Analysis
- max time kernel: 140s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 09:33
Static task: static1
Behavioral task: behavioral1
- Sample: 09ae0fcfc8b35017f3d36d61cb422a3444f8eb30eb3ae319c87baf9602dceb0b.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 09ae0fcfc8b35017f3d36d61cb422a3444f8eb30eb3ae319c87baf9602dceb0b.exe
- Resource: win10v2004-en-20220113
(The signatures, process tree and memory dumps below are from behavioral2, the Windows 10 run.)
General
- Target: 09ae0fcfc8b35017f3d36d61cb422a3444f8eb30eb3ae319c87baf9602dceb0b.exe
- Size: 216KB
- MD5: b4b5bd202a867b9d354c3371932ead7f
- SHA1: 2148265e821542a771dd8376d5bc19c29c6b4025
- SHA256: 09ae0fcfc8b35017f3d36d61cb422a3444f8eb30eb3ae319c87baf9602dceb0b
- SHA512: 3e4c95bb8d0c045788385e0197e68347983720b4fc5a43f6a866e2b1fd11c44667019732e53e2b20fc7b0b0bed14b025aa78c137ef4ab743b4143adbca2e4a29
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  YARA rule family_sakula matched:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (the dropped file is listed twice)
  - behavioral2/memory/4364-135-0x0000000000400000-0x0000000000420000-memory.dmp
  - behavioral2/memory/4768-136-0x0000000000400000-0x0000000000420000-memory.dmp
- Executes dropped EXE (1 IoC)
  PID 4768 MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, most likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation, by 09ae0fcfc8b35017f3d36d61cb422a3444f8eb30eb3ae319c87baf9602dceb0b.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe", by 09ae0fcfc8b35017f3d36d61cb422a3444f8eb30eb3ae319c87baf9602dceb0b.exe
  The key sits under WOW6432Node because the sample is a 32-bit process on x64 Windows, so its write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run was redirected there. Either hive view must be checked when hunting for this persistence.
- Drops file in Windows directory (8 IoCs)
  TiWorker.exe: file opened for modification C:\Windows\Logs\CBS\CBS.log
  TiWorker.exe: file opened for modification C:\Windows\WinSxS\pending.xml
  svchost.exe: file opened for modification C:\Windows\WindowsUpdate.log
  svchost.exe: file opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
  svchost.exe: file opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
  svchost.exe: file opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
  svchost.exe: file opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm
  svchost.exe: file opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log
  None of these writes come from the sample: all eight belong to the Windows Update service host (svchost.exe -s wuauserv) and the servicing-stack worker (TiWorker.exe), which appear in the process tree as separate top-level processes.
- Enumerates physical storage devices (1 TTP)
  Sandbox description: attempts to interact with connected storage/optical drive(s), likely ransomware behaviour.
  This is the signature's generic description and the report attributes no IoC to it, so it should not be read as ransomware behaviour by this sample; the detected family is Sakula.
- Runs ping.exe (1 TTP, 1 IoC)
  PID 3376 PING.EXE, invoked as "ping 127.0.0.1" from the cmd.exe child (see the process tree); the loopback ping is a delay before the del command that removes the original binary.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  svchost.exe (PID 4800): SeShutdownPrivilege and SeCreatePagefilePrivilege, each adjusted three times
  09ae0fcfc8b35017f3d36d61cb422a3444f8eb30eb3ae319c87baf9602dceb0b.exe (PID 4364): SeIncBasePriorityPrivilege, once
  TiWorker.exe (PID 4812): SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, cycled repeatedly for all remaining entries
  Only the single SeIncBasePriorityPrivilege entry is attributable to the sample; the svchost.exe and TiWorker.exe entries are the Windows Update and servicing-stack processes from the process tree.
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4364 (09ae0fcfc8b35017f3d36d61cb422a3444f8eb30eb3ae319c87baf9602dceb0b.exe) wrote to memory of PID 4768 (MediaCenter.exe), three times
  PID 4364 (09ae0fcfc8b35017f3d36d61cb422a3444f8eb30eb3ae319c87baf9602dceb0b.exe) wrote to memory of PID 3096 (cmd.exe), three times
  PID 3096 (cmd.exe) wrote to memory of PID 3376 (PING.EXE), three times
  Each writer/target pair is a direct parent/child in the process tree, which is consistent with process creation rather than injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\09ae0fcfc8b35017f3d36d61cb422a3444f8eb30eb3ae319c87baf9602dceb0b.exe (PID 4364, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\09ae0fcfc8b35017f3d36d61cb422a3444f8eb30eb3ae319c87baf9602dceb0b.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 4768, level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 3096, level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09ae0fcfc8b35017f3d36d61cb422a3444f8eb30eb3ae319c87baf9602dceb0b.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 3376, level 3)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 4800, level 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 4812, level 1)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample (PID 4364) drops and starts MediaCenter.exe (PID 4768), registers it under the Run key, then spawns cmd.exe to ping 127.0.0.1 (a delay standing in for sleep) and del /q its own image, so the original file is gone once the dropped copy is running and persisted. cmd.exe was requested as C:\Windows\System32\cmd.exe but ran from SysWOW64: the sample is a 32-bit process and WOW64 file-system redirection resolved the path, the same mechanism that put the Run key under WOW6432Node. The svchost.exe (wuauserv) and TiWorker.exe trees are Windows Update and servicing-stack activity with no parent link to the sample.
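The chain above (Run key pointing into the user's Temp directory, a cmd.exe child that pings loopback and then deletes its parent's image, and the published hashes) is straightforward to detect in endpoint telemetry. The following is an added example, not part of the sandbox report or of any vendor's detection content: it replays the report's process tree as constructed Sysmon-style event records (the field names are this example's own convention) and runs three rules over them.

```python
"""Hunt for the Sakula behaviour chain above in process/registry telemetry.

Added example, not part of the sandbox report. The events are constructed
Sysmon-style records (process create, registry value set) that replay the
report's process tree; the field names are this example's own convention.
"""
import re
from collections import namedtuple

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\09ae0fcfc8b35017f3d36d61cb422a3444f8eb30eb3ae319c87baf9602dceb0b.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# SHA256 values from the report's General and Downloads sections.
KNOWN_SHA256 = {
    "09ae0fcfc8b35017f3d36d61cb422a3444f8eb30eb3ae319c87baf9602dceb0b",  # dropper
    "041afa949edc96c61a4c1059285eb6adc7f384de44c88547f43591885b1dac96",  # MediaCenter.exe
}

# Constructed telemetry: PIDs, images and command lines mirror the report;
# the svchost.exe entry is the Windows Update noise the sandbox also logged.
EVENTS = [
    {"type": "process", "pid": 4364, "ppid": 1200, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"',
     "sha256": "09ae0fcfc8b35017f3d36d61cb422a3444f8eb30eb3ae319c87baf9602dceb0b"},
    {"type": "registry", "pid": 4364, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "data": DROPPED},
    {"type": "process", "pid": 4768, "ppid": 4364, "image": DROPPED, "cmdline": DROPPED,
     "sha256": "041afa949edc96c61a4c1059285eb6adc7f384de44c88547f43591885b1dac96"},
    {"type": "process", "pid": 3096, "ppid": 4364, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process", "pid": 3376, "ppid": 3096, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    {"type": "process", "pid": 4800, "ppid": 700, "image": r"C:\Windows\system32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"},
]

Finding = namedtuple("Finding", "rule pid detail")

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# "ping 127.0.0.1 & del [/flags] <path>": the ping is the delay, the del is the payoff.
SELF_DELETE = re.compile(
    r'ping\s+127\.0\.0\.1\b.*?&\s*del\b(?:\s+/\w+)*\s+"?(?P<path>[^"]+?)"?\s*$',
    re.IGNORECASE)


def image_by_pid(events):
    return {e["pid"]: e["image"] for e in events if e["type"] == "process"}


def rule_run_key_to_temp(events):
    """Run-key autostart whose value points into a user-writable Temp directory."""
    return [Finding("run_key_points_to_temp", e["pid"], e["target"])
            for e in events
            if e["type"] == "registry"
            and RUN_KEY.search(e["target"]) and USER_TEMP.search(e["data"])]


def rule_self_delete(events):
    """cmd.exe child deleting its own parent's image after a loopback ping.

    Reports the parent (the self-deleting binary), not the cmd.exe helper.
    """
    images = image_by_pid(events)
    hits = []
    for e in events:
        if e["type"] != "process" or not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE.search(e["cmdline"])
        if not m:
            continue
        parent = images.get(e["ppid"], "")
        if m.group("path").strip().lower() == parent.lower():
            hits.append(Finding("self_delete_via_ping", e["ppid"], parent))
    return hits


def rule_known_hash(events):
    """Exact SHA256 match against the hashes published in the report."""
    return [Finding("known_sakula_sha256", e["pid"], e["sha256"])
            for e in events if e.get("sha256") in KNOWN_SHA256]


def detect(events):
    return rule_run_key_to_temp(events) + rule_self_delete(events) + rule_known_hash(events)


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.rule:24} pid={f.pid} {f.detail}")
```

The self-delete rule deliberately requires the del target to equal the parent's image path; a bare match on "ping 127.0.0.1 & del" fires on legitimate installers that clean up temp files the same way. The hash rule is the weakest of the three, since a recompiled dropper changes it, and is included only because the report publishes both hashes.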
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 9951aa51deec9661e77f007c1a88b5e9
  SHA1: 074c8685a292fe505b78708753c7e753d44fd624
  SHA256: 041afa949edc96c61a4c1059285eb6adc7f384de44c88547f43591885b1dac96
  SHA512: f3fece07dba1a07fe97a8101f1fa8a0f6143ae9b194477974ef89d8ab2dae2be1c1d17a17b0bce370df256ec84c06157aa8039f923f2bfed8c4637445787214c
- memory/4364-135-0x0000000000400000-0x0000000000420000-memory.dmp: 128KB
- memory/4768-136-0x0000000000400000-0x0000000000420000-memory.dmp: 128KB
- memory/4800-132-0x000002AC34D80000-0x000002AC34D90000-memory.dmp: 64KB
- memory/4800-133-0x000002AC35320000-0x000002AC35330000-memory.dmp: 64KB
- memory/4800-134-0x000002AC37A00000-0x000002AC37A04000-memory.dmp: 16KB

The dropped MediaCenter.exe has different hashes from the submitted sample, so it is not a plain copy of the dropper. The two 128KB dumps are the 0x400000-0x420000 image regions of the sample (PID 4364) and of MediaCenter.exe (PID 4768) that matched the family_sakula rule in the Signatures section; the three PID 4800 dumps come from the svchost.exe (wuauserv) process, not from the sample.