Analysis
max time kernel: 150s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 10:26

Static task: static1
Behavioral task: behavioral1
- Sample: 0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe
- Resource: win10v2004-en-20220113
General
Target: 0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe
Size: 79KB
MD5: 24f601d494ec38f0ada395f99249d05b
SHA1: e93e78d7a15d0d5572c53f41ca6a31b7df4f3ecf
SHA256: 0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f
SHA512: a5fedd7fe6377efc5c8078a843cf068f95ac367a725b6d590791f6a9539be1b8562fc74a8a976b3e41e224f7e118fbcb4f7f722088ab7937779a9ace134e3f3b
Malware Config
Signatures
-
Sakula Payload (2 IoCs)
Two hits of the family_sakula YARA rule, both on the dropped file:
resource                                                        yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
Executes dropped EXE (1 IoC)
pid     process
4524    MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check (the value is the user's configured location, not a GeoIP lookup, so it is cheap to read and needs no network access).
description          ioc                                                                                                          process
Key value queried    \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation    0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description        ioc                                                                                                                                                               process
Set value (str)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"    0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe
This is the machine-wide (HKLM) Run key, so the dropped MediaCenter.exe is started at every interactive logon of any user; the write succeeds because the sandbox runs the sample as the Admin user. The WOW6432Node path shows the sample is a 32-bit process on 64-bit Windows, with WOW64 registry redirection applied.
Drops file in Windows directory (8 IoCs)
All eight writes come from Windows Update (svchost.exe -k netsvcs -s wuauserv, PID 1852) and the servicing stack (TiWorker.exe, PID 4264). Both are top-level processes in the tree below and were not spawned by the sample, so this signature reflects background activity of the analysis VM rather than sample behaviour.
description                     ioc                                                       process
File opened for modification    C:\Windows\WinSxS\pending.xml                             TiWorker.exe
File opened for modification    C:\Windows\WindowsUpdate.log                              svchost.exe
File opened for modification    C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk    svchost.exe
File opened for modification    C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log    svchost.exe
File opened for modification    C:\Windows\SoftwareDistribution\DataStore\DataStore.edb   svchost.exe
File opened for modification    C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm   svchost.exe
File opened for modification    C:\Windows\SoftwareDistribution\ReportingEvents.log       svchost.exe
File opened for modification    C:\Windows\Logs\CBS\CBS.log                               TiWorker.exe
Enumerates physical storage devices (1 TTP)
Generic sandbox heuristic: "attempts to interact with connected storage/optical drive(s); likely ransomware behaviour". No IoC is recorded for it in this report and no file-encryption activity appears anywhere in it; the YARA match identifies the payload as Sakula, a backdoor family, so the ransomware wording is the signature's stock description rather than a finding about this sample.
-
Runs ping.exe (1 TTP, 1 IoC)
The IoC is PING.EXE (PID 1080), launched by cmd.exe as the delay in the sample's self-deletion command (see the process tree below).
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
The 64 entries, grouped by process:
pid     process                                                                   privileges enabled
1852    svchost.exe                                                               SeShutdownPrivilege, SeCreatePagefilePrivilege (alternating, three times each)
4976    0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe    SeIncBasePriorityPrivilege (once)
4264    TiWorker.exe                                                              SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege (all remaining entries, cycled repeatedly)
Only one entry is attributable to the sample: a single SeIncBasePriorityPrivilege adjustment. The backup/restore/security privileges belong to the servicing stack and the shutdown/pagefile privileges to Windows Update, neither of which is in the sample's process tree.
Suspicious use of WriteProcessMemory (9 IoCs)
source pid    source process                                                            target pid    target process    writes
4976          0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe    4524          MediaCenter.exe   3
4976          0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe    2816          cmd.exe           3
2816          cmd.exe                                                                   1080          PING.EXE          3
Every write targets a child the source had just created (see the process tree), which is consistent with ordinary child-process start-up rather than injection; none of the recorded writes targets an unrelated, already-running process, so this signature is not on its own evidence of code injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe (PID 4976)
  command line: "C:\Users\Admin\AppData\Local\Temp\0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 4524)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 2816)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1080)
      command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 1852)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 4264)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample drops and starts MediaCenter.exe, registers it under the Run key, then removes its own file with cmd.exe /c ping 127.0.0.1 & del /q "<sample path>". The ping to the loopback address is only a delay of a few seconds so that the sample process has exited by the time del runs; PING.EXE and cmd.exe do nothing else. The cmd.exe image resolves to SysWOW64 although the command line names System32 because the sample is a 32-bit process and WOW64 file-system redirection maps System32 to SysWOW64 for it, the same mechanism that put its Run key under WOW6432Node. svchost.exe (wuauserv) and TiWorker.exe are separate top-level processes of Windows Update and the servicing stack and are not part of the sample's tree.
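Added detection example (not part of this sandbox report and not the sample's code): a Python script that rebuilds a process tree from constructed Sysmon-style events modelled on the report above and flags the three behaviours the report attributes to the sample, namely the Geo\Nation registry lookup, the Run-key value pointing into the user's Temp directory, and self-deletion through `cmd /c ping 127.0.0.1 & del`. It attributes events to the sample only through its process tree, so the Windows Update and servicing-stack activity (svchost.exe wuauserv, TiWorker.exe) that inflates the signature counts is left out. The event record layout, the rule names and the parent PIDs 700 and 900 used for the OS processes are assumptions; the PIDs, image paths, command lines and registry paths are the ones in the report.

```python
"""Hunt for the behaviours this report attributes to the sample over a
constructed Sysmon-style event stream, scoping rules to the sample's
process tree so that Windows Update noise is not attributed to it."""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
SERVICING = (r"C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35"
             r"_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe")

# Constructed events. PIDs, images, command lines and registry paths come from
# the report; the record layout and the parent PIDs 700/900 are assumptions.
EVENTS = [
    {"type": "process", "pid": 4976, "ppid": 900, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"type": "regquery", "pid": 4976,
     "key": r"HKU\S-1-5-21-1346565761-3498240568-4147300184-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"type": "regset", "pid": 4976,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
    {"type": "process", "pid": 4524, "ppid": 4976, "image": DROPPED, "cmdline": DROPPED},
    {"type": "process", "pid": 2816, "ppid": 4976, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'},
    {"type": "process", "pid": 1080, "ppid": 2816, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Windows Update and servicing-stack activity that overlapped the run.
    {"type": "process", "pid": 1852, "ppid": 700, "image": r"C:\Windows\system32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"},
    {"type": "filewrite", "pid": 1852, "path": r"C:\Windows\WindowsUpdate.log"},
    {"type": "process", "pid": 4264, "ppid": 700, "image": SERVICING,
     "cmdline": SERVICING + " -Embedding"},
    {"type": "filewrite", "pid": 4264, "path": r"C:\Windows\Logs\CBS\CBS.log"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# "ping ... & del [/switches] <path>": the ping is a delay so the parent has
# exited before del runs on it. Group 1 captures the path handed to del.
SELF_DELETE = re.compile(r'\bping\b.*&\s*del\b(?:\s+/\w+)*\s+"?([^"&]+?)"?\s*$', re.I)


def process_tree(events):
    """Map pid -> (ppid, image) from the process-create events."""
    return {e["pid"]: (e["ppid"], e["image"]) for e in events if e["type"] == "process"}


def descendants(events, root):
    """PIDs of root and of everything spawned below it, transitively."""
    tree = process_tree(events)
    scope = {root}
    grew = True
    while grew:  # iterate to a fixed point; trees here are small
        grew = False
        for pid, (ppid, _) in tree.items():
            if ppid in scope and pid not in scope:
                scope.add(pid)
                grew = True
    return scope


def hunt(events, root):
    """Apply the rules only to events raised inside root's process tree."""
    tree = process_tree(events)
    scope = descendants(events, root)
    hits = {"geo_check": [], "run_key_temp": [], "self_delete": []}
    for e in events:
        if e["pid"] not in scope:
            continue  # svchost/TiWorker file writes etc.: not the sample's doing
        if e["type"] == "regquery" and GEO_NATION.search(e["key"]):
            hits["geo_check"].append(e["pid"])
        elif (e["type"] == "regset" and RUN_KEY.search(e["key"])
              and TEMP_DIR.search(e["value"])):
            hits["run_key_temp"].append(e["pid"])
        elif e["type"] == "process":
            m = SELF_DELETE.search(e["cmdline"])
            # Self-deletion: the path handed to del is the parent's own image.
            parent_image = tree.get(e["ppid"], (0, ""))[1]
            if m and m.group(1).strip().lower() == parent_image.lower():
                hits["self_delete"].append(e["pid"])
    return hits


if __name__ == "__main__":
    print("in scope:", sorted(descendants(EVENTS, 4976)))
    print(hunt(EVENTS, 4976))
```

Running the script prints the four PIDs of the sample's tree and one hit per rule, all on the sample (4976) or its cmd.exe child (2816); running hunt against PID 1852 yields nothing, which is the point of scoping by ancestry. With real telemetry the EVENTS list would be fed from Sysmon process-creation (Event ID 1) and registry-value-set (Event ID 13) records plus whatever source logs registry reads, and the self-delete rule generalises to any ping or timeout delay followed by del of the parent's image.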
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5: a3439a98f8c9c994df5d933930673292
SHA1: 51271c98b0b9bb4d8fdf0208be5996498d4288bc
SHA256: 3cd41e4500d412b12b181efac5b3dd02c2d0cd9c21867320400253449e0469e8
SHA512: 1f0cd2b8bc170d49edbb1325eff833b3d1ee7464a669ee6c580e2877c73b5faafb149916c2b2b588636046ea4f1f55e5241ae9971935619698a3c104c42a41a3
Memory dumps (all three are from PID 1852, the Windows Update svchost.exe, not from the sample or its dropped payload):
memory/1852-132-0x0000025D30960000-0x0000025D30970000-memory.dmp: 64KB
memory/1852-133-0x0000025D30F20000-0x0000025D30F30000-memory.dmp: 64KB
memory/1852-134-0x0000025D335B0000-0x0000025D335B4000-memory.dmp: 16KB