Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 10:16

The platform and resource lines show that the process IDs, IoCs and memory dumps below come from the Windows 10 2004 run (behavioral2); the Windows 7 task (behavioral1) is listed but its results are not part of this page.

Static task: static1
Behavioral task: behavioral1
- Sample: 07ae46c589157873d2af28597fc3b47d533b038dcf724050c5dc836abea3cbf9.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 07ae46c589157873d2af28597fc3b47d533b038dcf724050c5dc836abea3cbf9.exe
- Resource: win10v2004-en-20220113

General
- Target: 07ae46c589157873d2af28597fc3b47d533b038dcf724050c5dc836abea3cbf9.exe
- Size: 192KB
- MD5: f599dcd61069136dd22681dd8224cfcc
- SHA1: 6c68720289f78169ac6b9146dc1c083df26c149f
- SHA256: 07ae46c589157873d2af28597fc3b47d533b038dcf724050c5dc836abea3cbf9
- SHA512: 62d89fbcdd7a3d1111175f400adda856f217aa6c4acb2ca85f1fc08c1e8f7eceaff24516f112a7d3cdc6fb78043d9fcaa6c0a593a5abffa90bcad4127542a34c
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  yara_rule family_sakula matched C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (the same dropped file accounts for both IoCs)
- Executes dropped EXE (1 IoC)
  PID 4460 MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation by 07ae46c589157873d2af28597fc3b47d533b038dcf724050c5dc836abea3cbf9.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" by 07ae46c589157873d2af28597fc3b47d533b038dcf724050c5dc836abea3cbf9.exe
  The WOW6432Node path shows a 32-bit process wrote the key (registry redirection on x64 Windows). The value points at the dropped payload in the user's Temp directory rather than at a system location, which is the detail worth keying a hunt on.
- Drops file in Windows directory (8 IoCs)
  File opened for modification:
  C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
  C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  C:\Windows\WindowsUpdate.log (svchost.exe)
  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  All eight writes come from the Windows Update service host (svchost.exe, PID 4740) and the Windows Modules Installer worker (TiWorker.exe, PID 4300), not from the sample or MediaCenter.exe. They are background servicing activity in the sandbox image and should not be attributed to the malware.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  That sentence is the sandbox's generic description for this signature. No process IoC is attached to it in this report and no file encryption is recorded, so it should not be read as ransomware activity on its own; the family match above is Sakula.
- Runs ping.exe (1 TTP, 1 IoC)
  PID 4928 PING.EXE, spawned by cmd.exe as part of the "ping 127.0.0.1 & del /q" chain listed under Processes.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeShutdownPrivilege, SeCreatePagefilePrivilege (PID 4740 svchost.exe, repeated)
  Token: SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege (PID 4300 TiWorker.exe, repeated)
  Every one of the 64 entries belongs to svchost.exe (wuauserv) or TiWorker.exe. Neither the sample (PID 2668) nor MediaCenter.exe (PID 4460) adjusts token privileges in this run.
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2668 07ae46c589157873d2af28597fc3b47d533b038dcf724050c5dc836abea3cbf9.exe wrote to memory of 4460 MediaCenter.exe (3 entries)
  PID 2668 07ae46c589157873d2af28597fc3b47d533b038dcf724050c5dc836abea3cbf9.exe wrote to memory of 2252 cmd.exe (3 entries)
  PID 2252 cmd.exe wrote to memory of 4928 PING.EXE (3 entries)
  Each target is a direct child that the writer had just started (compare the process tree below). That is the write pattern of ordinary process creation, not injection into an unrelated process, so this signature adds nothing beyond the tree itself.
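The two registry IoCs above (a Run value pointing into the user's Temp directory, and a Geo\Nation lookup) are the kind of thing a detection rule can key on. The following is an added example, not part of the sandbox report or of any vendor's tooling: it runs detection logic over constructed Sysmon-style registry records built from the exact paths in the report, plus one benign control record. The field names "type", "image", "target" and "details", the severity labels and the benign setup.exe record are this example's own assumptions.

```python
"""Detection logic for the two registry IoCs in the signatures above.

Added example, not part of the sandbox report. It runs over constructed
Sysmon-style registry records (the "type", "image", "target" and "details"
field names are this example's own) built from the paths the report shows,
plus one benign control record.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Autostart values under Run/RunOnce, native or WOW6432Node, HKLM or HKCU.
RUN_KEY_RE = re.compile(
    r"\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\",
    re.IGNORECASE,
)

# Paths an unprivileged user can write to. An autostart entry pointing here
# (as the MicroMedia value does) is far more suspicious than one under
# Program Files or System32.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\(?:Local\\Temp|Local|Roaming)\\", re.IGNORECASE
)

# The country-code lookup the sandbox flags as a probable geofence.
GEO_NATION_RE = re.compile(
    r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE
)


def _unquote(details: str) -> str:
    """Strip the surrounding quotes and the doubled backslashes the report shows."""
    return details.strip().strip('"').replace("\\\\", "\\")


def analyse_registry_events(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (severity, message) pairs; an empty list means nothing matched."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        key = ev.get("target", "")
        proc = ev.get("image", "?")
        if ev.get("type") == "SetValue" and RUN_KEY_RE.search(key):
            target = _unquote(ev.get("details", ""))
            if USER_WRITABLE_RE.search(target):
                findings.append(("high", f"{proc}: Run-key persistence to user-writable path {target} ({key})"))
            else:
                findings.append(("medium", f"{proc}: Run-key value set {key} -> {target}"))
        elif ev.get("type") == "QueryValue" and GEO_NATION_RE.search(key):
            findings.append(("low", f"{proc}: queried Geo\\Nation, possible geofence check"))
    return findings


# Constructed records reproducing the report's two registry IoCs, plus a
# benign control (an installer registering an updater under Program Files).
SAMPLE_EVENTS = [
    {
        "type": "QueryValue",
        "image": "07ae46c589157873d2af28597fc3b47d533b038dcf724050c5dc836abea3cbf9.exe",
        "target": r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation",
    },
    {
        "type": "SetValue",
        "image": "07ae46c589157873d2af28597fc3b47d533b038dcf724050c5dc836abea3cbf9.exe",
        "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
        "details": r'"C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"',
    },
    {
        "type": "SetValue",
        "image": "setup.exe",  # assumed benign control, not from the report
        "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
        "details": r'"C:\\Program Files\\Vendor\\updater.exe"',
    },
]

if __name__ == "__main__":
    for severity, message in analyse_registry_events(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

The Geo\Nation query is reported at low severity on purpose: plenty of legitimate software reads it, and it only becomes interesting alongside the Run-key write from the same process, which is how the report's process tree presents it.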
Processes
- C:\Users\Admin\AppData\Local\Temp\07ae46c589157873d2af28597fc3b47d533b038dcf724050c5dc836abea3cbf9.exe (PID 2668)
  Command line: "C:\Users\Admin\AppData\Local\Temp\07ae46c589157873d2af28597fc3b47d533b038dcf724050c5dc836abea3cbf9.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 4460)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 2252)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\07ae46c589157873d2af28597fc3b47d533b038dcf724050c5dc836abea3cbf9.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 4928)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 4740)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 4300)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

The cmd.exe branch is the sample's self-removal: ping 127.0.0.1 (no -n, so the default four echo requests) keeps the shell busy for a few seconds while the parent exits, then del /q removes the original executable. The dropped payload MediaCenter.exe and its Run key remain, so the on-disk artefact to collect from a victim is MediaCenter.exe, not the submitted file. The logged image is C:\Windows\SysWOW64\cmd.exe although the command line names System32 because the 32-bit sample is subject to file-system redirection. The svchost.exe (wuauserv, Windows Update) and TiWorker.exe (servicing stack) trees are separate roots, not descendants of the sample.
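The "cmd /c ping 127.0.0.1 & del /q <own path>" chain is generic enough to detect on its own. The following is an added example, not part of the sandbox report: it runs over constructed process-creation records (pid, parent pid, image, command line, the same fields a Sysmon Event ID 1 feed provides) that mirror the tree above, and flags a cmd.exe that pings and then deletes, marking the hit as a self-delete when the deleted path is the image of the process that spawned the shell. PIDs and paths come from the report; the sample's parent PID (1000) and the two control records (PIDs 5001 and 5002) are this example's own assumptions.

```python
"""Detection of the ping-then-delete self-removal chain in the process tree above.

Added example, not part of the sandbox report. Input is a list of constructed
process-creation records; the sample's parent PID (1000) and the two control
records are assumptions, everything else is taken from the report.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str      # full path of the executable image
    cmdline: str    # command line as logged


# cmd.exe invoked with /c, a ping (the delay), and a del/erase with its target.
CMD_C_RE = re.compile(r'(?:^|\\)cmd(?:\.exe)?"?\s+/c\s', re.IGNORECASE)
PING_RE = re.compile(r"\bping(?:\.exe)?\b", re.IGNORECASE)
DEL_RE = re.compile(
    r'\b(?:del|erase)\b(?:\s+/[a-z])*\s+"?([^"&|]+?)"?\s*(?:&|\||$)', re.IGNORECASE
)


def find_self_delete(procs: List[Proc]) -> List[Dict[str, object]]:
    """Return one hit per cmd.exe that pings and then deletes a file.

    self_delete is True when the deleted path is the image of the process
    that spawned the shell, which is exactly the pattern in the report.
    """
    by_pid = {p.pid: p for p in procs}
    hits: List[Dict[str, object]] = []
    for p in procs:
        if not (CMD_C_RE.search(p.cmdline) and PING_RE.search(p.cmdline)):
            continue
        m = DEL_RE.search(p.cmdline)
        if not m:
            continue  # ping without a delete: a plain connectivity check
        target = m.group(1).strip()
        parent: Optional[Proc] = by_pid.get(p.ppid)
        hits.append({
            "cmd_pid": p.pid,
            "parent_pid": p.ppid,
            "parent_image": parent.image if parent else None,
            "deleted": target,
            "self_delete": parent is not None and target.lower() == parent.image.lower(),
        })
    return hits


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\07ae46c589157873d2af28597fc3b47d533b038dcf724050c5dc836abea3cbf9.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed records mirroring the report's tree (PIDs 2668, 4460, 2252, 4928),
# plus two controls: a ping with no delete, and a delete of some other file.
SAMPLE_PROCS = [
    Proc(2668, 1000, SAMPLE, f'"{SAMPLE}"'),  # 1000 is an assumed explorer.exe PID
    Proc(4460, 2668, PAYLOAD, PAYLOAD),
    Proc(2252, 2668, r"C:\Windows\SysWOW64\cmd.exe",
         f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    Proc(4928, 2252, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    Proc(5001, 1000, r"C:\Windows\System32\cmd.exe",
         '"C:\\Windows\\System32\\cmd.exe" /c ping 10.0.0.1 -n 2'),
    Proc(5002, 2668, r"C:\Windows\SysWOW64\cmd.exe",
         '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 -n 3 & del /f /q "C:\\Users\\Admin\\AppData\\Local\\Temp\\stage.tmp"'),
]

if __name__ == "__main__":
    for hit in find_self_delete(SAMPLE_PROCS):
        print(hit)
```

Matching on the parent's image rather than on the literal string "127.0.0.1" is deliberate: the delay host and the -n count vary between samples, while deleting the spawning process's own executable does not.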
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 1a5fa33a82fbd15338726aab7fc28ba8
  SHA1: dfca4e1215145a1a290db68b173a201517be5fb2
  SHA256: 33f0bd3742dbae31c842b85b1e9b99ef37b876de924911999a22c179bd3c151a
  SHA512: ea63339b1e626413ccd513474041172f58a3f6d6abcbf3ee64cca11e60a24212b5f71c22695c46bd3caf416e5a9f148e68d949bfe2ac13d12d7dc7e5c83d2384
- memory/4740-132-0x000002BBB1730000-0x000002BBB1740000-memory.dmp, Filesize: 64KB
- memory/4740-133-0x000002BBB1790000-0x000002BBB17A0000-memory.dmp, Filesize: 64KB
- memory/4740-134-0x000002BBB44A0000-0x000002BBB44A4000-memory.dmp, Filesize: 16KB

MediaCenter.exe hashes differently from the submitted file (MD5 f599dcd61069136dd22681dd8224cfcc), so it is a distinct dropped payload rather than a copy of the dropper, and it is the file the family_sakula rule matched. The three memory dumps were taken from PID 4740, which is the Windows Update svchost.exe, not the sample or MediaCenter.exe; no dump of PID 2668 or 4460 is included in this report.