Analysis
max time kernel: 160s
max time network: 182s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 09:53

Static task: static1

Behavioral task: behavioral1
Sample: 08b2783602db3788d61a96535a4ab5b6ff48ff33c1de16a74ce71bbe06cc7eb6.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 08b2783602db3788d61a96535a4ab5b6ff48ff33c1de16a74ce71bbe06cc7eb6.exe
Resource: win10v2004-en-20220113
General
Target: 08b2783602db3788d61a96535a4ab5b6ff48ff33c1de16a74ce71bbe06cc7eb6.exe
Size: 191KB
MD5: 88e2e592b8a5cd874e062150eeaefc4f
SHA1: 1d8296de3e548fc2ca79e7401193666e37ec2747
SHA256: 08b2783602db3788d61a96535a4ab5b6ff48ff33c1de16a74ce71bbe06cc7eb6
SHA512: b12dfeb0370c0a9b69c97b120674e5bbc3112a92402d8c6e07c352014bf10e3ad8b479aa1e6e34ad13c7acc3ca6a2fe10a75d4613ec738ffd3ce0ee6f4b0e646
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
  resource                                                      yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
Executes dropped EXE 1 IoCs
Processes (MediaCenter.exe):
  pid   process
  2700  MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (08b2783602db3788d61a96535a4ab5b6ff48ff33c1de16a74ce71bbe06cc7eb6.exe):
  description        ioc                                                                                                   process
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  08b2783602db3788d61a96535a4ab5b6ff48ff33c1de16a74ce71bbe06cc7eb6.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes (08b2783602db3788d61a96535a4ab5b6ff48ff33c1de16a74ce71bbe06cc7eb6.exe):
  description      ioc                                                                                                                                                              process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  08b2783602db3788d61a96535a4ab5b6ff48ff33c1de16a74ce71bbe06cc7eb6.exe
Drops file in Windows directory 8 IoCs
Processes (TiWorker.exe, svchost.exe):
  description                   ioc                                                           process
  File opened for modification  C:\Windows\Logs\CBS\CBS.log                                   TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml                                 TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log                                  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk        svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log        svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb       svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm       svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log           svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (svchost.exe, 08b2783602db3788d61a96535a4ab5b6ff48ff33c1de16a74ce71bbe06cc7eb6.exe, TiWorker.exe):
  description                       pid   process
  Token: SeShutdownPrivilege        3500  svchost.exe
  Token: SeCreatePagefilePrivilege  3500  svchost.exe
  Token: SeShutdownPrivilege        3500  svchost.exe
  Token: SeCreatePagefilePrivilege  3500  svchost.exe
  Token: SeShutdownPrivilege        3500  svchost.exe
  Token: SeCreatePagefilePrivilege  3500  svchost.exe
  Token: SeIncBasePriorityPrivilege 2116  08b2783602db3788d61a96535a4ab5b6ff48ff33c1de16a74ce71bbe06cc7eb6.exe
  Token: SeSecurityPrivilege        3396  TiWorker.exe
  Token: SeRestorePrivilege         3396  TiWorker.exe
  Token: SeBackupPrivilege          3396  TiWorker.exe
  Token: SeBackupPrivilege          3396  TiWorker.exe
  Token: SeRestorePrivilege         3396  TiWorker.exe
  Token: SeSecurityPrivilege        3396  TiWorker.exe
  Token: SeBackupPrivilege          3396  TiWorker.exe
  Token: SeRestorePrivilege         3396  TiWorker.exe
  Token: SeSecurityPrivilege        3396  TiWorker.exe
  Token: SeBackupPrivilege          3396  TiWorker.exe
  Token: SeRestorePrivilege         3396  TiWorker.exe
  Token: SeSecurityPrivilege        3396  TiWorker.exe
  Token: SeBackupPrivilege          3396  TiWorker.exe
  Token: SeRestorePrivilege         3396  TiWorker.exe
  Token: SeSecurityPrivilege        3396  TiWorker.exe
  Token: SeBackupPrivilege          3396  TiWorker.exe
  Token: SeRestorePrivilege         3396  TiWorker.exe
  Token: SeSecurityPrivilege        3396  TiWorker.exe
  Token: SeBackupPrivilege          3396  TiWorker.exe
  Token: SeRestorePrivilege         3396  TiWorker.exe
  Token: SeSecurityPrivilege        3396  TiWorker.exe
  Token: SeBackupPrivilege          3396  TiWorker.exe
  Token: SeRestorePrivilege         3396  TiWorker.exe
  Token: SeSecurityPrivilege        3396  TiWorker.exe
  Token: SeBackupPrivilege          3396  TiWorker.exe
  Token: SeRestorePrivilege         3396  TiWorker.exe
  Token: SeSecurityPrivilege        3396  TiWorker.exe
  Token: SeBackupPrivilege          3396  TiWorker.exe
  Token: SeRestorePrivilege         3396  TiWorker.exe
  Token: SeSecurityPrivilege        3396  TiWorker.exe
  Token: SeBackupPrivilege          3396  TiWorker.exe
  Token: SeRestorePrivilege         3396  TiWorker.exe
  Token: SeSecurityPrivilege        3396  TiWorker.exe
  Token: SeBackupPrivilege          3396  TiWorker.exe
  Token: SeRestorePrivilege         3396  TiWorker.exe
  Token: SeSecurityPrivilege        3396  TiWorker.exe
  Token: SeBackupPrivilege          3396  TiWorker.exe
  Token: SeRestorePrivilege         3396  TiWorker.exe
  Token: SeSecurityPrivilege        3396  TiWorker.exe
  Token: SeBackupPrivilege          3396  TiWorker.exe
  Token: SeRestorePrivilege         3396  TiWorker.exe
  Token: SeSecurityPrivilege        3396  TiWorker.exe
  Token: SeBackupPrivilege          3396  TiWorker.exe
  Token: SeRestorePrivilege         3396  TiWorker.exe
  Token: SeSecurityPrivilege        3396  TiWorker.exe
  Token: SeBackupPrivilege          3396  TiWorker.exe
  Token: SeRestorePrivilege         3396  TiWorker.exe
  Token: SeSecurityPrivilege        3396  TiWorker.exe
  Token: SeBackupPrivilege          3396  TiWorker.exe
  Token: SeRestorePrivilege         3396  TiWorker.exe
  Token: SeSecurityPrivilege        3396  TiWorker.exe
  Token: SeBackupPrivilege          3396  TiWorker.exe
  Token: SeRestorePrivilege         3396  TiWorker.exe
  Token: SeSecurityPrivilege        3396  TiWorker.exe
  Token: SeBackupPrivilege          3396  TiWorker.exe
  Token: SeRestorePrivilege         3396  TiWorker.exe
  Token: SeSecurityPrivilege        3396  TiWorker.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes (08b2783602db3788d61a96535a4ab5b6ff48ff33c1de16a74ce71bbe06cc7eb6.exe, cmd.exe):
  description                        pid   process                                                                target process
  PID 2116 wrote to memory of 2700   2116  08b2783602db3788d61a96535a4ab5b6ff48ff33c1de16a74ce71bbe06cc7eb6.exe  MediaCenter.exe
  PID 2116 wrote to memory of 2700   2116  08b2783602db3788d61a96535a4ab5b6ff48ff33c1de16a74ce71bbe06cc7eb6.exe  MediaCenter.exe
  PID 2116 wrote to memory of 2700   2116  08b2783602db3788d61a96535a4ab5b6ff48ff33c1de16a74ce71bbe06cc7eb6.exe  MediaCenter.exe
  PID 2116 wrote to memory of 336    2116  08b2783602db3788d61a96535a4ab5b6ff48ff33c1de16a74ce71bbe06cc7eb6.exe  cmd.exe
  PID 2116 wrote to memory of 336    2116  08b2783602db3788d61a96535a4ab5b6ff48ff33c1de16a74ce71bbe06cc7eb6.exe  cmd.exe
  PID 2116 wrote to memory of 336    2116  08b2783602db3788d61a96535a4ab5b6ff48ff33c1de16a74ce71bbe06cc7eb6.exe  cmd.exe
  PID 336 wrote to memory of 3372    336   cmd.exe                                                                PING.EXE
  PID 336 wrote to memory of 3372    336   cmd.exe                                                                PING.EXE
  PID 336 wrote to memory of 3372    336   cmd.exe                                                                PING.EXE
Processes
Process tree (indentation shows parent/child depth):

C:\Users\Admin\AppData\Local\Temp\08b2783602db3788d61a96535a4ab5b6ff48ff33c1de16a74ce71bbe06cc7eb6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\08b2783602db3788d61a96535a4ab5b6ff48ff33c1de16a74ce71bbe06cc7eb6.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2116

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 2700

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\08b2783602db3788d61a96535a4ab5b6ff48ff33c1de16a74ce71bbe06cc7eb6.exe"
    - Suspicious use of WriteProcessMemory
    PID: 336

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3372

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3500

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3396
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 17ac44a24701fb9513aeb50879cbe983
  SHA1: d56679341522862113251629484f243b1e9c7591
  SHA256: 38af9730277990380a0892533c5d72294c4b8c7369ca80974a2ff387d54e1644
  SHA512: 4f9198883ab157343301aace69b43ebf3902efbf509dbd9badb77826d486ad290be1b88b985aaf9817feaa5f2e33f591964991beb87c14875c60db95e2c193bf
memory/3500-133-0x0000024820190000-0x00000248201A0000-memory.dmp
  Filesize: 64KB

memory/3500-134-0x0000024820820000-0x0000024820830000-memory.dmp
  Filesize: 64KB

memory/3500-135-0x0000024822F10000-0x0000024822F14000-memory.dmp
  Filesize: 16KB