Analysis
- max time kernel: 157s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 09:52
Static task: static1
Behavioral task: behavioral1
- Sample: 08c96829d19568060eb27c8828c4dc6143f63326f9bf397d3d57ccc91341adb7.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2 (the run shown in this report)
- Sample: 08c96829d19568060eb27c8828c4dc6143f63326f9bf397d3d57ccc91341adb7.exe
- Resource: win10v2004-en-20220113
General
- Target: 08c96829d19568060eb27c8828c4dc6143f63326f9bf397d3d57ccc91341adb7.exe
- Size: 99KB
- MD5: 4fd542bb9774591ac05b8435ce73b3ae
- SHA1: b8c23cd624fe7dd0ce59cbbaedc6b4fe53acde00
- SHA256: 08c96829d19568060eb27c8828c4dc6143f63326f9bf397d3d57ccc91341adb7
- SHA512: 2b3cc3993a2fbcd7762ca80a16db8600a2e71e8f7e835d88a20e4764935e218bc92cd220620e3af30cf9b3b9c19766e4baf0b823a6019ed7617498709353489b
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  (The same dropped file matched the rule twice.)
- Executes dropped EXE (1 IoC)
  pid | process
  4384 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 08c96829d19568060eb27c8828c4dc6143f63326f9bf397d3d57ccc91341adb7.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 08c96829d19568060eb27c8828c4dc6143f63326f9bf397d3d57ccc91341adb7.exe
- Drops file in Windows directory (8 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  All eight writes come from the Windows Update service (svchost.exe, PID 4544) and the servicing-stack worker (TiWorker.exe, PID 1280), not from the sample or its children; this signature is background activity of the sandbox image.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature says "likely ransomware behaviour"; for this sample, which the YARA rule classifies as the Sakula family, treat it as a weak heuristic rather than evidence of encryption, since nothing else in the report (no mass file writes, no ransom note) supports ransomware activity.
- Runs ping.exe (1 TTP, 1 IoC)
  PING.EXE (PID 1512), spawned by cmd.exe (PID 2524); see the process tree below.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  The 64 token adjustments, grouped (token | pid | process | count):
  SeShutdownPrivilege | 4544 | svchost.exe | 3
  SeCreatePagefilePrivilege | 4544 | svchost.exe | 3
  SeSecurityPrivilege | 1280 | TiWorker.exe | 19
  SeRestorePrivilege | 1280 | TiWorker.exe | 19
  SeBackupPrivilege | 1280 | TiWorker.exe | 19
  SeIncBasePriorityPrivilege | 3292 | 08c96829d19568060eb27c8828c4dc6143f63326f9bf397d3d57ccc91341adb7.exe | 1
  Only the last row is the sample's own action; the rest are the Windows Update service and the servicing-stack worker cycling through their normal backup/restore/security privileges.
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | target process | count
  wrote to memory of 4384 | 3292 | 08c96829d19568060eb27c8828c4dc6143f63326f9bf397d3d57ccc91341adb7.exe | MediaCenter.exe | 3
  wrote to memory of 2524 | 3292 | 08c96829d19568060eb27c8828c4dc6143f63326f9bf397d3d57ccc91341adb7.exe | cmd.exe | 3
  wrote to memory of 1512 | 2524 | cmd.exe | PING.EXE | 3
  Each parent writes to its freshly created child three times, the usual pattern of CreateProcess setting up a new process rather than injection into a foreign one.
Processes
- C:\Users\Admin\AppData\Local\Temp\08c96829d19568060eb27c8828c4dc6143f63326f9bf397d3d57ccc91341adb7.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\08c96829d19568060eb27c8828c4dc6143f63326f9bf397d3d57ccc91341adb7.exe"
  PID: 3292
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4384
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\08c96829d19568060eb27c8828c4dc6143f63326f9bf397d3d57ccc91341adb7.exe"
    PID: 2524
    Signatures: Suspicious use of WriteProcessMemory
    Note: the command line names System32 but the image runs from SysWOW64, so the sample is a 32-bit process subject to file-system redirection (consistent with its Run key landing under WOW6432Node). The ping to 127.0.0.1 is only a delay so that the parent has exited before del removes its own executable; the Sakula payload persists as MediaCenter.exe, the dropper does not.
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      PID: 1512
      Signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4544
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (depth 1)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 1280
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
The last two roots are the Windows Update service (wuauserv) and the servicing-stack worker of the sandbox image. They have no parent/child relationship with the sample, and their signatures are background noise that should be excluded when building indicators from this report.
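The three behaviours the report attributes to PID 3292 (the Geo\Nation lookup, the WOW6432Node Run key pointing into the user's Temp directory, and the cmd /c ping 127.0.0.1 & del self-deletion) map directly onto host-telemetry detections. The following is an added example written for this page, not code from the sandbox vendor or from the sample; it runs the rules over constructed Sysmon-style records whose field names (type, pid, parent_pid, image, key, value, command_line, sha256) are assumptions, and the hash lookup uses the SHA-256 values from the General and Downloads sections above. The benign control records at the end of the constructed telemetry are there to show the rules do not fire on an ordinary Run key or an ordinary ping.

```python
"""Detection rules for the Sakula dropper behaviours seen in this report.
Added example; event shape and field names are assumptions, not a real
sensor's schema."""
import re

# SHA-256 values from the report (General and Downloads sections).
KNOWN_SHA256 = {
    "08c96829d19568060eb27c8828c4dc6143f63326f9bf397d3d57ccc91341adb7": "dropper",
    "ca517e195e94f68ec8cccd6c81c42999f807cdbeeb13a787a0aaee09f94c3c46": "sakula_payload",
}

SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\08c96829d19568060eb27c8828c4dc6143f63326f9bf397d3d57ccc91341adb7.exe")
PAYLOAD_PATH = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed telemetry modelled on the report's process tree and IoCs.
# The last two records are benign controls that must not fire.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 3292, "parent_pid": 1000, "image": SAMPLE_PATH,
     "command_line": f'"{SAMPLE_PATH}"',
     "sha256": "08c96829d19568060eb27c8828c4dc6143f63326f9bf397d3d57ccc91341adb7"},
    {"type": "registry_query", "pid": 3292, "image": SAMPLE_PATH,
     "key": r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"type": "registry_set", "pid": 3292, "image": SAMPLE_PATH,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": PAYLOAD_PATH},
    {"type": "process_create", "pid": 4384, "parent_pid": 3292, "image": PAYLOAD_PATH,
     "command_line": PAYLOAD_PATH,
     "sha256": "ca517e195e94f68ec8cccd6c81c42999f807cdbeeb13a787a0aaee09f94c3c46"},
    {"type": "process_create", "pid": 2524, "parent_pid": 3292,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE_PATH + '"'},
    # Benign controls (constructed): a vendor updater in Program Files, a plain ping.
    {"type": "registry_set", "pid": 900, "image": r"C:\Program Files\Vendor\app.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "value": r"C:\Program Files\Vendor\updater.exe"},
    {"type": "process_create", "pid": 1600, "parent_pid": 700,
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c ping 10.0.0.1 -n 4"},
]

# Run or RunOnce under any hive/WOW6432Node view.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# A per-user Temp directory is not where legitimate autostarts live.
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
# "ping <loopback>" used as a sleep, chained with "del": the classic self-delete one-liner.
SELF_DELETE_RE = re.compile(r"\bping\s+(?:127\.0\.0\.1|localhost)\b.*&\s*del\b", re.IGNORECASE)


def detect(events):
    """Return a list of (rule, pid) findings over a list of event dicts."""
    # The self-delete rule needs the parent's image, so index images first.
    image_by_pid = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    findings = []
    for e in events:
        if e["type"] == "process_create":
            label = KNOWN_SHA256.get(e.get("sha256", "").lower())
            if label:
                findings.append(("known_hash:" + label, e["pid"]))
            cmd = e.get("command_line", "")
            parent_image = image_by_pid.get(e.get("parent_pid"), "")
            if (e["image"].lower().endswith("\\cmd.exe") and SELF_DELETE_RE.search(cmd)
                    and parent_image and parent_image.lower() in cmd.lower()):
                # The path being deleted is the parent's own image: attribute to the parent.
                findings.append(("self_delete_via_ping", e["parent_pid"]))
        elif e["type"] == "registry_set":
            if RUN_KEY_RE.search(e["key"]) and USER_TEMP_RE.search(e.get("value", "")):
                findings.append(("run_key_to_user_temp", e["pid"]))
        elif e["type"] == "registry_query":
            if GEO_NATION_RE.search(e["key"]) and USER_TEMP_RE.search(e["image"]):
                findings.append(("geo_nation_lookup_from_temp", e["pid"]))
    return findings


def findings_by_pid(events):
    """Group rule names per process id, sorted, for triage."""
    grouped = {}
    for rule, pid in detect(events):
        grouped.setdefault(pid, []).append(rule)
    return {pid: sorted(rules) for pid, rules in grouped.items()}


if __name__ == "__main__":
    for pid, rules in sorted(findings_by_pid(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(rules))
```

The geofence rule is deliberately narrowed to images running from a user Temp directory: plenty of legitimate software reads Geo\Nation, and the Temp-path condition is what makes the combination worth an alert. Likewise the self-delete rule only fires when the deleted path equals the parent's own image, which separates the dropper pattern from routine cleanup scripts.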
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: d034ce086127abe452b9aa2a2178df26
  SHA1: fe83b0a36d07075a33df031f1b68c125f7ffdd38
  SHA256: ca517e195e94f68ec8cccd6c81c42999f807cdbeeb13a787a0aaee09f94c3c46
  SHA512: 5749e5248c349df95c30c601a9464f5f23fbf47934ff4074ad5b685bbc8d2530ecbe4f5d4d4806448c570bc722e36a67bd7533256682381832599c89227373e2
- memory/4544-132-0x000001FAACD90000-0x000001FAACDA0000-memory.dmp
  Filesize: 64KB
- memory/4544-133-0x000001FAAD560000-0x000001FAAD570000-memory.dmp
  Filesize: 64KB
- memory/4544-134-0x000001FAB0170000-0x000001FAB0174000-memory.dmp
  Filesize: 16KB
All three memory dumps were taken from PID 4544 (svchost.exe, the Windows Update service), not from the sample or MediaCenter.exe, so they are of no use for analysing the Sakula payload.