Analysis
- max time kernel: 149s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 10:06
Static task: static1
Behavioral task: behavioral1
  Sample: 08171590608cd6cdd31a80dfe3005e72c40fd3836372c18f493df4ab24c0a814.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 08171590608cd6cdd31a80dfe3005e72c40fd3836372c18f493df4ab24c0a814.exe
  Resource: win10v2004-en-20220113
General
- Target: 08171590608cd6cdd31a80dfe3005e72c40fd3836372c18f493df4ab24c0a814.exe
- Size: 80KB
- MD5: ae72192dfededc4fd7a198bce466356c
- SHA1: 7ab4b5816818415a7070c219790a9343e25ee02c
- SHA256: 08171590608cd6cdd31a80dfe3005e72c40fd3836372c18f493df4ab24c0a814
- SHA512: 0b3d0f23be8aaf4deb44e10ebd909565360b80b1d5a3eb6813b42f09b7b78eae02cd7bb380937f8562e50f87c5f8f740594a86001ca3b09d3f6b43e171e8574e
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
    pid | process
    4416 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 08171590608cd6cdd31a80dfe3005e72c40fd3836372c18f493df4ab24c0a814.exe
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 08171590608cd6cdd31a80dfe3005e72c40fd3836372c18f493df4ab24c0a814.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 08171590608cd6cdd31a80dfe3005e72c40fd3836372c18f493df4ab24c0a814.exe
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 08171590608cd6cdd31a80dfe3005e72c40fd3836372c18f493df4ab24c0a814.exe
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
    description | ioc | process
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
    File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
    File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
    File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, 08171590608cd6cdd31a80dfe3005e72c40fd3836372c18f493df4ab24c0a814.exe, TiWorker.exe
    description | pid | process
    Token: SeShutdownPrivilege | 3508 | svchost.exe
    Token: SeCreatePagefilePrivilege | 3508 | svchost.exe
    Token: SeShutdownPrivilege | 3508 | svchost.exe
    Token: SeCreatePagefilePrivilege | 3508 | svchost.exe
    Token: SeIncBasePriorityPrivilege | 2348 | 08171590608cd6cdd31a80dfe3005e72c40fd3836372c18f493df4ab24c0a814.exe
    Token: SeShutdownPrivilege | 3508 | svchost.exe
    Token: SeCreatePagefilePrivilege | 3508 | svchost.exe
    Token: SeSecurityPrivilege | 3536 | TiWorker.exe
    Token: SeRestorePrivilege | 3536 | TiWorker.exe
    Token: SeBackupPrivilege | 3536 | TiWorker.exe
    Token: SeBackupPrivilege | 3536 | TiWorker.exe
    Token: SeRestorePrivilege | 3536 | TiWorker.exe
    Token: SeSecurityPrivilege | 3536 | TiWorker.exe
    Token: SeBackupPrivilege | 3536 | TiWorker.exe
    Token: SeRestorePrivilege | 3536 | TiWorker.exe
    Token: SeSecurityPrivilege | 3536 | TiWorker.exe
    Token: SeBackupPrivilege | 3536 | TiWorker.exe
    Token: SeRestorePrivilege | 3536 | TiWorker.exe
    Token: SeSecurityPrivilege | 3536 | TiWorker.exe
    Token: SeBackupPrivilege | 3536 | TiWorker.exe
    Token: SeRestorePrivilege | 3536 | TiWorker.exe
    Token: SeSecurityPrivilege | 3536 | TiWorker.exe
    Token: SeBackupPrivilege | 3536 | TiWorker.exe
    Token: SeRestorePrivilege | 3536 | TiWorker.exe
    Token: SeSecurityPrivilege | 3536 | TiWorker.exe
    Token: SeBackupPrivilege | 3536 | TiWorker.exe
    Token: SeRestorePrivilege | 3536 | TiWorker.exe
    Token: SeSecurityPrivilege | 3536 | TiWorker.exe
    Token: SeBackupPrivilege | 3536 | TiWorker.exe
    Token: SeRestorePrivilege | 3536 | TiWorker.exe
    Token: SeSecurityPrivilege | 3536 | TiWorker.exe
    Token: SeBackupPrivilege | 3536 | TiWorker.exe
    Token: SeRestorePrivilege | 3536 | TiWorker.exe
    Token: SeSecurityPrivilege | 3536 | TiWorker.exe
    Token: SeBackupPrivilege | 3536 | TiWorker.exe
    Token: SeRestorePrivilege | 3536 | TiWorker.exe
    Token: SeSecurityPrivilege | 3536 | TiWorker.exe
    Token: SeBackupPrivilege | 3536 | TiWorker.exe
    Token: SeRestorePrivilege | 3536 | TiWorker.exe
    Token: SeSecurityPrivilege | 3536 | TiWorker.exe
    Token: SeBackupPrivilege | 3536 | TiWorker.exe
    Token: SeRestorePrivilege | 3536 | TiWorker.exe
    Token: SeSecurityPrivilege | 3536 | TiWorker.exe
    Token: SeBackupPrivilege | 3536 | TiWorker.exe
    Token: SeRestorePrivilege | 3536 | TiWorker.exe
    Token: SeSecurityPrivilege | 3536 | TiWorker.exe
    Token: SeBackupPrivilege | 3536 | TiWorker.exe
    Token: SeRestorePrivilege | 3536 | TiWorker.exe
    Token: SeSecurityPrivilege | 3536 | TiWorker.exe
    Token: SeBackupPrivilege | 3536 | TiWorker.exe
    Token: SeRestorePrivilege | 3536 | TiWorker.exe
    Token: SeSecurityPrivilege | 3536 | TiWorker.exe
    Token: SeBackupPrivilege | 3536 | TiWorker.exe
    Token: SeRestorePrivilege | 3536 | TiWorker.exe
    Token: SeSecurityPrivilege | 3536 | TiWorker.exe
    Token: SeBackupPrivilege | 3536 | TiWorker.exe
    Token: SeRestorePrivilege | 3536 | TiWorker.exe
    Token: SeSecurityPrivilege | 3536 | TiWorker.exe
    Token: SeBackupPrivilege | 3536 | TiWorker.exe
    Token: SeRestorePrivilege | 3536 | TiWorker.exe
    Token: SeSecurityPrivilege | 3536 | TiWorker.exe
    Token: SeBackupPrivilege | 3536 | TiWorker.exe
    Token: SeRestorePrivilege | 3536 | TiWorker.exe
    Token: SeSecurityPrivilege | 3536 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 08171590608cd6cdd31a80dfe3005e72c40fd3836372c18f493df4ab24c0a814.exe, cmd.exe
    description | pid | process | target process
    PID 2348 wrote to memory of 4416 | 2348 | 08171590608cd6cdd31a80dfe3005e72c40fd3836372c18f493df4ab24c0a814.exe | MediaCenter.exe
    PID 2348 wrote to memory of 4416 | 2348 | 08171590608cd6cdd31a80dfe3005e72c40fd3836372c18f493df4ab24c0a814.exe | MediaCenter.exe
    PID 2348 wrote to memory of 4416 | 2348 | 08171590608cd6cdd31a80dfe3005e72c40fd3836372c18f493df4ab24c0a814.exe | MediaCenter.exe
    PID 2348 wrote to memory of 3620 | 2348 | 08171590608cd6cdd31a80dfe3005e72c40fd3836372c18f493df4ab24c0a814.exe | cmd.exe
    PID 2348 wrote to memory of 3620 | 2348 | 08171590608cd6cdd31a80dfe3005e72c40fd3836372c18f493df4ab24c0a814.exe | cmd.exe
    PID 2348 wrote to memory of 3620 | 2348 | 08171590608cd6cdd31a80dfe3005e72c40fd3836372c18f493df4ab24c0a814.exe | cmd.exe
    PID 3620 wrote to memory of 380 | 3620 | cmd.exe | PING.EXE
    PID 3620 wrote to memory of 380 | 3620 | cmd.exe | PING.EXE
    PID 3620 wrote to memory of 380 | 3620 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\08171590608cd6cdd31a80dfe3005e72c40fd3836372c18f493df4ab24c0a814.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\08171590608cd6cdd31a80dfe3005e72c40fd3836372c18f493df4ab24c0a814.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2348
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 4416
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\08171590608cd6cdd31a80dfe3005e72c40fd3836372c18f493df4ab24c0a814.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3620
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 380
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3508
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3536
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: ddde8e97fb6381c8e779301ec6dfb9c3
  SHA1: a96c8299224b3b35e54ba79d0cd6e75901a3f867
  SHA256: 1e5cc5ae09bf4295e498494e171b8649040ca834d2be40c4b9e44af17c6ecd56
  SHA512: 80d289bb66628522fd163a2746f9c91434476331df7931a72071a1753b628a59dd9c9dd66aa356eb6ba034f78106538f2c19530c278cfec6117a50ae44e0e325
- memory/3508-133-0x000001D8C1820000-0x000001D8C1830000-memory.dmp
  Filesize: 64KB
- memory/3508-132-0x000001D8C1150000-0x000001D8C1160000-memory.dmp
  Filesize: 64KB
- memory/3508-134-0x000001D8C3ED0000-0x000001D8C3ED4000-memory.dmp
  Filesize: 16KB