Analysis
- max time kernel: 155s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 10:11
Static task: static1
Behavioral task: behavioral1
- Sample: 07ddcb1d946b111ddccf574da599e4b1cfc7082b62f9c0ac75fc316aef0dc37c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 07ddcb1d946b111ddccf574da599e4b1cfc7082b62f9c0ac75fc316aef0dc37c.exe
- Resource: win10v2004-en-20220113
General
- Target: 07ddcb1d946b111ddccf574da599e4b1cfc7082b62f9c0ac75fc316aef0dc37c.exe
- Size: 99KB
- MD5: 77a310318bd89ac4a1e291862380e70a
- SHA1: f37aec3c4eb6b1bb33582606bc5e807bf22d2fa4
- SHA256: 07ddcb1d946b111ddccf574da599e4b1cfc7082b62f9c0ac75fc316aef0dc37c
- SHA512: 8a789e4c938c6c718c372e3035ed0b755a752dfbfc38ec4346c025e95d4a4a32daf30fb28eb7fddb94237e62025d0696f189fc25f7c389cadc9f2d45ebbd78c6
Malware Config
Signatures
- Sakula Payload 2 IoCs
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE 1 IoCs
  Processes: MediaCenter.exe
    pid | process
    4056 | MediaCenter.exe
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  Processes: 07ddcb1d946b111ddccf574da599e4b1cfc7082b62f9c0ac75fc316aef0dc37c.exe
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 07ddcb1d946b111ddccf574da599e4b1cfc7082b62f9c0ac75fc316aef0dc37c.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes: 07ddcb1d946b111ddccf574da599e4b1cfc7082b62f9c0ac75fc316aef0dc37c.exe
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 07ddcb1d946b111ddccf574da599e4b1cfc7082b62f9c0ac75fc316aef0dc37c.exe
- Drops file in Windows directory 8 IoCs
  Processes: svchost.exe, TiWorker.exe
    description | ioc | process
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
    File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
    File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
    File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 64 IoCs
  Processes: svchost.exe, TiWorker.exe
    description | pid | process
    Token: SeShutdownPrivilege | 3100 | svchost.exe
    Token: SeCreatePagefilePrivilege | 3100 | svchost.exe
    Token: SeSecurityPrivilege | 992 | TiWorker.exe
    Token: SeRestorePrivilege | 992 | TiWorker.exe
    Token: SeBackupPrivilege | 992 | TiWorker.exe
    (the 64 recorded events are repetitions of these five token/process pairs)
- Suspicious use of WriteProcessMemory 9 IoCs
  Processes: 07ddcb1d946b111ddccf574da599e4b1cfc7082b62f9c0ac75fc316aef0dc37c.exe, cmd.exe
    description | pid | process | target process
    PID 3836 wrote to memory of 4056 | 3836 | 07ddcb1d946b111ddccf574da599e4b1cfc7082b62f9c0ac75fc316aef0dc37c.exe | MediaCenter.exe
    PID 3836 wrote to memory of 2396 | 3836 | 07ddcb1d946b111ddccf574da599e4b1cfc7082b62f9c0ac75fc316aef0dc37c.exe | cmd.exe
    PID 2396 wrote to memory of 1888 | 2396 | cmd.exe | PING.EXE
    (each write is recorded three times, giving the nine events)
Processes
- C:\Users\Admin\AppData\Local\Temp\07ddcb1d946b111ddccf574da599e4b1cfc7082b62f9c0ac75fc316aef0dc37c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\07ddcb1d946b111ddccf574da599e4b1cfc7082b62f9c0ac75fc316aef0dc37c.exe"
  PID: 3836
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4056
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\07ddcb1d946b111ddccf574da599e4b1cfc7082b62f9c0ac75fc316aef0dc37c.exe"
    PID: 2396
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1888
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 3100
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 992
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 94c82bdccc265591a2276bdca85534c5
  SHA1: 6e61e0c9b2d9aec6497be3fbc32c40e338b46d39
  SHA256: 91090e88ba3c65fdeaea020b986e0596eb82a293ce2d1230e30e1164ebb8cc24
  SHA512: 8820c2fdf4722448b8898c5b1967b106da8c8f3ee00bae11057250cdb991be47f780177c0531826c61c39b052b24a35aa0da7404d68a08f26c8fd727e2451aa1
- memory/3100-132-0x000002277DB80000-0x000002277DB90000-memory.dmp (Filesize: 64KB)
- memory/3100-133-0x000002277E360000-0x000002277E370000-memory.dmp (Filesize: 64KB)
- memory/3100-134-0x000002277EF60000-0x000002277EF64000-memory.dmp (Filesize: 16KB)