Analysis

Max time kernel: 136s
Max time network: 142s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220113
Submitted: 12-02-2022 09:41

Static task: static1

Behavioral task: behavioral1
  Sample: 0948544922490f804912b9be60ad94e7ccc73a301cdfd32dbcdbd29af013952a.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 0948544922490f804912b9be60ad94e7ccc73a301cdfd32dbcdbd29af013952a.exe
  Resource: win10v2004-en-20220113
General

Target: 0948544922490f804912b9be60ad94e7ccc73a301cdfd32dbcdbd29af013952a.exe
Size: 150KB
MD5: 74724506d36be87c1dd96500b62b9bd6
SHA1: ed40350253515fb27af58a3b6e62736d0e956866
SHA256: 0948544922490f804912b9be60ad94e7ccc73a301cdfd32dbcdbd29af013952a
SHA512: c1e3158ff189b80b4060c78ed48c93154277e16cf5fd1c16055c387c0193f5c607ac2e1d6881d16960fba00405499841f93dcf6aeb612b037abcdbaa25fdf8dd
Malware Config
Signatures

Sakula Payload (2 IoCs)
  Processes:
  - resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
  - resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula

Executes dropped EXE (1 IoC)
  Processes:
  - pid 4608, process MediaCenter.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
    process: 0948544922490f804912b9be60ad94e7ccc73a301cdfd32dbcdbd29af013952a.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 0948544922490f804912b9be60ad94e7ccc73a301cdfd32dbcdbd29af013952a.exe

Drops file in Windows directory (8 IoCs)
  Processes:
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
  - File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  - File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  - File opened for modification: C:\Windows\WindowsUpdate.log (svchost.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  - PID 4336 wrote to memory of 4608: 0948544922490f804912b9be60ad94e7ccc73a301cdfd32dbcdbd29af013952a.exe -> MediaCenter.exe
  - PID 4336 wrote to memory of 4608: 0948544922490f804912b9be60ad94e7ccc73a301cdfd32dbcdbd29af013952a.exe -> MediaCenter.exe
  - PID 4336 wrote to memory of 4608: 0948544922490f804912b9be60ad94e7ccc73a301cdfd32dbcdbd29af013952a.exe -> MediaCenter.exe
  - PID 4336 wrote to memory of 5116: 0948544922490f804912b9be60ad94e7ccc73a301cdfd32dbcdbd29af013952a.exe -> cmd.exe
  - PID 4336 wrote to memory of 5116: 0948544922490f804912b9be60ad94e7ccc73a301cdfd32dbcdbd29af013952a.exe -> cmd.exe
  - PID 4336 wrote to memory of 5116: 0948544922490f804912b9be60ad94e7ccc73a301cdfd32dbcdbd29af013952a.exe -> cmd.exe
  - PID 5116 wrote to memory of 5112: cmd.exe -> PING.EXE
  - PID 5116 wrote to memory of 5112: cmd.exe -> PING.EXE
  - PID 5116 wrote to memory of 5112: cmd.exe -> PING.EXE
Processes

- C:\Users\Admin\AppData\Local\Temp\0948544922490f804912b9be60ad94e7ccc73a301cdfd32dbcdbd29af013952a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0948544922490f804912b9be60ad94e7ccc73a301cdfd32dbcdbd29af013952a.exe"
  PID: 4336
  Signatures:
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4608
    Signatures:
    - Executes dropped EXE

  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0948544922490f804912b9be60ad94e7ccc73a301cdfd32dbcdbd29af013952a.exe"
    PID: 5116
    Signatures:
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 5112
      Signatures:
      - Runs ping.exe

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4496
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 4292
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: f54e93ed00f0c758e87bdc5e3ca450ee
  SHA1: cb8ce8f0cb7319cacbc83b1c51b0f22d22a7da60
  SHA256: 8ccef8658532d5bde06c58b95fde8a0934af5c0db127e882a042b16176750201
  SHA512: 0fc6d503ea1219781863e9abda53269b92d8e5dae2bd1ae930794d3a7293406fdc572b8905df8f3ab5be6c158d9d6021e56692bb7c7cf431a8fdc6c932ace692
- memory/4496-132-0x000002956C790000-0x000002956C7A0000-memory.dmp
  Filesize: 64KB

- memory/4496-133-0x000002956CF60000-0x000002956CF70000-memory.dmp
  Filesize: 64KB

- memory/4496-134-0x000002956FB70000-0x000002956FB74000-memory.dmp
  Filesize: 16KB