Analysis
-
max time kernel
146s -
max time network
164s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 06:25
Static task
static1
Behavioral task
behavioral1
Sample
100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exe
Resource
win10v2004-en-20220113
General
-
Target
100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exe
-
Size
89KB
-
MD5
d564e67e8cc4bee4200f7aa5c6d244b3
-
SHA1
d07cde44cf51683baa350dd1128d4df609f0e3ec
-
SHA256
100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115
-
SHA512
c78389cf2c48a531e3e04e5e729495cf6fba1d7a3398eae10c99a33debe6d1a9e0ef37476718052803526f6d2d789076f10f354d7cf05535a7712395c58da0c7
Malware Config
Signatures
-
Sakula Payload 4 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula behavioral2/memory/4644-135-0x0000000000400000-0x000000000041B000-memory.dmp family_sakula behavioral2/memory/4892-136-0x0000000000400000-0x000000000041B000-memory.dmp family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 4892 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exe -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exe100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 4568 svchost.exe Token: SeCreatePagefilePrivilege 4568 svchost.exe Token: SeShutdownPrivilege 4568 svchost.exe Token: SeCreatePagefilePrivilege 4568 svchost.exe Token: SeShutdownPrivilege 4568 svchost.exe Token: SeCreatePagefilePrivilege 4568 svchost.exe Token: SeIncBasePriorityPrivilege 4644 100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exe Token: SeSecurityPrivilege 756 TiWorker.exe Token: SeRestorePrivilege 756 TiWorker.exe Token: SeBackupPrivilege 756 TiWorker.exe Token: SeBackupPrivilege 756 TiWorker.exe Token: SeRestorePrivilege 756 TiWorker.exe Token: SeSecurityPrivilege 756 TiWorker.exe Token: SeBackupPrivilege 756 TiWorker.exe Token: SeRestorePrivilege 756 TiWorker.exe Token: SeSecurityPrivilege 756 TiWorker.exe Token: SeBackupPrivilege 756 TiWorker.exe Token: SeRestorePrivilege 756 TiWorker.exe Token: SeSecurityPrivilege 756 TiWorker.exe Token: SeBackupPrivilege 756 TiWorker.exe Token: SeRestorePrivilege 756 TiWorker.exe Token: SeSecurityPrivilege 756 TiWorker.exe Token: SeBackupPrivilege 756 TiWorker.exe Token: SeRestorePrivilege 756 TiWorker.exe Token: SeSecurityPrivilege 756 TiWorker.exe Token: SeBackupPrivilege 756 TiWorker.exe Token: SeRestorePrivilege 756 TiWorker.exe Token: SeSecurityPrivilege 756 TiWorker.exe Token: SeBackupPrivilege 756 TiWorker.exe Token: SeRestorePrivilege 756 TiWorker.exe Token: SeSecurityPrivilege 756 TiWorker.exe Token: SeBackupPrivilege 756 TiWorker.exe Token: SeRestorePrivilege 756 TiWorker.exe Token: SeSecurityPrivilege 756 TiWorker.exe Token: SeBackupPrivilege 756 TiWorker.exe Token: SeRestorePrivilege 756 TiWorker.exe Token: SeSecurityPrivilege 756 TiWorker.exe Token: SeBackupPrivilege 756 TiWorker.exe Token: SeRestorePrivilege 756 TiWorker.exe Token: SeSecurityPrivilege 756 TiWorker.exe Token: SeBackupPrivilege 756 TiWorker.exe Token: SeRestorePrivilege 756 TiWorker.exe Token: SeSecurityPrivilege 756 TiWorker.exe Token: SeBackupPrivilege 756 TiWorker.exe Token: SeRestorePrivilege 756 TiWorker.exe Token: SeSecurityPrivilege 756 TiWorker.exe Token: SeBackupPrivilege 756 TiWorker.exe Token: SeRestorePrivilege 756 TiWorker.exe Token: SeSecurityPrivilege 756 TiWorker.exe Token: SeBackupPrivilege 756 TiWorker.exe Token: SeRestorePrivilege 756 TiWorker.exe Token: SeSecurityPrivilege 756 TiWorker.exe Token: SeBackupPrivilege 756 TiWorker.exe Token: SeRestorePrivilege 756 TiWorker.exe Token: SeSecurityPrivilege 756 TiWorker.exe Token: SeBackupPrivilege 756 TiWorker.exe Token: SeRestorePrivilege 756 TiWorker.exe Token: SeSecurityPrivilege 756 TiWorker.exe Token: SeBackupPrivilege 756 TiWorker.exe Token: SeRestorePrivilege 756 TiWorker.exe Token: SeSecurityPrivilege 756 TiWorker.exe Token: SeBackupPrivilege 756 TiWorker.exe Token: SeRestorePrivilege 756 TiWorker.exe Token: SeSecurityPrivilege 756 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.execmd.exedescription pid process target process PID 4644 wrote to memory of 4892 4644 100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exe MediaCenter.exe PID 4644 wrote to memory of 4892 4644 100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exe MediaCenter.exe PID 4644 wrote to memory of 4892 4644 100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exe MediaCenter.exe PID 4644 wrote to memory of 4148 4644 100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exe cmd.exe PID 4644 wrote to memory of 4148 4644 100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exe cmd.exe PID 4644 wrote to memory of 4148 4644 100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exe cmd.exe PID 4148 wrote to memory of 3024 4148 cmd.exe PING.EXE PID 4148 wrote to memory of 3024 4148 cmd.exe PING.EXE PID 4148 wrote to memory of 3024 4148 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exe"C:\Users\Admin\AppData\Local\Temp\100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4644 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:4892 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4148 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:3024
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4568
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:756
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
7e0d48868d47588e10fc230b332cfee4
SHA1de0fcf094df6979324b718919c9ece3b4d663ab1
SHA2565a18db8593765b49874585326917e3a15c99d3de6e283214187459a713295aa9
SHA512ebb63e1545de9e0a4a3dc760d4ad8e05e9990cacf474f42c2390adc6f850b7c455aa2f72ce3fc7ff84c0785f58ce741f05d9f928df8cd0dc256d2c6568cfee5f
-
MD5
7e0d48868d47588e10fc230b332cfee4
SHA1de0fcf094df6979324b718919c9ece3b4d663ab1
SHA2565a18db8593765b49874585326917e3a15c99d3de6e283214187459a713295aa9
SHA512ebb63e1545de9e0a4a3dc760d4ad8e05e9990cacf474f42c2390adc6f850b7c455aa2f72ce3fc7ff84c0785f58ce741f05d9f928df8cd0dc256d2c6568cfee5f