Analysis
- max time kernel: 161s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 09:47
Static task: static1
Behavioral task: behavioral1
  Sample: 0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3.exe
  Resource: win10v2004-en-20220113
General
- Target: 0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3.exe
- Size: 84KB
- MD5: e955f6d624d65c0d2f6f928e2377a851
- SHA1: 665338918e48673a29e19f7ec4509ff09653da5f
- SHA256: 0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3
- SHA512: 1f786ecacc514c81b725387f90b1d43bd49746880aeaf14b71c5f6ba3f02dba260c17f1328c9ae37708a2112cc3b78b4b9c0cd72ccf6afadfd48a65e479b21f1
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource                                                       yara_rule
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
    pid    process
    4000   MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    description         ioc                                                                                                                    process
    Key value queried   \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation                  0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description       ioc                                                                                                                                                                                       process
    Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
    description                     ioc                                                              process
    File opened for modification    C:\Windows\Logs\CBS\CBS.log                                      TiWorker.exe
    File opened for modification    C:\Windows\WinSxS\pending.xml                                    TiWorker.exe
    File opened for modification    C:\Windows\WindowsUpdate.log                                     svchost.exe
    File opened for modification    C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk           svchost.exe
    File opened for modification    C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log           svchost.exe
    File opened for modification    C:\Windows\SoftwareDistribution\DataStore\DataStore.edb          svchost.exe
    File opened for modification    C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm          svchost.exe
    File opened for modification    C:\Windows\SoftwareDistribution\ReportingEvents.log              svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    description                          pid    process
    Token: SeShutdownPrivilege           3280   svchost.exe
    Token: SeCreatePagefilePrivilege     3280   svchost.exe
    Token: SeShutdownPrivilege           3280   svchost.exe
    Token: SeCreatePagefilePrivilege     3280   svchost.exe
    Token: SeShutdownPrivilege           3280   svchost.exe
    Token: SeCreatePagefilePrivilege     3280   svchost.exe
    Token: SeIncBasePriorityPrivilege    1852   0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3.exe
    Token: SeSecurityPrivilege           3032   TiWorker.exe
    Token: SeRestorePrivilege            3032   TiWorker.exe
    Token: SeBackupPrivilege             3032   TiWorker.exe
    Token: SeBackupPrivilege             3032   TiWorker.exe
    Token: SeRestorePrivilege            3032   TiWorker.exe
    Token: SeSecurityPrivilege           3032   TiWorker.exe
    Token: SeBackupPrivilege             3032   TiWorker.exe   (the following three rows repeat 17 times in this order)
    Token: SeRestorePrivilege            3032   TiWorker.exe
    Token: SeSecurityPrivilege           3032   TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                          pid    process                                                                    target process
    PID 1852 wrote to memory of 4000     1852   0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3.exe   MediaCenter.exe
    PID 1852 wrote to memory of 4000     1852   0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3.exe   MediaCenter.exe
    PID 1852 wrote to memory of 4000     1852   0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3.exe   MediaCenter.exe
    PID 1852 wrote to memory of 620      1852   0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3.exe   cmd.exe
    PID 1852 wrote to memory of 620      1852   0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3.exe   cmd.exe
    PID 1852 wrote to memory of 620      1852   0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3.exe   cmd.exe
    PID 620 wrote to memory of 4044      620    cmd.exe                                                                    PING.EXE
    PID 620 wrote to memory of 4044      620    cmd.exe                                                                    PING.EXE
    PID 620 wrote to memory of 4044      620    cmd.exe                                                                    PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1852
    - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 4000
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3.exe"
      - Suspicious use of WriteProcessMemory
      PID: 620
        - C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          - Runs ping.exe
          PID: 4044
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3280
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3032
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 49687afcbb8b5ecee9cf2533f67a8de7
  SHA1: c18001f25d2b63bfdd54e563051cfb7510140439
  SHA256: 952920a4c0e77f650b0b63f46a91b870841934345fd84802805ae3563e23d3b0
  SHA512: 9f7a91960d25e590bfc16fe1b1e25470ead302ebea62fe8886b51fe71d7452be56ff94a6e6c610f2b321d84bd280589f3b197ef1c1cc747cfc2a61eecbf28619
- memory/3280-135-0x000001B9A3990000-0x000001B9A39A0000-memory.dmp
  Filesize: 64KB
- memory/3280-136-0x000001B9A4160000-0x000001B9A4170000-memory.dmp
  Filesize: 64KB
- memory/3280-137-0x000001B9A6D70000-0x000001B9A6D74000-memory.dmp
  Filesize: 16KB