Analysis
- max time kernel: 135s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 04:13

Static task: static1

Behavioral task: behavioral1
- Sample: 15ca252104e61093d9cb29552fc4e3bdfb46980623f63c631afe5136f04040e8.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 15ca252104e61093d9cb29552fc4e3bdfb46980623f63c631afe5136f04040e8.exe
- Resource: win10v2004-en-20220113
General
- Target: 15ca252104e61093d9cb29552fc4e3bdfb46980623f63c631afe5136f04040e8.exe
- Size: 216KB
- MD5: de492258e8f2675c81457cc6419e5c57
- SHA1: 99a4c4063991d71735f9ed76868ad62d3d009beb
- SHA256: 15ca252104e61093d9cb29552fc4e3bdfb46980623f63c631afe5136f04040e8
- SHA512: 50d9e439998b6cd9c8a36ea75d267a9f5de60891fcd4cb6a578b0e871e190eb2e1c2726adf7d6058c056361ab48e3315ee91ed93a3e5813d47c3009b7af3771e
Malware Config
Signatures
-
Sakula Payload 4 IoCs
Processes (resource / yara_rule):
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
- behavioral2/memory/2288-135-0x0000000000400000-0x0000000000420000-memory.dmp / family_sakula
- behavioral2/memory/2024-136-0x0000000000400000-0x0000000000420000-memory.dmp / family_sakula
-
Executes dropped EXE 1 IoCs
Processes (pid / process):
- 2024 / MediaCenter.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
- Key value queried / \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation / 15ca252104e61093d9cb29552fc4e3bdfb46980623f63c631afe5136f04040e8.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description / ioc / process):
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 15ca252104e61093d9cb29552fc4e3bdfb46980623f63c631afe5136f04040e8.exe
-
Drops file in Windows directory 8 IoCs
Processes (description / ioc / process):
- File opened for modification / C:\Windows\WinSxS\pending.xml / TiWorker.exe
- File opened for modification / C:\Windows\WindowsUpdate.log / svchost.exe
- File opened for modification / C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk / svchost.exe
- File opened for modification / C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log / svchost.exe
- File opened for modification / C:\Windows\SoftwareDistribution\DataStore\DataStore.edb / svchost.exe
- File opened for modification / C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm / svchost.exe
- File opened for modification / C:\Windows\SoftwareDistribution\ReportingEvents.log / svchost.exe
- File opened for modification / C:\Windows\Logs\CBS\CBS.log / TiWorker.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (token / pid / process):
- SeShutdownPrivilege / 2672 / svchost.exe
- SeCreatePagefilePrivilege / 2672 / svchost.exe
- SeShutdownPrivilege / 2672 / svchost.exe
- SeCreatePagefilePrivilege / 2672 / svchost.exe
- SeShutdownPrivilege / 2672 / svchost.exe
- SeCreatePagefilePrivilege / 2672 / svchost.exe
- SeSecurityPrivilege / 3648 / TiWorker.exe
- SeRestorePrivilege / 3648 / TiWorker.exe
- SeBackupPrivilege / 3648 / TiWorker.exe
- SeIncBasePriorityPrivilege / 2288 / 15ca252104e61093d9cb29552fc4e3bdfb46980623f63c631afe5136f04040e8.exe
- SeBackupPrivilege / 3648 / TiWorker.exe
- SeRestorePrivilege / 3648 / TiWorker.exe
- SeSecurityPrivilege / 3648 / TiWorker.exe
- SeBackupPrivilege / 3648 / TiWorker.exe
- SeRestorePrivilege / 3648 / TiWorker.exe
- SeSecurityPrivilege / 3648 / TiWorker.exe
- SeBackupPrivilege / 3648 / TiWorker.exe
- SeRestorePrivilege / 3648 / TiWorker.exe
- SeSecurityPrivilege / 3648 / TiWorker.exe
- SeBackupPrivilege / 3648 / TiWorker.exe
- SeRestorePrivilege / 3648 / TiWorker.exe
- SeSecurityPrivilege / 3648 / TiWorker.exe
- SeBackupPrivilege / 3648 / TiWorker.exe
- SeRestorePrivilege / 3648 / TiWorker.exe
- SeSecurityPrivilege / 3648 / TiWorker.exe
- SeBackupPrivilege / 3648 / TiWorker.exe
- SeRestorePrivilege / 3648 / TiWorker.exe
- SeSecurityPrivilege / 3648 / TiWorker.exe
- SeBackupPrivilege / 3648 / TiWorker.exe
- SeRestorePrivilege / 3648 / TiWorker.exe
- SeSecurityPrivilege / 3648 / TiWorker.exe
- SeBackupPrivilege / 3648 / TiWorker.exe
- SeRestorePrivilege / 3648 / TiWorker.exe
- SeSecurityPrivilege / 3648 / TiWorker.exe
- SeBackupPrivilege / 3648 / TiWorker.exe
- SeRestorePrivilege / 3648 / TiWorker.exe
- SeSecurityPrivilege / 3648 / TiWorker.exe
- SeBackupPrivilege / 3648 / TiWorker.exe
- SeRestorePrivilege / 3648 / TiWorker.exe
- SeSecurityPrivilege / 3648 / TiWorker.exe
- SeBackupPrivilege / 3648 / TiWorker.exe
- SeRestorePrivilege / 3648 / TiWorker.exe
- SeSecurityPrivilege / 3648 / TiWorker.exe
- SeBackupPrivilege / 3648 / TiWorker.exe
- SeRestorePrivilege / 3648 / TiWorker.exe
- SeSecurityPrivilege / 3648 / TiWorker.exe
- SeBackupPrivilege / 3648 / TiWorker.exe
- SeRestorePrivilege / 3648 / TiWorker.exe
- SeSecurityPrivilege / 3648 / TiWorker.exe
- SeBackupPrivilege / 3648 / TiWorker.exe
- SeRestorePrivilege / 3648 / TiWorker.exe
- SeSecurityPrivilege / 3648 / TiWorker.exe
- SeBackupPrivilege / 3648 / TiWorker.exe
- SeRestorePrivilege / 3648 / TiWorker.exe
- SeSecurityPrivilege / 3648 / TiWorker.exe
- SeBackupPrivilege / 3648 / TiWorker.exe
- SeRestorePrivilege / 3648 / TiWorker.exe
- SeSecurityPrivilege / 3648 / TiWorker.exe
- SeBackupPrivilege / 3648 / TiWorker.exe
- SeRestorePrivilege / 3648 / TiWorker.exe
- SeSecurityPrivilege / 3648 / TiWorker.exe
- SeBackupPrivilege / 3648 / TiWorker.exe
- SeRestorePrivilege / 3648 / TiWorker.exe
- SeSecurityPrivilege / 3648 / TiWorker.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes (description / pid / process / target process):
- PID 2288 wrote to memory of 2024 / 2288 / 15ca252104e61093d9cb29552fc4e3bdfb46980623f63c631afe5136f04040e8.exe / MediaCenter.exe
- PID 2288 wrote to memory of 2024 / 2288 / 15ca252104e61093d9cb29552fc4e3bdfb46980623f63c631afe5136f04040e8.exe / MediaCenter.exe
- PID 2288 wrote to memory of 2024 / 2288 / 15ca252104e61093d9cb29552fc4e3bdfb46980623f63c631afe5136f04040e8.exe / MediaCenter.exe
- PID 2288 wrote to memory of 2084 / 2288 / 15ca252104e61093d9cb29552fc4e3bdfb46980623f63c631afe5136f04040e8.exe / cmd.exe
- PID 2288 wrote to memory of 2084 / 2288 / 15ca252104e61093d9cb29552fc4e3bdfb46980623f63c631afe5136f04040e8.exe / cmd.exe
- PID 2288 wrote to memory of 2084 / 2288 / 15ca252104e61093d9cb29552fc4e3bdfb46980623f63c631afe5136f04040e8.exe / cmd.exe
- PID 2084 wrote to memory of 2996 / 2084 / cmd.exe / PING.EXE
- PID 2084 wrote to memory of 2996 / 2084 / cmd.exe / PING.EXE
- PID 2084 wrote to memory of 2996 / 2084 / cmd.exe / PING.EXE
Processes (process tree; nesting shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\15ca252104e61093d9cb29552fc4e3bdfb46980623f63c631afe5136f04040e8.exe (PID 2288)
  Command line: "C:\Users\Admin\AppData\Local\Temp\15ca252104e61093d9cb29552fc4e3bdfb46980623f63c631afe5136f04040e8.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 2024)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 2084)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15ca252104e61093d9cb29552fc4e3bdfb46980623f63c631afe5136f04040e8.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 2996)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 2672)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 3648)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 81167d68af2ced6c794ad6904442607f
- SHA1: f6b7ee314aba8b353b095a92c09771209e34c52f
- SHA256: ecc2288411a87c131ddf56572f9a530e91d685db3084b05e9ad480620365655c
- SHA512: 6027111c4b8212b0a94a10b8be13a3fdf8b1a95eb07c23efda2b7a1a1340c7faf68fea6d7903d790f4d092c6b762343eb51204454686ec463354198e67123d2c