Analysis
- max time kernel: 134s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 10:18
Static task: static1
Behavioral task: behavioral1
- Sample: 07a55888572163ca5332c4813a5ee0a1fdc57ac3e003798aff3c3aed1eb6124b.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 07a55888572163ca5332c4813a5ee0a1fdc57ac3e003798aff3c3aed1eb6124b.exe
- Resource: win10v2004-en-20220113
General
- Target: 07a55888572163ca5332c4813a5ee0a1fdc57ac3e003798aff3c3aed1eb6124b.exe
- Size: 150KB
- MD5: dc2c99c636960ebb884d75ac37c5028c
- SHA1: e60348503792d9c4e5e4474f88d50f81b353650d
- SHA256: 07a55888572163ca5332c4813a5ee0a1fdc57ac3e003798aff3c3aed1eb6124b
- SHA512: f63ec438eb215e057540f37c1e92dd607ad8482d2b436ba2b4e5268af51af6fafe88d2a028482a3c10ab7a808952d905048881b965c0e34194cbdd9a77fd98e6
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource / yara_rule):
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  1840 MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (07a55888572163ca5332c4813a5ee0a1fdc57ac3e003798aff3c3aed1eb6124b.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (07a55888572163ca5332c4813a5ee0a1fdc57ac3e003798aff3c3aed1eb6124b.exe)
- Drops file in Windows directory (8 IoCs)
  Processes (description / ioc / process):
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
  File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  File opened for modification: C:\Windows\WindowsUpdate.log (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description / pid / process):
  svchost.exe (PID 4832): Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, alternating, 3 entries each (6 entries)
  07a55888572163ca5332c4813a5ee0a1fdc57ac3e003798aff3c3aed1eb6124b.exe (PID 3708): Token: SeIncBasePriorityPrivilege (1 entry)
  TiWorker.exe (PID 1732): Token: SeSecurityPrivilege, Token: SeRestorePrivilege and Token: SeBackupPrivilege, cycling, 19 entries each (57 entries)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / process / target process):
  PID 3708 wrote to memory of 1840: 07a55888572163ca5332c4813a5ee0a1fdc57ac3e003798aff3c3aed1eb6124b.exe -> MediaCenter.exe (3 entries)
  PID 3708 wrote to memory of 1608: 07a55888572163ca5332c4813a5ee0a1fdc57ac3e003798aff3c3aed1eb6124b.exe -> cmd.exe (3 entries)
  PID 1608 wrote to memory of 2456: cmd.exe -> PING.EXE (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\07a55888572163ca5332c4813a5ee0a1fdc57ac3e003798aff3c3aed1eb6124b.exe (PID 3708)
  Command line: "C:\Users\Admin\AppData\Local\Temp\07a55888572163ca5332c4813a5ee0a1fdc57ac3e003798aff3c3aed1eb6124b.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1840, child of 3708)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1608, child of 3708)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\07a55888572163ca5332c4813a5ee0a1fdc57ac3e003798aff3c3aed1eb6124b.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 2456, child of 1608)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 4832)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 1732)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 9f7e9560a49c9a0e5eed4a79ef85fad4
  SHA1: f191e892bbefeb9f81206ee3c959b65660101cbf
  SHA256: 8f06b1a39eace682aeab7d50f5b0839338244f416048a6e3688dbdd4fae4d249
  SHA512: f4e25c47a1ffc5cde8344f7bda9c1def8e7c7d356bdc4405675a974eebe5e1daf6fcf54360a042dc0a7c80d18d65dc8fbbab55b5cf2c4fba723cda89c1910361
- memory/4832-132-0x000001C87FE20000-0x000001C87FE30000-memory.dmp
  Filesize: 64KB
- memory/4832-133-0x000001C87FE80000-0x000001C87FE90000-memory.dmp
  Filesize: 64KB
- memory/4832-134-0x000001C802530000-0x000001C802534000-memory.dmp
  Filesize: 16KB