Analysis
Max time kernel: 157s
Max time network: 164s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220113
Submitted: 12-02-2022 10:18
Static task: static1
Behavioral task: behavioral1
  Sample: 07a16c6ffa9aa2ee78191217a9ef62bbf330326633be76aa80985f65143781bf.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 07a16c6ffa9aa2ee78191217a9ef62bbf330326633be76aa80985f65143781bf.exe
  Resource: win10v2004-en-20220113
General
Target: 07a16c6ffa9aa2ee78191217a9ef62bbf330326633be76aa80985f65143781bf.exe
Size: 89KB
MD5: fac263bf397ebdf16e922a763f5e372e
SHA1: b7499e0d72e91a69008c8bd5fe8a292a59cabfb3
SHA256: 07a16c6ffa9aa2ee78191217a9ef62bbf330326633be76aa80985f65143781bf
SHA512: 7fda852217510d3b0a258778daaad898494d7e563478fa5ba8fc2948c5a55d7fe9a75ea8e1bfa15f596b4885b71458f2286df87ed2ccba67e63d7717f9ce854c
Malware Config
Signatures

Sakula Payload (2 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE (1 IoC)
Processes:
pid | process
1488 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 07a16c6ffa9aa2ee78191217a9ef62bbf330326633be76aa80985f65143781bf.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 07a16c6ffa9aa2ee78191217a9ef62bbf330326633be76aa80985f65143781bf.exe
Drops file in Windows directory (8 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
description | pid | process
Token: SeShutdownPrivilege | 3160 | svchost.exe
Token: SeCreatePagefilePrivilege | 3160 | svchost.exe
Token: SeShutdownPrivilege | 3160 | svchost.exe
Token: SeCreatePagefilePrivilege | 3160 | svchost.exe
Token: SeShutdownPrivilege | 3160 | svchost.exe
Token: SeCreatePagefilePrivilege | 3160 | svchost.exe
Token: SeSecurityPrivilege | 2824 | TiWorker.exe
Token: SeRestorePrivilege | 2824 | TiWorker.exe
Token: SeBackupPrivilege | 2824 | TiWorker.exe
Token: SeBackupPrivilege | 2824 | TiWorker.exe
Token: SeRestorePrivilege | 2824 | TiWorker.exe
Token: SeSecurityPrivilege | 2824 | TiWorker.exe
Token: SeBackupPrivilege | 2824 | TiWorker.exe
Token: SeRestorePrivilege | 2824 | TiWorker.exe
Token: SeSecurityPrivilege | 2824 | TiWorker.exe
Token: SeBackupPrivilege | 2824 | TiWorker.exe
Token: SeRestorePrivilege | 2824 | TiWorker.exe
Token: SeSecurityPrivilege | 2824 | TiWorker.exe
Token: SeBackupPrivilege | 2824 | TiWorker.exe
Token: SeRestorePrivilege | 2824 | TiWorker.exe
Token: SeSecurityPrivilege | 2824 | TiWorker.exe
Token: SeBackupPrivilege | 2824 | TiWorker.exe
Token: SeRestorePrivilege | 2824 | TiWorker.exe
Token: SeSecurityPrivilege | 2824 | TiWorker.exe
Token: SeBackupPrivilege | 2824 | TiWorker.exe
Token: SeRestorePrivilege | 2824 | TiWorker.exe
Token: SeSecurityPrivilege | 2824 | TiWorker.exe
Token: SeBackupPrivilege | 2824 | TiWorker.exe
Token: SeRestorePrivilege | 2824 | TiWorker.exe
Token: SeSecurityPrivilege | 2824 | TiWorker.exe
Token: SeBackupPrivilege | 2824 | TiWorker.exe
Token: SeRestorePrivilege | 2824 | TiWorker.exe
Token: SeSecurityPrivilege | 2824 | TiWorker.exe
Token: SeBackupPrivilege | 2824 | TiWorker.exe
Token: SeRestorePrivilege | 2824 | TiWorker.exe
Token: SeSecurityPrivilege | 2824 | TiWorker.exe
Token: SeBackupPrivilege | 2824 | TiWorker.exe
Token: SeRestorePrivilege | 2824 | TiWorker.exe
Token: SeSecurityPrivilege | 2824 | TiWorker.exe
Token: SeBackupPrivilege | 2824 | TiWorker.exe
Token: SeRestorePrivilege | 2824 | TiWorker.exe
Token: SeSecurityPrivilege | 2824 | TiWorker.exe
Token: SeBackupPrivilege | 2824 | TiWorker.exe
Token: SeRestorePrivilege | 2824 | TiWorker.exe
Token: SeSecurityPrivilege | 2824 | TiWorker.exe
Token: SeBackupPrivilege | 2824 | TiWorker.exe
Token: SeRestorePrivilege | 2824 | TiWorker.exe
Token: SeSecurityPrivilege | 2824 | TiWorker.exe
Token: SeBackupPrivilege | 2824 | TiWorker.exe
Token: SeRestorePrivilege | 2824 | TiWorker.exe
Token: SeSecurityPrivilege | 2824 | TiWorker.exe
Token: SeBackupPrivilege | 2824 | TiWorker.exe
Token: SeRestorePrivilege | 2824 | TiWorker.exe
Token: SeSecurityPrivilege | 2824 | TiWorker.exe
Token: SeBackupPrivilege | 2824 | TiWorker.exe
Token: SeRestorePrivilege | 2824 | TiWorker.exe
Token: SeSecurityPrivilege | 2824 | TiWorker.exe
Token: SeBackupPrivilege | 2824 | TiWorker.exe
Token: SeRestorePrivilege | 2824 | TiWorker.exe
Token: SeSecurityPrivilege | 2824 | TiWorker.exe
Token: SeBackupPrivilege | 2824 | TiWorker.exe
Token: SeRestorePrivilege | 2824 | TiWorker.exe
Token: SeSecurityPrivilege | 2824 | TiWorker.exe
Token: SeBackupPrivilege | 2824 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 3316 wrote to memory of 1488 | 3316 | 07a16c6ffa9aa2ee78191217a9ef62bbf330326633be76aa80985f65143781bf.exe | MediaCenter.exe
PID 3316 wrote to memory of 1488 | 3316 | 07a16c6ffa9aa2ee78191217a9ef62bbf330326633be76aa80985f65143781bf.exe | MediaCenter.exe
PID 3316 wrote to memory of 1488 | 3316 | 07a16c6ffa9aa2ee78191217a9ef62bbf330326633be76aa80985f65143781bf.exe | MediaCenter.exe
PID 3316 wrote to memory of 4896 | 3316 | 07a16c6ffa9aa2ee78191217a9ef62bbf330326633be76aa80985f65143781bf.exe | cmd.exe
PID 3316 wrote to memory of 4896 | 3316 | 07a16c6ffa9aa2ee78191217a9ef62bbf330326633be76aa80985f65143781bf.exe | cmd.exe
PID 3316 wrote to memory of 4896 | 3316 | 07a16c6ffa9aa2ee78191217a9ef62bbf330326633be76aa80985f65143781bf.exe | cmd.exe
PID 4896 wrote to memory of 972 | 4896 | cmd.exe | PING.EXE
PID 4896 wrote to memory of 972 | 4896 | cmd.exe | PING.EXE
PID 4896 wrote to memory of 972 | 4896 | cmd.exe | PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\07a16c6ffa9aa2ee78191217a9ef62bbf330326633be76aa80985f65143781bf.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\07a16c6ffa9aa2ee78191217a9ef62bbf330326633be76aa80985f65143781bf.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 3316

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1488

  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\07a16c6ffa9aa2ee78191217a9ef62bbf330326633be76aa80985f65143781bf.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4896

    C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 972

C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3160

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (depth 1)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2824
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 14f46c1d362307c78f6eedc34c86cf11
  SHA1: 609930a34ab290413bb4c553abb7da12dce35073
  SHA256: c02be1c565e96b79feec1904411cd1181100f7ebfde5861860c724d95cdcade4
  SHA512: e7d64a97b8ee58a1f7d18abe533ad2b39722bd43b87b8509ab61e0e8865f9de805580faab7bbdd8850154703f5b77a04c14c08408a371b82ea585ff2c72751a0
memory/3160-132-0x000001D536D40000-0x000001D536D50000-memory.dmp
  Filesize: 64KB

memory/3160-133-0x000001D536DA0000-0x000001D536DB0000-memory.dmp
  Filesize: 64KB

memory/3160-134-0x000001D539AC0000-0x000001D539AC4000-memory.dmp
  Filesize: 16KB