Analysis
- max time kernel: 160s
- max time network: 170s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 10:11
Static task: static1
Behavioral task: behavioral1
- Sample: 07e393e2731320804c1467f9eca9458c1ad1a8a2465eb2d240afb3d8e734c7bf.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 07e393e2731320804c1467f9eca9458c1ad1a8a2465eb2d240afb3d8e734c7bf.exe
- Resource: win10v2004-en-20220113
The signatures, process tree and downloads below are from behavioral2 (the windows10-2004_x64 run named in the platform and resource fields above); results from the win7 run are not shown on this page.
General
- Target: 07e393e2731320804c1467f9eca9458c1ad1a8a2465eb2d240afb3d8e734c7bf.exe
- Size: 152KB
- MD5: 19826e60b4b2a2001c0aa89f1d2781c6
- SHA1: 574ba4713a06f624010f516c441393537446733f
- SHA256: 07e393e2731320804c1467f9eca9458c1ad1a8a2465eb2d240afb3d8e734c7bf
- SHA512: 374699bd7f89119ef8709631a85266dd6aa6f1cb67d01a22484522de993ab916d0307d293c08fe3fae957aebdfd13d208b9aa27bfbc2a1ef68eb6a9fcbb6c7ff
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  Both YARA hits are on the dropped MediaCenter.exe; the submitted 152KB dropper itself does not appear in this list, so the family rule identifies the second-stage payload rather than the loader.
- Executes dropped EXE (1 IoC)
  pid | process
  4752 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 07e393e2731320804c1467f9eca9458c1ad1a8a2465eb2d240afb3d8e734c7bf.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 07e393e2731320804c1467f9eca9458c1ad1a8a2465eb2d240afb3d8e734c7bf.exe
  The value lands under WOW6432Node because the sample is a 32-bit process on the x64 guest (it also spawns cmd.exe from SysWOW64, see the process tree). Writing to the HKLM Run key needs administrative rights, which the sandbox user (Admin) has; on a host where the user is unprivileged the same write would fail, so check both HKLM and HKCU Run keys when hunting for the MicroMedia value.
- Drops file in Windows directory (8 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  None of these writes come from the sample or its children: svchost.exe here is the Windows Update service host (PID 1336, -s wuauserv) and TiWorker.exe is the Windows Modules Installer worker (PID 3664), both of which run as separate roots in the process tree below. Treat them as sandbox background activity, not as sample behaviour.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's canned description adds "likely ransomware behaviour", but that is a generic heuristic: no IoC is listed for this signature and nothing else in the report shows file encryption or mass file modification by the sample, so drive enumeration on its own should not be read as ransomware activity here.
- Runs ping.exe (1 TTP, 1 IoC)
  This is the `ping 127.0.0.1` launched by the sample's cmd.exe child (PID 1736 in the process tree below). Pinging localhost is used as a short delay so the dropper can exit before the same command line deletes its image.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  process | pid | privilege enabled | entries
  svchost.exe | 1336 | SeShutdownPrivilege | 3
  svchost.exe | 1336 | SeCreatePagefilePrivilege | 3
  TiWorker.exe | 3664 | SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege (cycled) | 57
  07e393e2731320804c1467f9eca9458c1ad1a8a2465eb2d240afb3d8e734c7bf.exe | 4628 | SeIncBasePriorityPrivilege | 1
  Only the single SeIncBasePriorityPrivilege entry belongs to the sample; the svchost.exe and TiWorker.exe entries are the Windows Update servicing activity noted above.
- Suspicious use of WriteProcessMemory (9 IoCs)
  source pid | source process | target pid | target process | writes
  4628 | 07e393e2731320804c1467f9eca9458c1ad1a8a2465eb2d240afb3d8e734c7bf.exe | 4752 | MediaCenter.exe | 3
  4628 | 07e393e2731320804c1467f9eca9458c1ad1a8a2465eb2d240afb3d8e734c7bf.exe | 4844 | cmd.exe | 3
  4844 | cmd.exe | 1736 | PING.EXE | 3
  Every write goes from a parent into a child it has just created, matching the process tree below; the report records no write into an unrelated process, so this signature reflects process creation rather than injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\07e393e2731320804c1467f9eca9458c1ad1a8a2465eb2d240afb3d8e734c7bf.exe (PID 4628)
  command line: "C:\Users\Admin\AppData\Local\Temp\07e393e2731320804c1467f9eca9458c1ad1a8a2465eb2d240afb3d8e734c7bf.exe"
  signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 4752)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 4844)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\07e393e2731320804c1467f9eca9458c1ad1a8a2465eb2d240afb3d8e734c7bf.exe"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1736)
      command line: ping 127.0.0.1
      signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 1336)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 3664)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

The sample's own chain is the first root: it drops and starts MediaCenter.exe, then launches cmd.exe to ping localhost once and delete the original dropper with `del /q`. The command line names System32\cmd.exe but the process runs from SysWOW64 because the 32-bit parent is subject to WOW64 file-system redirection. On a live host the submitted file will therefore usually be gone and only MediaCenter.exe, referenced by the MicroMedia Run value, remains. The svchost.exe (wuauserv) and TiWorker.exe roots have no parent in the tree and are Windows Update servicing activity in the sandbox, unrelated to the sample.
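As an added example that is not part of this sandbox report, the following Python script turns three behaviours recorded above into detection rules and runs them over constructed events that mirror the process tree and registry IoCs: a Run/RunOnce value whose command points into a user-writable directory, a `cmd /c ping 127.0.0.1 & del` chain that deletes its own parent's image, and a read of Control Panel\International\Geo\Nation. The event schema (dicts with type/pid/ppid/image/cmdline or type/pid/key/value) and the benign control records are assumptions modelled loosely on Sysmon process-creation and registry-set events; Sysmon does not log registry reads, so the geo-lookup rule assumes a sandbox or API-monitor trace as its input.

```python
import re

# Paths taken from the report. The event records below are constructed for the
# example (assumed Sysmon-like schema), not the sandbox's own export format.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\07e393e2731320804c1467f9eca9458c1ad1a8a2465eb2d240afb3d8e734c7bf.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

SAMPLE_EVENTS = [
    # Assumed launcher for the dropper so the parent-image comparison has data.
    {"type": "process", "pid": 1000, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 4628, "ppid": 1000, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"type": "registry_query", "pid": 4628,
     "key": r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation"},
    {"type": "registry_set", "pid": 4628,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": PAYLOAD},
    {"type": "process", "pid": 4752, "ppid": 4628, "image": PAYLOAD, "cmdline": PAYLOAD},
    {"type": "process", "pid": 4844, "ppid": 4628, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{DROPPER}"'},
    {"type": "process", "pid": 1736, "ppid": 4844, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Constructed benign controls that must not fire: a Run value under Program
    # Files, and a ping-then-del of a log file rather than of the parent's image.
    {"type": "registry_set", "pid": 2222,
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"type": "process", "pid": 3333, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c ping 127.0.0.1 -n 3 & del /q "C:\temp\old.log"'},
]

# Run and RunOnce under any hive, including the WOW6432Node view seen in the report.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# Locations an unprivileged user can write to; a Run value pointing here is the
# classic dropper pattern (the report's value is under AppData\Local\Temp).
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\(?:Local|Roaming)|Users\\Public|ProgramData|Windows\\Temp)\\", re.IGNORECASE)
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
# "/c ping <anything> & del [/flags] <target>"; the target is the last argument.
PING_DEL_RE = re.compile(
    r'/c\s+ping\b[^&]*&\s*del\b(?:\s+/\w)*\s+"?(?P<target>[^"&]+?)"?\s*$', re.IGNORECASE)


def _processes(events):
    """Index process-creation events by PID so a child can find its parent's image."""
    return {e["pid"]: e for e in events if e["type"] == "process"}


def find_run_key_persistence(events):
    """Run/RunOnce values whose command points into a user-writable directory."""
    return [
        {"pid": e["pid"], "key": e["key"], "target": e["value"]}
        for e in events
        if e["type"] == "registry_set"
        and RUN_KEY_RE.search(e["key"])
        and USER_WRITABLE_RE.search(e["value"])
    ]


def find_self_delete(events):
    """cmd.exe 'ping ... & del <path>' chains where <path> is the parent's own image.

    The ping to 127.0.0.1 only serves as a delay so the parent can exit first."""
    procs = _processes(events)
    hits = []
    for e in events:
        if e["type"] != "process":
            continue
        m = PING_DEL_RE.search(e["cmdline"])
        parent = procs.get(e["ppid"])
        if m and parent and m.group("target").strip().lower() == parent["image"].lower():
            hits.append({"pid": e["pid"], "parent_pid": e["ppid"], "deleted": parent["image"]})
    return hits


def find_geo_lookup(events):
    """Reads of the configured country code (Control Panel\\International\\Geo\\Nation)."""
    return [{"pid": e["pid"], "key": e["key"]}
            for e in events if e["type"] == "registry_query" and GEO_NATION_RE.search(e["key"])]


def triage(events):
    """One human-readable line per finding."""
    lines = [f"pid {h['pid']}: queries Geo\\Nation (possible geofence)" for h in find_geo_lookup(events)]
    lines += [f"pid {h['pid']}: Run key persistence -> {h['target']}" for h in find_run_key_persistence(events)]
    lines += [f"pid {h['pid']}: deletes parent image of pid {h['parent_pid']} ({h['deleted']})"
              for h in find_self_delete(events)]
    return lines


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The self-delete rule deliberately requires the deleted path to equal the parent's image rather than matching any `ping & del` command line, which is why the constructed `del /q "C:\temp\old.log"` control does not fire; drop that comparison only if your telemetry lacks parent image paths, and expect more noise if you do.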
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 221eccb2c0dc5774878ce3b0cc45d70a
  SHA1: fa4231efd695665f4a081ee99aa3a09a37e2d291
  SHA256: 37d3f69be6a4f3ac18d0a757731613fd3fca7b7ca6b31f7a5e532d78f9ddab2e
  SHA512: 11ece16dd5f1f7ff7321efb58937c9156652cdfd1a2f96fdaeebe639f3071ee8eb4c79fcb61afac7793370642d213b45e7a25edd55fed561aed88d7d3fc83f19
  The dropped payload hashes differently from the submitted 152KB dropper (SHA256 07e393e2...), so hunt for both. Because the dropper deletes itself after running (see the cmd.exe chain in the process tree), MediaCenter.exe is the file that stays on disk and is referenced by the MicroMedia Run value.
- memory/1336-132-0x000001C47BD80000-0x000001C47BD90000-memory.dmp (64KB)
- memory/1336-133-0x000001C47C420000-0x000001C47C430000-memory.dmp (64KB)
- memory/1336-134-0x000001C47EB00000-0x000001C47EB04000-memory.dmp (16KB)
  All three memory dumps are from PID 1336 (svchost.exe, wuauserv); no dump of the sample (PID 4628) or of MediaCenter.exe (PID 4752) is listed.