Analysis

max time kernel: 158s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 04:06

Static task: static1

Behavioral task: behavioral1
  Sample: 160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836.exe
  Resource: win10v2004-en-20220113
General

Target: 160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836.exe
Size: 184KB
MD5: ac57a33099ed8d5c57bd46e96b7c9313
SHA1: 1e3f5e5c31bcb9d1d7630d2ac4b0270b0688c660
SHA256: 160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836
SHA512: 5018338463bad52c8b8c383af92dac52e1e5a8cd30adf62978c6e020ebddf8f2377892285996bdb03984ea6293b0baf0392777aa0dac2396b15c4aec1b83714a
Malware Config
Signatures
Sakula Payload (4 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
behavioral2/memory/4928-135-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
behavioral2/memory/4528-136-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
Executes dropped EXE (1 IoCs)
pid | process
4528 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836.exe
Drops file in Windows directory (8 IoCs)
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | process
Token: SeShutdownPrivilege | 208 | svchost.exe
Token: SeCreatePagefilePrivilege | 208 | svchost.exe
Token: SeShutdownPrivilege | 208 | svchost.exe
Token: SeCreatePagefilePrivilege | 208 | svchost.exe
Token: SeShutdownPrivilege | 208 | svchost.exe
Token: SeCreatePagefilePrivilege | 208 | svchost.exe
Token: SeIncBasePriorityPrivilege | 4928 | 160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836.exe
Token: SeSecurityPrivilege | 4344 | TiWorker.exe
Token: SeRestorePrivilege | 4344 | TiWorker.exe
Token: SeBackupPrivilege | 4344 | TiWorker.exe
Token: SeBackupPrivilege | 4344 | TiWorker.exe
Token: SeRestorePrivilege | 4344 | TiWorker.exe
Token: SeSecurityPrivilege | 4344 | TiWorker.exe
Token: SeBackupPrivilege | 4344 | TiWorker.exe
Token: SeRestorePrivilege | 4344 | TiWorker.exe
Token: SeSecurityPrivilege | 4344 | TiWorker.exe
Token: SeBackupPrivilege | 4344 | TiWorker.exe
Token: SeRestorePrivilege | 4344 | TiWorker.exe
Token: SeSecurityPrivilege | 4344 | TiWorker.exe
Token: SeBackupPrivilege | 4344 | TiWorker.exe
Token: SeRestorePrivilege | 4344 | TiWorker.exe
Token: SeSecurityPrivilege | 4344 | TiWorker.exe
Token: SeBackupPrivilege | 4344 | TiWorker.exe
Token: SeRestorePrivilege | 4344 | TiWorker.exe
Token: SeSecurityPrivilege | 4344 | TiWorker.exe
Token: SeBackupPrivilege | 4344 | TiWorker.exe
Token: SeRestorePrivilege | 4344 | TiWorker.exe
Token: SeSecurityPrivilege | 4344 | TiWorker.exe
Token: SeBackupPrivilege | 4344 | TiWorker.exe
Token: SeRestorePrivilege | 4344 | TiWorker.exe
Token: SeSecurityPrivilege | 4344 | TiWorker.exe
Token: SeBackupPrivilege | 4344 | TiWorker.exe
Token: SeRestorePrivilege | 4344 | TiWorker.exe
Token: SeSecurityPrivilege | 4344 | TiWorker.exe
Token: SeBackupPrivilege | 4344 | TiWorker.exe
Token: SeRestorePrivilege | 4344 | TiWorker.exe
Token: SeSecurityPrivilege | 4344 | TiWorker.exe
Token: SeBackupPrivilege | 4344 | TiWorker.exe
Token: SeRestorePrivilege | 4344 | TiWorker.exe
Token: SeSecurityPrivilege | 4344 | TiWorker.exe
Token: SeBackupPrivilege | 4344 | TiWorker.exe
Token: SeRestorePrivilege | 4344 | TiWorker.exe
Token: SeSecurityPrivilege | 4344 | TiWorker.exe
Token: SeBackupPrivilege | 4344 | TiWorker.exe
Token: SeRestorePrivilege | 4344 | TiWorker.exe
Token: SeSecurityPrivilege | 4344 | TiWorker.exe
Token: SeBackupPrivilege | 4344 | TiWorker.exe
Token: SeRestorePrivilege | 4344 | TiWorker.exe
Token: SeSecurityPrivilege | 4344 | TiWorker.exe
Token: SeBackupPrivilege | 4344 | TiWorker.exe
Token: SeRestorePrivilege | 4344 | TiWorker.exe
Token: SeSecurityPrivilege | 4344 | TiWorker.exe
Token: SeBackupPrivilege | 4344 | TiWorker.exe
Token: SeRestorePrivilege | 4344 | TiWorker.exe
Token: SeSecurityPrivilege | 4344 | TiWorker.exe
Token: SeBackupPrivilege | 4344 | TiWorker.exe
Token: SeRestorePrivilege | 4344 | TiWorker.exe
Token: SeSecurityPrivilege | 4344 | TiWorker.exe
Token: SeBackupPrivilege | 4344 | TiWorker.exe
Token: SeRestorePrivilege | 4344 | TiWorker.exe
Token: SeSecurityPrivilege | 4344 | TiWorker.exe
Token: SeBackupPrivilege | 4344 | TiWorker.exe
Token: SeRestorePrivilege | 4344 | TiWorker.exe
Token: SeSecurityPrivilege | 4344 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | process | target process
PID 4928 wrote to memory of 4528 | 4928 | 160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836.exe | MediaCenter.exe
PID 4928 wrote to memory of 4528 | 4928 | 160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836.exe | MediaCenter.exe
PID 4928 wrote to memory of 4528 | 4928 | 160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836.exe | MediaCenter.exe
PID 4928 wrote to memory of 2556 | 4928 | 160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836.exe | cmd.exe
PID 4928 wrote to memory of 2556 | 4928 | 160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836.exe | cmd.exe
PID 4928 wrote to memory of 2556 | 4928 | 160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836.exe | cmd.exe
PID 2556 wrote to memory of 676 | 2556 | cmd.exe | PING.EXE
PID 2556 wrote to memory of 676 | 2556 | cmd.exe | PING.EXE
PID 2556 wrote to memory of 676 | 2556 | cmd.exe | PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4928

    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 4528

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836.exe"
      - Suspicious use of WriteProcessMemory
      PID: 2556

        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          - Runs ping.exe
          PID: 676

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 208

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4344
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: 55202aee46254792c393f0c1c10bc7d2
SHA1: ff89ec486ff9d10d411b6454921dc019f4a022f0
SHA256: 515244f49110e44115bfde0da78702f0287ea797d5a2b9514289a885cf72d7c0
SHA512: 8cefac1c46f8eda10f8d66b50579f06f9cfbf4dc0e55aaacd54555a68e1024e45b5293b0a0bf78e956b89eb54cfb38d30ba39a481c343516f0773cf26d4ab973