Analysis
- max time kernel: 143s
- max time network: 171s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 11:10
Static task: static1
Behavioral task: behavioral1
- Sample: 052646bd886c96b4d66a98fb4777898a73e3f2caea6cd0e5a1a59d199a9d407f.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 052646bd886c96b4d66a98fb4777898a73e3f2caea6cd0e5a1a59d199a9d407f.exe
- Resource: win10v2004-en-20220113
General
- Target: 052646bd886c96b4d66a98fb4777898a73e3f2caea6cd0e5a1a59d199a9d407f.exe
- Size: 99KB
- MD5: 4ccc3f7c5dbb03a10d9e305ac34784b8
- SHA1: eaf8f84094446fc06368baa2bde0d6386114eb60
- SHA256: 052646bd886c96b4d66a98fb4777898a73e3f2caea6cd0e5a1a59d199a9d407f
- SHA512: 884c62d7f4e6f854661699c3af3f52ddda2cc90283cc8871abf1d32736b9b7b6bd2dbea000a9b6ae38255b6acbd682e6d76d439da04a16cca1d7da2e1373e3cb
Malware Config
Signatures
- Sakula Payload 2 IoCs
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE 1 IoCs
  Processes:
  pid | process
  4392 | MediaCenter.exe
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 052646bd886c96b4d66a98fb4777898a73e3f2caea6cd0e5a1a59d199a9d407f.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 052646bd886c96b4d66a98fb4777898a73e3f2caea6cd0e5a1a59d199a9d407f.exe
- Drops file in Windows directory 8 IoCs
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 64 IoCs
  Processes (identical rows collapsed, with the number of occurrences in the last column; 64 in total):
  description | pid | process | count
  Token: SeShutdownPrivilege | 1348 | svchost.exe | 3
  Token: SeCreatePagefilePrivilege | 1348 | svchost.exe | 3
  Token: SeIncBasePriorityPrivilege | 1860 | 052646bd886c96b4d66a98fb4777898a73e3f2caea6cd0e5a1a59d199a9d407f.exe | 1
  Token: SeSecurityPrivilege | 5088 | TiWorker.exe | 19
  Token: SeRestorePrivilege | 5088 | TiWorker.exe | 19
  Token: SeBackupPrivilege | 5088 | TiWorker.exe | 19
- Suspicious use of WriteProcessMemory 9 IoCs
  Processes:
  description | pid | process | target process
  PID 1860 wrote to memory of 4392 | 1860 | 052646bd886c96b4d66a98fb4777898a73e3f2caea6cd0e5a1a59d199a9d407f.exe | MediaCenter.exe
  PID 1860 wrote to memory of 4392 | 1860 | 052646bd886c96b4d66a98fb4777898a73e3f2caea6cd0e5a1a59d199a9d407f.exe | MediaCenter.exe
  PID 1860 wrote to memory of 4392 | 1860 | 052646bd886c96b4d66a98fb4777898a73e3f2caea6cd0e5a1a59d199a9d407f.exe | MediaCenter.exe
  PID 1860 wrote to memory of 3688 | 1860 | 052646bd886c96b4d66a98fb4777898a73e3f2caea6cd0e5a1a59d199a9d407f.exe | cmd.exe
  PID 1860 wrote to memory of 3688 | 1860 | 052646bd886c96b4d66a98fb4777898a73e3f2caea6cd0e5a1a59d199a9d407f.exe | cmd.exe
  PID 1860 wrote to memory of 3688 | 1860 | 052646bd886c96b4d66a98fb4777898a73e3f2caea6cd0e5a1a59d199a9d407f.exe | cmd.exe
  PID 3688 wrote to memory of 632 | 3688 | cmd.exe | PING.EXE
  PID 3688 wrote to memory of 632 | 3688 | cmd.exe | PING.EXE
  PID 3688 wrote to memory of 632 | 3688 | cmd.exe | PING.EXE
Processes
- Process: C:\Users\Admin\AppData\Local\Temp\052646bd886c96b4d66a98fb4777898a73e3f2caea6cd0e5a1a59d199a9d407f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\052646bd886c96b4d66a98fb4777898a73e3f2caea6cd0e5a1a59d199a9d407f.exe"
  Signatures:
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  PID: 1860
  - Child process: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures:
      - Executes dropped EXE
    PID: 4392
  - Child process: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\052646bd886c96b4d66a98fb4777898a73e3f2caea6cd0e5a1a59d199a9d407f.exe"
    Signatures:
      - Suspicious use of WriteProcessMemory
    PID: 3688
    - Child process: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Signatures:
        - Runs ping.exe
      PID: 632
- Process: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures:
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
  PID: 1348
- Process: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures:
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
  PID: 5088
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 6fe97fe1a0817d602cafad16db17f0dc
  SHA1: 55d5e94b1d1e8e96adc9762ed95b176ccd89bc6b
  SHA256: fd25001ee9b4ebfc738b594e4ab2eaf0d85855c2eacdc40dca040180cb7e7027
  SHA512: e9d1a6a3d26e3a5e81df3cfaa210fcd0cda0d874c111b14afe18384bce7491deefda4f72335e3aac734ada777909de0e58c467d5c5fb11cf0e7adf4c36dee921
- memory/1348-132-0x00000229FD330000-0x00000229FD340000-memory.dmp
  Filesize: 64KB
- memory/1348-133-0x00000229FD390000-0x00000229FD3A0000-memory.dmp
  Filesize: 64KB
- memory/1348-134-0x00000229800D0000-0x00000229800D4000-memory.dmp
  Filesize: 16KB