that ordinary process creation produces; there is no write into an unrelated or pre-existing process, so this signature adds no evidence of code injection here. The parent/child pairs themselves are the useful part: they confirm that the sample, not some other process, launched MediaCenter.exe and the self-delete cmd.exe.
Processes

C:\Users\Admin\AppData\Local\Temp\1696ea1d31ce90bfed3b8781ae25921b7f464cee7a980306303cf3f052f2bdf3.exe (PID 3508)
    command line: "C:\Users\Admin\AppData\Local\Temp\1696ea1d31ce90bfed3b8781ae25921b7f464cee7a980306303cf3f052f2bdf3.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    |
    +-- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 820)
    |       command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    |       - Executes dropped EXE
    |
    +-- C:\Windows\SysWOW64\cmd.exe (PID 4004)
            command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1696ea1d31ce90bfed3b8781ae25921b7f464cee7a980306303cf3f052f2bdf3.exe"
            - Suspicious use of WriteProcessMemory
            |
            +-- C:\Windows\SysWOW64\PING.EXE (PID 3644)
                    command line: ping 127.0.0.1
                    - Runs ping.exe

C:\Windows\system32\svchost.exe (PID 2008)
    command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 4196)
    command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample (PID 3508) drops MediaCenter.exe into a MicroMedia folder under Temp, registers it in the Run key, launches it (PID 820), and then spawns cmd.exe to delete its own file. The ping 127.0.0.1 is only a delay so that del runs after the sample has exited and released its executable. The command line names System32\cmd.exe, but the process image is SysWOW64\cmd.exe: the sample is a 32-bit process and WOW64 file-system redirection resolved the path, which is consistent with the Run key landing under WOW6432Node. svchost.exe (wuauserv) and TiWorker.exe are independent roots, not descendants of the sample; their signature hits are background servicing activity.
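The chain the process tree shows (dropper in Temp launches MediaCenter.exe, registers it under Run, reads Geo\Nation, then self-deletes through cmd /c ping & del) expressed as detection logic. This is an added example, not code from the sandbox report or from the Sakula sample. It runs over constructed Sysmon-style process and registry events that reuse the report's paths, PIDs and registry keys; the event shape and the parent PIDs of the sample and of the two Windows Update processes (1000 and 800) are assumptions. The rules generalise a little beyond this run: the self-delete rule also accepts && and ping -n delays, and the persistence rule also covers RunOnce and other user-writable directories (Roaming, ProgramData, Users\Public).

```python
"""Detection logic for the chain in this report (added example over constructed
Sysmon-style events; not telemetry exported from the sandbox)."""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\1696ea1d31ce90bfed3b8781ae25921b7f464cee7a980306303cf3f052f2bdf3.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
RUN_KEY = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia"
GEO_KEY = (r"HKU\S-1-5-21-1346565761-3498240568-4147300184-1000"
           r"\Control Panel\International\Geo\Nation")
TIWORKER = (r"C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35"
            r"_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe")

# Built from the report's process tree and registry IoCs. Parent PIDs 1000 (sample)
# and 800 (the two service processes) are assumptions; the report does not list them.
EVENTS = [
    {"type": "process", "pid": 3508, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "registry", "pid": 3508, "op": "QueryValue", "key": GEO_KEY},
    {"type": "registry", "pid": 3508, "op": "SetValue", "key": RUN_KEY, "data": DROPPED},
    {"type": "process", "pid": 820, "ppid": 3508, "image": DROPPED, "cmdline": DROPPED},
    {"type": "process", "pid": 4004, "ppid": 3508, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process", "pid": 3644, "ppid": 4004, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Windows Update servicing from the same run: separate roots, not children of the sample.
    {"type": "process", "pid": 2008, "ppid": 800, "image": r"C:\Windows\system32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"},
    {"type": "process", "pid": 4196, "ppid": 800, "image": TIWORKER, "cmdline": f'"{TIWORKER}" -Embedding'},
]

# ping as a delay, then del; also accepts && and "ping -n N". Captures the deleted path.
SELF_DELETE_RE = re.compile(
    r'\bping\b[^&]*&+\s*del\b(?:\s+/\w+)*\s+"?(?P<target>[^"&]+)"?\s*$', re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
USER_WRITABLE_RE = re.compile(  # directories an unprivileged user can write to
    r"\\(?:AppData\\(?:Local|Roaming)|ProgramData|Users\\Public|Temp)\\", re.I)


def _procs(events):
    return {e["pid"]: e for e in events if e["type"] == "process"}

def detect_self_delete(events):
    """cmd.exe delaying with ping, then deleting a file; strongest when that file is its parent's image."""
    procs, out = _procs(events), []
    for e in procs.values():
        m = SELF_DELETE_RE.search(e["cmdline"]) if e["image"].lower().endswith("\\cmd.exe") else None
        if not m:
            continue
        target, parent = m.group("target").strip(), procs.get(e["ppid"])
        out.append({"rule": "self_delete_via_ping", "pid": e["pid"], "ppid": e["ppid"], "target": target,
                    "deletes_parent": bool(parent) and target.lower() == parent["image"].lower()})
    return out

def detect_run_key_to_user_writable(events):
    """Run/RunOnce value whose data points into a user-writable directory."""
    out = []
    for e in events:
        if e["type"] == "registry" and e["op"] == "SetValue" and RUN_KEY_RE.search(e["key"]):
            data = e.get("data", "").strip('"')
            if USER_WRITABLE_RE.search(data):
                out.append({"rule": "run_key_user_writable", "pid": e["pid"], "key": e["key"], "data": data})
    return out

def detect_geo_lookup(events):
    """Geo\\Nation read by a process that runs from a user-writable directory."""
    procs, out = _procs(events), []
    for e in events:
        if e["type"] == "registry" and e["op"] == "QueryValue" and GEO_KEY_RE.search(e["key"]):
            proc = procs.get(e["pid"])
            if proc and USER_WRITABLE_RE.search(proc["image"]):
                out.append({"rule": "geo_nation_lookup", "pid": e["pid"], "image": proc["image"]})
    return out

def detect_drop_and_execute(events):
    """Process in a user-writable directory started by a different process that also runs from one."""
    procs, out = _procs(events), []
    for e in procs.values():
        p = procs.get(e["ppid"])
        if (p and USER_WRITABLE_RE.search(e["image"]) and USER_WRITABLE_RE.search(p["image"])
                and e["image"].lower() != p["image"].lower()):
            out.append({"rule": "drop_and_execute", "pid": e["pid"], "ppid": e["ppid"], "image": e["image"]})
    return out

def triage(events):
    return (detect_self_delete(events) + detect_run_key_to_user_writable(events)
            + detect_geo_lookup(events) + detect_drop_and_execute(events))

def implicated_pids(events):
    """PIDs named by any finding, including the parent of a flagged child."""
    pids = set()
    for f in triage(events):
        pids.update(p for p in (f["pid"], f.get("ppid")) if p is not None)
    return sorted(pids)


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
    print("implicated PIDs:", implicated_pids(EVENTS))
```

Run stand-alone it lists four findings and the implicated PIDs 820, 3508 and 4004. The wuauserv svchost.exe and TiWorker.exe events produce nothing, which is the reason for keying the rules on parent/child relationships and user-writable paths rather than on the sandbox signature names alone: AdjustPrivilegeToken and WriteProcessMemory fire on the servicing processes too, but none of the behaviour that makes this run a Sakula installation does.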
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: a2d67a0e9637dc28f3de7a2b19712ee3
SHA1: 8ce6a31fb3195df53201ad25cc569c3200aa2967
SHA256: 0e03dda905fc6db5df6655c377cb336257180c633b92c700723d96aba6f568e3
SHA512: aa03c1504f66867df529e2e73849bd03650437064b03b79f23b99d2d1819e6bfd390194a426d34ad10c6da1d23ce5b1fca8418420e1324f0090fccacef057603