Analysis
- max time kernel: 135s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 09:25
Static task: static1
Behavioral task: behavioral1
- Sample: 0a23e00d4502b506bc2683ac2e95b00e6e795186d0739eacf913298f9cd8a89e.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0a23e00d4502b506bc2683ac2e95b00e6e795186d0739eacf913298f9cd8a89e.exe
- Resource: win10v2004-en-20220113
General
- Target: 0a23e00d4502b506bc2683ac2e95b00e6e795186d0739eacf913298f9cd8a89e.exe
- Size: 99KB
- MD5: 0760e1744a92bfaafd0b72c1f25c4319
- SHA1: 5c40873ad4beb4a06c9d57faf80b3da02c05e4f0
- SHA256: 0a23e00d4502b506bc2683ac2e95b00e6e795186d0739eacf913298f9cd8a89e
- SHA512: 755905e7c1d79e24a7384090b953bbf43f0c4c22c16a31685ee37ad447c0caa7beed65e4e016c217bfc26325bea967187b845fd7dc8cb6f6b9c3a242d87f7bf4
Malware Config
Signatures
Sakula Payload (2 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE (1 IoC)
pid | process
1544 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0a23e00d4502b506bc2683ac2e95b00e6e795186d0739eacf913298f9cd8a89e.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0a23e00d4502b506bc2683ac2e95b00e6e795186d0739eacf913298f9cd8a89e.exe
The WOW6432Node path, together with the SysWOW64 child processes in the process tree, shows the sample is a 32-bit image running under WOW64: the registry redirector maps its write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run into the WOW6432Node view. The value is machine-wide, so writing it required the administrative rights of the sandbox's Admin user; on a standard-user host the same code would fail or have to fall back to HKCU.
Drops file in Windows directory (8 IoCs)
description | ioc | process
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
All eight rows come from the Windows Update service host (svchost.exe -s wuauserv, PID 3332) and the servicing stack worker (TiWorker.exe, PID 1808), which run outside the sample's process tree; they are sandbox background activity, not behaviour of the sample.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is generic signature text with no IoC row attached; the sample is classified as Sakula, so this hit on its own does not indicate ransomware.
Runs ping.exe (1 TTP, 1 IoC)
The IoC is PING.EXE (PID 3176) running "ping 127.0.0.1" under cmd.exe (PID 4444), shown in the process tree.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
token | pid | process | entries
SeIncBasePriorityPrivilege | 1936 | 0a23e00d4502b506bc2683ac2e95b00e6e795186d0739eacf913298f9cd8a89e.exe | 1
SeShutdownPrivilege | 3332 | svchost.exe | 3
SeCreatePagefilePrivilege | 3332 | svchost.exe | 3
SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege (alternating) | 1808 | TiWorker.exe | 57
Only the first row belongs to the sample; the svchost.exe and TiWorker.exe rows are Windows Update and servicing activity that happened to run during the analysis window.
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | process | target pid | target process | entries
PID 1936 wrote to memory of 1544 | 1936 | 0a23e00d4502b506bc2683ac2e95b00e6e795186d0739eacf913298f9cd8a89e.exe | 1544 | MediaCenter.exe | 3
PID 1936 wrote to memory of 4444 | 1936 | 0a23e00d4502b506bc2683ac2e95b00e6e795186d0739eacf913298f9cd8a89e.exe | 4444 | cmd.exe | 3
PID 4444 wrote to memory of 3176 | 4444 | cmd.exe | 3176 | PING.EXE | 3
Processes
1. C:\Users\Admin\AppData\Local\Temp\0a23e00d4502b506bc2683ac2e95b00e6e795186d0739eacf913298f9cd8a89e.exe (PID 1936)
   Command line: "C:\Users\Admin\AppData\Local\Temp\0a23e00d4502b506bc2683ac2e95b00e6e795186d0739eacf913298f9cd8a89e.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1544)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe (PID 4444)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a23e00d4502b506bc2683ac2e95b00e6e795186d0739eacf913298f9cd8a89e.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE (PID 3176)
         Command line: ping 127.0.0.1
         - Runs ping.exe
1. C:\Windows\system32\svchost.exe (PID 3332)
   Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 1808)
   Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
The dropper (PID 1936) writes MediaCenter.exe, registers it under the Run key, launches it, and then cleans up after itself: the cmd.exe child uses ping 127.0.0.1 as a short delay so that PID 1936 can exit and release its file lock, after which del /q removes the original executable. Only MediaCenter.exe and its Run key remain on disk. The cmd.exe image resolves to SysWOW64 even though the command line names System32, which is WOW64 file-system redirection for a 32-bit parent. The svchost.exe (wuauserv) and TiWorker.exe trees are Windows Update activity unrelated to the sample.
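As an added hunting example (not part of the sandbox report), the Python script below looks for the two host artefacts the report attributes to the sample: a Run-key value whose data points into a user's Local\Temp tree, and the cmd.exe /c ping 127.0.0.1 & del /q chain where the file being deleted is the parent process's own image. It runs offline over constructed Sysmon-style events that mirror the report's process tree and registry IoC; the event field names, the explorer.exe and services.exe parent PIDs, and the benign VendorTray control entry are assumptions made for illustration.

```python
"""Added hunting example, not part of the sandbox report.

Flags (1) Run-key values pointing into %LOCALAPPDATA%\\Temp and (2) the
sleep-then-delete idiom "cmd /c ping 127.0.0.1 & del /q <file>" when <file>
is the parent's own image.  Events are constructed to mirror the report.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Subset of a Sysmon Event ID 1 (process creation) record (assumed field names)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class RegistryEvent:
    """Subset of a Sysmon Event ID 13 (registry value set) record (assumed field names)."""
    pid: int
    image: str
    target_object: str
    details: str


# Run keys in any hive view, including the WOW6432Node path a 32-bit writer lands in.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<value>[^\\]+)$", re.I)
# Autostart targets under a user's Local\Temp tree are almost never legitimate.
TEMP_PATH_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
# Self-delete idiom: ping to localhost is only a sleep so the parent can exit first.
SELF_DELETE_RE = re.compile(
    r"/c\s+ping\s+(?:-n\s+\d+\s+)?127\.0\.0\.1\s*&+\s*del\s+(?:/[a-z]\s+)*\"?(?P<target>[^\"&]+?)\"?\s*$",
    re.I,
)


def find_temp_run_keys(events):
    """Return Run-key writes whose value data points into a user's Local\\Temp tree."""
    hits = []
    for ev in events:
        key = RUN_KEY_RE.search(ev.target_object)
        if key and TEMP_PATH_RE.search(ev.details):
            hits.append({"pid": ev.pid, "writer": ev.image,
                         "value_name": key.group("value"), "data": ev.details})
    return hits


def find_self_delete(events):
    """Return cmd.exe launches matching the sleep-then-delete idiom; deletes_parent is
    True when the deleted path is the parent process's own image (dropper cleanup)."""
    by_pid = {ev.pid: ev for ev in events}
    hits = []
    for ev in events:
        if ev.image.rsplit("\\", 1)[-1].lower() != "cmd.exe":
            continue
        m = SELF_DELETE_RE.search(ev.cmdline)
        if not m:
            continue
        target = m.group("target").strip()
        parent = by_pid.get(ev.ppid)
        hits.append({"cmd_pid": ev.pid, "parent_pid": ev.ppid, "target": target,
                     "deletes_parent": bool(parent) and parent.image.lower() == target.lower()})
    return hits


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\0a23e00d4502b506bc2683ac2e95b00e6e795186d0739eacf913298f9cd8a89e.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events mirroring the report's tree.  PIDs 1936/1544/4444/3176/3332 are
# the report's; the explorer.exe (1000) and services.exe (700) parents are assumed.
PROCESS_EVENTS = [
    ProcessEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(1936, 1000, DROPPER, f'"{DROPPER}"'),
    ProcessEvent(1544, 1936, PAYLOAD, PAYLOAD),
    ProcessEvent(4444, 1936, r"C:\Windows\SysWOW64\cmd.exe",
                 f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{DROPPER}"'),
    ProcessEvent(3176, 4444, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    ProcessEvent(3332, 700, r"C:\Windows\system32\svchost.exe",
                 "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s wuauserv"),
]
REGISTRY_EVENTS = [
    # Sysmon reports the hive as HKLM\..., not \REGISTRY\MACHINE\...; the regex accepts both.
    RegistryEvent(1936, DROPPER,
                  r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia", PAYLOAD),
    # Constructed benign control: an autostart under Program Files must not be flagged.
    RegistryEvent(2222, r"C:\Program Files\Vendor\setup.exe",
                  r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
                  r"C:\Program Files\Vendor\tray.exe"),
]

if __name__ == "__main__":
    for hit in find_temp_run_keys(REGISTRY_EVENTS):
        print("autostart from Temp:", hit)
    for hit in find_self_delete(PROCESS_EVENTS):
        print("sleep-then-delete:", hit)
```

On the constructed input the script reports exactly one autostart hit (value MicroMedia written by PID 1936) and one self-delete hit (cmd.exe PID 4444 deleting the image of its parent PID 1936); the VendorTray entry and the wuauserv service host are left alone. The parent-image comparison is what separates a dropper erasing itself from an ordinary installer cleanup that deletes some other temporary file.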
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 002ce592245a72c20cf5e79adefb8dfb
  SHA1: fbca6dfe2ccfaf06ca273bacbf1591e48c3f1133
  SHA256: 25a4cd4d112c44faa04684b75519272293632988efc28d05c1e4fbd6cde1a87c
  SHA512: 4c205eeec167329260f77c8bb83b3dabde5e687363ba07651c69d2a67b0148c67dab29d5dd59be86e6d2dcf81eab91b0ac47295450c39cb84f090d4d95cd9388
- memory/3332-132-0x000002815C560000-0x000002815C570000-memory.dmp (64KB)
- memory/3332-133-0x000002815CCE0000-0x000002815CCF0000-memory.dmp (64KB)
- memory/3332-134-0x000002815F1A0000-0x000002815F1A4000-memory.dmp (16KB)
The dropped MediaCenter.exe has different hashes from the submitted dropper, so both sets of hashes are needed when hunting: the dropper deletes itself after running, and MediaCenter.exe is the file that persists. The three memory dumps are from PID 3332 (svchost.exe, wuauserv), not from the sample or its payload.