Analysis
- max time kernel: 133s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 09:34
Static task: static1
Behavioral task: behavioral1
- Sample: 09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe
- Resource: win10v2004-en-20220113
General
- Target: 09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe
- Size: 99KB
- MD5: 85e6b105ed928568d652a411badd517a
- SHA1: 73545d58753259aa6c273c0cb328bde386285f98
- SHA256: 09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4
- SHA512: 75e64be7a8d6f12b2063ecd1f39074cefe9931f421a542a6b77af9f16ee6399549b14ddf686d552ad9f43237aea17d6e0de50d457b966bd543b8acb871a0f34a
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  3540 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe
- Drops file in Windows directory (8 IoCs)
  Processes (description | ioc | process):
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs; distinct entries shown, each repeated in the report)
  Processes (description | pid | process):
  Token: SeShutdownPrivilege | 3564 | svchost.exe
  Token: SeCreatePagefilePrivilege | 3564 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 3976 | 09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe
  Token: SeSecurityPrivilege | 2616 | TiWorker.exe
  Token: SeRestorePrivilege | 2616 | TiWorker.exe
  Token: SeBackupPrivilege | 2616 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
  PID 3976 wrote to memory of 3540 | 3976 | 09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe | MediaCenter.exe
  PID 3976 wrote to memory of 3540 | 3976 | 09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe | MediaCenter.exe
  PID 3976 wrote to memory of 3540 | 3976 | 09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe | MediaCenter.exe
  PID 3976 wrote to memory of 2280 | 3976 | 09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe | cmd.exe
  PID 3976 wrote to memory of 2280 | 3976 | 09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe | cmd.exe
  PID 3976 wrote to memory of 2280 | 3976 | 09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe | cmd.exe
  PID 2280 wrote to memory of 4836 | 2280 | cmd.exe | PING.EXE
  PID 2280 wrote to memory of 4836 | 2280 | cmd.exe | PING.EXE
  PID 2280 wrote to memory of 4836 | 2280 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3976
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 3540
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2280
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 4836
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3564
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2616
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: eae746783abd4f039b04034adbe1e698
  SHA1: fe060856a2dff43523223e729f20499d3e91bd6f
  SHA256: 66b00dc1e466397137aef1fd3a90c0b36005a4352338d624ba87ec3496bf9725
  SHA512: d480f77aaf2cbbf62b2f835d9f4e8e7a6431fbd43078caf30846656e6aa95b50566af96d6a38c2495b83a0fff34bc6564ef5e97f1d9e850dff999803557e427d
- memory/3564-133-0x000001F525F40000-0x000001F525F50000-memory.dmp
  Filesize: 64KB
- memory/3564-134-0x000001F525FA0000-0x000001F525FB0000-memory.dmp
  Filesize: 64KB
- memory/3564-135-0x000001F528CC0000-0x000001F528CC4000-memory.dmp
  Filesize: 16KB