Analysis
- max time kernel: 144s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 09:17
Static task: static1
Behavioral task: behavioral1
  Sample: 0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe
  Resource: win10v2004-en-20220113
General
- Target: 0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe
- Size: 150KB
- MD5: f5eac658cebe544c926a47ac19dc940b
- SHA1: 625f191f4eee11ce4e66170248ef198d2f05041f
- SHA256: 0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8
- SHA512: e707f199a405e846b6cf0c698268383587baabde3b2b078bd96dd554399c5ce34e38ed49fc0b38a99f04ec89ff707db55a2e6bbe58beb6ab967180a54d174ed5
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  3304 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe
- Drops file in Windows directory (8 IoCs)
  Processes (description | ioc | process):
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description | pid | process):
  Token: SeShutdownPrivilege | 1252 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1252 | svchost.exe
  Token: SeShutdownPrivilege | 1252 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1252 | svchost.exe
  Token: SeShutdownPrivilege | 1252 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1252 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 2028 | 0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe
  Token: SeSecurityPrivilege | 3244 | TiWorker.exe
  Token: SeRestorePrivilege | 3244 | TiWorker.exe
  Token: SeBackupPrivilege | 3244 | TiWorker.exe
  Token: SeBackupPrivilege | 3244 | TiWorker.exe
  Token: SeRestorePrivilege | 3244 | TiWorker.exe
  Token: SeSecurityPrivilege | 3244 | TiWorker.exe
  Token: SeBackupPrivilege | 3244 | TiWorker.exe
  Token: SeRestorePrivilege | 3244 | TiWorker.exe
  Token: SeSecurityPrivilege | 3244 | TiWorker.exe
  Token: SeBackupPrivilege | 3244 | TiWorker.exe
  Token: SeRestorePrivilege | 3244 | TiWorker.exe
  Token: SeSecurityPrivilege | 3244 | TiWorker.exe
  Token: SeBackupPrivilege | 3244 | TiWorker.exe
  Token: SeRestorePrivilege | 3244 | TiWorker.exe
  Token: SeSecurityPrivilege | 3244 | TiWorker.exe
  Token: SeBackupPrivilege | 3244 | TiWorker.exe
  Token: SeRestorePrivilege | 3244 | TiWorker.exe
  Token: SeSecurityPrivilege | 3244 | TiWorker.exe
  Token: SeBackupPrivilege | 3244 | TiWorker.exe
  Token: SeRestorePrivilege | 3244 | TiWorker.exe
  Token: SeSecurityPrivilege | 3244 | TiWorker.exe
  Token: SeBackupPrivilege | 3244 | TiWorker.exe
  Token: SeRestorePrivilege | 3244 | TiWorker.exe
  Token: SeSecurityPrivilege | 3244 | TiWorker.exe
  Token: SeBackupPrivilege | 3244 | TiWorker.exe
  Token: SeRestorePrivilege | 3244 | TiWorker.exe
  Token: SeSecurityPrivilege | 3244 | TiWorker.exe
  Token: SeBackupPrivilege | 3244 | TiWorker.exe
  Token: SeRestorePrivilege | 3244 | TiWorker.exe
  Token: SeSecurityPrivilege | 3244 | TiWorker.exe
  Token: SeBackupPrivilege | 3244 | TiWorker.exe
  Token: SeRestorePrivilege | 3244 | TiWorker.exe
  Token: SeSecurityPrivilege | 3244 | TiWorker.exe
  Token: SeBackupPrivilege | 3244 | TiWorker.exe
  Token: SeRestorePrivilege | 3244 | TiWorker.exe
  Token: SeSecurityPrivilege | 3244 | TiWorker.exe
  Token: SeBackupPrivilege | 3244 | TiWorker.exe
  Token: SeRestorePrivilege | 3244 | TiWorker.exe
  Token: SeSecurityPrivilege | 3244 | TiWorker.exe
  Token: SeBackupPrivilege | 3244 | TiWorker.exe
  Token: SeRestorePrivilege | 3244 | TiWorker.exe
  Token: SeSecurityPrivilege | 3244 | TiWorker.exe
  Token: SeBackupPrivilege | 3244 | TiWorker.exe
  Token: SeRestorePrivilege | 3244 | TiWorker.exe
  Token: SeSecurityPrivilege | 3244 | TiWorker.exe
  Token: SeBackupPrivilege | 3244 | TiWorker.exe
  Token: SeRestorePrivilege | 3244 | TiWorker.exe
  Token: SeSecurityPrivilege | 3244 | TiWorker.exe
  Token: SeBackupPrivilege | 3244 | TiWorker.exe
  Token: SeRestorePrivilege | 3244 | TiWorker.exe
  Token: SeSecurityPrivilege | 3244 | TiWorker.exe
  Token: SeBackupPrivilege | 3244 | TiWorker.exe
  Token: SeRestorePrivilege | 3244 | TiWorker.exe
  Token: SeSecurityPrivilege | 3244 | TiWorker.exe
  Token: SeBackupPrivilege | 3244 | TiWorker.exe
  Token: SeRestorePrivilege | 3244 | TiWorker.exe
  Token: SeSecurityPrivilege | 3244 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
  PID 2028 wrote to memory of 3304 | 2028 | 0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe | MediaCenter.exe
  PID 2028 wrote to memory of 3304 | 2028 | 0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe | MediaCenter.exe
  PID 2028 wrote to memory of 3304 | 2028 | 0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe | MediaCenter.exe
  PID 2028 wrote to memory of 4480 | 2028 | 0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe | cmd.exe
  PID 2028 wrote to memory of 4480 | 2028 | 0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe | cmd.exe
  PID 2028 wrote to memory of 4480 | 2028 | 0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe | cmd.exe
  PID 4480 wrote to memory of 4172 | 4480 | cmd.exe | PING.EXE
  PID 4480 wrote to memory of 4172 | 4480 | cmd.exe | PING.EXE
  PID 4480 wrote to memory of 4172 | 4480 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe"
  PID: 2028
  Signatures:
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 3304
    Signatures:
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe"
    PID: 4480
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 4172
      Signatures:
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 1252
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3244
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 445e25643ad5a7855b9313586aa89964
  SHA1: 9a51f5ab9c95d543ff8f4ea43011d50ed03a454d
  SHA256: 5223979cbb0ef6e8adb4a3177e8c4a911ccf80b3fdf08fd4d4b89a780f596cff
  SHA512: 40215817d3d0e3b7384d58cae57db0eb68d80b1171170953a9a5c7b3660417cb4b4a60702f60be9d0fd95ae1a998ac0c6dddccad760c0b4847e7da5ad4f0f6b8
- memory/1252-132-0x00000211767A0000-0x00000211767B0000-memory.dmp
  Filesize: 64KB
- memory/1252-133-0x0000021176E20000-0x0000021176E30000-memory.dmp
  Filesize: 64KB
- memory/1252-134-0x0000021179520000-0x0000021179524000-memory.dmp
  Filesize: 16KB