Analysis
  max time kernel:  153s
  max time network: 158s
  platform:         windows10-2004_x64
  resource:         win10v2004-en-20220113
  submitted:        12-02-2022 09:12
Static task: static1

Behavioral task: behavioral1
  Sample:   0abd88f76efa984c76aeeaf14de591a9656f33fed2e0236cbb0cdc3d9b695fd3.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample:   0abd88f76efa984c76aeeaf14de591a9656f33fed2e0236cbb0cdc3d9b695fd3.exe
  Resource: win10v2004-en-20220113
General
  Target: 0abd88f76efa984c76aeeaf14de591a9656f33fed2e0236cbb0cdc3d9b695fd3.exe
  Size:   216KB
  MD5:    ac829dd26d9d9237dee728f7b4cc5b99
  SHA1:   5ea3ab7bc395f0f59ea577eedcd79993efe6e759
  SHA256: 0abd88f76efa984c76aeeaf14de591a9656f33fed2e0236cbb0cdc3d9b695fd3
  SHA512: 84167f90c74c4ebb9dc4a3dc00c6895423f3a0dea1f121ee6456615bcb4d5a2db965b35c519092e337998fc8f1b0d41eb31d7c6cbca5623c586442be67f88959
Malware Config
Signatures
Sakula Payload (4 IoCs)
  resource                                                                        yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                    family_sakula
  behavioral2/memory/2752-135-0x0000000000400000-0x0000000000420000-memory.dmp    family_sakula
  behavioral2/memory/2736-136-0x0000000000400000-0x0000000000420000-memory.dmp    family_sakula
Executes dropped EXE (1 IoC)
  pid   process
  2736  MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc:         \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  process:     0abd88f76efa984c76aeeaf14de591a9656f33fed2e0236cbb0cdc3d9b695fd3.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc:         \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process:     0abd88f76efa984c76aeeaf14de591a9656f33fed2e0236cbb0cdc3d9b695fd3.exe
Drops file in Windows directory (8 IoCs)
  description                   ioc                                                          process
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm      svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log          svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log                                  TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml                                TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log                                 svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk       svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log       svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb      svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  token                      pid   process       count
  SeShutdownPrivilege        4872  svchost.exe    3
  SeCreatePagefilePrivilege  4872  svchost.exe    3
  SeSecurityPrivilege        3024  TiWorker.exe  19
  SeRestorePrivilege         3024  TiWorker.exe  19
  SeBackupPrivilege          3024  TiWorker.exe  20
Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   process                                                                target process
  PID 2752 wrote to memory of 2736   2752  0abd88f76efa984c76aeeaf14de591a9656f33fed2e0236cbb0cdc3d9b695fd3.exe  MediaCenter.exe
  PID 2752 wrote to memory of 2736   2752  0abd88f76efa984c76aeeaf14de591a9656f33fed2e0236cbb0cdc3d9b695fd3.exe  MediaCenter.exe
  PID 2752 wrote to memory of 2736   2752  0abd88f76efa984c76aeeaf14de591a9656f33fed2e0236cbb0cdc3d9b695fd3.exe  MediaCenter.exe
  PID 2752 wrote to memory of 1092   2752  0abd88f76efa984c76aeeaf14de591a9656f33fed2e0236cbb0cdc3d9b695fd3.exe  cmd.exe
  PID 2752 wrote to memory of 1092   2752  0abd88f76efa984c76aeeaf14de591a9656f33fed2e0236cbb0cdc3d9b695fd3.exe  cmd.exe
  PID 2752 wrote to memory of 1092   2752  0abd88f76efa984c76aeeaf14de591a9656f33fed2e0236cbb0cdc3d9b695fd3.exe  cmd.exe
  PID 1092 wrote to memory of 5076   1092  cmd.exe                                                                PING.EXE
  PID 1092 wrote to memory of 5076   1092  cmd.exe                                                                PING.EXE
  PID 1092 wrote to memory of 5076   1092  cmd.exe                                                                PING.EXE
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\0abd88f76efa984c76aeeaf14de591a9656f33fed2e0236cbb0cdc3d9b695fd3.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\0abd88f76efa984c76aeeaf14de591a9656f33fed2e0236cbb0cdc3d9b695fd3.exe"
      PID: 2752
      - Checks computer location settings
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
          command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
          PID: 2736
          - Executes dropped EXE
      [2] C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0abd88f76efa984c76aeeaf14de591a9656f33fed2e0236cbb0cdc3d9b695fd3.exe"
          PID: 1092
          - Suspicious use of WriteProcessMemory
          [3] C:\Windows\SysWOW64\PING.EXE
              command line: ping 127.0.0.1
              PID: 5076
              - Runs ping.exe

  [1] C:\Windows\system32\svchost.exe
      command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
      PID: 4872
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken

  [1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
      command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
      PID: 3024
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5:    9e092998ab016617bf403ebd03aadd35
    SHA1:   6ff148c8ad860c1101ac4e39120a4fcc2b1caa3d
    SHA256: 0366147d3f9bf6fc04eea906c1b0ae559a9ccb53f5745f62f4e5e02708f46808
    SHA512: 679e60d70ef5ff2dec43aef66b74b30f3ae83c48468fc6e051d12dd1f8fb8d8dbeecbfc6023bd5cfb78299b678c3f1fdf2b5ed008356d280f9e519b3e31cf18b
  memory/2736-136-0x0000000000400000-0x0000000000420000-memory.dmp    Filesize: 128KB
  memory/2752-135-0x0000000000400000-0x0000000000420000-memory.dmp    Filesize: 128KB
  memory/4872-132-0x000001BFA55A0000-0x000001BFA55B0000-memory.dmp    Filesize: 64KB
  memory/4872-133-0x000001BFA5B20000-0x000001BFA5B30000-memory.dmp    Filesize: 64KB
  memory/4872-134-0x000001BFA8220000-0x000001BFA8224000-memory.dmp    Filesize: 16KB