Analysis
- max time kernel: 147s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 09:43
Static task: static1
Behavioral task: behavioral1
  Sample: 0933e1eb8c1527c7ba38cb2d59a32399ca0e98c5fccf2a8325c4e7a73622b805.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0933e1eb8c1527c7ba38cb2d59a32399ca0e98c5fccf2a8325c4e7a73622b805.exe
  Resource: win10v2004-en-20220113
General
- Target: 0933e1eb8c1527c7ba38cb2d59a32399ca0e98c5fccf2a8325c4e7a73622b805.exe
- Size: 100KB
- MD5: e95b7fd642503edd63568d8a122552e4
- SHA1: 627dcd8d09a461bdce72e5ab287d23714dad2cfa
- SHA256: 0933e1eb8c1527c7ba38cb2d59a32399ca0e98c5fccf2a8325c4e7a73622b805
- SHA512: 59f02bb6e55a550922a0a0dcd417d3553131e13474701a45ea02bd9ea803a8ce06f27f18e8b077d732e550354f1034cf94c3dfdc703dfa483da738738e6e3181
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    2376 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0933e1eb8c1527c7ba38cb2d59a32399ca0e98c5fccf2a8325c4e7a73622b805.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0933e1eb8c1527c7ba38cb2d59a32399ca0e98c5fccf2a8325c4e7a73622b805.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
    File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
    File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
    File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 4648 | 0933e1eb8c1527c7ba38cb2d59a32399ca0e98c5fccf2a8325c4e7a73622b805.exe
    Token: SeShutdownPrivilege | 1056 | svchost.exe
    Token: SeCreatePagefilePrivilege | 1056 | svchost.exe
    Token: SeShutdownPrivilege | 1056 | svchost.exe
    Token: SeCreatePagefilePrivilege | 1056 | svchost.exe
    Token: SeShutdownPrivilege | 1056 | svchost.exe
    Token: SeCreatePagefilePrivilege | 1056 | svchost.exe
    Token: SeSecurityPrivilege | 3388 | TiWorker.exe
    Token: SeRestorePrivilege | 3388 | TiWorker.exe
    Token: SeBackupPrivilege | 3388 | TiWorker.exe
    Token: SeBackupPrivilege | 3388 | TiWorker.exe
    Token: SeRestorePrivilege | 3388 | TiWorker.exe
    Token: SeSecurityPrivilege | 3388 | TiWorker.exe
    Token: SeBackupPrivilege | 3388 | TiWorker.exe
    Token: SeRestorePrivilege | 3388 | TiWorker.exe
    Token: SeSecurityPrivilege | 3388 | TiWorker.exe
    Token: SeBackupPrivilege | 3388 | TiWorker.exe
    Token: SeRestorePrivilege | 3388 | TiWorker.exe
    Token: SeSecurityPrivilege | 3388 | TiWorker.exe
    Token: SeBackupPrivilege | 3388 | TiWorker.exe
    Token: SeRestorePrivilege | 3388 | TiWorker.exe
    Token: SeSecurityPrivilege | 3388 | TiWorker.exe
    Token: SeBackupPrivilege | 3388 | TiWorker.exe
    Token: SeRestorePrivilege | 3388 | TiWorker.exe
    Token: SeSecurityPrivilege | 3388 | TiWorker.exe
    Token: SeBackupPrivilege | 3388 | TiWorker.exe
    Token: SeRestorePrivilege | 3388 | TiWorker.exe
    Token: SeSecurityPrivilege | 3388 | TiWorker.exe
    Token: SeBackupPrivilege | 3388 | TiWorker.exe
    Token: SeRestorePrivilege | 3388 | TiWorker.exe
    Token: SeSecurityPrivilege | 3388 | TiWorker.exe
    Token: SeBackupPrivilege | 3388 | TiWorker.exe
    Token: SeRestorePrivilege | 3388 | TiWorker.exe
    Token: SeSecurityPrivilege | 3388 | TiWorker.exe
    Token: SeBackupPrivilege | 3388 | TiWorker.exe
    Token: SeRestorePrivilege | 3388 | TiWorker.exe
    Token: SeSecurityPrivilege | 3388 | TiWorker.exe
    Token: SeBackupPrivilege | 3388 | TiWorker.exe
    Token: SeRestorePrivilege | 3388 | TiWorker.exe
    Token: SeSecurityPrivilege | 3388 | TiWorker.exe
    Token: SeBackupPrivilege | 3388 | TiWorker.exe
    Token: SeRestorePrivilege | 3388 | TiWorker.exe
    Token: SeSecurityPrivilege | 3388 | TiWorker.exe
    Token: SeBackupPrivilege | 3388 | TiWorker.exe
    Token: SeRestorePrivilege | 3388 | TiWorker.exe
    Token: SeSecurityPrivilege | 3388 | TiWorker.exe
    Token: SeBackupPrivilege | 3388 | TiWorker.exe
    Token: SeRestorePrivilege | 3388 | TiWorker.exe
    Token: SeSecurityPrivilege | 3388 | TiWorker.exe
    Token: SeBackupPrivilege | 3388 | TiWorker.exe
    Token: SeRestorePrivilege | 3388 | TiWorker.exe
    Token: SeSecurityPrivilege | 3388 | TiWorker.exe
    Token: SeBackupPrivilege | 3388 | TiWorker.exe
    Token: SeRestorePrivilege | 3388 | TiWorker.exe
    Token: SeSecurityPrivilege | 3388 | TiWorker.exe
    Token: SeBackupPrivilege | 3388 | TiWorker.exe
    Token: SeRestorePrivilege | 3388 | TiWorker.exe
    Token: SeSecurityPrivilege | 3388 | TiWorker.exe
    Token: SeBackupPrivilege | 3388 | TiWorker.exe
    Token: SeRestorePrivilege | 3388 | TiWorker.exe
    Token: SeSecurityPrivilege | 3388 | TiWorker.exe
    Token: SeBackupPrivilege | 3388 | TiWorker.exe
    Token: SeRestorePrivilege | 3388 | TiWorker.exe
    Token: SeSecurityPrivilege | 3388 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description | pid | process | target process
    PID 4648 wrote to memory of 2376 | 4648 | 0933e1eb8c1527c7ba38cb2d59a32399ca0e98c5fccf2a8325c4e7a73622b805.exe | MediaCenter.exe
    PID 4648 wrote to memory of 2376 | 4648 | 0933e1eb8c1527c7ba38cb2d59a32399ca0e98c5fccf2a8325c4e7a73622b805.exe | MediaCenter.exe
    PID 4648 wrote to memory of 2376 | 4648 | 0933e1eb8c1527c7ba38cb2d59a32399ca0e98c5fccf2a8325c4e7a73622b805.exe | MediaCenter.exe
    PID 4648 wrote to memory of 3600 | 4648 | 0933e1eb8c1527c7ba38cb2d59a32399ca0e98c5fccf2a8325c4e7a73622b805.exe | cmd.exe
    PID 4648 wrote to memory of 3600 | 4648 | 0933e1eb8c1527c7ba38cb2d59a32399ca0e98c5fccf2a8325c4e7a73622b805.exe | cmd.exe
    PID 4648 wrote to memory of 3600 | 4648 | 0933e1eb8c1527c7ba38cb2d59a32399ca0e98c5fccf2a8325c4e7a73622b805.exe | cmd.exe
    PID 3600 wrote to memory of 3760 | 3600 | cmd.exe | PING.EXE
    PID 3600 wrote to memory of 3760 | 3600 | cmd.exe | PING.EXE
    PID 3600 wrote to memory of 3760 | 3600 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0933e1eb8c1527c7ba38cb2d59a32399ca0e98c5fccf2a8325c4e7a73622b805.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0933e1eb8c1527c7ba38cb2d59a32399ca0e98c5fccf2a8325c4e7a73622b805.exe"
  PID: 4648
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 2376
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0933e1eb8c1527c7ba38cb2d59a32399ca0e98c5fccf2a8325c4e7a73622b805.exe"
    PID: 3600
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 3760
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 1056
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3388
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 3cac45a0038571931004d7ec1a0ced70
  SHA1: 4f14ca7e21cae162fa7a2c9891527e25b6ecea7b
  SHA256: 47cca4eeff1812889e9bf317c319a8ea2d9a8fd398c516a884aeca0774f4ca86
  SHA512: 4ebb49f3e5fbc6f7006b5497b2bfe0b650dd65b44c8235a3afa2222c4e944331f59e67cdc5fe998a5c160ed04888bce7972af68262ac344a32c8f971ab21164d
- memory/1056-133-0x000001A128F60000-0x000001A128F70000-memory.dmp
  Filesize: 64KB
- memory/1056-132-0x000001A128790000-0x000001A1287A0000-memory.dmp
  Filesize: 64KB
- memory/1056-134-0x000001A12BB70000-0x000001A12BB74000-memory.dmp
  Filesize: 16KB