Analysis

max time kernel: 154s
max time network: 170s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 05:23

Static task: static1
Behavioral task: behavioral1
  Sample: 12e2bfbf292ba09400bfa63ebbe278d5edd60015f67d1b15730b7692729d9d47.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 12e2bfbf292ba09400bfa63ebbe278d5edd60015f67d1b15730b7692729d9d47.exe
  Resource: win10v2004-en-20220113

The signatures and process tree below are from behavioral2 (Windows 10 2004 x64), as the behavioral2/memory/ paths of the memory-dump matches show.
General

Target: 12e2bfbf292ba09400bfa63ebbe278d5edd60015f67d1b15730b7692729d9d47.exe
Size: 172KB
MD5: 00eebad47b12282a057f7b6f9696910c
SHA1: 39595bb93837ae147e191654c8dfdb0950456239
SHA256: 12e2bfbf292ba09400bfa63ebbe278d5edd60015f67d1b15730b7692729d9d47
SHA512: b8aa1fd57e6cd15e4dd17d75287711ea50445651106818778b8a5b222af588a59f4be9de0790a89e7e0b00be1bcd5db9554ff80710f314d983f584edb240dd19
Malware Config

Signatures

Sakula Payload (4 IoCs)
Resource | YARA rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
behavioral2/memory/4336-135-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
behavioral2/memory/3108-136-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
The family_sakula rule matches the dropped file on disk and the 0x400000-0x420000 image region of both PID 4336 (the submitted sample) and PID 3108 (MediaCenter.exe): dropper and dropped payload both match the Sakula family rule in memory.
Executes dropped EXE (1 IoC)
PID | Process
3108 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Description | IoC | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 12e2bfbf292ba09400bfa63ebbe278d5edd60015f67d1b15730b7692729d9d47.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Description | IoC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 12e2bfbf292ba09400bfa63ebbe278d5edd60015f67d1b15730b7692729d9d47.exe
The value lands under WOW6432Node because the sample is a 32-bit process writing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run on a 64-bit host; registry redirection places it in the 32-bit view. When hunting for this persistence, query both the native and the WOW6432Node Run keys.
Drops file in Windows directory (8 IoCs)
Description | IoC | Process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
All eight entries belong to svchost.exe (wuauserv) and TiWorker.exe, which the process tree shows as separate root processes, not descendants of the sample. They are Windows Update and servicing-stack activity in the analysis VM and should not be treated as indicators of the sample.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour"; no IoC rows were recorded for it in this run, so the text is the signature's boilerplate rather than evidence of encryption activity.

Runs ping.exe (1 TTP, 1 IoC)
PING.EXE (PID 1496), launched by cmd.exe (PID 1800) as the delay in the sample's self-deletion command; see the process tree below.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Description | PID | Process
Token: SeShutdownPrivilege | 396 | svchost.exe (3 entries)
Token: SeCreatePagefilePrivilege | 396 | svchost.exe (3 entries)
Token: SeIncBasePriorityPrivilege | 4336 | 12e2bfbf292ba09400bfa63ebbe278d5edd60015f67d1b15730b7692729d9d47.exe
Token: SeSecurityPrivilege / SeRestorePrivilege / SeBackupPrivilege | 3104 | TiWorker.exe (all remaining entries, cycling through the three privileges)
Only the single SeIncBasePriorityPrivilege adjustment by PID 4336 is attributable to the sample. The svchost.exe (wuauserv) and TiWorker.exe entries are Windows Update and component-servicing background activity and account for the bulk of the 64 IoCs.
Suspicious use of WriteProcessMemory (9 IoCs)
Description | Source PID | Source process | Target PID | Target process
wrote to memory of | 4336 | 12e2bfbf292ba09400bfa63ebbe278d5edd60015f67d1b15730b7692729d9d47.exe | 3108 | MediaCenter.exe (3 entries)
wrote to memory of | 4336 | 12e2bfbf292ba09400bfa63ebbe278d5edd60015f67d1b15730b7692729d9d47.exe | 1800 | cmd.exe (3 entries)
wrote to memory of | 1800 | cmd.exe | 1496 | PING.EXE (3 entries)
Each parent-child pair appears exactly three times and matches a CreateProcess edge in the process tree, which is consistent with the writes a parent performs when starting a child rather than with injection into an unrelated process.
Processes

- C:\Users\Admin\AppData\Local\Temp\12e2bfbf292ba09400bfa63ebbe278d5edd60015f67d1b15730b7692729d9d47.exe (PID 4336, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\12e2bfbf292ba09400bfa63ebbe278d5edd60015f67d1b15730b7692729d9d47.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 3108, level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1800, level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\12e2bfbf292ba09400bfa63ebbe278d5edd60015f67d1b15730b7692729d9d47.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1496, level 3)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 396, level 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 3104, level 1)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

The sample's own tree is the first root: it drops and starts MediaCenter.exe, then spawns cmd.exe with "ping 127.0.0.1 & del /q <own path>", using ping as a delay so the original file can be deleted once the dropper exits. The command line names C:\Windows\System32\cmd.exe but the image that ran is C:\Windows\SysWOW64\cmd.exe, the WOW64 file-system redirection a 32-bit process gets on x64, consistent with the Run key landing under WOW6432Node. The svchost.exe (wuauserv) and TiWorker.exe roots are background Windows Update activity unrelated to the sample.
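The two behaviours in this tree that are actually the sample's (a Run key pointing into a user Temp directory, and a cmd.exe child deleting its parent behind a ping delay) are cheap to turn into hunting logic. The following is an added example, not part of the sandbox report or of any detection rule shipped with it; the events are constructed in a simplified Sysmon-like shape from the report's process tree and registry IoC, plus two benign controls, and the regexes are assumptions about how such telemetry is typically formatted.

```python
import re
from dataclasses import dataclass

# Constructed events (not raw sandbox telemetry) in a simplified Sysmon-like shape.
@dataclass
class Event:
    kind: str        # "process_create" or "registry_set"
    image: str       # image path of the acting process
    detail: str      # command line, or "<key path> = <data>" for registry_set
    parent: str = "" # parent image for process_create

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\12e2bfbf292ba09400bfa63ebbe278d5edd60015f67d1b15730b7692729d9d47.exe")

EVENTS = [
    # From the report: Run value under the WOW6432Node view pointing into %TEMP%.
    Event("registry_set", SAMPLE,
          r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "
          r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"),
    # From the report: cmd.exe child that deletes the parent after a loopback ping.
    Event("process_create", r"C:\Windows\SysWOW64\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"',
          parent=SAMPLE),
    Event("process_create", r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1",
          parent=r"C:\Windows\SysWOW64\cmd.exe"),
    # Constructed benign controls: a Run key into Program Files and an ordinary ping.
    Event("registry_set", r"C:\Program Files\Vendor\setup.exe",
          r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent = "
          r"C:\Program Files\Vendor\agent.exe"),
    Event("process_create", r"C:\Windows\System32\cmd.exe",
          "cmd.exe /c ping 10.0.0.5 -n 4", parent=r"C:\Windows\explorer.exe"),
]

# Matches both the native and the WOW6432Node Run key (the prefix is not anchored).
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^=]+=\s*(?P<data>.+)$", re.IGNORECASE)
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# "ping 127.0.0.1 ... & del [/flags] "<path>.exe"": loopback ping used as a delay before delete.
SELF_DELETE_RE = re.compile(
    r"ping\s+127\.0\.0\.1.*&\s*del\s+(?:/[a-z]\s+)*\"?(?P<target>[^\"]+\.exe)\"?",
    re.IGNORECASE)


def detect_run_key_to_temp(ev: Event):
    """Run-key persistence whose target lives in a user's Temp directory."""
    if ev.kind != "registry_set":
        return None
    m = RUN_KEY_RE.search(ev.detail)
    if not m:
        return None
    data = m.group("data").strip().strip('"')
    if USER_TEMP_RE.search(data):
        return f"run-key persistence into user Temp: {data}"
    return None


def detect_self_delete(ev: Event):
    """cmd.exe deleting an .exe after a loopback ping; stronger when the target is its parent."""
    if ev.kind != "process_create" or not ev.image.lower().endswith("cmd.exe"):
        return None
    m = SELF_DELETE_RE.search(ev.detail)
    if not m:
        return None
    target = m.group("target")
    if ev.parent and target.lower() == ev.parent.lower():
        return f"parent deletes itself via ping delay: {target}"
    return f"ping-delay delete of {target}"


def scan(events):
    """Run every rule over every event; return (acting image, finding) pairs."""
    hits = []
    for ev in events:
        for rule in (detect_run_key_to_temp, detect_self_delete):
            finding = rule(ev)
            if finding:
                hits.append((ev.image, finding))
    return hits


if __name__ == "__main__":
    for image, finding in scan(EVENTS):
        print(f"{image}: {finding}")
```

Both rules fire on the report's events and stay quiet on the controls. The self-delete rule keys on the parent relationship rather than on the string "del" alone, which is what separates this dropper cleanup from the many legitimate batch files that delete temporary files.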
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: 7253f704ef8134fbde0eeaf97bc030cc
SHA1: 6bd8a6100a04444f7fc255df63f708b377b8a48c
SHA256: eb9f3bf13ca948454731e9e14dbb1d459ab8a96c5ca15f1f635827ae1a6ee8fc
SHA512: 2a3bd119875900de4786d0a0c5214d5d5a4cc924767a6f3f296d115f8ea1cb0ee2f750b5d3e2546c7b65f42cefbb75f41c386e0155681f5d8923601bc4392cc3

These hashes differ from the submitted sample's (see General), so this download entry is a distinct file captured during the run; the report does not name it here.