Analysis
max time kernel: 165s
max time network: 177s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 10:43
Static task: static1

Behavioral task: behavioral1
  Sample: 06481123cd86c70feb0ebfeb3eaff47dcf7352bbde5825664b202c70d6269049.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 06481123cd86c70feb0ebfeb3eaff47dcf7352bbde5825664b202c70d6269049.exe
  Resource: win10v2004-en-20220113
General
Target: 06481123cd86c70feb0ebfeb3eaff47dcf7352bbde5825664b202c70d6269049.exe
Size: 216KB
MD5: e3630074018634f6065b52b336603372
SHA1: 824c8e16bf8d4e53ca51a4140c8614651ca9f728
SHA256: 06481123cd86c70feb0ebfeb3eaff47dcf7352bbde5825664b202c70d6269049
SHA512: 02d99daa2230ff3c54bd9e78c8a3363044b89b4816afa83c6dc4e0718b2099c79bf5f7b2eae841a7b754b9686512113a668d75454117379881471da5568cf4c9
Malware Config
Signatures

Sakula Payload (4 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral2/memory/456-135-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral2/memory/1816-136-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula

Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
  pid | process
  1816 | MediaCenter.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  Processes: 06481123cd86c70feb0ebfeb3eaff47dcf7352bbde5825664b202c70d6269049.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 06481123cd86c70feb0ebfeb3eaff47dcf7352bbde5825664b202c70d6269049.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 06481123cd86c70feb0ebfeb3eaff47dcf7352bbde5825664b202c70d6269049.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 06481123cd86c70feb0ebfeb3eaff47dcf7352bbde5825664b202c70d6269049.exe

Drops file in Windows directory (8 IoCs)
  Processes: TiWorker.exe, svchost.exe
  description | ioc | process
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, TiWorker.exe, 06481123cd86c70feb0ebfeb3eaff47dcf7352bbde5825664b202c70d6269049.exe
  description | pid | process
  Token: SeShutdownPrivilege | 4256 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4256 | svchost.exe
  Token: SeShutdownPrivilege | 4256 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4256 | svchost.exe
  Token: SeShutdownPrivilege | 4256 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4256 | svchost.exe
  Token: SeSecurityPrivilege | 4844 | TiWorker.exe
  Token: SeRestorePrivilege | 4844 | TiWorker.exe
  Token: SeBackupPrivilege | 4844 | TiWorker.exe
  Token: SeIncBasePriorityPrivilege | 456 | 06481123cd86c70feb0ebfeb3eaff47dcf7352bbde5825664b202c70d6269049.exe
  Token: SeBackupPrivilege | 4844 | TiWorker.exe
  Token: SeRestorePrivilege | 4844 | TiWorker.exe
  Token: SeSecurityPrivilege | 4844 | TiWorker.exe
  Token: SeBackupPrivilege | 4844 | TiWorker.exe
  Token: SeRestorePrivilege | 4844 | TiWorker.exe
  Token: SeSecurityPrivilege | 4844 | TiWorker.exe
  Token: SeBackupPrivilege | 4844 | TiWorker.exe
  Token: SeRestorePrivilege | 4844 | TiWorker.exe
  Token: SeSecurityPrivilege | 4844 | TiWorker.exe
  Token: SeBackupPrivilege | 4844 | TiWorker.exe
  Token: SeRestorePrivilege | 4844 | TiWorker.exe
  Token: SeSecurityPrivilege | 4844 | TiWorker.exe
  Token: SeBackupPrivilege | 4844 | TiWorker.exe
  Token: SeRestorePrivilege | 4844 | TiWorker.exe
  Token: SeSecurityPrivilege | 4844 | TiWorker.exe
  Token: SeBackupPrivilege | 4844 | TiWorker.exe
  Token: SeRestorePrivilege | 4844 | TiWorker.exe
  Token: SeSecurityPrivilege | 4844 | TiWorker.exe
  Token: SeBackupPrivilege | 4844 | TiWorker.exe
  Token: SeRestorePrivilege | 4844 | TiWorker.exe
  Token: SeSecurityPrivilege | 4844 | TiWorker.exe
  Token: SeBackupPrivilege | 4844 | TiWorker.exe
  Token: SeRestorePrivilege | 4844 | TiWorker.exe
  Token: SeSecurityPrivilege | 4844 | TiWorker.exe
  Token: SeBackupPrivilege | 4844 | TiWorker.exe
  Token: SeRestorePrivilege | 4844 | TiWorker.exe
  Token: SeSecurityPrivilege | 4844 | TiWorker.exe
  Token: SeBackupPrivilege | 4844 | TiWorker.exe
  Token: SeRestorePrivilege | 4844 | TiWorker.exe
  Token: SeSecurityPrivilege | 4844 | TiWorker.exe
  Token: SeBackupPrivilege | 4844 | TiWorker.exe
  Token: SeRestorePrivilege | 4844 | TiWorker.exe
  Token: SeSecurityPrivilege | 4844 | TiWorker.exe
  Token: SeBackupPrivilege | 4844 | TiWorker.exe
  Token: SeRestorePrivilege | 4844 | TiWorker.exe
  Token: SeSecurityPrivilege | 4844 | TiWorker.exe
  Token: SeBackupPrivilege | 4844 | TiWorker.exe
  Token: SeRestorePrivilege | 4844 | TiWorker.exe
  Token: SeSecurityPrivilege | 4844 | TiWorker.exe
  Token: SeBackupPrivilege | 4844 | TiWorker.exe
  Token: SeRestorePrivilege | 4844 | TiWorker.exe
  Token: SeSecurityPrivilege | 4844 | TiWorker.exe
  Token: SeBackupPrivilege | 4844 | TiWorker.exe
  Token: SeRestorePrivilege | 4844 | TiWorker.exe
  Token: SeSecurityPrivilege | 4844 | TiWorker.exe
  Token: SeBackupPrivilege | 4844 | TiWorker.exe
  Token: SeRestorePrivilege | 4844 | TiWorker.exe
  Token: SeSecurityPrivilege | 4844 | TiWorker.exe
  Token: SeBackupPrivilege | 4844 | TiWorker.exe
  Token: SeRestorePrivilege | 4844 | TiWorker.exe
  Token: SeSecurityPrivilege | 4844 | TiWorker.exe
  Token: SeBackupPrivilege | 4844 | TiWorker.exe
  Token: SeRestorePrivilege | 4844 | TiWorker.exe
  Token: SeSecurityPrivilege | 4844 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 06481123cd86c70feb0ebfeb3eaff47dcf7352bbde5825664b202c70d6269049.exe, cmd.exe
  description | pid | process | target process
  PID 456 wrote to memory of 1816 | 456 | 06481123cd86c70feb0ebfeb3eaff47dcf7352bbde5825664b202c70d6269049.exe | MediaCenter.exe
  PID 456 wrote to memory of 1816 | 456 | 06481123cd86c70feb0ebfeb3eaff47dcf7352bbde5825664b202c70d6269049.exe | MediaCenter.exe
  PID 456 wrote to memory of 1816 | 456 | 06481123cd86c70feb0ebfeb3eaff47dcf7352bbde5825664b202c70d6269049.exe | MediaCenter.exe
  PID 456 wrote to memory of 5024 | 456 | 06481123cd86c70feb0ebfeb3eaff47dcf7352bbde5825664b202c70d6269049.exe | cmd.exe
  PID 456 wrote to memory of 5024 | 456 | 06481123cd86c70feb0ebfeb3eaff47dcf7352bbde5825664b202c70d6269049.exe | cmd.exe
  PID 456 wrote to memory of 5024 | 456 | 06481123cd86c70feb0ebfeb3eaff47dcf7352bbde5825664b202c70d6269049.exe | cmd.exe
  PID 5024 wrote to memory of 1828 | 5024 | cmd.exe | PING.EXE
  PID 5024 wrote to memory of 1828 | 5024 | cmd.exe | PING.EXE
  PID 5024 wrote to memory of 1828 | 5024 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\06481123cd86c70feb0ebfeb3eaff47dcf7352bbde5825664b202c70d6269049.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06481123cd86c70feb0ebfeb3eaff47dcf7352bbde5825664b202c70d6269049.exe"
  PID: 456
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1816
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06481123cd86c70feb0ebfeb3eaff47dcf7352bbde5825664b202c70d6269049.exe"
    PID: 5024
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1828
      - Runs ping.exe

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4256
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 4844
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: e3da0f661d2aa059bb3d222a7be3b61a
  SHA1: 9d569032858f156e6182d938d51866e310c7809b
  SHA256: bf61ca7bcc0ca4817e9730e890ac9f1df25246f676c9fa811301fd672933739e
  SHA512: 0f1418eb59999e952bdd1784431c6f3c6ce7237a3c0cb3ba3944ccf9757bfe5ff050454d7499ce2b72ff4caa0e5439c6843f1d816954cc16094b151c95192f56
- memory/456-135-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

- memory/1816-136-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

- memory/4256-132-0x000002777B120000-0x000002777B130000-memory.dmp
  Filesize: 64KB

- memory/4256-133-0x000002777B180000-0x000002777B190000-memory.dmp
  Filesize: 64KB

- memory/4256-134-0x000002777D850000-0x000002777D854000-memory.dmp
  Filesize: 16KB