Analysis
- max time kernel: 160s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 09:49
Static task: static1
Behavioral task: behavioral1
  Sample: 08ff6b2178aad1544c4a38ac1662829d2513edf5a52d759bc74ec544c53c0279.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 08ff6b2178aad1544c4a38ac1662829d2513edf5a52d759bc74ec544c53c0279.exe
  Resource: win10v2004-en-20220113
General
- Target: 08ff6b2178aad1544c4a38ac1662829d2513edf5a52d759bc74ec544c53c0279.exe
- Size: 168KB
- MD5: 9b8fc69dc74ae8de2dbc55a6f3c81b78
- SHA1: 32307e9ce4c8dd322ae08a87c53c8d68aea08304
- SHA256: 08ff6b2178aad1544c4a38ac1662829d2513edf5a52d759bc74ec544c53c0279
- SHA512: 661b133f4f6c02e9841338a60a66aaf570563f105e91fce3e2db0e7b1a6b4b8eed81d4f5f406b505ec4ac8e43e06cbe880239374bfcfb40fcadc05066fa46e6a
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral2/memory/2708-135-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral2/memory/3080-136-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  pid | process
  3080 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: 08ff6b2178aad1544c4a38ac1662829d2513edf5a52d759bc74ec544c53c0279.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 08ff6b2178aad1544c4a38ac1662829d2513edf5a52d759bc74ec544c53c0279.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 08ff6b2178aad1544c4a38ac1662829d2513edf5a52d759bc74ec544c53c0279.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 08ff6b2178aad1544c4a38ac1662829d2513edf5a52d759bc74ec544c53c0279.exe
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, 08ff6b2178aad1544c4a38ac1662829d2513edf5a52d759bc74ec544c53c0279.exe, TiWorker.exe
  description | pid | process
  Token: SeShutdownPrivilege | 1456 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1456 | svchost.exe
  Token: SeShutdownPrivilege | 1456 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1456 | svchost.exe
  Token: SeShutdownPrivilege | 1456 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1456 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 2708 | 08ff6b2178aad1544c4a38ac1662829d2513edf5a52d759bc74ec544c53c0279.exe
  Token: SeSecurityPrivilege | 1296 | TiWorker.exe
  Token: SeRestorePrivilege | 1296 | TiWorker.exe
  Token: SeBackupPrivilege | 1296 | TiWorker.exe
  Token: SeBackupPrivilege | 1296 | TiWorker.exe
  Token: SeRestorePrivilege | 1296 | TiWorker.exe
  Token: SeSecurityPrivilege | 1296 | TiWorker.exe
  Token: SeBackupPrivilege | 1296 | TiWorker.exe
  Token: SeRestorePrivilege | 1296 | TiWorker.exe
  Token: SeSecurityPrivilege | 1296 | TiWorker.exe
  Token: SeBackupPrivilege | 1296 | TiWorker.exe
  Token: SeRestorePrivilege | 1296 | TiWorker.exe
  Token: SeSecurityPrivilege | 1296 | TiWorker.exe
  Token: SeBackupPrivilege | 1296 | TiWorker.exe
  Token: SeRestorePrivilege | 1296 | TiWorker.exe
  Token: SeSecurityPrivilege | 1296 | TiWorker.exe
  Token: SeBackupPrivilege | 1296 | TiWorker.exe
  Token: SeRestorePrivilege | 1296 | TiWorker.exe
  Token: SeSecurityPrivilege | 1296 | TiWorker.exe
  Token: SeBackupPrivilege | 1296 | TiWorker.exe
  Token: SeRestorePrivilege | 1296 | TiWorker.exe
  Token: SeSecurityPrivilege | 1296 | TiWorker.exe
  Token: SeBackupPrivilege | 1296 | TiWorker.exe
  Token: SeRestorePrivilege | 1296 | TiWorker.exe
  Token: SeSecurityPrivilege | 1296 | TiWorker.exe
  Token: SeBackupPrivilege | 1296 | TiWorker.exe
  Token: SeRestorePrivilege | 1296 | TiWorker.exe
  Token: SeSecurityPrivilege | 1296 | TiWorker.exe
  Token: SeBackupPrivilege | 1296 | TiWorker.exe
  Token: SeRestorePrivilege | 1296 | TiWorker.exe
  Token: SeSecurityPrivilege | 1296 | TiWorker.exe
  Token: SeBackupPrivilege | 1296 | TiWorker.exe
  Token: SeRestorePrivilege | 1296 | TiWorker.exe
  Token: SeSecurityPrivilege | 1296 | TiWorker.exe
  Token: SeBackupPrivilege | 1296 | TiWorker.exe
  Token: SeRestorePrivilege | 1296 | TiWorker.exe
  Token: SeSecurityPrivilege | 1296 | TiWorker.exe
  Token: SeBackupPrivilege | 1296 | TiWorker.exe
  Token: SeRestorePrivilege | 1296 | TiWorker.exe
  Token: SeSecurityPrivilege | 1296 | TiWorker.exe
  Token: SeBackupPrivilege | 1296 | TiWorker.exe
  Token: SeRestorePrivilege | 1296 | TiWorker.exe
  Token: SeSecurityPrivilege | 1296 | TiWorker.exe
  Token: SeBackupPrivilege | 1296 | TiWorker.exe
  Token: SeRestorePrivilege | 1296 | TiWorker.exe
  Token: SeSecurityPrivilege | 1296 | TiWorker.exe
  Token: SeBackupPrivilege | 1296 | TiWorker.exe
  Token: SeRestorePrivilege | 1296 | TiWorker.exe
  Token: SeSecurityPrivilege | 1296 | TiWorker.exe
  Token: SeBackupPrivilege | 1296 | TiWorker.exe
  Token: SeRestorePrivilege | 1296 | TiWorker.exe
  Token: SeSecurityPrivilege | 1296 | TiWorker.exe
  Token: SeBackupPrivilege | 1296 | TiWorker.exe
  Token: SeRestorePrivilege | 1296 | TiWorker.exe
  Token: SeSecurityPrivilege | 1296 | TiWorker.exe
  Token: SeBackupPrivilege | 1296 | TiWorker.exe
  Token: SeRestorePrivilege | 1296 | TiWorker.exe
  Token: SeSecurityPrivilege | 1296 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 08ff6b2178aad1544c4a38ac1662829d2513edf5a52d759bc74ec544c53c0279.exe, cmd.exe
  description | pid | process | target process
  PID 2708 wrote to memory of 3080 | 2708 | 08ff6b2178aad1544c4a38ac1662829d2513edf5a52d759bc74ec544c53c0279.exe | MediaCenter.exe
  PID 2708 wrote to memory of 3080 | 2708 | 08ff6b2178aad1544c4a38ac1662829d2513edf5a52d759bc74ec544c53c0279.exe | MediaCenter.exe
  PID 2708 wrote to memory of 3080 | 2708 | 08ff6b2178aad1544c4a38ac1662829d2513edf5a52d759bc74ec544c53c0279.exe | MediaCenter.exe
  PID 2708 wrote to memory of 628 | 2708 | 08ff6b2178aad1544c4a38ac1662829d2513edf5a52d759bc74ec544c53c0279.exe | cmd.exe
  PID 2708 wrote to memory of 628 | 2708 | 08ff6b2178aad1544c4a38ac1662829d2513edf5a52d759bc74ec544c53c0279.exe | cmd.exe
  PID 2708 wrote to memory of 628 | 2708 | 08ff6b2178aad1544c4a38ac1662829d2513edf5a52d759bc74ec544c53c0279.exe | cmd.exe
  PID 628 wrote to memory of 5096 | 628 | cmd.exe | PING.EXE
  PID 628 wrote to memory of 5096 | 628 | cmd.exe | PING.EXE
  PID 628 wrote to memory of 5096 | 628 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\08ff6b2178aad1544c4a38ac1662829d2513edf5a52d759bc74ec544c53c0279.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\08ff6b2178aad1544c4a38ac1662829d2513edf5a52d759bc74ec544c53c0279.exe"
  PID: 2708
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 3080
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\08ff6b2178aad1544c4a38ac1662829d2513edf5a52d759bc74ec544c53c0279.exe"
    PID: 628
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 5096
      Signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 1456
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 1296
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: d93ebddf8bb129a09a02f680fa1dd8ca
  SHA1: ae88bcc26047a127aaa3764fa42ee4d575e7f7e8
  SHA256: 929da16227e006b5c480c53a8c58e7783eeff5d4b2cbbe31b2d53bc7064b07d4
  SHA512: 1b8e9779c6a38f1651f2a9996035909ed047395a840560c4c132601cd2379d3451e780594d64acb8a57320faab38f023317fbd061d91fe913a4df0cb5521715d
- memory/1456-132-0x0000014F71FA0000-0x0000014F71FB0000-memory.dmp
  Filesize: 64KB
- memory/1456-133-0x0000014F72520000-0x0000014F72530000-memory.dmp
  Filesize: 64KB
- memory/1456-134-0x0000014F74C20000-0x0000014F74C24000-memory.dmp
  Filesize: 16KB
- memory/2708-135-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/3080-136-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB