Analysis
- max time kernel: 144s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 08:31

Static task: static1

Behavioral task: behavioral1
- Sample: 0aefc66dffe23351f7fca601b899422490198be2bf00720871e4e1e295357ca2.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0aefc66dffe23351f7fca601b899422490198be2bf00720871e4e1e295357ca2.exe
- Resource: win10v2004-en-20220113
General
- Target: 0aefc66dffe23351f7fca601b899422490198be2bf00720871e4e1e295357ca2.exe
- Size: 176KB
- MD5: ea60be8ec92728f912df128d5e9447b8
- SHA1: b6882f781ee2a07e4505d3ad6e3a2eda726b8678
- SHA256: 0aefc66dffe23351f7fca601b899422490198be2bf00720871e4e1e295357ca2
- SHA512: 61ac74f7b1889ef7e9465536dfa224321e5033270edf7e7d2ce5beb5501bee98159178bc942d63f96f4b9635025f373cee7aa6f1b831ca7ccc953bc3007559c4
Malware Config
Signatures
Sakula Payload (4 IoCs)
resource | yara_rule
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- behavioral2/memory/3720-135-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- behavioral2/memory/3152-139-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
Executes dropped EXE (1 IoC)
pid | process
- 3152 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0aefc66dffe23351f7fca601b899422490198be2bf00720871e4e1e295357ca2.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0aefc66dffe23351f7fca601b899422490198be2bf00720871e4e1e295357ca2.exe
Drops file in Windows directory (8 IoCs)
description | ioc | process
- File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
- File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
- File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
- File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
- File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
- File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
- File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
- File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | process
- Token: SeIncBasePriorityPrivilege | 3720 | 0aefc66dffe23351f7fca601b899422490198be2bf00720871e4e1e295357ca2.exe
- Token: SeShutdownPrivilege | 1736 | svchost.exe
- Token: SeCreatePagefilePrivilege | 1736 | svchost.exe
  (the SeShutdownPrivilege / SeCreatePagefilePrivilege pair for 1736 svchost.exe is recorded three times)
- Token: SeSecurityPrivilege | 2620 | TiWorker.exe
- Token: SeRestorePrivilege | 2620 | TiWorker.exe
- Token: SeBackupPrivilege | 2620 | TiWorker.exe
  (the remaining entries cycle through SeBackupPrivilege, SeRestorePrivilege and SeSecurityPrivilege for 2620 TiWorker.exe; 64 entries in total)
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | process | target process
- PID 3720 wrote to memory of 3152 | 3720 | 0aefc66dffe23351f7fca601b899422490198be2bf00720871e4e1e295357ca2.exe | MediaCenter.exe (recorded 3 times)
- PID 3720 wrote to memory of 1836 | 3720 | 0aefc66dffe23351f7fca601b899422490198be2bf00720871e4e1e295357ca2.exe | cmd.exe (recorded 3 times)
- PID 1836 wrote to memory of 3716 | 1836 | cmd.exe | PING.EXE (recorded 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\0aefc66dffe23351f7fca601b899422490198be2bf00720871e4e1e295357ca2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0aefc66dffe23351f7fca601b899422490198be2bf00720871e4e1e295357ca2.exe"
  PID: 3720
  signatures:
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  child process: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 3152
    signatures:
    - Executes dropped EXE
  child process: C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0aefc66dffe23351f7fca601b899422490198be2bf00720871e4e1e295357ca2.exe"
    PID: 1836
    signatures:
    - Suspicious use of WriteProcessMemory
    child process: C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      PID: 3716
      signatures:
      - Runs ping.exe

- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 1736
  signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 2620
  signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 372059f64cbb856b41ab040beffe7507
  SHA1: ff3e98028badb36b12e2a853b6ba2a380925cede
  SHA256: f40f91b98f36cff6b2fa64476004c288ba8380aae9d69455a296cfc4fe9f5f29
  SHA512: c34044a928669f5f00c7ab7933514379a169f63971870cb6684350acd991b55c29cd5e981c13ff3f760249f300a6444e6220f0f1e66b162f5c495eb7ee981346
- memory/1736-136-0x000001A305990000-0x000001A3059A0000-memory.dmp
  Filesize: 64KB
- memory/1736-137-0x000001A306160000-0x000001A306170000-memory.dmp
  Filesize: 64KB
- memory/1736-138-0x000001A308D70000-0x000001A308D74000-memory.dmp
  Filesize: 16KB
- memory/3152-139-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/3720-135-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB