Analysis
-
max time kernel: 151s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 09:56
Static task: static1
Behavioral task: behavioral1
  Sample: 088bfd2fc2626e8782648a4a07d5ae45f86b6f3640a4f0e18cb84f5c3b95b826.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 088bfd2fc2626e8782648a4a07d5ae45f86b6f3640a4f0e18cb84f5c3b95b826.exe
  Resource: win10v2004-en-20220113
General
-
Target: 088bfd2fc2626e8782648a4a07d5ae45f86b6f3640a4f0e18cb84f5c3b95b826.exe
Size: 89KB
MD5: 457bed32aa527a267118eeb0c343744b
SHA1: 84c7d714914b31ccf49245829e7eb76d1447c07d
SHA256: 088bfd2fc2626e8782648a4a07d5ae45f86b6f3640a4f0e18cb84f5c3b95b826
SHA512: 2d5b78657ea969ef25be149e09e533b9834e8a3d48ee2109b79beab5490638fe6647151b68ec5da8a9b2622750efd01e4e4612fe4a845b18c302a72770376600
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
752 | MediaCenter.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 088bfd2fc2626e8782648a4a07d5ae45f86b6f3640a4f0e18cb84f5c3b95b826.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 088bfd2fc2626e8782648a4a07d5ae45f86b6f3640a4f0e18cb84f5c3b95b826.exe
-
Drops file in Windows directory 8 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 2996 | svchost.exe
Token: SeCreatePagefilePrivilege | 2996 | svchost.exe
Token: SeShutdownPrivilege | 2996 | svchost.exe
Token: SeCreatePagefilePrivilege | 2996 | svchost.exe
Token: SeShutdownPrivilege | 2996 | svchost.exe
Token: SeCreatePagefilePrivilege | 2996 | svchost.exe
Token: SeSecurityPrivilege | 4388 | TiWorker.exe
Token: SeRestorePrivilege | 4388 | TiWorker.exe
Token: SeBackupPrivilege | 4388 | TiWorker.exe
Token: SeIncBasePriorityPrivilege | 4536 | 088bfd2fc2626e8782648a4a07d5ae45f86b6f3640a4f0e18cb84f5c3b95b826.exe
Token: SeBackupPrivilege | 4388 | TiWorker.exe
Token: SeRestorePrivilege | 4388 | TiWorker.exe
Token: SeSecurityPrivilege | 4388 | TiWorker.exe
Token: SeBackupPrivilege | 4388 | TiWorker.exe
Token: SeRestorePrivilege | 4388 | TiWorker.exe
Token: SeSecurityPrivilege | 4388 | TiWorker.exe
Token: SeBackupPrivilege | 4388 | TiWorker.exe
Token: SeRestorePrivilege | 4388 | TiWorker.exe
Token: SeSecurityPrivilege | 4388 | TiWorker.exe
Token: SeBackupPrivilege | 4388 | TiWorker.exe
Token: SeRestorePrivilege | 4388 | TiWorker.exe
Token: SeSecurityPrivilege | 4388 | TiWorker.exe
Token: SeBackupPrivilege | 4388 | TiWorker.exe
Token: SeRestorePrivilege | 4388 | TiWorker.exe
Token: SeSecurityPrivilege | 4388 | TiWorker.exe
Token: SeBackupPrivilege | 4388 | TiWorker.exe
Token: SeRestorePrivilege | 4388 | TiWorker.exe
Token: SeSecurityPrivilege | 4388 | TiWorker.exe
Token: SeBackupPrivilege | 4388 | TiWorker.exe
Token: SeRestorePrivilege | 4388 | TiWorker.exe
Token: SeSecurityPrivilege | 4388 | TiWorker.exe
Token: SeBackupPrivilege | 4388 | TiWorker.exe
Token: SeRestorePrivilege | 4388 | TiWorker.exe
Token: SeSecurityPrivilege | 4388 | TiWorker.exe
Token: SeBackupPrivilege | 4388 | TiWorker.exe
Token: SeRestorePrivilege | 4388 | TiWorker.exe
Token: SeSecurityPrivilege | 4388 | TiWorker.exe
Token: SeBackupPrivilege | 4388 | TiWorker.exe
Token: SeRestorePrivilege | 4388 | TiWorker.exe
Token: SeSecurityPrivilege | 4388 | TiWorker.exe
Token: SeBackupPrivilege | 4388 | TiWorker.exe
Token: SeRestorePrivilege | 4388 | TiWorker.exe
Token: SeSecurityPrivilege | 4388 | TiWorker.exe
Token: SeBackupPrivilege | 4388 | TiWorker.exe
Token: SeRestorePrivilege | 4388 | TiWorker.exe
Token: SeSecurityPrivilege | 4388 | TiWorker.exe
Token: SeBackupPrivilege | 4388 | TiWorker.exe
Token: SeRestorePrivilege | 4388 | TiWorker.exe
Token: SeSecurityPrivilege | 4388 | TiWorker.exe
Token: SeBackupPrivilege | 4388 | TiWorker.exe
Token: SeRestorePrivilege | 4388 | TiWorker.exe
Token: SeSecurityPrivilege | 4388 | TiWorker.exe
Token: SeBackupPrivilege | 4388 | TiWorker.exe
Token: SeRestorePrivilege | 4388 | TiWorker.exe
Token: SeSecurityPrivilege | 4388 | TiWorker.exe
Token: SeBackupPrivilege | 4388 | TiWorker.exe
Token: SeRestorePrivilege | 4388 | TiWorker.exe
Token: SeSecurityPrivilege | 4388 | TiWorker.exe
Token: SeBackupPrivilege | 4388 | TiWorker.exe
Token: SeRestorePrivilege | 4388 | TiWorker.exe
Token: SeSecurityPrivilege | 4388 | TiWorker.exe
Token: SeBackupPrivilege | 4388 | TiWorker.exe
Token: SeRestorePrivilege | 4388 | TiWorker.exe
Token: SeSecurityPrivilege | 4388 | TiWorker.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 4536 wrote to memory of 752 | 4536 | 088bfd2fc2626e8782648a4a07d5ae45f86b6f3640a4f0e18cb84f5c3b95b826.exe | MediaCenter.exe
PID 4536 wrote to memory of 752 | 4536 | 088bfd2fc2626e8782648a4a07d5ae45f86b6f3640a4f0e18cb84f5c3b95b826.exe | MediaCenter.exe
PID 4536 wrote to memory of 752 | 4536 | 088bfd2fc2626e8782648a4a07d5ae45f86b6f3640a4f0e18cb84f5c3b95b826.exe | MediaCenter.exe
PID 4536 wrote to memory of 2172 | 4536 | 088bfd2fc2626e8782648a4a07d5ae45f86b6f3640a4f0e18cb84f5c3b95b826.exe | cmd.exe
PID 4536 wrote to memory of 2172 | 4536 | 088bfd2fc2626e8782648a4a07d5ae45f86b6f3640a4f0e18cb84f5c3b95b826.exe | cmd.exe
PID 4536 wrote to memory of 2172 | 4536 | 088bfd2fc2626e8782648a4a07d5ae45f86b6f3640a4f0e18cb84f5c3b95b826.exe | cmd.exe
PID 2172 wrote to memory of 5104 | 2172 | cmd.exe | PING.EXE
PID 2172 wrote to memory of 5104 | 2172 | cmd.exe | PING.EXE
PID 2172 wrote to memory of 5104 | 2172 | cmd.exe | PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\088bfd2fc2626e8782648a4a07d5ae45f86b6f3640a4f0e18cb84f5c3b95b826.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\088bfd2fc2626e8782648a4a07d5ae45f86b6f3640a4f0e18cb84f5c3b95b826.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4536
  -
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 752
  -
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\088bfd2fc2626e8782648a4a07d5ae45f86b6f3640a4f0e18cb84f5c3b95b826.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2172
    -
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 5104
-
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2996
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4388
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5: d8e589fa4d75032d3558628aa9345d7e
SHA1: 67526bfb7c786cdf7492b4f1c4fbc779f20f2241
SHA256: b9982890e4e51ad92897217e61b02af298105519df2cfba0c55edb30a5a3f6cb
SHA512: cb3dd8165eda2f9838c34020c6e32ba6d77189fdcf872355359af07a1ecb710e0332bcb9756fb1287d27e100cf1b834c30b5519ea02f67027585a9826a41c4b8
-
memory/2996-132-0x00000266F6530000-0x00000266F6540000-memory.dmp
Filesize: 64KB
-
memory/2996-133-0x00000266F6590000-0x00000266F65A0000-memory.dmp
Filesize: 64KB
-
memory/2996-134-0x00000266F9290000-0x00000266F9294000-memory.dmp
Filesize: 16KB