Analysis
- max time kernel: 141s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 09:34
Static task: static1
Behavioral task: behavioral1
  Sample: 09ad01fb43edd88dbb149be3c207fc8a32d2c97ae7cbaebcbe60e4292a4648ea.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 09ad01fb43edd88dbb149be3c207fc8a32d2c97ae7cbaebcbe60e4292a4648ea.exe
  Resource: win10v2004-en-20220113
General
- Target: 09ad01fb43edd88dbb149be3c207fc8a32d2c97ae7cbaebcbe60e4292a4648ea.exe
- Size: 92KB
- MD5: d9f2ecaa0fffd18cc055e3320acd0390
- SHA1: fcb867bfcd5d9ab237639696c98af12c4890e7b3
- SHA256: 09ad01fb43edd88dbb149be3c207fc8a32d2c97ae7cbaebcbe60e4292a4648ea
- SHA512: bf2cfa540ff12c580c04ece5ca7062b394c1745b4e897e22e38aa16b65e6a976f26e6be4cc3ab8d912abbee854eec93baca8f872a3b6998854b58aac24867f8c
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  pid | process
  4600 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 09ad01fb43edd88dbb149be3c207fc8a32d2c97ae7cbaebcbe60e4292a4648ea.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 09ad01fb43edd88dbb149be3c207fc8a32d2c97ae7cbaebcbe60e4292a4648ea.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 09ad01fb43edd88dbb149be3c207fc8a32d2c97ae7cbaebcbe60e4292a4648ea.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 09ad01fb43edd88dbb149be3c207fc8a32d2c97ae7cbaebcbe60e4292a4648ea.exe
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, TiWorker.exe
  description | pid | process
  Token: SeShutdownPrivilege | 4272 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4272 | svchost.exe
  Token: SeShutdownPrivilege | 4272 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4272 | svchost.exe
  Token: SeShutdownPrivilege | 4272 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4272 | svchost.exe
  Token: SeSecurityPrivilege | 3468 | TiWorker.exe
  Token: SeRestorePrivilege | 3468 | TiWorker.exe
  Token: SeBackupPrivilege | 3468 | TiWorker.exe
  Token: SeBackupPrivilege | 3468 | TiWorker.exe
  Token: SeRestorePrivilege | 3468 | TiWorker.exe
  Token: SeSecurityPrivilege | 3468 | TiWorker.exe
  Token: SeBackupPrivilege | 3468 | TiWorker.exe
  Token: SeRestorePrivilege | 3468 | TiWorker.exe
  Token: SeSecurityPrivilege | 3468 | TiWorker.exe
  Token: SeBackupPrivilege | 3468 | TiWorker.exe
  Token: SeRestorePrivilege | 3468 | TiWorker.exe
  Token: SeSecurityPrivilege | 3468 | TiWorker.exe
  Token: SeBackupPrivilege | 3468 | TiWorker.exe
  Token: SeRestorePrivilege | 3468 | TiWorker.exe
  Token: SeSecurityPrivilege | 3468 | TiWorker.exe
  Token: SeBackupPrivilege | 3468 | TiWorker.exe
  Token: SeRestorePrivilege | 3468 | TiWorker.exe
  Token: SeSecurityPrivilege | 3468 | TiWorker.exe
  Token: SeBackupPrivilege | 3468 | TiWorker.exe
  Token: SeRestorePrivilege | 3468 | TiWorker.exe
  Token: SeSecurityPrivilege | 3468 | TiWorker.exe
  Token: SeBackupPrivilege | 3468 | TiWorker.exe
  Token: SeRestorePrivilege | 3468 | TiWorker.exe
  Token: SeSecurityPrivilege | 3468 | TiWorker.exe
  Token: SeBackupPrivilege | 3468 | TiWorker.exe
  Token: SeRestorePrivilege | 3468 | TiWorker.exe
  Token: SeSecurityPrivilege | 3468 | TiWorker.exe
  Token: SeBackupPrivilege | 3468 | TiWorker.exe
  Token: SeRestorePrivilege | 3468 | TiWorker.exe
  Token: SeSecurityPrivilege | 3468 | TiWorker.exe
  Token: SeBackupPrivilege | 3468 | TiWorker.exe
  Token: SeRestorePrivilege | 3468 | TiWorker.exe
  Token: SeSecurityPrivilege | 3468 | TiWorker.exe
  Token: SeBackupPrivilege | 3468 | TiWorker.exe
  Token: SeRestorePrivilege | 3468 | TiWorker.exe
  Token: SeSecurityPrivilege | 3468 | TiWorker.exe
  Token: SeBackupPrivilege | 3468 | TiWorker.exe
  Token: SeRestorePrivilege | 3468 | TiWorker.exe
  Token: SeSecurityPrivilege | 3468 | TiWorker.exe
  Token: SeBackupPrivilege | 3468 | TiWorker.exe
  Token: SeRestorePrivilege | 3468 | TiWorker.exe
  Token: SeSecurityPrivilege | 3468 | TiWorker.exe
  Token: SeBackupPrivilege | 3468 | TiWorker.exe
  Token: SeRestorePrivilege | 3468 | TiWorker.exe
  Token: SeSecurityPrivilege | 3468 | TiWorker.exe
  Token: SeBackupPrivilege | 3468 | TiWorker.exe
  Token: SeRestorePrivilege | 3468 | TiWorker.exe
  Token: SeSecurityPrivilege | 3468 | TiWorker.exe
  Token: SeBackupPrivilege | 3468 | TiWorker.exe
  Token: SeRestorePrivilege | 3468 | TiWorker.exe
  Token: SeSecurityPrivilege | 3468 | TiWorker.exe
  Token: SeBackupPrivilege | 3468 | TiWorker.exe
  Token: SeRestorePrivilege | 3468 | TiWorker.exe
  Token: SeSecurityPrivilege | 3468 | TiWorker.exe
  Token: SeBackupPrivilege | 3468 | TiWorker.exe
  Token: SeRestorePrivilege | 3468 | TiWorker.exe
  Token: SeSecurityPrivilege | 3468 | TiWorker.exe
  Token: SeBackupPrivilege | 3468 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 09ad01fb43edd88dbb149be3c207fc8a32d2c97ae7cbaebcbe60e4292a4648ea.exe, cmd.exe
  description | pid | process | target process
  PID 3088 wrote to memory of 4600 | 3088 | 09ad01fb43edd88dbb149be3c207fc8a32d2c97ae7cbaebcbe60e4292a4648ea.exe | MediaCenter.exe
  PID 3088 wrote to memory of 4600 | 3088 | 09ad01fb43edd88dbb149be3c207fc8a32d2c97ae7cbaebcbe60e4292a4648ea.exe | MediaCenter.exe
  PID 3088 wrote to memory of 4600 | 3088 | 09ad01fb43edd88dbb149be3c207fc8a32d2c97ae7cbaebcbe60e4292a4648ea.exe | MediaCenter.exe
  PID 3088 wrote to memory of 484 | 3088 | 09ad01fb43edd88dbb149be3c207fc8a32d2c97ae7cbaebcbe60e4292a4648ea.exe | cmd.exe
  PID 3088 wrote to memory of 484 | 3088 | 09ad01fb43edd88dbb149be3c207fc8a32d2c97ae7cbaebcbe60e4292a4648ea.exe | cmd.exe
  PID 3088 wrote to memory of 484 | 3088 | 09ad01fb43edd88dbb149be3c207fc8a32d2c97ae7cbaebcbe60e4292a4648ea.exe | cmd.exe
  PID 484 wrote to memory of 4456 | 484 | cmd.exe | PING.EXE
  PID 484 wrote to memory of 4456 | 484 | cmd.exe | PING.EXE
  PID 484 wrote to memory of 4456 | 484 | cmd.exe | PING.EXE
Processes
Process: C:\Users\Admin\AppData\Local\Temp\09ad01fb43edd88dbb149be3c207fc8a32d2c97ae7cbaebcbe60e4292a4648ea.exe (PID 3088, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\09ad01fb43edd88dbb149be3c207fc8a32d2c97ae7cbaebcbe60e4292a4648ea.exe"
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
  Process: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 4600, depth 2)
  Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - Executes dropped EXE
  Process: C:\Windows\SysWOW64\cmd.exe (PID 484, depth 2)
  Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09ad01fb43edd88dbb149be3c207fc8a32d2c97ae7cbaebcbe60e4292a4648ea.exe"
  - Suspicious use of WriteProcessMemory
    Process: C:\Windows\SysWOW64\PING.EXE (PID 4456, depth 3)
    Command line: ping 127.0.0.1
    - Runs ping.exe

Process: C:\Windows\system32\svchost.exe (PID 4272, depth 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken

Process: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 3468, depth 1)
Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 63e39d23c4dba94629c593d71a1d08a8
  SHA1: 687d6b136feabfc019bcfb829a4a59bea7302389
  SHA256: c54fb97ad5f74d433d76ac6b04eeb2eacbc3e7cf8ff1b72905404f60216b9abb
  SHA512: 18cc8195135442d6ddbd62dab2575bb0bb66469086c3db5ecc1ad54f24aa1ba64f360e3b070e2179a2cebd2866ad9ede1973efac01f13d945821920c513da394
- memory/4272-132-0x00000189C0560000-0x00000189C0570000-memory.dmp
  Filesize: 64KB
- memory/4272-133-0x00000189C0B20000-0x00000189C0B30000-memory.dmp
  Filesize: 64KB
- memory/4272-134-0x00000189C3190000-0x00000189C3194000-memory.dmp
  Filesize: 16KB