Analysis
- max time kernel: 168s
- max time network: 176s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 09:58
Static task: static1
Behavioral task: behavioral1
  Sample: 087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe
  Resource: win10v2004-en-20220113
General
- Target: 087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe
- Size: 80KB
- MD5: 7235ec89866cbe366bbd311b3f6b42e1
- SHA1: 3a723e25a2e21119d9eadbeff63f0e2f49cafd1a
- SHA256: 087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419
- SHA512: 39eafb2011d27f6cb9cba0224844f1aeae8f3e26f2585474e393476a8e04af9feba81e021ad4109b9548b036fdf3c02e07cb779da873da4af23e9edf7f6e6a86
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource                                                      yara_rule
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
    pid   process
    2848  MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe
    description        ioc                                                                                                 process
    Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe
    description      ioc                                                                                                                                                                     process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe
- Drops file in Windows directory (8 IoCs)
  Processes: TiWorker.exe, svchost.exe
    description                   ioc                                                         process
    File opened for modification  C:\Windows\Logs\CBS\CBS.log                                 TiWorker.exe
    File opened for modification  C:\Windows\WinSxS\pending.xml                               TiWorker.exe
    File opened for modification  C:\Windows\WindowsUpdate.log                                svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk      svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log      svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb     svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm     svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log         svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, TiWorker.exe, 087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe
    description                        pid   process
    Token: SeShutdownPrivilege         4988  svchost.exe
    Token: SeCreatePagefilePrivilege   4988  svchost.exe
    Token: SeShutdownPrivilege         4988  svchost.exe
    Token: SeCreatePagefilePrivilege   4988  svchost.exe
    Token: SeShutdownPrivilege         4988  svchost.exe
    Token: SeCreatePagefilePrivilege   4988  svchost.exe
    Token: SeSecurityPrivilege         4824  TiWorker.exe
    Token: SeRestorePrivilege          4824  TiWorker.exe
    Token: SeBackupPrivilege           4824  TiWorker.exe
    Token: SeIncBasePriorityPrivilege  3504  087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe
    Token: SeBackupPrivilege           4824  TiWorker.exe
    Token: SeRestorePrivilege          4824  TiWorker.exe
    Token: SeSecurityPrivilege         4824  TiWorker.exe
    Token: SeBackupPrivilege           4824  TiWorker.exe
    Token: SeRestorePrivilege          4824  TiWorker.exe
    Token: SeSecurityPrivilege         4824  TiWorker.exe
    Token: SeBackupPrivilege           4824  TiWorker.exe
    Token: SeRestorePrivilege          4824  TiWorker.exe
    Token: SeSecurityPrivilege         4824  TiWorker.exe
    Token: SeBackupPrivilege           4824  TiWorker.exe
    Token: SeRestorePrivilege          4824  TiWorker.exe
    Token: SeSecurityPrivilege         4824  TiWorker.exe
    Token: SeBackupPrivilege           4824  TiWorker.exe
    Token: SeRestorePrivilege          4824  TiWorker.exe
    Token: SeSecurityPrivilege         4824  TiWorker.exe
    Token: SeBackupPrivilege           4824  TiWorker.exe
    Token: SeRestorePrivilege          4824  TiWorker.exe
    Token: SeSecurityPrivilege         4824  TiWorker.exe
    Token: SeBackupPrivilege           4824  TiWorker.exe
    Token: SeRestorePrivilege          4824  TiWorker.exe
    Token: SeSecurityPrivilege         4824  TiWorker.exe
    Token: SeBackupPrivilege           4824  TiWorker.exe
    Token: SeRestorePrivilege          4824  TiWorker.exe
    Token: SeSecurityPrivilege         4824  TiWorker.exe
    Token: SeBackupPrivilege           4824  TiWorker.exe
    Token: SeRestorePrivilege          4824  TiWorker.exe
    Token: SeSecurityPrivilege         4824  TiWorker.exe
    Token: SeBackupPrivilege           4824  TiWorker.exe
    Token: SeRestorePrivilege          4824  TiWorker.exe
    Token: SeSecurityPrivilege         4824  TiWorker.exe
    Token: SeBackupPrivilege           4824  TiWorker.exe
    Token: SeRestorePrivilege          4824  TiWorker.exe
    Token: SeSecurityPrivilege         4824  TiWorker.exe
    Token: SeBackupPrivilege           4824  TiWorker.exe
    Token: SeRestorePrivilege          4824  TiWorker.exe
    Token: SeSecurityPrivilege         4824  TiWorker.exe
    Token: SeBackupPrivilege           4824  TiWorker.exe
    Token: SeRestorePrivilege          4824  TiWorker.exe
    Token: SeSecurityPrivilege         4824  TiWorker.exe
    Token: SeBackupPrivilege           4824  TiWorker.exe
    Token: SeRestorePrivilege          4824  TiWorker.exe
    Token: SeSecurityPrivilege         4824  TiWorker.exe
    Token: SeBackupPrivilege           4824  TiWorker.exe
    Token: SeRestorePrivilege          4824  TiWorker.exe
    Token: SeSecurityPrivilege         4824  TiWorker.exe
    Token: SeBackupPrivilege           4824  TiWorker.exe
    Token: SeRestorePrivilege          4824  TiWorker.exe
    Token: SeSecurityPrivilege         4824  TiWorker.exe
    Token: SeBackupPrivilege           4824  TiWorker.exe
    Token: SeRestorePrivilege          4824  TiWorker.exe
    Token: SeSecurityPrivilege         4824  TiWorker.exe
    Token: SeBackupPrivilege           4824  TiWorker.exe
    Token: SeRestorePrivilege          4824  TiWorker.exe
    Token: SeSecurityPrivilege         4824  TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe, cmd.exe
    description                   pid   process                                                                target process
    PID 3504 wrote to memory of 2848  3504  087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe  MediaCenter.exe
    PID 3504 wrote to memory of 2848  3504  087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe  MediaCenter.exe
    PID 3504 wrote to memory of 2848  3504  087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe  MediaCenter.exe
    PID 3504 wrote to memory of 1352  3504  087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe  cmd.exe
    PID 3504 wrote to memory of 1352  3504  087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe  cmd.exe
    PID 3504 wrote to memory of 1352  3504  087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe  cmd.exe
    PID 1352 wrote to memory of 4032  1352  cmd.exe                                                                PING.EXE
    PID 1352 wrote to memory of 4032  1352  cmd.exe                                                                PING.EXE
    PID 1352 wrote to memory of 4032  1352  cmd.exe                                                                PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3504
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 2848
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1352
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 4032
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4988
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4824
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 8138ea1239dab842cb6586c051bb1fa8
  SHA1: da3e69bce160aca92fe074771ab685a3ccaa2b64
  SHA256: 49a4019228a95aac956f368e45b54789d19b13df1494a69e68cee5430132e9a9
  SHA512: d29599dba17ed9def0cc243eceed2c160e26df71b751057c94c19ceb1e501319fb9bc7359385d63d195c161812ccf7f71466ae22bd5fe6a2dd5a41d917041328
- memory/4988-133-0x0000023750320000-0x0000023750330000-memory.dmp
  Filesize: 64KB
- memory/4988-132-0x000002374FDA0000-0x000002374FDB0000-memory.dmp
  Filesize: 64KB
- memory/4988-134-0x0000023752A20000-0x0000023752A24000-memory.dmp
  Filesize: 16KB