Analysis
- max time kernel: 161s
- max time network: 177s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 10:56
Static task: static1
Behavioral task: behavioral1
- Sample: 05b822600da280dc6f936c67dbf3dad848ea4721947a6e9e7db3acf712294ae5.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 05b822600da280dc6f936c67dbf3dad848ea4721947a6e9e7db3acf712294ae5.exe
- Resource: win10v2004-en-20220113
General
- Target: 05b822600da280dc6f936c67dbf3dad848ea4721947a6e9e7db3acf712294ae5.exe
- Size: 191KB
- MD5: cb7912d0ba73a0db67f06935fe84cc69
- SHA1: fdb3263bdc1f8428983d68714f93e4ec649da7a3
- SHA256: 05b822600da280dc6f936c67dbf3dad848ea4721947a6e9e7db3acf712294ae5
- SHA512: 5ee2e79b6165e25d780407727e16e788485f7d6d88fe697bb8fc6f104bad6148afd8c1d4df0e1f89c6171f7727b64829286a232a76ba926fd165108802a52e09
Malware Config
Signatures
- Sakula Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE 1 IoCs
Processes:
pid | process
1604 | MediaCenter.exe
- Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 05b822600da280dc6f936c67dbf3dad848ea4721947a6e9e7db3acf712294ae5.exe
- Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 05b822600da280dc6f936c67dbf3dad848ea4721947a6e9e7db3acf712294ae5.exe
- Drops file in Windows directory 8 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
- Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 3628 | 05b822600da280dc6f936c67dbf3dad848ea4721947a6e9e7db3acf712294ae5.exe
Token: SeShutdownPrivilege | 3692 | svchost.exe
Token: SeCreatePagefilePrivilege | 3692 | svchost.exe
Token: SeShutdownPrivilege | 3692 | svchost.exe
Token: SeCreatePagefilePrivilege | 3692 | svchost.exe
Token: SeShutdownPrivilege | 3692 | svchost.exe
Token: SeCreatePagefilePrivilege | 3692 | svchost.exe
Token: SeSecurityPrivilege | 1440 | TiWorker.exe
Token: SeRestorePrivilege | 1440 | TiWorker.exe
Token: SeBackupPrivilege | 1440 | TiWorker.exe
Token: SeBackupPrivilege | 1440 | TiWorker.exe
Token: SeRestorePrivilege | 1440 | TiWorker.exe
Token: SeSecurityPrivilege | 1440 | TiWorker.exe
Token: SeBackupPrivilege | 1440 | TiWorker.exe
Token: SeRestorePrivilege | 1440 | TiWorker.exe
Token: SeSecurityPrivilege | 1440 | TiWorker.exe
Token: SeBackupPrivilege | 1440 | TiWorker.exe
Token: SeRestorePrivilege | 1440 | TiWorker.exe
Token: SeSecurityPrivilege | 1440 | TiWorker.exe
Token: SeBackupPrivilege | 1440 | TiWorker.exe
Token: SeRestorePrivilege | 1440 | TiWorker.exe
Token: SeSecurityPrivilege | 1440 | TiWorker.exe
Token: SeBackupPrivilege | 1440 | TiWorker.exe
Token: SeRestorePrivilege | 1440 | TiWorker.exe
Token: SeSecurityPrivilege | 1440 | TiWorker.exe
Token: SeBackupPrivilege | 1440 | TiWorker.exe
Token: SeRestorePrivilege | 1440 | TiWorker.exe
Token: SeSecurityPrivilege | 1440 | TiWorker.exe
Token: SeBackupPrivilege | 1440 | TiWorker.exe
Token: SeRestorePrivilege | 1440 | TiWorker.exe
Token: SeSecurityPrivilege | 1440 | TiWorker.exe
Token: SeBackupPrivilege | 1440 | TiWorker.exe
Token: SeRestorePrivilege | 1440 | TiWorker.exe
Token: SeSecurityPrivilege | 1440 | TiWorker.exe
Token: SeBackupPrivilege | 1440 | TiWorker.exe
Token: SeRestorePrivilege | 1440 | TiWorker.exe
Token: SeSecurityPrivilege | 1440 | TiWorker.exe
Token: SeBackupPrivilege | 1440 | TiWorker.exe
Token: SeRestorePrivilege | 1440 | TiWorker.exe
Token: SeSecurityPrivilege | 1440 | TiWorker.exe
Token: SeBackupPrivilege | 1440 | TiWorker.exe
Token: SeRestorePrivilege | 1440 | TiWorker.exe
Token: SeSecurityPrivilege | 1440 | TiWorker.exe
Token: SeBackupPrivilege | 1440 | TiWorker.exe
Token: SeRestorePrivilege | 1440 | TiWorker.exe
Token: SeSecurityPrivilege | 1440 | TiWorker.exe
Token: SeBackupPrivilege | 1440 | TiWorker.exe
Token: SeRestorePrivilege | 1440 | TiWorker.exe
Token: SeSecurityPrivilege | 1440 | TiWorker.exe
Token: SeBackupPrivilege | 1440 | TiWorker.exe
Token: SeRestorePrivilege | 1440 | TiWorker.exe
Token: SeSecurityPrivilege | 1440 | TiWorker.exe
Token: SeBackupPrivilege | 1440 | TiWorker.exe
Token: SeRestorePrivilege | 1440 | TiWorker.exe
Token: SeSecurityPrivilege | 1440 | TiWorker.exe
Token: SeBackupPrivilege | 1440 | TiWorker.exe
Token: SeRestorePrivilege | 1440 | TiWorker.exe
Token: SeSecurityPrivilege | 1440 | TiWorker.exe
Token: SeBackupPrivilege | 1440 | TiWorker.exe
Token: SeRestorePrivilege | 1440 | TiWorker.exe
Token: SeSecurityPrivilege | 1440 | TiWorker.exe
Token: SeBackupPrivilege | 1440 | TiWorker.exe
Token: SeRestorePrivilege | 1440 | TiWorker.exe
Token: SeSecurityPrivilege | 1440 | TiWorker.exe
- Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 3628 wrote to memory of 1604 | 3628 | 05b822600da280dc6f936c67dbf3dad848ea4721947a6e9e7db3acf712294ae5.exe | MediaCenter.exe
PID 3628 wrote to memory of 1604 | 3628 | 05b822600da280dc6f936c67dbf3dad848ea4721947a6e9e7db3acf712294ae5.exe | MediaCenter.exe
PID 3628 wrote to memory of 1604 | 3628 | 05b822600da280dc6f936c67dbf3dad848ea4721947a6e9e7db3acf712294ae5.exe | MediaCenter.exe
PID 3628 wrote to memory of 4484 | 3628 | 05b822600da280dc6f936c67dbf3dad848ea4721947a6e9e7db3acf712294ae5.exe | cmd.exe
PID 3628 wrote to memory of 4484 | 3628 | 05b822600da280dc6f936c67dbf3dad848ea4721947a6e9e7db3acf712294ae5.exe | cmd.exe
PID 3628 wrote to memory of 4484 | 3628 | 05b822600da280dc6f936c67dbf3dad848ea4721947a6e9e7db3acf712294ae5.exe | cmd.exe
PID 4484 wrote to memory of 4524 | 4484 | cmd.exe | PING.EXE
PID 4484 wrote to memory of 4524 | 4484 | cmd.exe | PING.EXE
PID 4484 wrote to memory of 4524 | 4484 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\05b822600da280dc6f936c67dbf3dad848ea4721947a6e9e7db3acf712294ae5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\05b822600da280dc6f936c67dbf3dad848ea4721947a6e9e7db3acf712294ae5.exe"
  PID: 3628
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1604
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\05b822600da280dc6f936c67dbf3dad848ea4721947a6e9e7db3acf712294ae5.exe"
    PID: 4484
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 4524
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 3692
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 1440
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 3d0aca7419edfa0023826a735bc79f64
  SHA1: b5f00643c9372f54f2264ea07e0a6b5d83d34881
  SHA256: ee7715b506198b82398f2edf12f366ce4f4f33e7aca4abd8f618523928a5450c
  SHA512: 113c3cf0e94e889745f095e4f5cb05ea2263e2e10821def5031af08e15fbb27015ea221db7b9c24d1c766e685aa2c060343a1461d2644b92265361cce4bd8474
- memory/3692-132-0x000001CC31A70000-0x000001CC31A80000-memory.dmp
  Filesize: 64KB
- memory/3692-133-0x000001CC31AD0000-0x000001CC31AE0000-memory.dmp
  Filesize: 64KB
- memory/3692-134-0x000001CC341A0000-0x000001CC341A4000-memory.dmp
  Filesize: 16KB