Analysis
- max time kernel: 131s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 10:29
Static task: static1
Behavioral task: behavioral1
  Sample: 070debefff3c4bb58a5c46cda624f2a5c61688aac065e10db36cc8e508454709.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 070debefff3c4bb58a5c46cda624f2a5c61688aac065e10db36cc8e508454709.exe
  Resource: win10v2004-en-20220113
General
- Target: 070debefff3c4bb58a5c46cda624f2a5c61688aac065e10db36cc8e508454709.exe
- Size: 99KB
- MD5: 7ae7dd73bf0d896d5536798a51d91366
- SHA1: 286cb6b952007c24f9cc0d7928987bc7a6972559
- SHA256: 070debefff3c4bb58a5c46cda624f2a5c61688aac065e10db36cc8e508454709
- SHA512: 0ff80e510a77a4af6b9478803a9fca50e46e896d25b1257f625b73d74fdee19eaa13089791ec6b79104a56a06944fc17b373b4d9b3b16224e14bd47fbac26435
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
  pid | process
  4128 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 070debefff3c4bb58a5c46cda624f2a5c61688aac065e10db36cc8e508454709.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 070debefff3c4bb58a5c46cda624f2a5c61688aac065e10db36cc8e508454709.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 070debefff3c4bb58a5c46cda624f2a5c61688aac065e10db36cc8e508454709.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 070debefff3c4bb58a5c46cda624f2a5c61688aac065e10db36cc8e508454709.exe
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, 070debefff3c4bb58a5c46cda624f2a5c61688aac065e10db36cc8e508454709.exe, TiWorker.exe
  description | pid | process
  Token: SeShutdownPrivilege | 1836 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1836 | svchost.exe
  Token: SeShutdownPrivilege | 1836 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1836 | svchost.exe
  Token: SeShutdownPrivilege | 1836 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1836 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 4292 | 070debefff3c4bb58a5c46cda624f2a5c61688aac065e10db36cc8e508454709.exe
  Token: SeSecurityPrivilege | 3652 | TiWorker.exe
  Token: SeRestorePrivilege | 3652 | TiWorker.exe
  Token: SeBackupPrivilege | 3652 | TiWorker.exe
  Token: SeBackupPrivilege | 3652 | TiWorker.exe
  Token: SeRestorePrivilege | 3652 | TiWorker.exe
  Token: SeSecurityPrivilege | 3652 | TiWorker.exe
  Token: SeBackupPrivilege | 3652 | TiWorker.exe
  Token: SeRestorePrivilege | 3652 | TiWorker.exe
  Token: SeSecurityPrivilege | 3652 | TiWorker.exe
  Token: SeBackupPrivilege | 3652 | TiWorker.exe
  Token: SeRestorePrivilege | 3652 | TiWorker.exe
  Token: SeSecurityPrivilege | 3652 | TiWorker.exe
  Token: SeBackupPrivilege | 3652 | TiWorker.exe
  Token: SeRestorePrivilege | 3652 | TiWorker.exe
  Token: SeSecurityPrivilege | 3652 | TiWorker.exe
  Token: SeBackupPrivilege | 3652 | TiWorker.exe
  Token: SeRestorePrivilege | 3652 | TiWorker.exe
  Token: SeSecurityPrivilege | 3652 | TiWorker.exe
  Token: SeBackupPrivilege | 3652 | TiWorker.exe
  Token: SeRestorePrivilege | 3652 | TiWorker.exe
  Token: SeSecurityPrivilege | 3652 | TiWorker.exe
  Token: SeBackupPrivilege | 3652 | TiWorker.exe
  Token: SeRestorePrivilege | 3652 | TiWorker.exe
  Token: SeSecurityPrivilege | 3652 | TiWorker.exe
  Token: SeBackupPrivilege | 3652 | TiWorker.exe
  Token: SeRestorePrivilege | 3652 | TiWorker.exe
  Token: SeSecurityPrivilege | 3652 | TiWorker.exe
  Token: SeBackupPrivilege | 3652 | TiWorker.exe
  Token: SeRestorePrivilege | 3652 | TiWorker.exe
  Token: SeSecurityPrivilege | 3652 | TiWorker.exe
  Token: SeBackupPrivilege | 3652 | TiWorker.exe
  Token: SeRestorePrivilege | 3652 | TiWorker.exe
  Token: SeSecurityPrivilege | 3652 | TiWorker.exe
  Token: SeBackupPrivilege | 3652 | TiWorker.exe
  Token: SeRestorePrivilege | 3652 | TiWorker.exe
  Token: SeSecurityPrivilege | 3652 | TiWorker.exe
  Token: SeBackupPrivilege | 3652 | TiWorker.exe
  Token: SeRestorePrivilege | 3652 | TiWorker.exe
  Token: SeSecurityPrivilege | 3652 | TiWorker.exe
  Token: SeBackupPrivilege | 3652 | TiWorker.exe
  Token: SeRestorePrivilege | 3652 | TiWorker.exe
  Token: SeSecurityPrivilege | 3652 | TiWorker.exe
  Token: SeBackupPrivilege | 3652 | TiWorker.exe
  Token: SeRestorePrivilege | 3652 | TiWorker.exe
  Token: SeSecurityPrivilege | 3652 | TiWorker.exe
  Token: SeBackupPrivilege | 3652 | TiWorker.exe
  Token: SeRestorePrivilege | 3652 | TiWorker.exe
  Token: SeSecurityPrivilege | 3652 | TiWorker.exe
  Token: SeBackupPrivilege | 3652 | TiWorker.exe
  Token: SeRestorePrivilege | 3652 | TiWorker.exe
  Token: SeSecurityPrivilege | 3652 | TiWorker.exe
  Token: SeBackupPrivilege | 3652 | TiWorker.exe
  Token: SeRestorePrivilege | 3652 | TiWorker.exe
  Token: SeSecurityPrivilege | 3652 | TiWorker.exe
  Token: SeBackupPrivilege | 3652 | TiWorker.exe
  Token: SeRestorePrivilege | 3652 | TiWorker.exe
  Token: SeSecurityPrivilege | 3652 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 070debefff3c4bb58a5c46cda624f2a5c61688aac065e10db36cc8e508454709.exe, cmd.exe
  description | pid | process | target process
  PID 4292 wrote to memory of 4128 | 4292 | 070debefff3c4bb58a5c46cda624f2a5c61688aac065e10db36cc8e508454709.exe | MediaCenter.exe
  PID 4292 wrote to memory of 4128 | 4292 | 070debefff3c4bb58a5c46cda624f2a5c61688aac065e10db36cc8e508454709.exe | MediaCenter.exe
  PID 4292 wrote to memory of 4128 | 4292 | 070debefff3c4bb58a5c46cda624f2a5c61688aac065e10db36cc8e508454709.exe | MediaCenter.exe
  PID 4292 wrote to memory of 4448 | 4292 | 070debefff3c4bb58a5c46cda624f2a5c61688aac065e10db36cc8e508454709.exe | cmd.exe
  PID 4292 wrote to memory of 4448 | 4292 | 070debefff3c4bb58a5c46cda624f2a5c61688aac065e10db36cc8e508454709.exe | cmd.exe
  PID 4292 wrote to memory of 4448 | 4292 | 070debefff3c4bb58a5c46cda624f2a5c61688aac065e10db36cc8e508454709.exe | cmd.exe
  PID 4448 wrote to memory of 3104 | 4448 | cmd.exe | PING.EXE
  PID 4448 wrote to memory of 3104 | 4448 | cmd.exe | PING.EXE
  PID 4448 wrote to memory of 3104 | 4448 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\070debefff3c4bb58a5c46cda624f2a5c61688aac065e10db36cc8e508454709.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\070debefff3c4bb58a5c46cda624f2a5c61688aac065e10db36cc8e508454709.exe"
  PID: 4292
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4128
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\070debefff3c4bb58a5c46cda624f2a5c61688aac065e10db36cc8e508454709.exe"
    PID: 4448
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 3104
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 1836
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3652
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: eaa771e587276a4c4bb2586f141a43eb
  SHA1: a8b3395c56daf34715415e80f7ecd1c2afc1ba96
  SHA256: 0add897bcd5a79d9641b691b9e8915418c88d9ad5cd004c39687af94eeecc07b
  SHA512: 580a65a916d4cf0837047c4d824d277fae83de70e489bee2f0831de2d8bfef7103dcb66d6db116b1dfdfda73c6f891a499d9137e8713341a170004818985bde3
- memory/1836-133-0x000001FDF2180000-0x000001FDF2190000-memory.dmp
  Filesize: 64KB
- memory/1836-132-0x000001FDF2120000-0x000001FDF2130000-memory.dmp
  Filesize: 64KB
- memory/1836-134-0x000001FDF4860000-0x000001FDF4864000-memory.dmp
  Filesize: 16KB