Analysis
- max time kernel: 149s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 09:22
- Static task: static1
- Behavioral task: behavioral1
  Sample: 0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe
  Resource: win10v2004-en-20220113
General
- Target: 0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe
- Size: 216KB
- MD5: 31313ea53bdda3f94de8047663d5d404
- SHA1: d46b0650e2e74a8cce92de37d9981964459b152d
- SHA256: 0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1
- SHA512: 79a719a05ef29a35d99625c94b0b33b92c764d094b725e278f282d9a742f12160c931b006d5fba5c19ecebfa485cad09a4a2ac681b1ccb1ca35ab642de574c56
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral2/memory/5092-138-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral2/memory/1480-139-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  pid | process
  1480 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe
- Drops file in Windows directory (8 IoCs)
  Processes: TiWorker.exe, svchost.exe
  description | ioc | process
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, TiWorker.exe
  description | pid | process
  Token: SeShutdownPrivilege | 4860 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4860 | svchost.exe
  Token: SeShutdownPrivilege | 4860 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4860 | svchost.exe
  Token: SeShutdownPrivilege | 4860 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4860 | svchost.exe
  Token: SeSecurityPrivilege | 2888 | TiWorker.exe
  Token: SeRestorePrivilege | 2888 | TiWorker.exe
  Token: SeBackupPrivilege | 2888 | TiWorker.exe
  Token: SeBackupPrivilege | 2888 | TiWorker.exe
  Token: SeRestorePrivilege | 2888 | TiWorker.exe
  Token: SeSecurityPrivilege | 2888 | TiWorker.exe
  Token: SeBackupPrivilege | 2888 | TiWorker.exe
  Token: SeRestorePrivilege | 2888 | TiWorker.exe
  Token: SeSecurityPrivilege | 2888 | TiWorker.exe
  Token: SeBackupPrivilege | 2888 | TiWorker.exe
  Token: SeRestorePrivilege | 2888 | TiWorker.exe
  Token: SeSecurityPrivilege | 2888 | TiWorker.exe
  Token: SeBackupPrivilege | 2888 | TiWorker.exe
  Token: SeRestorePrivilege | 2888 | TiWorker.exe
  Token: SeSecurityPrivilege | 2888 | TiWorker.exe
  Token: SeBackupPrivilege | 2888 | TiWorker.exe
  Token: SeRestorePrivilege | 2888 | TiWorker.exe
  Token: SeSecurityPrivilege | 2888 | TiWorker.exe
  Token: SeBackupPrivilege | 2888 | TiWorker.exe
  Token: SeRestorePrivilege | 2888 | TiWorker.exe
  Token: SeSecurityPrivilege | 2888 | TiWorker.exe
  Token: SeBackupPrivilege | 2888 | TiWorker.exe
  Token: SeRestorePrivilege | 2888 | TiWorker.exe
  Token: SeSecurityPrivilege | 2888 | TiWorker.exe
  Token: SeBackupPrivilege | 2888 | TiWorker.exe
  Token: SeRestorePrivilege | 2888 | TiWorker.exe
  Token: SeSecurityPrivilege | 2888 | TiWorker.exe
  Token: SeBackupPrivilege | 2888 | TiWorker.exe
  Token: SeRestorePrivilege | 2888 | TiWorker.exe
  Token: SeSecurityPrivilege | 2888 | TiWorker.exe
  Token: SeBackupPrivilege | 2888 | TiWorker.exe
  Token: SeRestorePrivilege | 2888 | TiWorker.exe
  Token: SeSecurityPrivilege | 2888 | TiWorker.exe
  Token: SeBackupPrivilege | 2888 | TiWorker.exe
  Token: SeRestorePrivilege | 2888 | TiWorker.exe
  Token: SeSecurityPrivilege | 2888 | TiWorker.exe
  Token: SeBackupPrivilege | 2888 | TiWorker.exe
  Token: SeRestorePrivilege | 2888 | TiWorker.exe
  Token: SeSecurityPrivilege | 2888 | TiWorker.exe
  Token: SeBackupPrivilege | 2888 | TiWorker.exe
  Token: SeRestorePrivilege | 2888 | TiWorker.exe
  Token: SeSecurityPrivilege | 2888 | TiWorker.exe
  Token: SeBackupPrivilege | 2888 | TiWorker.exe
  Token: SeRestorePrivilege | 2888 | TiWorker.exe
  Token: SeSecurityPrivilege | 2888 | TiWorker.exe
  Token: SeBackupPrivilege | 2888 | TiWorker.exe
  Token: SeRestorePrivilege | 2888 | TiWorker.exe
  Token: SeSecurityPrivilege | 2888 | TiWorker.exe
  Token: SeBackupPrivilege | 2888 | TiWorker.exe
  Token: SeRestorePrivilege | 2888 | TiWorker.exe
  Token: SeSecurityPrivilege | 2888 | TiWorker.exe
  Token: SeBackupPrivilege | 2888 | TiWorker.exe
  Token: SeRestorePrivilege | 2888 | TiWorker.exe
  Token: SeSecurityPrivilege | 2888 | TiWorker.exe
  Token: SeBackupPrivilege | 2888 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe, cmd.exe
  description | pid | process | target process
  PID 5092 wrote to memory of 1480 | 5092 | 0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe | MediaCenter.exe
  PID 5092 wrote to memory of 1480 | 5092 | 0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe | MediaCenter.exe
  PID 5092 wrote to memory of 1480 | 5092 | 0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe | MediaCenter.exe
  PID 5092 wrote to memory of 4516 | 5092 | 0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe | cmd.exe
  PID 5092 wrote to memory of 4516 | 5092 | 0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe | cmd.exe
  PID 5092 wrote to memory of 4516 | 5092 | 0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe | cmd.exe
  PID 4516 wrote to memory of 4300 | 4516 | cmd.exe | PING.EXE
  PID 4516 wrote to memory of 4300 | 4516 | cmd.exe | PING.EXE
  PID 4516 wrote to memory of 4300 | 4516 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe"
  PID: 5092
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1480
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe"
    PID: 4516
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 4300
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4860
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 2888
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: f926fa94e7c594525f691f44dc4e480f
  SHA1: 84b6e4b8ce64c874f1ac8b282bed989b8fa1e450
  SHA256: 9358411f22bf0be6efe456ec76b9458396b48e0aac80533558419a6ca34ae87f
  SHA512: 46a0c017963d69e9f2f69b6e04ac2a6e07f44ea2e4211e34e35f12af551d4a34fa77acf31a30f6f6f29759c056f99ee7a724fde581e74a2385834038c43965a6
- memory/1480-139-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/4860-135-0x000002A894960000-0x000002A894970000-memory.dmp
  Filesize: 64KB
- memory/4860-136-0x000002A894F20000-0x000002A894F30000-memory.dmp
  Filesize: 64KB
- memory/4860-137-0x000002A8975B0000-0x000002A8975B4000-memory.dmp
  Filesize: 16KB
- memory/5092-138-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB