Analysis
- max time kernel: 132s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 10:29
Static task: static1
Behavioral task: behavioral1
  Sample: 0710b6b9d03b25b32badd3b214d195e1780254e50b05e537194e506364da684a.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0710b6b9d03b25b32badd3b214d195e1780254e50b05e537194e506364da684a.exe
  Resource: win10v2004-en-20220113
General
- Target: 0710b6b9d03b25b32badd3b214d195e1780254e50b05e537194e506364da684a.exe
- Size: 192KB
- MD5: 1ba1c919a3dec5e12213a22d225d6d81
- SHA1: 9d37995f35fa24e868ac863399e06dc5dc7f98d0
- SHA256: 0710b6b9d03b25b32badd3b214d195e1780254e50b05e537194e506364da684a
- SHA512: 629a23d013473cc89bd0a677f73a9eed36684ec8787a1a9474d7a96985df7820bf73cfe7eb839d881a638a5a48e161ba7c604bdd0e5aea0861af2da98a7972df
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
    pid | process
    4580 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0710b6b9d03b25b32badd3b214d195e1780254e50b05e537194e506364da684a.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0710b6b9d03b25b32badd3b214d195e1780254e50b05e537194e506364da684a.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
    File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
    File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
    File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description | pid | process | target process
    PID 3904 wrote to memory of 4580 | 3904 | 0710b6b9d03b25b32badd3b214d195e1780254e50b05e537194e506364da684a.exe | MediaCenter.exe
    PID 3904 wrote to memory of 4580 | 3904 | 0710b6b9d03b25b32badd3b214d195e1780254e50b05e537194e506364da684a.exe | MediaCenter.exe
    PID 3904 wrote to memory of 4580 | 3904 | 0710b6b9d03b25b32badd3b214d195e1780254e50b05e537194e506364da684a.exe | MediaCenter.exe
    PID 3904 wrote to memory of 2164 | 3904 | 0710b6b9d03b25b32badd3b214d195e1780254e50b05e537194e506364da684a.exe | cmd.exe
    PID 3904 wrote to memory of 2164 | 3904 | 0710b6b9d03b25b32badd3b214d195e1780254e50b05e537194e506364da684a.exe | cmd.exe
    PID 3904 wrote to memory of 2164 | 3904 | 0710b6b9d03b25b32badd3b214d195e1780254e50b05e537194e506364da684a.exe | cmd.exe
    PID 2164 wrote to memory of 3672 | 2164 | cmd.exe | PING.EXE
    PID 2164 wrote to memory of 3672 | 2164 | cmd.exe | PING.EXE
    PID 2164 wrote to memory of 3672 | 2164 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0710b6b9d03b25b32badd3b214d195e1780254e50b05e537194e506364da684a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0710b6b9d03b25b32badd3b214d195e1780254e50b05e537194e506364da684a.exe"
  PID: 3904
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4580
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0710b6b9d03b25b32badd3b214d195e1780254e50b05e537194e506364da684a.exe"
    PID: 2164
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 3672
      Signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 2404
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 4960
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 153ec236962c83dd507e2f6eeb1cf565
  SHA1: 106ff756a0c24d83c6a8f6aa4e1e2e03a55624b5
  SHA256: d5fd3009015cbcc1567d8688a39dc9db7fb57617c4b1b9b211cff33befef65dc
  SHA512: 2720ee77c9cb930d6d46cbb4d191c2bbc8b4b49bf308a998674ec3c71cc1ae0470eea7cb3568b42928fab25d5aa513fdf3efbbaff78981805bc9e4188fdbf233
- memory/2404-132-0x00000187F5970000-0x00000187F5980000-memory.dmp
  Filesize: 64KB
- memory/2404-133-0x00000187F6020000-0x00000187F6030000-memory.dmp
  Filesize: 64KB
- memory/2404-134-0x00000187F86F0000-0x00000187F86F4000-memory.dmp
  Filesize: 16KB