Analysis
- max time kernel: 158s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 10:38
Static task: static1
Behavioral task: behavioral1
  Sample: 06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe
  Resource: win10v2004-en-20220113
General
- Target: 06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe
- Size: 216KB
- MD5: a3ca021350034de47209827352310697
- SHA1: 28647851ab6458e0cbad03053c481863006eada0
- SHA256: 06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3
- SHA512: 5a227c360d72ba1bcc5c88f111aeac2732292641a7e33bed885c5c8ce9f105e4a877378b1bab6b4ea1d295cfe4a290c817433065c37503d0daabaec24516efd9
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral2/memory/1152-135-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral2/memory/1392-136-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  pid | process
  1392 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, 06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe, TiWorker.exe
  description | pid | process
  Token: SeShutdownPrivilege | 1984 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1984 | svchost.exe
  Token: SeShutdownPrivilege | 1984 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1984 | svchost.exe
  Token: SeShutdownPrivilege | 1984 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1984 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 1152 | 06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe
  Token: SeSecurityPrivilege | 4516 | TiWorker.exe
  Token: SeRestorePrivilege | 4516 | TiWorker.exe
  Token: SeBackupPrivilege | 4516 | TiWorker.exe
  Token: SeBackupPrivilege | 4516 | TiWorker.exe
  Token: SeRestorePrivilege | 4516 | TiWorker.exe
  Token: SeSecurityPrivilege | 4516 | TiWorker.exe
  Token: SeBackupPrivilege | 4516 | TiWorker.exe
  Token: SeRestorePrivilege | 4516 | TiWorker.exe
  Token: SeSecurityPrivilege | 4516 | TiWorker.exe
  Token: SeBackupPrivilege | 4516 | TiWorker.exe
  Token: SeRestorePrivilege | 4516 | TiWorker.exe
  Token: SeSecurityPrivilege | 4516 | TiWorker.exe
  Token: SeBackupPrivilege | 4516 | TiWorker.exe
  Token: SeRestorePrivilege | 4516 | TiWorker.exe
  Token: SeSecurityPrivilege | 4516 | TiWorker.exe
  Token: SeBackupPrivilege | 4516 | TiWorker.exe
  Token: SeRestorePrivilege | 4516 | TiWorker.exe
  Token: SeSecurityPrivilege | 4516 | TiWorker.exe
  Token: SeBackupPrivilege | 4516 | TiWorker.exe
  Token: SeRestorePrivilege | 4516 | TiWorker.exe
  Token: SeSecurityPrivilege | 4516 | TiWorker.exe
  Token: SeBackupPrivilege | 4516 | TiWorker.exe
  Token: SeRestorePrivilege | 4516 | TiWorker.exe
  Token: SeSecurityPrivilege | 4516 | TiWorker.exe
  Token: SeBackupPrivilege | 4516 | TiWorker.exe
  Token: SeRestorePrivilege | 4516 | TiWorker.exe
  Token: SeSecurityPrivilege | 4516 | TiWorker.exe
  Token: SeBackupPrivilege | 4516 | TiWorker.exe
  Token: SeRestorePrivilege | 4516 | TiWorker.exe
  Token: SeSecurityPrivilege | 4516 | TiWorker.exe
  Token: SeBackupPrivilege | 4516 | TiWorker.exe
  Token: SeRestorePrivilege | 4516 | TiWorker.exe
  Token: SeSecurityPrivilege | 4516 | TiWorker.exe
  Token: SeBackupPrivilege | 4516 | TiWorker.exe
  Token: SeRestorePrivilege | 4516 | TiWorker.exe
  Token: SeSecurityPrivilege | 4516 | TiWorker.exe
  Token: SeBackupPrivilege | 4516 | TiWorker.exe
  Token: SeRestorePrivilege | 4516 | TiWorker.exe
  Token: SeSecurityPrivilege | 4516 | TiWorker.exe
  Token: SeBackupPrivilege | 4516 | TiWorker.exe
  Token: SeRestorePrivilege | 4516 | TiWorker.exe
  Token: SeSecurityPrivilege | 4516 | TiWorker.exe
  Token: SeBackupPrivilege | 4516 | TiWorker.exe
  Token: SeRestorePrivilege | 4516 | TiWorker.exe
  Token: SeSecurityPrivilege | 4516 | TiWorker.exe
  Token: SeBackupPrivilege | 4516 | TiWorker.exe
  Token: SeRestorePrivilege | 4516 | TiWorker.exe
  Token: SeSecurityPrivilege | 4516 | TiWorker.exe
  Token: SeBackupPrivilege | 4516 | TiWorker.exe
  Token: SeRestorePrivilege | 4516 | TiWorker.exe
  Token: SeSecurityPrivilege | 4516 | TiWorker.exe
  Token: SeBackupPrivilege | 4516 | TiWorker.exe
  Token: SeRestorePrivilege | 4516 | TiWorker.exe
  Token: SeSecurityPrivilege | 4516 | TiWorker.exe
  Token: SeBackupPrivilege | 4516 | TiWorker.exe
  Token: SeRestorePrivilege | 4516 | TiWorker.exe
  Token: SeSecurityPrivilege | 4516 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe, cmd.exe
  description | pid | process | target process
  PID 1152 wrote to memory of 1392 | 1152 | 06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe | MediaCenter.exe
  PID 1152 wrote to memory of 1392 | 1152 | 06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe | MediaCenter.exe
  PID 1152 wrote to memory of 1392 | 1152 | 06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe | MediaCenter.exe
  PID 1152 wrote to memory of 4456 | 1152 | 06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe | cmd.exe
  PID 1152 wrote to memory of 4456 | 1152 | 06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe | cmd.exe
  PID 1152 wrote to memory of 4456 | 1152 | 06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe | cmd.exe
  PID 4456 wrote to memory of 4828 | 4456 | cmd.exe | PING.EXE
  PID 4456 wrote to memory of 4828 | 4456 | cmd.exe | PING.EXE
  PID 4456 wrote to memory of 4828 | 4456 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1152
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1392
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4456
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 4828
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1984
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4516
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 4912a9680f016c119358663399524dc2
  SHA1: 82ecc9657e525c4aa2cd85018593d25727afee35
  SHA256: 55cd1c335a2de5188606bde57cfba2821bdfb35dd5685770c9d9236fc7ee3ca9
  SHA512: 9d80b2ea56e3b3d53e736a62d9e68c6ace0e3619bbf6d405bfdfefec5a3fdc56758df83b216448789eb02c45c828514ba99ee80ba35520fe8f83f0321c8eb303
- memory/1152-135-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/1392-136-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/1984-132-0x000002D155B80000-0x000002D155B90000-memory.dmp
  Filesize: 64KB
- memory/1984-133-0x000002D156220000-0x000002D156230000-memory.dmp
  Filesize: 64KB
- memory/1984-134-0x000002D158900000-0x000002D158904000-memory.dmp
  Filesize: 16KB