Analysis
- max time kernel: 148s
- max time network: 171s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 08:25
Static task: static1
Behavioral task: behavioral1
- Sample: 0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43.exe
- Resource: win10v2004-en-20220113
General
- Target: 0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43.exe
- Size: 80KB
- MD5: b4c87a3b0ba0bccf206b48f178b59c25
- SHA1: 6286c1a04dea66cfdb733b0ed3515bc23af78105
- SHA256: 0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43
- SHA512: ce7f70324c31feba038367c9c89bc43aa24b1dde9e5ab7924ca70613900554481b68e894315553fbc6c4eff4d4562caedfef158cf2fd2052071668dd10304e62
Malware Config
Signatures
- Sakula Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE 1 IoCs
Processes:
pid | process
4124 | MediaCenter.exe
- Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43.exe
- Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43.exe
- Drops file in Windows directory 8 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
- Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 1720 | svchost.exe
Token: SeCreatePagefilePrivilege | 1720 | svchost.exe
Token: SeShutdownPrivilege | 1720 | svchost.exe
Token: SeCreatePagefilePrivilege | 1720 | svchost.exe
Token: SeShutdownPrivilege | 1720 | svchost.exe
Token: SeCreatePagefilePrivilege | 1720 | svchost.exe
Token: SeIncBasePriorityPrivilege | 4668 | 0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43.exe
Token: SeSecurityPrivilege | 540 | TiWorker.exe
Token: SeRestorePrivilege | 540 | TiWorker.exe
Token: SeBackupPrivilege | 540 | TiWorker.exe
Token: SeBackupPrivilege | 540 | TiWorker.exe
Token: SeRestorePrivilege | 540 | TiWorker.exe
Token: SeSecurityPrivilege | 540 | TiWorker.exe
Token: SeBackupPrivilege | 540 | TiWorker.exe
Token: SeRestorePrivilege | 540 | TiWorker.exe
Token: SeSecurityPrivilege | 540 | TiWorker.exe
Token: SeBackupPrivilege | 540 | TiWorker.exe
Token: SeRestorePrivilege | 540 | TiWorker.exe
Token: SeSecurityPrivilege | 540 | TiWorker.exe
Token: SeBackupPrivilege | 540 | TiWorker.exe
Token: SeRestorePrivilege | 540 | TiWorker.exe
Token: SeSecurityPrivilege | 540 | TiWorker.exe
Token: SeBackupPrivilege | 540 | TiWorker.exe
Token: SeRestorePrivilege | 540 | TiWorker.exe
Token: SeSecurityPrivilege | 540 | TiWorker.exe
Token: SeBackupPrivilege | 540 | TiWorker.exe
Token: SeRestorePrivilege | 540 | TiWorker.exe
Token: SeSecurityPrivilege | 540 | TiWorker.exe
Token: SeBackupPrivilege | 540 | TiWorker.exe
Token: SeRestorePrivilege | 540 | TiWorker.exe
Token: SeSecurityPrivilege | 540 | TiWorker.exe
Token: SeBackupPrivilege | 540 | TiWorker.exe
Token: SeRestorePrivilege | 540 | TiWorker.exe
Token: SeSecurityPrivilege | 540 | TiWorker.exe
Token: SeBackupPrivilege | 540 | TiWorker.exe
Token: SeRestorePrivilege | 540 | TiWorker.exe
Token: SeSecurityPrivilege | 540 | TiWorker.exe
Token: SeBackupPrivilege | 540 | TiWorker.exe
Token: SeRestorePrivilege | 540 | TiWorker.exe
Token: SeSecurityPrivilege | 540 | TiWorker.exe
Token: SeBackupPrivilege | 540 | TiWorker.exe
Token: SeRestorePrivilege | 540 | TiWorker.exe
Token: SeSecurityPrivilege | 540 | TiWorker.exe
Token: SeBackupPrivilege | 540 | TiWorker.exe
Token: SeRestorePrivilege | 540 | TiWorker.exe
Token: SeSecurityPrivilege | 540 | TiWorker.exe
Token: SeBackupPrivilege | 540 | TiWorker.exe
Token: SeRestorePrivilege | 540 | TiWorker.exe
Token: SeSecurityPrivilege | 540 | TiWorker.exe
Token: SeBackupPrivilege | 540 | TiWorker.exe
Token: SeRestorePrivilege | 540 | TiWorker.exe
Token: SeSecurityPrivilege | 540 | TiWorker.exe
Token: SeBackupPrivilege | 540 | TiWorker.exe
Token: SeRestorePrivilege | 540 | TiWorker.exe
Token: SeSecurityPrivilege | 540 | TiWorker.exe
Token: SeBackupPrivilege | 540 | TiWorker.exe
Token: SeRestorePrivilege | 540 | TiWorker.exe
Token: SeSecurityPrivilege | 540 | TiWorker.exe
Token: SeBackupPrivilege | 540 | TiWorker.exe
Token: SeRestorePrivilege | 540 | TiWorker.exe
Token: SeSecurityPrivilege | 540 | TiWorker.exe
Token: SeBackupPrivilege | 540 | TiWorker.exe
Token: SeRestorePrivilege | 540 | TiWorker.exe
Token: SeSecurityPrivilege | 540 | TiWorker.exe
- Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 4668 wrote to memory of 4124 | 4668 | 0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43.exe | MediaCenter.exe
PID 4668 wrote to memory of 4124 | 4668 | 0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43.exe | MediaCenter.exe
PID 4668 wrote to memory of 4124 | 4668 | 0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43.exe | MediaCenter.exe
PID 4668 wrote to memory of 4400 | 4668 | 0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43.exe | cmd.exe
PID 4668 wrote to memory of 4400 | 4668 | 0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43.exe | cmd.exe
PID 4668 wrote to memory of 4400 | 4668 | 0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43.exe | cmd.exe
PID 4400 wrote to memory of 4736 | 4400 | cmd.exe | PING.EXE
PID 4400 wrote to memory of 4736 | 4400 | cmd.exe | PING.EXE
PID 4400 wrote to memory of 4736 | 4400 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43.exe"
  PID: 4668
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4124
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43.exe"
    PID: 4400
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 4736
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 1720
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 540
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 1befb5aa2b9eb96840b5e00e83039ee5
  SHA1: 3cb9d0af27d8e0eba4371785c9331886a3abd39d
  SHA256: 47b1a0194574764e571d7707d16d8c04d53cd1d9288275f78717875dc7ec4a6f
  SHA512: 0d049e4299110595539d8765068f0a5ed752848655e6d076f9173ed64c6561feb79a0d6c02a23a92a0dfbfbbf4f067faa4407c05d82a3000e9494688291504a1
- memory/1720-132-0x000001E74BB60000-0x000001E74BB70000-memory.dmp
  Filesize: 64KB
- memory/1720-133-0x000001E74C120000-0x000001E74C130000-memory.dmp
  Filesize: 64KB
- memory/1720-134-0x000001E74E7A0000-0x000001E74E7A4000-memory.dmp
  Filesize: 16KB