Analysis
- max time kernel: 165s
- max time network: 170s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 09:25
Static task: static1
Behavioral task: behavioral1
  Sample: 0a2791ece9a850dfa8af624d3f9b59f16e4ecca3c7a461a2635031ad3b8a6a29.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0a2791ece9a850dfa8af624d3f9b59f16e4ecca3c7a461a2635031ad3b8a6a29.exe
  Resource: win10v2004-en-20220113
General
- Target: 0a2791ece9a850dfa8af624d3f9b59f16e4ecca3c7a461a2635031ad3b8a6a29.exe
- Size: 92KB
- MD5: 74217d8efee39f07b98658b66ce30bd1
- SHA1: 07dcbba190d1aeddcd8a7ca8e551b4fdc3dc99f1
- SHA256: 0a2791ece9a850dfa8af624d3f9b59f16e4ecca3c7a461a2635031ad3b8a6a29
- SHA512: 9209c7fa8484f0cba6a22afef6f18044a6df356823c6a94e4b37e25f847d2d37a3fc1f21d5923f341879e15e57b09ba20274659e187b8317b97bf3b2a62135e3
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  1576 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0a2791ece9a850dfa8af624d3f9b59f16e4ecca3c7a461a2635031ad3b8a6a29.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0a2791ece9a850dfa8af624d3f9b59f16e4ecca3c7a461a2635031ad3b8a6a29.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 3108 | svchost.exe
  Token: SeCreatePagefilePrivilege | 3108 | svchost.exe
  Token: SeShutdownPrivilege | 3108 | svchost.exe
  Token: SeCreatePagefilePrivilege | 3108 | svchost.exe
  Token: SeShutdownPrivilege | 3108 | svchost.exe
  Token: SeCreatePagefilePrivilege | 3108 | svchost.exe
  Token: SeSecurityPrivilege | 4428 | TiWorker.exe
  Token: SeRestorePrivilege | 4428 | TiWorker.exe
  Token: SeBackupPrivilege | 4428 | TiWorker.exe
  Token: SeIncBasePriorityPrivilege | 548 | 0a2791ece9a850dfa8af624d3f9b59f16e4ecca3c7a461a2635031ad3b8a6a29.exe
  Token: SeBackupPrivilege | 4428 | TiWorker.exe
  Token: SeRestorePrivilege | 4428 | TiWorker.exe
  Token: SeSecurityPrivilege | 4428 | TiWorker.exe
  Token: SeBackupPrivilege | 4428 | TiWorker.exe
  Token: SeRestorePrivilege | 4428 | TiWorker.exe
  Token: SeSecurityPrivilege | 4428 | TiWorker.exe
  Token: SeBackupPrivilege | 4428 | TiWorker.exe
  Token: SeRestorePrivilege | 4428 | TiWorker.exe
  Token: SeSecurityPrivilege | 4428 | TiWorker.exe
  Token: SeBackupPrivilege | 4428 | TiWorker.exe
  Token: SeRestorePrivilege | 4428 | TiWorker.exe
  Token: SeSecurityPrivilege | 4428 | TiWorker.exe
  Token: SeBackupPrivilege | 4428 | TiWorker.exe
  Token: SeRestorePrivilege | 4428 | TiWorker.exe
  Token: SeSecurityPrivilege | 4428 | TiWorker.exe
  Token: SeBackupPrivilege | 4428 | TiWorker.exe
  Token: SeRestorePrivilege | 4428 | TiWorker.exe
  Token: SeSecurityPrivilege | 4428 | TiWorker.exe
  Token: SeBackupPrivilege | 4428 | TiWorker.exe
  Token: SeRestorePrivilege | 4428 | TiWorker.exe
  Token: SeSecurityPrivilege | 4428 | TiWorker.exe
  Token: SeBackupPrivilege | 4428 | TiWorker.exe
  Token: SeRestorePrivilege | 4428 | TiWorker.exe
  Token: SeSecurityPrivilege | 4428 | TiWorker.exe
  Token: SeBackupPrivilege | 4428 | TiWorker.exe
  Token: SeRestorePrivilege | 4428 | TiWorker.exe
  Token: SeSecurityPrivilege | 4428 | TiWorker.exe
  Token: SeBackupPrivilege | 4428 | TiWorker.exe
  Token: SeRestorePrivilege | 4428 | TiWorker.exe
  Token: SeSecurityPrivilege | 4428 | TiWorker.exe
  Token: SeBackupPrivilege | 4428 | TiWorker.exe
  Token: SeRestorePrivilege | 4428 | TiWorker.exe
  Token: SeSecurityPrivilege | 4428 | TiWorker.exe
  Token: SeBackupPrivilege | 4428 | TiWorker.exe
  Token: SeRestorePrivilege | 4428 | TiWorker.exe
  Token: SeSecurityPrivilege | 4428 | TiWorker.exe
  Token: SeBackupPrivilege | 4428 | TiWorker.exe
  Token: SeRestorePrivilege | 4428 | TiWorker.exe
  Token: SeSecurityPrivilege | 4428 | TiWorker.exe
  Token: SeBackupPrivilege | 4428 | TiWorker.exe
  Token: SeRestorePrivilege | 4428 | TiWorker.exe
  Token: SeSecurityPrivilege | 4428 | TiWorker.exe
  Token: SeBackupPrivilege | 4428 | TiWorker.exe
  Token: SeRestorePrivilege | 4428 | TiWorker.exe
  Token: SeSecurityPrivilege | 4428 | TiWorker.exe
  Token: SeBackupPrivilege | 4428 | TiWorker.exe
  Token: SeRestorePrivilege | 4428 | TiWorker.exe
  Token: SeSecurityPrivilege | 4428 | TiWorker.exe
  Token: SeBackupPrivilege | 4428 | TiWorker.exe
  Token: SeRestorePrivilege | 4428 | TiWorker.exe
  Token: SeSecurityPrivilege | 4428 | TiWorker.exe
  Token: SeBackupPrivilege | 4428 | TiWorker.exe
  Token: SeRestorePrivilege | 4428 | TiWorker.exe
  Token: SeSecurityPrivilege | 4428 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 548 wrote to memory of 1576 | 548 | 0a2791ece9a850dfa8af624d3f9b59f16e4ecca3c7a461a2635031ad3b8a6a29.exe | MediaCenter.exe
  PID 548 wrote to memory of 1576 | 548 | 0a2791ece9a850dfa8af624d3f9b59f16e4ecca3c7a461a2635031ad3b8a6a29.exe | MediaCenter.exe
  PID 548 wrote to memory of 1576 | 548 | 0a2791ece9a850dfa8af624d3f9b59f16e4ecca3c7a461a2635031ad3b8a6a29.exe | MediaCenter.exe
  PID 548 wrote to memory of 2512 | 548 | 0a2791ece9a850dfa8af624d3f9b59f16e4ecca3c7a461a2635031ad3b8a6a29.exe | cmd.exe
  PID 548 wrote to memory of 2512 | 548 | 0a2791ece9a850dfa8af624d3f9b59f16e4ecca3c7a461a2635031ad3b8a6a29.exe | cmd.exe
  PID 548 wrote to memory of 2512 | 548 | 0a2791ece9a850dfa8af624d3f9b59f16e4ecca3c7a461a2635031ad3b8a6a29.exe | cmd.exe
  PID 2512 wrote to memory of 1708 | 2512 | cmd.exe | PING.EXE
  PID 2512 wrote to memory of 1708 | 2512 | cmd.exe | PING.EXE
  PID 2512 wrote to memory of 1708 | 2512 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0a2791ece9a850dfa8af624d3f9b59f16e4ecca3c7a461a2635031ad3b8a6a29.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a2791ece9a850dfa8af624d3f9b59f16e4ecca3c7a461a2635031ad3b8a6a29.exe"
  PID: 548
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1576
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a2791ece9a850dfa8af624d3f9b59f16e4ecca3c7a461a2635031ad3b8a6a29.exe"
    PID: 2512
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1708
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 3108
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 4428
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 43a6cf4945d59b4cb28f5f096349b1d3
  SHA1: efd6463c75dce51c966c10d9030f3a3075c038a1
  SHA256: fbe7549d5f53abbf6139f14e302a968fe165fbb1d2f9c31e586d9efcd89b91de
  SHA512: a770ee81607381db6b4d440703b298bc50369846eff5c7bd7137e2e099a53c6610f1a78c799d7f0233bc9eef0d43521b752147bf69c839da0e5b0a76f59095e9
- memory/3108-132-0x000001B206E20000-0x000001B206E30000-memory.dmp
  Filesize: 64KB
- memory/3108-133-0x000001B206E80000-0x000001B206E90000-memory.dmp
  Filesize: 64KB
- memory/3108-134-0x000001B209530000-0x000001B209534000-memory.dmp
  Filesize: 16KB