Analysis
max time kernel: 147s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 12:04
Static task: static1
Behavioral task: behavioral1
  Sample: 0286e7e74d7c0582c8598a1362b8ac28c405df15d13ba884aff1ee4ea9adbfc7.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0286e7e74d7c0582c8598a1362b8ac28c405df15d13ba884aff1ee4ea9adbfc7.exe
  Resource: win10v2004-en-20220113
General
Target: 0286e7e74d7c0582c8598a1362b8ac28c405df15d13ba884aff1ee4ea9adbfc7.exe
Size: 176KB
MD5: a51367d956722fc111b5ed10b25525b1
SHA1: 19c08a35442046b8e8d5bb7d79d17715002a1455
SHA256: 0286e7e74d7c0582c8598a1362b8ac28c405df15d13ba884aff1ee4ea9adbfc7
SHA512: a8144c3d4f10a4257f86014134165ac075c6d9015507ad05636a538996f086fdcac251249697a5a057fdd51ef093cd187de69df8b219b5dfd94ff2b82ff36f99
Malware Config
Signatures
Sakula Payload (4 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral2/memory/4452-135-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral2/memory/1840-136-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
Executes dropped EXE (1 IoC)
Processes:
  pid | process
  1840 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0286e7e74d7c0582c8598a1362b8ac28c405df15d13ba884aff1ee4ea9adbfc7.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0286e7e74d7c0582c8598a1362b8ac28c405df15d13ba884aff1ee4ea9adbfc7.exe
Drops file in Windows directory (8 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 700 | svchost.exe
  Token: SeCreatePagefilePrivilege | 700 | svchost.exe
  Token: SeShutdownPrivilege | 700 | svchost.exe
  Token: SeCreatePagefilePrivilege | 700 | svchost.exe
  Token: SeShutdownPrivilege | 700 | svchost.exe
  Token: SeCreatePagefilePrivilege | 700 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 4452 | 0286e7e74d7c0582c8598a1362b8ac28c405df15d13ba884aff1ee4ea9adbfc7.exe
  Token: SeSecurityPrivilege | 4188 | TiWorker.exe
  Token: SeRestorePrivilege | 4188 | TiWorker.exe
  Token: SeBackupPrivilege | 4188 | TiWorker.exe
  Token: SeBackupPrivilege | 4188 | TiWorker.exe
  Token: SeRestorePrivilege | 4188 | TiWorker.exe
  Token: SeSecurityPrivilege | 4188 | TiWorker.exe
  Token: SeBackupPrivilege | 4188 | TiWorker.exe
  Token: SeRestorePrivilege | 4188 | TiWorker.exe
  Token: SeSecurityPrivilege | 4188 | TiWorker.exe
  Token: SeBackupPrivilege | 4188 | TiWorker.exe
  Token: SeRestorePrivilege | 4188 | TiWorker.exe
  Token: SeSecurityPrivilege | 4188 | TiWorker.exe
  Token: SeBackupPrivilege | 4188 | TiWorker.exe
  Token: SeRestorePrivilege | 4188 | TiWorker.exe
  Token: SeSecurityPrivilege | 4188 | TiWorker.exe
  Token: SeBackupPrivilege | 4188 | TiWorker.exe
  Token: SeRestorePrivilege | 4188 | TiWorker.exe
  Token: SeSecurityPrivilege | 4188 | TiWorker.exe
  Token: SeBackupPrivilege | 4188 | TiWorker.exe
  Token: SeRestorePrivilege | 4188 | TiWorker.exe
  Token: SeSecurityPrivilege | 4188 | TiWorker.exe
  Token: SeBackupPrivilege | 4188 | TiWorker.exe
  Token: SeRestorePrivilege | 4188 | TiWorker.exe
  Token: SeSecurityPrivilege | 4188 | TiWorker.exe
  Token: SeBackupPrivilege | 4188 | TiWorker.exe
  Token: SeRestorePrivilege | 4188 | TiWorker.exe
  Token: SeSecurityPrivilege | 4188 | TiWorker.exe
  Token: SeBackupPrivilege | 4188 | TiWorker.exe
  Token: SeRestorePrivilege | 4188 | TiWorker.exe
  Token: SeSecurityPrivilege | 4188 | TiWorker.exe
  Token: SeBackupPrivilege | 4188 | TiWorker.exe
  Token: SeRestorePrivilege | 4188 | TiWorker.exe
  Token: SeSecurityPrivilege | 4188 | TiWorker.exe
  Token: SeBackupPrivilege | 4188 | TiWorker.exe
  Token: SeRestorePrivilege | 4188 | TiWorker.exe
  Token: SeSecurityPrivilege | 4188 | TiWorker.exe
  Token: SeBackupPrivilege | 4188 | TiWorker.exe
  Token: SeRestorePrivilege | 4188 | TiWorker.exe
  Token: SeSecurityPrivilege | 4188 | TiWorker.exe
  Token: SeBackupPrivilege | 4188 | TiWorker.exe
  Token: SeRestorePrivilege | 4188 | TiWorker.exe
  Token: SeSecurityPrivilege | 4188 | TiWorker.exe
  Token: SeBackupPrivilege | 4188 | TiWorker.exe
  Token: SeRestorePrivilege | 4188 | TiWorker.exe
  Token: SeSecurityPrivilege | 4188 | TiWorker.exe
  Token: SeBackupPrivilege | 4188 | TiWorker.exe
  Token: SeRestorePrivilege | 4188 | TiWorker.exe
  Token: SeSecurityPrivilege | 4188 | TiWorker.exe
  Token: SeBackupPrivilege | 4188 | TiWorker.exe
  Token: SeRestorePrivilege | 4188 | TiWorker.exe
  Token: SeSecurityPrivilege | 4188 | TiWorker.exe
  Token: SeBackupPrivilege | 4188 | TiWorker.exe
  Token: SeRestorePrivilege | 4188 | TiWorker.exe
  Token: SeSecurityPrivilege | 4188 | TiWorker.exe
  Token: SeBackupPrivilege | 4188 | TiWorker.exe
  Token: SeRestorePrivilege | 4188 | TiWorker.exe
  Token: SeSecurityPrivilege | 4188 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description | pid | process | target process
  PID 4452 wrote to memory of 1840 | 4452 | 0286e7e74d7c0582c8598a1362b8ac28c405df15d13ba884aff1ee4ea9adbfc7.exe | MediaCenter.exe
  PID 4452 wrote to memory of 1840 | 4452 | 0286e7e74d7c0582c8598a1362b8ac28c405df15d13ba884aff1ee4ea9adbfc7.exe | MediaCenter.exe
  PID 4452 wrote to memory of 1840 | 4452 | 0286e7e74d7c0582c8598a1362b8ac28c405df15d13ba884aff1ee4ea9adbfc7.exe | MediaCenter.exe
  PID 4452 wrote to memory of 2648 | 4452 | 0286e7e74d7c0582c8598a1362b8ac28c405df15d13ba884aff1ee4ea9adbfc7.exe | cmd.exe
  PID 4452 wrote to memory of 2648 | 4452 | 0286e7e74d7c0582c8598a1362b8ac28c405df15d13ba884aff1ee4ea9adbfc7.exe | cmd.exe
  PID 4452 wrote to memory of 2648 | 4452 | 0286e7e74d7c0582c8598a1362b8ac28c405df15d13ba884aff1ee4ea9adbfc7.exe | cmd.exe
  PID 2648 wrote to memory of 3412 | 2648 | cmd.exe | PING.EXE
  PID 2648 wrote to memory of 3412 | 2648 | cmd.exe | PING.EXE
  PID 2648 wrote to memory of 3412 | 2648 | cmd.exe | PING.EXE
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\0286e7e74d7c0582c8598a1362b8ac28c405df15d13ba884aff1ee4ea9adbfc7.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0286e7e74d7c0582c8598a1362b8ac28c405df15d13ba884aff1ee4ea9adbfc7.exe"
    PID: 4452
    Signatures:
      - Checks computer location settings
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [depth 2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        PID: 1840
        Signatures:
          - Executes dropped EXE
    [depth 2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0286e7e74d7c0582c8598a1362b8ac28c405df15d13ba884aff1ee4ea9adbfc7.exe"
        PID: 2648
        Signatures:
          - Suspicious use of WriteProcessMemory
        [depth 3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            PID: 3412
            Signatures:
              - Runs ping.exe
[depth 1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    PID: 700
    Signatures:
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
[depth 1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    PID: 4188
    Signatures:
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 7293ff17a2dbbf81e3e55498c5ca4416
  SHA1: 8359ef1ca24c5dee5789d17f0e06dbc766cb5a9c
  SHA256: cc0988e946ee7d508d833a387e75fafb31c652b30d6dc145349100da9e6d20a5
  SHA512: 5c0a6c29fcc8aef6464cb03e4bffa347951c2cb7d031f406df32d067947ed1c930b23b4042a229dfbe1b689edd7f30bbbdd89b7ebd9c01b4a71c69b0e88863d6
memory/700-132-0x000001D605B60000-0x000001D605B70000-memory.dmp
  Filesize: 64KB
memory/700-133-0x000001D606120000-0x000001D606130000-memory.dmp
  Filesize: 64KB
memory/700-134-0x000001D6087D0000-0x000001D6087D4000-memory.dmp
  Filesize: 16KB
memory/1840-136-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
memory/4452-135-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB