Analysis
- max time kernel: 158s
- max time network: 174s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 06:14
Static task: static1
Behavioral task: behavioral1
  Sample: 10840bc7ae3c97f43e9eb6f5d94e6eeada279590e427e5da77909ba67c370019.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 10840bc7ae3c97f43e9eb6f5d94e6eeada279590e427e5da77909ba67c370019.exe
  Resource: win10v2004-en-20220113
General
- Target: 10840bc7ae3c97f43e9eb6f5d94e6eeada279590e427e5da77909ba67c370019.exe
- Size: 216KB
- MD5: 358182eec28d565959f49a14783e5c89
- SHA1: dc67a7e61fc74752ad700922ded0275c07b58d39
- SHA256: 10840bc7ae3c97f43e9eb6f5d94e6eeada279590e427e5da77909ba67c370019
- SHA512: ab0144eb7bca3dc6f8252d6f8d7f37236017d7356c5c0ef422e429cc3b3ebc6984833b6ce3b2d772f296d04c52026f5987b4480573ee3da41a94537e22eac16b
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral2/memory/2748-135-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral2/memory/4416-136-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  pid | process
  4416 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 10840bc7ae3c97f43e9eb6f5d94e6eeada279590e427e5da77909ba67c370019.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 10840bc7ae3c97f43e9eb6f5d94e6eeada279590e427e5da77909ba67c370019.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 10840bc7ae3c97f43e9eb6f5d94e6eeada279590e427e5da77909ba67c370019.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 10840bc7ae3c97f43e9eb6f5d94e6eeada279590e427e5da77909ba67c370019.exe
- Drops file in Windows directory (8 IoCs)
  Processes: TiWorker.exe, svchost.exe
  description | ioc | process
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, 10840bc7ae3c97f43e9eb6f5d94e6eeada279590e427e5da77909ba67c370019.exe, TiWorker.exe
  description | pid | process
  Token: SeShutdownPrivilege | 4648 | svchost.exe (3 entries, alternating with the next row)
  Token: SeCreatePagefilePrivilege | 4648 | svchost.exe (3 entries)
  Token: SeIncBasePriorityPrivilege | 2748 | 10840bc7ae3c97f43e9eb6f5d94e6eeada279590e427e5da77909ba67c370019.exe (1 entry)
  Token: SeSecurityPrivilege | 1124 | TiWorker.exe (19 entries, cycling with the next two rows)
  Token: SeRestorePrivilege | 1124 | TiWorker.exe (19 entries)
  Token: SeBackupPrivilege | 1124 | TiWorker.exe (19 entries)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 10840bc7ae3c97f43e9eb6f5d94e6eeada279590e427e5da77909ba67c370019.exe, cmd.exe
  description | pid | process | target process
  PID 2748 wrote to memory of 4416 | 2748 | 10840bc7ae3c97f43e9eb6f5d94e6eeada279590e427e5da77909ba67c370019.exe | MediaCenter.exe (3 entries)
  PID 2748 wrote to memory of 852 | 2748 | 10840bc7ae3c97f43e9eb6f5d94e6eeada279590e427e5da77909ba67c370019.exe | cmd.exe (3 entries)
  PID 852 wrote to memory of 3356 | 852 | cmd.exe | PING.EXE (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\10840bc7ae3c97f43e9eb6f5d94e6eeada279590e427e5da77909ba67c370019.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10840bc7ae3c97f43e9eb6f5d94e6eeada279590e427e5da77909ba67c370019.exe"
  PID: 2748
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4416
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\10840bc7ae3c97f43e9eb6f5d94e6eeada279590e427e5da77909ba67c370019.exe"
    PID: 852
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 3356
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4648
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 1124
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 79b06a279a36b9cdf6dafecba0476a11
  SHA1: 7eab4b7ed2072b3a0d8f01cc5c0f609de3a0c48b
  SHA256: 21aaaba80a4ac887bf6b617149a7a0f4c566a31507fe314025e938862be0024f
  SHA512: 70c040ad0b3a7f493057fbf2974c46cd80978b0c20b30c060c2c142e611fd71dd9c91ea2282e9dcd6e7e1b9a1d7f9f2c0b454d5d310e10968502cf0bb8c0246c