Analysis
- max time kernel: 143s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 09:46
Static task: static1
Behavioral task: behavioral1
- Sample: 0914eb6a2c82d84b007d46546cf0c6c6b2469c649f8211063a9788975a690d03.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0914eb6a2c82d84b007d46546cf0c6c6b2469c649f8211063a9788975a690d03.exe
- Resource: win10v2004-en-20220113
General
- Target: 0914eb6a2c82d84b007d46546cf0c6c6b2469c649f8211063a9788975a690d03.exe
- Size: 99KB
- MD5: 437ba52f4638aef000ee5027e6edf1ab
- SHA1: c9835ba1565b1ee19f9cfb2cd674c9c5a1abe2fc
- SHA256: 0914eb6a2c82d84b007d46546cf0c6c6b2469c649f8211063a9788975a690d03
- SHA512: 06529d56b7e4311b31a60db428e4916b381bbebb079e30dc7ff4d3671024af07438214f6c4ea46c52ae45bc5ee2f0611fae13ae2d95dac14825cdae6f484371c
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
-
Executes dropped EXE 1 IoCs
Processes:
  pid | process
  3392 | MediaCenter.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0914eb6a2c82d84b007d46546cf0c6c6b2469c649f8211063a9788975a690d03.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0914eb6a2c82d84b007d46546cf0c6c6b2469c649f8211063a9788975a690d03.exe
Note: the value lands under HKLM (machine-wide persistence), which only succeeds because the sandbox user is an administrator, and under WOW6432Node because the sample is a 32-bit process on x64 (cmd.exe likewise resolves to SysWOW64 in the process tree). The persistence target is the dropped Sakula payload in the user's Temp directory.
-
Drops file in Windows directory 8 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
Note: all eight IoCs come from svchost.exe (wuauserv) and TiWorker.exe, i.e. Windows Update and servicing-stack activity that runs as separate top-level processes in the process tree, not from the sample or MediaCenter.exe. Treat them as sandbox background noise.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Note: this is a generic sandbox heuristic with no IoC recorded. The dropped file matched the family_sakula YARA rule, and Sakula is a remote-access trojan, so the "ransomware" wording should not be taken as a classification of this sample.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  process (pid) | tokens, in the order logged
  svchost.exe (4720) | SeShutdownPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeCreatePagefilePrivilege
  0914eb6a2c82d84b007d46546cf0c6c6b2469c649f8211063a9788975a690d03.exe (4864) | SeIncBasePriorityPrivilege
  TiWorker.exe (5040) | SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, then the cycle SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege repeated for the remaining entries
Note: only one of the 64 entries belongs to the sample (SeIncBasePriorityPrivilege, PID 4864). The svchost.exe and TiWorker.exe entries are Windows Update and servicing-stack activity, not sample behaviour.
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  source pid | source process | target pid | target process | entries
  4864 | 0914eb6a2c82d84b007d46546cf0c6c6b2469c649f8211063a9788975a690d03.exe | 3392 | MediaCenter.exe | 3
  4864 | 0914eb6a2c82d84b007d46546cf0c6c6b2469c649f8211063a9788975a690d03.exe | 4616 | cmd.exe | 3
  4616 | cmd.exe | 3244 | PING.EXE | 3
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\0914eb6a2c82d84b007d46546cf0c6c6b2469c649f8211063a9788975a690d03.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0914eb6a2c82d84b007d46546cf0c6c6b2469c649f8211063a9788975a690d03.exe"
   PID: 4864
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 3392
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0914eb6a2c82d84b007d46546cf0c6c6b2469c649f8211063a9788975a690d03.exe"
      PID: 4616
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 3244
         - Runs ping.exe
-
1. C:\Windows\system32\svchost.exe
   Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
   PID: 4720
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
-
1. C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
   Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
   PID: 5040
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
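Two behaviours in this report are attributable to the sample and are worth turning into detections: the Run-key write under "Adds Run key to start application" (persistence pointing into the user's Temp directory) and the dropper's self-deletion through cmd.exe /c ping 127.0.0.1 & del /q "<dropper>" in the process tree, where ping against loopback is used as a short sleep so the dropper has exited before del runs. The Python below is an added example, not part of the sandbox report or any vendor's code: it runs both detections over constructed process-creation and registry events that mirror the report's PIDs, paths and command line. The event schema (ProcEvent and RegEvent fields) is an assumed, simplified format, not a real EDR or Sysmon schema, and the benign vendor entries are invented controls.

```python
"""Detections for two behaviours in the report above: a Run-key entry that
points into a user-writable directory, and the `cmd /c ping 127.0.0.1 & del`
self-delete.  The event records are constructed from the report; the field
names are an assumed schema, not a real EDR format."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged


@dataclass
class RegEvent:
    pid: int
    image: str
    key: str        # registry key path as the sandbox logs it
    value_name: str
    data: str


# Run or RunOnce under any hive, including the WOW6432Node view used by 32-bit code.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.IGNORECASE)
# Directories an unprivileged user can write to; an autostart entry here is suspicious.
USER_WRITABLE_RE = re.compile(
    r"\\AppData\\(?:Local|Roaming)\\|\\Users\\Public\\|\\ProgramData\\", re.IGNORECASE)
# `ping <loopback>` used as a sleep, chained with `del` of an executable.
SELF_DELETE_RE = re.compile(
    r'ping\s+.*?127\.0\.0\.1[^&]*&+\s*del\s+(?:/\w\s+)*"?([^"]+?)"?\s*$', re.IGNORECASE)


def run_key_to_user_writable(reg_events):
    """Return Run/RunOnce writes whose target lives in a user-writable directory."""
    hits = []
    for e in reg_events:
        if RUN_KEY_RE.search(e.key) and USER_WRITABLE_RE.search(e.data):
            hits.append({"pid": e.pid, "writer": e.image,
                         "value_name": e.value_name, "target": e.data})
    return hits


def self_delete_chains(proc_events):
    """Return cmd.exe launches that sleep via ping and then delete an executable.

    deletes_parent is True when the deleted path is the parent's own image,
    i.e. the process that spawned cmd.exe is removing itself from disk."""
    by_pid = {e.pid: e for e in proc_events}
    hits = []
    for e in proc_events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e.cmdline)
        if not m:
            continue
        target = m.group(1)
        parent = by_pid.get(e.ppid)
        hits.append({
            "cmd_pid": e.pid,
            "parent_pid": e.ppid,
            "target": target,
            "deletes_parent": parent is not None and parent.image.lower() == target.lower(),
        })
    return hits


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\0914eb6a2c82d84b007d46546cf0c6c6b2469c649f8211063a9788975a690d03.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events mirroring the report's process tree (PIDs 4864/3392/4616/3244),
# plus one benign cmd.exe that only pings, to show it is not flagged.  PID 1000 and
# 5100 are invented placeholders.
PROC_EVENTS = [
    ProcEvent(4864, 1000, DROPPER, f'"{DROPPER}"'),
    ProcEvent(3392, 4864, PAYLOAD, PAYLOAD),
    ProcEvent(4616, 4864, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{DROPPER}"'),
    ProcEvent(3244, 4616, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    ProcEvent(5100, 1000, r"C:\Windows\System32\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1'),
]

# Constructed registry events: the report's Run-key write plus an invented benign entry.
REG_EVENTS = [
    RegEvent(4864, DROPPER,
             r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
             "MicroMedia", PAYLOAD),
    RegEvent(2200, r"C:\Program Files\Vendor\Setup.exe",
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
             "VendorUpdater", r"C:\Program Files\Vendor\Updater.exe"),
]


if __name__ == "__main__":
    for h in run_key_to_user_writable(REG_EVENTS):
        print("persistence:", h)
    for h in self_delete_chains(PROC_EVENTS):
        print("self-delete:", h)
```

The self-delete rule keys on the loopback ping plus a chained del rather than on ping.exe alone, because ping 127.0.0.1 by itself is common in scripts; correlating the deleted path with the parent's image is what distinguishes a dropper cleaning up after itself from an installer removing a temp file. The Run-key rule matches the WOW6432Node path because that is where a 32-bit sample's HKLM write is redirected on x64.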
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 5afe07909f819b3708bfe131343adeee
  SHA1: bf196b6c1402217c47f0e88238860c20c6efdfd7
  SHA256: 4e0afc8dbeb7f8179e0045ade509208b2b36c67a70ddd72c5e9ec2fc15c02b28
  SHA512: 6ec80142b28af1c7dc9e89195569c3f81db6fc3058dcec10c981122099bedf81d98494a637950cb89f1c00719bc6307ebecf07f63d17cb680263639983f620f0
- memory/4720-132-0x00000219F1760000-0x00000219F1770000-memory.dmp (Filesize: 64KB)
- memory/4720-133-0x00000219F1D20000-0x00000219F1D30000-memory.dmp (Filesize: 64KB)
- memory/4720-134-0x00000219F4390000-0x00000219F4394000-memory.dmp (Filesize: 16KB)
Note: all three memory dumps are from PID 4720 (svchost.exe, wuauserv), not from the sample (PID 4864) or MediaCenter.exe (PID 3392); the only sample-derived artifact to collect from this run is the dropped MediaCenter.exe listed above.