Analysis
- max time kernel: 132s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 10:05
Static task: static1
Behavioral task: behavioral1
- Sample: 082c765372b65aee6469edde4954229ffd29d1542a79cbd9ecd9f7f3e6d778ca.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 082c765372b65aee6469edde4954229ffd29d1542a79cbd9ecd9f7f3e6d778ca.exe
- Resource: win10v2004-en-20220113
General
- Target: 082c765372b65aee6469edde4954229ffd29d1542a79cbd9ecd9f7f3e6d778ca.exe
- Size: 191KB
- MD5: 0cbe6009fcd1e715a938ee4f05e036f6
- SHA1: 4b707b7cb034d58c03c7a9fdcbe5d8c1433484ea
- SHA256: 082c765372b65aee6469edde4954229ffd29d1542a79cbd9ecd9f7f3e6d778ca
- SHA512: b0815b6606554d2cce73d2a36a8e38d69ebf774a4ad24460db5c4c3aee2c92bfa60fa11bba428720a9d46396b4228c94d793de4f0ab5a6281ab42d05bdff315f
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  4824 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 082c765372b65aee6469edde4954229ffd29d1542a79cbd9ecd9f7f3e6d778ca.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 082c765372b65aee6469edde4954229ffd29d1542a79cbd9ecd9f7f3e6d778ca.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 2068 | svchost.exe
  Token: SeCreatePagefilePrivilege | 2068 | svchost.exe
  Token: SeShutdownPrivilege | 2068 | svchost.exe
  Token: SeCreatePagefilePrivilege | 2068 | svchost.exe
  Token: SeShutdownPrivilege | 2068 | svchost.exe
  Token: SeCreatePagefilePrivilege | 2068 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 2772 | 082c765372b65aee6469edde4954229ffd29d1542a79cbd9ecd9f7f3e6d778ca.exe
  Token: SeSecurityPrivilege | 4900 | TiWorker.exe
  Token: SeRestorePrivilege | 4900 | TiWorker.exe
  Token: SeBackupPrivilege | 4900 | TiWorker.exe
  Token: SeBackupPrivilege | 4900 | TiWorker.exe
  Token: SeRestorePrivilege | 4900 | TiWorker.exe
  Token: SeSecurityPrivilege | 4900 | TiWorker.exe
  Token: SeBackupPrivilege | 4900 | TiWorker.exe
  Token: SeRestorePrivilege | 4900 | TiWorker.exe
  Token: SeSecurityPrivilege | 4900 | TiWorker.exe
  Token: SeBackupPrivilege | 4900 | TiWorker.exe
  Token: SeRestorePrivilege | 4900 | TiWorker.exe
  Token: SeSecurityPrivilege | 4900 | TiWorker.exe
  Token: SeBackupPrivilege | 4900 | TiWorker.exe
  Token: SeRestorePrivilege | 4900 | TiWorker.exe
  Token: SeSecurityPrivilege | 4900 | TiWorker.exe
  Token: SeBackupPrivilege | 4900 | TiWorker.exe
  Token: SeRestorePrivilege | 4900 | TiWorker.exe
  Token: SeSecurityPrivilege | 4900 | TiWorker.exe
  Token: SeBackupPrivilege | 4900 | TiWorker.exe
  Token: SeRestorePrivilege | 4900 | TiWorker.exe
  Token: SeSecurityPrivilege | 4900 | TiWorker.exe
  Token: SeBackupPrivilege | 4900 | TiWorker.exe
  Token: SeRestorePrivilege | 4900 | TiWorker.exe
  Token: SeSecurityPrivilege | 4900 | TiWorker.exe
  Token: SeBackupPrivilege | 4900 | TiWorker.exe
  Token: SeRestorePrivilege | 4900 | TiWorker.exe
  Token: SeSecurityPrivilege | 4900 | TiWorker.exe
  Token: SeBackupPrivilege | 4900 | TiWorker.exe
  Token: SeRestorePrivilege | 4900 | TiWorker.exe
  Token: SeSecurityPrivilege | 4900 | TiWorker.exe
  Token: SeBackupPrivilege | 4900 | TiWorker.exe
  Token: SeRestorePrivilege | 4900 | TiWorker.exe
  Token: SeSecurityPrivilege | 4900 | TiWorker.exe
  Token: SeBackupPrivilege | 4900 | TiWorker.exe
  Token: SeRestorePrivilege | 4900 | TiWorker.exe
  Token: SeSecurityPrivilege | 4900 | TiWorker.exe
  Token: SeBackupPrivilege | 4900 | TiWorker.exe
  Token: SeRestorePrivilege | 4900 | TiWorker.exe
  Token: SeSecurityPrivilege | 4900 | TiWorker.exe
  Token: SeBackupPrivilege | 4900 | TiWorker.exe
  Token: SeRestorePrivilege | 4900 | TiWorker.exe
  Token: SeSecurityPrivilege | 4900 | TiWorker.exe
  Token: SeBackupPrivilege | 4900 | TiWorker.exe
  Token: SeRestorePrivilege | 4900 | TiWorker.exe
  Token: SeSecurityPrivilege | 4900 | TiWorker.exe
  Token: SeBackupPrivilege | 4900 | TiWorker.exe
  Token: SeRestorePrivilege | 4900 | TiWorker.exe
  Token: SeSecurityPrivilege | 4900 | TiWorker.exe
  Token: SeBackupPrivilege | 4900 | TiWorker.exe
  Token: SeRestorePrivilege | 4900 | TiWorker.exe
  Token: SeSecurityPrivilege | 4900 | TiWorker.exe
  Token: SeBackupPrivilege | 4900 | TiWorker.exe
  Token: SeRestorePrivilege | 4900 | TiWorker.exe
  Token: SeSecurityPrivilege | 4900 | TiWorker.exe
  Token: SeBackupPrivilege | 4900 | TiWorker.exe
  Token: SeRestorePrivilege | 4900 | TiWorker.exe
  Token: SeSecurityPrivilege | 4900 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 2772 wrote to memory of 4824 | 2772 | 082c765372b65aee6469edde4954229ffd29d1542a79cbd9ecd9f7f3e6d778ca.exe | MediaCenter.exe
  PID 2772 wrote to memory of 4824 | 2772 | 082c765372b65aee6469edde4954229ffd29d1542a79cbd9ecd9f7f3e6d778ca.exe | MediaCenter.exe
  PID 2772 wrote to memory of 4824 | 2772 | 082c765372b65aee6469edde4954229ffd29d1542a79cbd9ecd9f7f3e6d778ca.exe | MediaCenter.exe
  PID 2772 wrote to memory of 3996 | 2772 | 082c765372b65aee6469edde4954229ffd29d1542a79cbd9ecd9f7f3e6d778ca.exe | cmd.exe
  PID 2772 wrote to memory of 3996 | 2772 | 082c765372b65aee6469edde4954229ffd29d1542a79cbd9ecd9f7f3e6d778ca.exe | cmd.exe
  PID 2772 wrote to memory of 3996 | 2772 | 082c765372b65aee6469edde4954229ffd29d1542a79cbd9ecd9f7f3e6d778ca.exe | cmd.exe
  PID 3996 wrote to memory of 2540 | 3996 | cmd.exe | PING.EXE
  PID 3996 wrote to memory of 2540 | 3996 | cmd.exe | PING.EXE
  PID 3996 wrote to memory of 2540 | 3996 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\082c765372b65aee6469edde4954229ffd29d1542a79cbd9ecd9f7f3e6d778ca.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\082c765372b65aee6469edde4954229ffd29d1542a79cbd9ecd9f7f3e6d778ca.exe"
  PID: 2772
  Signatures:
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4824
    Signatures:
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\082c765372b65aee6469edde4954229ffd29d1542a79cbd9ecd9f7f3e6d778ca.exe"
    PID: 3996
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 2540
      Signatures:
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 2068
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 4900
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: eebaaa1109834c875ae3aa4ab260de97
  SHA1: f75536327e9810e78269243e6db6f62531126a82
  SHA256: 281e3d08823130f61acd1d8ca83e59c15659d36f7befdd7630606943e2e20d09
  SHA512: d8a75a6e721f57482b5a5853b2248af9f79a274b03510a3758ee4773fc6921f2763d5587e510142632c12e31e9ad675f2f9f3b8c0d9c412ca82cf7c9e6b83a78
- memory/2068-132-0x00000208A8D20000-0x00000208A8D30000-memory.dmp
  Filesize: 64KB
- memory/2068-133-0x00000208A8D80000-0x00000208A8D90000-memory.dmp
  Filesize: 64KB
- memory/2068-134-0x00000208AB460000-0x00000208AB464000-memory.dmp
  Filesize: 16KB