Analysis
max time kernel: 159s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 11:37

Static task: static1
Behavioral task: behavioral1
  Sample: 03e9eb0a1e1e7ad7a9f47da384da6237671037250e24c37d8bb9fdc4c5c7983f.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 03e9eb0a1e1e7ad7a9f47da384da6237671037250e24c37d8bb9fdc4c5c7983f.exe
  Resource: win10v2004-en-20220113
General
Target: 03e9eb0a1e1e7ad7a9f47da384da6237671037250e24c37d8bb9fdc4c5c7983f.exe
Size: 176KB
MD5: 3d66e584157583e745584462cafd70da
SHA1: 6db3ecbf863469c0f9c0484156c702cb9ca2a023
SHA256: 03e9eb0a1e1e7ad7a9f47da384da6237671037250e24c37d8bb9fdc4c5c7983f
SHA512: 93c1740d3915a77e6afcf20c07762741e22aa07dbb6245b9ddb329932cfbb203da45273783c5a539b402e7607cda73cbb81d32b84093b126691fc1a8e5cf5017
Malware Config
Signatures
Sakula Payload (4 IoCs)
Processes:
  resource                                                                        yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                    family_sakula
  behavioral2/memory/1436-135-0x0000000000400000-0x0000000000420000-memory.dmp    family_sakula
  behavioral2/memory/3908-136-0x0000000000400000-0x0000000000420000-memory.dmp    family_sakula
Executes dropped EXE (1 IoC)
Processes:
  pid    process
  3908   MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description         ioc                                                                                                  process
  Key value queried   \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation   03e9eb0a1e1e7ad7a9f47da384da6237671037250e24c37d8bb9fdc4c5c7983f.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description       ioc                                                                                                                                                               process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   03e9eb0a1e1e7ad7a9f47da384da6237671037250e24c37d8bb9fdc4c5c7983f.exe
Drops file in Windows directory (8 IoCs)
Processes:
  description                     ioc                                                          process
  File opened for modification    C:\Windows\Logs\CBS\CBS.log                                  TiWorker.exe
  File opened for modification    C:\Windows\WinSxS\pending.xml                                TiWorker.exe
  File opened for modification    C:\Windows\WindowsUpdate.log                                 svchost.exe
  File opened for modification    C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk       svchost.exe
  File opened for modification    C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log       svchost.exe
  File opened for modification    C:\Windows\SoftwareDistribution\DataStore\DataStore.edb      svchost.exe
  File opened for modification    C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm      svchost.exe
  File opened for modification    C:\Windows\SoftwareDistribution\ReportingEvents.log          svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description                          pid    process
  Token: SeShutdownPrivilege           1624   svchost.exe
  Token: SeCreatePagefilePrivilege     1624   svchost.exe
  Token: SeShutdownPrivilege           1624   svchost.exe
  Token: SeCreatePagefilePrivilege     1624   svchost.exe
  Token: SeShutdownPrivilege           1624   svchost.exe
  Token: SeCreatePagefilePrivilege     1624   svchost.exe
  Token: SeSecurityPrivilege           4296   TiWorker.exe
  Token: SeRestorePrivilege            4296   TiWorker.exe
  Token: SeBackupPrivilege             4296   TiWorker.exe
  Token: SeIncBasePriorityPrivilege    1436   03e9eb0a1e1e7ad7a9f47da384da6237671037250e24c37d8bb9fdc4c5c7983f.exe
  Token: SeBackupPrivilege             4296   TiWorker.exe
  Token: SeRestorePrivilege            4296   TiWorker.exe
  Token: SeSecurityPrivilege           4296   TiWorker.exe
  Token: SeBackupPrivilege             4296   TiWorker.exe
  Token: SeRestorePrivilege            4296   TiWorker.exe
  Token: SeSecurityPrivilege           4296   TiWorker.exe
  Token: SeBackupPrivilege             4296   TiWorker.exe
  Token: SeRestorePrivilege            4296   TiWorker.exe
  Token: SeSecurityPrivilege           4296   TiWorker.exe
  Token: SeBackupPrivilege             4296   TiWorker.exe
  Token: SeRestorePrivilege            4296   TiWorker.exe
  Token: SeSecurityPrivilege           4296   TiWorker.exe
  Token: SeBackupPrivilege             4296   TiWorker.exe
  Token: SeRestorePrivilege            4296   TiWorker.exe
  Token: SeSecurityPrivilege           4296   TiWorker.exe
  Token: SeBackupPrivilege             4296   TiWorker.exe
  Token: SeRestorePrivilege            4296   TiWorker.exe
  Token: SeSecurityPrivilege           4296   TiWorker.exe
  Token: SeBackupPrivilege             4296   TiWorker.exe
  Token: SeRestorePrivilege            4296   TiWorker.exe
  Token: SeSecurityPrivilege           4296   TiWorker.exe
  Token: SeBackupPrivilege             4296   TiWorker.exe
  Token: SeRestorePrivilege            4296   TiWorker.exe
  Token: SeSecurityPrivilege           4296   TiWorker.exe
  Token: SeBackupPrivilege             4296   TiWorker.exe
  Token: SeRestorePrivilege            4296   TiWorker.exe
  Token: SeSecurityPrivilege           4296   TiWorker.exe
  Token: SeBackupPrivilege             4296   TiWorker.exe
  Token: SeRestorePrivilege            4296   TiWorker.exe
  Token: SeSecurityPrivilege           4296   TiWorker.exe
  Token: SeBackupPrivilege             4296   TiWorker.exe
  Token: SeRestorePrivilege            4296   TiWorker.exe
  Token: SeSecurityPrivilege           4296   TiWorker.exe
  Token: SeBackupPrivilege             4296   TiWorker.exe
  Token: SeRestorePrivilege            4296   TiWorker.exe
  Token: SeSecurityPrivilege           4296   TiWorker.exe
  Token: SeBackupPrivilege             4296   TiWorker.exe
  Token: SeRestorePrivilege            4296   TiWorker.exe
  Token: SeSecurityPrivilege           4296   TiWorker.exe
  Token: SeBackupPrivilege             4296   TiWorker.exe
  Token: SeRestorePrivilege            4296   TiWorker.exe
  Token: SeSecurityPrivilege           4296   TiWorker.exe
  Token: SeBackupPrivilege             4296   TiWorker.exe
  Token: SeRestorePrivilege            4296   TiWorker.exe
  Token: SeSecurityPrivilege           4296   TiWorker.exe
  Token: SeBackupPrivilege             4296   TiWorker.exe
  Token: SeRestorePrivilege            4296   TiWorker.exe
  Token: SeSecurityPrivilege           4296   TiWorker.exe
  Token: SeBackupPrivilege             4296   TiWorker.exe
  Token: SeRestorePrivilege            4296   TiWorker.exe
  Token: SeSecurityPrivilege           4296   TiWorker.exe
  Token: SeBackupPrivilege             4296   TiWorker.exe
  Token: SeRestorePrivilege            4296   TiWorker.exe
  Token: SeSecurityPrivilege           4296   TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                        pid    process                                                                  target process
  PID 1436 wrote to memory of 3908   1436   03e9eb0a1e1e7ad7a9f47da384da6237671037250e24c37d8bb9fdc4c5c7983f.exe   MediaCenter.exe
  PID 1436 wrote to memory of 3908   1436   03e9eb0a1e1e7ad7a9f47da384da6237671037250e24c37d8bb9fdc4c5c7983f.exe   MediaCenter.exe
  PID 1436 wrote to memory of 3908   1436   03e9eb0a1e1e7ad7a9f47da384da6237671037250e24c37d8bb9fdc4c5c7983f.exe   MediaCenter.exe
  PID 1436 wrote to memory of 1080   1436   03e9eb0a1e1e7ad7a9f47da384da6237671037250e24c37d8bb9fdc4c5c7983f.exe   cmd.exe
  PID 1436 wrote to memory of 1080   1436   03e9eb0a1e1e7ad7a9f47da384da6237671037250e24c37d8bb9fdc4c5c7983f.exe   cmd.exe
  PID 1436 wrote to memory of 1080   1436   03e9eb0a1e1e7ad7a9f47da384da6237671037250e24c37d8bb9fdc4c5c7983f.exe   cmd.exe
  PID 1080 wrote to memory of 2072   1080   cmd.exe                                                                  PING.EXE
  PID 1080 wrote to memory of 2072   1080   cmd.exe                                                                  PING.EXE
  PID 1080 wrote to memory of 2072   1080   cmd.exe                                                                  PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\03e9eb0a1e1e7ad7a9f47da384da6237671037250e24c37d8bb9fdc4c5c7983f.exe (PID: 1436)
  Command line: "C:\Users\Admin\AppData\Local\Temp\03e9eb0a1e1e7ad7a9f47da384da6237671037250e24c37d8bb9fdc4c5c7983f.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID: 3908)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe (PID: 1080)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\03e9eb0a1e1e7ad7a9f47da384da6237671037250e24c37d8bb9fdc4c5c7983f.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE (PID: 2072)
      Command line: ping 127.0.0.1
      - Runs ping.exe

C:\Windows\system32\svchost.exe (PID: 1624)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID: 4296)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: cad0d89de90aac2d95ffa67d526b7411
  SHA1: 97bad7f0d3f139a411f174e32ae048edce861941
  SHA256: 5bd805d402089849dd533b3410899eeb3ea87c83a3822160f445553642883704
  SHA512: a07d60d4cb0371562c782da13399e5efd50b31fe2541b648329a0aec984e7586c8464a85277640f36241552066f6206ec7f10f8abee6f27ba1d7205e95784178
memory/1436-135-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
memory/1624-132-0x0000021F61530000-0x0000021F61540000-memory.dmp
  Filesize: 64KB
memory/1624-133-0x0000021F61590000-0x0000021F615A0000-memory.dmp
  Filesize: 64KB
memory/1624-134-0x0000021F64290000-0x0000021F64294000-memory.dmp
  Filesize: 16KB
memory/3908-136-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB