Analysis
- max time kernel: 135s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 05:35
Static task: static1
Behavioral task: behavioral1
- Sample: 1247442f9b84e1445a3f96d72fb9f63d4de68364d389ac53a3c1760af264cde5.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1247442f9b84e1445a3f96d72fb9f63d4de68364d389ac53a3c1760af264cde5.exe
- Resource: win10v2004-en-20220113
General
- Target: 1247442f9b84e1445a3f96d72fb9f63d4de68364d389ac53a3c1760af264cde5.exe
- Size: 216KB
- MD5: 5a816b8bb6ac5fcbaaa405cd1ed4ad52
- SHA1: 4d3474acc3633d48aeca5624dc0151eae0f36ff4
- SHA256: 1247442f9b84e1445a3f96d72fb9f63d4de68364d389ac53a3c1760af264cde5
- SHA512: a0fe5c967bd35b85fc76d5ae80e75032f306955de0b2ea1073aa04a0b80430153f6c5cdaa3a4ba88a6eb670c09317059a1d0ca1ea85dcb9d4bac5b28c98ac119
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral2/memory/1852-135-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral2/memory/4260-136-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoC)
  pid | process
  4260 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 1247442f9b84e1445a3f96d72fb9f63d4de68364d389ac53a3c1760af264cde5.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1247442f9b84e1445a3f96d72fb9f63d4de68364d389ac53a3c1760af264cde5.exe
- Drops file in Windows directory (8 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | process
  Token: SeShutdownPrivilege | 3676 | svchost.exe (3 entries, alternating with the next row)
  Token: SeCreatePagefilePrivilege | 3676 | svchost.exe (3 entries)
  Token: SeIncBasePriorityPrivilege | 1852 | 1247442f9b84e1445a3f96d72fb9f63d4de68364d389ac53a3c1760af264cde5.exe (1 entry)
  Token: SeSecurityPrivilege / SeRestorePrivilege / SeBackupPrivilege | 2416 | TiWorker.exe (the remaining 57 entries, cycling through these three privileges)
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | target process
  PID 1852 wrote to memory of 4260 | 1852 | 1247442f9b84e1445a3f96d72fb9f63d4de68364d389ac53a3c1760af264cde5.exe | MediaCenter.exe (3 entries)
  PID 1852 wrote to memory of 1700 | 1852 | 1247442f9b84e1445a3f96d72fb9f63d4de68364d389ac53a3c1760af264cde5.exe | cmd.exe (3 entries)
  PID 1700 wrote to memory of 2116 | 1700 | cmd.exe | PING.EXE (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\1247442f9b84e1445a3f96d72fb9f63d4de68364d389ac53a3c1760af264cde5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1247442f9b84e1445a3f96d72fb9f63d4de68364d389ac53a3c1760af264cde5.exe"
  PID: 1852
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4260
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1247442f9b84e1445a3f96d72fb9f63d4de68364d389ac53a3c1760af264cde5.exe"
    PID: 1700
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 2116
      Signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 3676
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 2416
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 089f82c120cddf082c9ce7601a8b6072
  SHA1: b95969acb44ce0dafeb89a46d482e0b22b09fcfe
  SHA256: c7bd896886aba86a891e057d67d8a2c56bcd86b949c81abdc58b04a703eab7c1
  SHA512: eb2b02ad155c6f2c5e2ed30da78a279c65109c27f39be3d18b533f8bc00826c3b5fd8534e9baee91094f21a9ec316f1c0fc76a8bbf2c789c4fc54ac5bac4f994