Analysis
max time kernel: 147s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 09:37
Static task: static1
Behavioral task behavioral1: Sample 097a20a27c7283a4d270dae11e52f3f78c6b4af3f9949aeb6ab105d66b8763d2.exe, Resource win7-en-20211208
Behavioral task behavioral2: Sample 097a20a27c7283a4d270dae11e52f3f78c6b4af3f9949aeb6ab105d66b8763d2.exe, Resource win10v2004-en-20220113
The results below are from the behavioral2 run (platform windows10-2004_x64, resource win10v2004-en-20220113).
General
Target: 097a20a27c7283a4d270dae11e52f3f78c6b4af3f9949aeb6ab105d66b8763d2.exe
Size: 99KB
MD5: 646ac3230a8cccfcb5820b623cfab2a5
SHA1: 4c966ba5e0965d081d398fc5035669d658a44d64
SHA256: 097a20a27c7283a4d270dae11e52f3f78c6b4af3f9949aeb6ab105d66b8763d2
SHA512: 84d61d5bc39d3d09db7ae5da79856ea6cde1675b7ad8f624575c89dad83cf499142f50c0dcc0364785058bc9b38b640bee394214a8942d95aa14d849326486bf
Malware Config
Signatures

Sakula Payload (2 IoCs)
YARA rule family_sakula matched C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (the report lists the same file twice). Both matches are against the dropped file, not the submitted 99KB executable, so the submitted file acts as a loader that writes the Sakula payload to disk.
Executes dropped EXE (1 IoC)
PID 3624 MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Key value queried by 097a20a27c7283a4d270dae11e52f3f78c6b4af3f9949aeb6ab105d66b8763d2.exe: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
This is a registry read, not a write. Sysmon's registry events (12, 13, 14) cover key creation, deletion and value sets only, so this check leaves no Sysmon trace; catching it requires API monitoring or ETW registry tracing.
Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str) by 097a20a27c7283a4d270dae11e52f3f78c6b4af3f9949aeb6ab105d66b8763d2.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
The WOW6432Node path is the registry redirector at work: a 32-bit process writing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run on 64-bit Windows lands here, which is consistent with the SysWOW64\cmd.exe child in the process tree. The value relaunches the dropped payload from the user's Temp directory at every logon, and any hunt for this persistence must check both the native and the WOW6432Node Run keys.
Drops file in Windows directory (8 IoCs)
File opened for modification:
C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
C:\Windows\WinSxS\pending.xml (TiWorker.exe)
C:\Windows\WindowsUpdate.log (svchost.exe)
C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
All eight writes come from the Windows Update service host (svchost.exe -k netsvcs -s wuauserv) and the servicing worker TiWorker.exe, neither of which descends from the sample in the process tree; this is background servicing activity in the sandbox image, not sample behaviour.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
No IoC is attached to this signature, and Sakula is a remote access trojan rather than ransomware, so the "ransomware" wording is the sandbox's generic heuristic description and carries little weight for this sample.
Runs ping.exe (1 TTP, 1 IoC)
The IoC is the PING.EXE child (PID 1088) shown in the process tree.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Distinct token adjustments (the 64-entry list is capped and consists of repeats of these):
PID 4800 svchost.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege
PID 5088 TiWorker.exe: SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege
PID 3500 097a20a27c7283a4d270dae11e52f3f78c6b4af3f9949aeb6ab105d66b8763d2.exe: SeIncBasePriorityPrivilege
Only the single SeIncBasePriorityPrivilege adjustment belongs to the sample; the rest are the Windows Update and servicing processes.
Suspicious use of WriteProcessMemory (9 IoCs)
Source PID -> target PID (source process -> target process), number of writes:
3500 -> 3624 (097a20a27c7283a4d270dae11e52f3f78c6b4af3f9949aeb6ab105d66b8763d2.exe -> MediaCenter.exe), 3 writes
3500 -> 2564 (097a20a27c7283a4d270dae11e52f3f78c6b4af3f9949aeb6ab105d66b8763d2.exe -> cmd.exe), 3 writes
2564 -> 1088 (cmd.exe -> PING.EXE), 3 writes
Every target is a child the source has just created, and the three writes per child are what Triage records for an ordinary process start; no write lands in an unrelated process, so this records the spawn chain rather than code injection.
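The report flattens the nine WriteProcessMemory entries onto one line, which hides the spawning chain. The following Python is an added example, not part of the Triage report or of Triage's tooling, that parses entries in exactly that format (the nine above, reassembled into the single run-on line the report presents), collapses the repeated writes into one edge per parent/child pair and renders the chain as an indented tree. The function names are my own.

```python
import re
from collections import Counter, defaultdict

# The nine "wrote to memory of" entries from the report above, reassembled into the single
# run-on line the report presents them as (report data, not constructed).
SAMPLE = "097a20a27c7283a4d270dae11e52f3f78c6b4af3f9949aeb6ab105d66b8763d2.exe"
WPM_TEXT = (
    f"PID 3500 wrote to memory of 3624 3500 {SAMPLE} MediaCenter.exe " * 3
    + f"PID 3500 wrote to memory of 2564 3500 {SAMPLE} cmd.exe " * 3
    + "PID 2564 wrote to memory of 1088 2564 cmd.exe PING.EXE " * 3
)

# One entry reads: PID <src> wrote to memory of <dst> <src> <src image> <dst image>
ENTRY = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")


def parse_wpm(text):
    """Return one (src_pid, dst_pid, src_image, dst_image) tuple per recorded write."""
    return [(int(src), int(dst), s, d) for src, dst, s, d in ENTRY.findall(text)]


def spawn_chain(entries):
    """Collapse repeated writes into one edge per (parent, child) and find the root PIDs.

    Returns (roots, names, children): names maps pid -> image, children maps
    parent pid -> [(child pid, child image, write count)].
    """
    counts = Counter((src, dst) for src, dst, _, _ in entries)
    names = {}
    for src, dst, s, d in entries:
        names[src], names[dst] = s, d
    children = defaultdict(list)
    for (src, dst), n in counts.items():
        children[src].append((dst, names[dst], n))
    # Roots are sources that never appear as a target.
    roots = sorted({src for src, _ in counts} - {dst for _, dst in counts})
    return roots, names, children


def render(entries):
    """Indented text tree of the spawn chain, one line per process."""
    roots, names, children = spawn_chain(entries)
    lines = []

    def walk(pid, depth, writes):
        suffix = f" ({writes} writes from parent)" if writes else ""
        lines.append(f"{'  ' * depth}{pid} {names[pid]}{suffix}")
        for child, _, n in sorted(children.get(pid, [])):
            walk(child, depth + 1, n)

    for root in roots:
        walk(root, 0, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(parse_wpm(WPM_TEXT))))
```

Because the write count is kept per edge, a child that received far more than the usual handful of writes, or a target that is not a child of the writer at all, stands out immediately as a candidate for real injection rather than process creation.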
Processes

[1] C:\Users\Admin\AppData\Local\Temp\097a20a27c7283a4d270dae11e52f3f78c6b4af3f9949aeb6ab105d66b8763d2.exe (PID 3500)
    Command line: "C:\Users\Admin\AppData\Local\Temp\097a20a27c7283a4d270dae11e52f3f78c6b4af3f9949aeb6ab105d66b8763d2.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 3624, child of 3500)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2564, child of 3500)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\097a20a27c7283a4d270dae11e52f3f78c6b4af3f9949aeb6ab105d66b8763d2.exe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\PING.EXE (PID 1088, child of 2564)
        Command line: ping 127.0.0.1
        - Runs ping.exe

[1] C:\Windows\system32\svchost.exe (PID 4800)
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 5088)
    Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

The first tree is the sample's entire observable behaviour: the dropper writes MediaCenter.exe, sets the Run value pointing at it, starts it, and removes its own file with "ping 127.0.0.1 & del /q <own path>", the loopback ping serving as a delay so the dropper has exited before del runs. The dropper asked for C:\Windows\System32\cmd.exe but got C:\Windows\SysWOW64\cmd.exe, the file-system redirector's substitution for a 32-bit caller, which agrees with the WOW6432Node registry path. The svchost.exe (wuauserv) and TiWorker.exe trees are Windows Update servicing activity unrelated to the sample.
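Taken together, the process tree and the registry signatures give three host-side detection opportunities: a Run value (native or WOW6432Node) that points into a user's Temp directory, a cmd.exe "ping ... & del" command line whose del target is the parent process's own image, and a Temp-resident binary starting another Temp-resident binary. The Python below is an added example, not code from the report or from Triage, that encodes those three as rules and runs them over constructed Sysmon-style records (event ID 13 registry value set, event ID 1 process create) built to mirror this run, plus two benign look-alikes that must not fire. The Geo\Nation lookup is deliberately left out: it is a registry read, and Sysmon logs only key creation, deletion and value writes, so that check needs API or ETW registry monitoring instead. Field names follow Sysmon's schema; the records and rule names are my own.

```python
import re

# Constructed Sysmon-style records mirroring the report above (field names follow Sysmon's
# schema; the records themselves are made up for this example). Event ID 13 = registry
# value set, event ID 1 = process create.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\097a20a27c7283a4d270dae11e52f3f78c6b4af3f9949aeb6ab105d66b8763d2.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

EVENTS = [
    {"EventID": 13, "ProcessId": 3500, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": DROPPED},
    {"EventID": 1, "ProcessId": 3624, "Image": DROPPED, "CommandLine": DROPPED,
     "ParentProcessId": 3500, "ParentImage": SAMPLE},
    {"EventID": 1, "ProcessId": 2564, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"',
     "ParentProcessId": 3500, "ParentImage": SAMPLE},
    # Benign look-alikes (constructed): an installer registering a tray app from Program Files,
    # and an administrator running a bare ping from a shell.
    {"EventID": 13, "ProcessId": 900, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"EventID": 1, "ProcessId": 901, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ping 127.0.0.1",
     "ParentProcessId": 500, "ParentImage": r"C:\Windows\explorer.exe"},
]

# Matches the native and the WOW6432Node Run/RunOnce keys alike.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def deleted_target(cmdline):
    """Return the path given to `del` in a `ping ... & del ... <path>` command line, else None.

    A ping against loopback is a cheap sleep: it keeps cmd.exe busy until the parent has
    exited so that the del that follows can remove the parent's own executable.
    """
    if not re.search(r"\bping\b", cmdline, re.I):
        return None
    for part in cmdline.split("&"):
        part = part.strip()
        if re.match(r"del\b", part, re.I):
            m = re.search(r'"([^"]+)"\s*$', part) or re.search(r"(\S+)\s*$", part)
            return m.group(1) if m else None
    return None


def run_key_points_to_user_temp(ev):
    return (ev["EventID"] == 13
            and bool(RUN_KEY.search(ev["TargetObject"]))
            and bool(USER_TEMP.search(ev["Details"].strip('"'))))


def self_delete_via_ping_del(ev):
    # Only fires when the file being deleted is the parent's own image.
    if ev["EventID"] != 1 or not ev["Image"].lower().endswith("\\cmd.exe"):
        return False
    target = deleted_target(ev["CommandLine"])
    return target is not None and target.lower() == ev["ParentImage"].lower()


def temp_binary_spawns_temp_binary(ev):
    return (ev["EventID"] == 1
            and bool(USER_TEMP.search(ev["Image"]))
            and bool(USER_TEMP.search(ev["ParentImage"])))


RULES = (run_key_points_to_user_temp, self_delete_via_ping_del, temp_binary_spawns_temp_binary)


def scan(events):
    """Return (rule name, process id) for every record that trips a rule."""
    return [(rule.__name__, ev["ProcessId"]) for ev in events for rule in RULES if rule(ev)]


if __name__ == "__main__":
    for name, pid in scan(EVENTS):
        print(f"{name}: PID {pid}")
```

Matching the del target against ParentImage, rather than flagging every "ping & del" pair, is what keeps the administrator's bare ping from firing; it also catches the same self-deletion idiom when the attacker adds "-n <count>" to lengthen the delay, since the target extraction does not depend on ping's arguments.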
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (the report lists this entry twice; one copy is kept here)
MD5: 279c1a14fb2fc1a0f159294d81fed3e2
SHA1: fa2694c54ad2a20f48d21894d86c26a222e037e2
SHA256: 3110bc2037f414e41802d943327a5733d5df6cefa0d0e4280639ff6e7add4001
SHA512: 15fae734c70042328522a320f3de82508aad821cbec516bb12a46fa224d4ad5134ae79cea904cde41c999c6df8f8f3b07bf859a37b345fa45ac0917e3f83effe
These hashes differ from the submitted file's, so an IoC list for this activity needs both the dropper's and the dropped payload's hashes.
Memory dumps (all from PID 4800, the wuauserv svchost.exe; no dump of the sample, PID 3500, or of the payload, PID 3624, is present):
memory/4800-132-0x000001F50F5A0000-0x000001F50F5B0000-memory.dmp: 64KB
memory/4800-133-0x000001F50FD60000-0x000001F50FD70000-memory.dmp: 64KB
memory/4800-134-0x000001F512980000-0x000001F512984000-memory.dmp: 16KB