Analysis
- max time kernel: 154s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 10:30
Static task: static1
Behavioral task: behavioral1
  Sample: 06fb5176b3f15def9ad5f57dced880f8a5447a6bf02c0505b91948c3d6aca18d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 06fb5176b3f15def9ad5f57dced880f8a5447a6bf02c0505b91948c3d6aca18d.exe
  Resource: win10v2004-en-20220113
General
- Target: 06fb5176b3f15def9ad5f57dced880f8a5447a6bf02c0505b91948c3d6aca18d.exe
- Size: 92KB
- MD5: c3bd1e32dea8240ceb09cd0ecbaa299a
- SHA1: 8dfc315a66d58470b4fc096574c250adc7703632
- SHA256: 06fb5176b3f15def9ad5f57dced880f8a5447a6bf02c0505b91948c3d6aca18d
- SHA512: b4b8a98c8ef4cdaab1303ae3ee5c6808d839543f6762deb8afa4981ae752932fc07923edc399f6da665d4e0087ba795af300484cbf0028069d2af3f74f8154cf
Malware Config
Signatures
- Sakula Payload 2 IoCs
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE 1 IoCs
  Processes:
  pid | process
  532 | MediaCenter.exe
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 06fb5176b3f15def9ad5f57dced880f8a5447a6bf02c0505b91948c3d6aca18d.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 06fb5176b3f15def9ad5f57dced880f8a5447a6bf02c0505b91948c3d6aca18d.exe
- Drops file in Windows directory 8 IoCs
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 64 IoCs
  Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 3964 | svchost.exe
  Token: SeCreatePagefilePrivilege | 3964 | svchost.exe
  Token: SeShutdownPrivilege | 3964 | svchost.exe
  Token: SeCreatePagefilePrivilege | 3964 | svchost.exe
  Token: SeShutdownPrivilege | 3964 | svchost.exe
  Token: SeCreatePagefilePrivilege | 3964 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 1276 | 06fb5176b3f15def9ad5f57dced880f8a5447a6bf02c0505b91948c3d6aca18d.exe
  Token: SeSecurityPrivilege | 1896 | TiWorker.exe
  Token: SeRestorePrivilege | 1896 | TiWorker.exe
  Token: SeBackupPrivilege | 1896 | TiWorker.exe
  Token: SeBackupPrivilege | 1896 | TiWorker.exe
  Token: SeRestorePrivilege | 1896 | TiWorker.exe
  Token: SeSecurityPrivilege | 1896 | TiWorker.exe
  Token: SeBackupPrivilege | 1896 | TiWorker.exe
  Token: SeRestorePrivilege | 1896 | TiWorker.exe
  Token: SeSecurityPrivilege | 1896 | TiWorker.exe
  Token: SeBackupPrivilege | 1896 | TiWorker.exe
  Token: SeRestorePrivilege | 1896 | TiWorker.exe
  Token: SeSecurityPrivilege | 1896 | TiWorker.exe
  Token: SeBackupPrivilege | 1896 | TiWorker.exe
  Token: SeRestorePrivilege | 1896 | TiWorker.exe
  Token: SeSecurityPrivilege | 1896 | TiWorker.exe
  Token: SeBackupPrivilege | 1896 | TiWorker.exe
  Token: SeRestorePrivilege | 1896 | TiWorker.exe
  Token: SeSecurityPrivilege | 1896 | TiWorker.exe
  Token: SeBackupPrivilege | 1896 | TiWorker.exe
  Token: SeRestorePrivilege | 1896 | TiWorker.exe
  Token: SeSecurityPrivilege | 1896 | TiWorker.exe
  Token: SeBackupPrivilege | 1896 | TiWorker.exe
  Token: SeRestorePrivilege | 1896 | TiWorker.exe
  Token: SeSecurityPrivilege | 1896 | TiWorker.exe
  Token: SeBackupPrivilege | 1896 | TiWorker.exe
  Token: SeRestorePrivilege | 1896 | TiWorker.exe
  Token: SeSecurityPrivilege | 1896 | TiWorker.exe
  Token: SeBackupPrivilege | 1896 | TiWorker.exe
  Token: SeRestorePrivilege | 1896 | TiWorker.exe
  Token: SeSecurityPrivilege | 1896 | TiWorker.exe
  Token: SeBackupPrivilege | 1896 | TiWorker.exe
  Token: SeRestorePrivilege | 1896 | TiWorker.exe
  Token: SeSecurityPrivilege | 1896 | TiWorker.exe
  Token: SeBackupPrivilege | 1896 | TiWorker.exe
  Token: SeRestorePrivilege | 1896 | TiWorker.exe
  Token: SeSecurityPrivilege | 1896 | TiWorker.exe
  Token: SeBackupPrivilege | 1896 | TiWorker.exe
  Token: SeRestorePrivilege | 1896 | TiWorker.exe
  Token: SeSecurityPrivilege | 1896 | TiWorker.exe
  Token: SeBackupPrivilege | 1896 | TiWorker.exe
  Token: SeRestorePrivilege | 1896 | TiWorker.exe
  Token: SeSecurityPrivilege | 1896 | TiWorker.exe
  Token: SeBackupPrivilege | 1896 | TiWorker.exe
  Token: SeRestorePrivilege | 1896 | TiWorker.exe
  Token: SeSecurityPrivilege | 1896 | TiWorker.exe
  Token: SeBackupPrivilege | 1896 | TiWorker.exe
  Token: SeRestorePrivilege | 1896 | TiWorker.exe
  Token: SeSecurityPrivilege | 1896 | TiWorker.exe
  Token: SeBackupPrivilege | 1896 | TiWorker.exe
  Token: SeRestorePrivilege | 1896 | TiWorker.exe
  Token: SeSecurityPrivilege | 1896 | TiWorker.exe
  Token: SeBackupPrivilege | 1896 | TiWorker.exe
  Token: SeRestorePrivilege | 1896 | TiWorker.exe
  Token: SeSecurityPrivilege | 1896 | TiWorker.exe
  Token: SeBackupPrivilege | 1896 | TiWorker.exe
  Token: SeRestorePrivilege | 1896 | TiWorker.exe
  Token: SeSecurityPrivilege | 1896 | TiWorker.exe
- Suspicious use of WriteProcessMemory 9 IoCs
  Processes:
  description | pid | process | target process
  PID 1276 wrote to memory of 532 | 1276 | 06fb5176b3f15def9ad5f57dced880f8a5447a6bf02c0505b91948c3d6aca18d.exe | MediaCenter.exe
  PID 1276 wrote to memory of 532 | 1276 | 06fb5176b3f15def9ad5f57dced880f8a5447a6bf02c0505b91948c3d6aca18d.exe | MediaCenter.exe
  PID 1276 wrote to memory of 532 | 1276 | 06fb5176b3f15def9ad5f57dced880f8a5447a6bf02c0505b91948c3d6aca18d.exe | MediaCenter.exe
  PID 1276 wrote to memory of 1088 | 1276 | 06fb5176b3f15def9ad5f57dced880f8a5447a6bf02c0505b91948c3d6aca18d.exe | cmd.exe
  PID 1276 wrote to memory of 1088 | 1276 | 06fb5176b3f15def9ad5f57dced880f8a5447a6bf02c0505b91948c3d6aca18d.exe | cmd.exe
  PID 1276 wrote to memory of 1088 | 1276 | 06fb5176b3f15def9ad5f57dced880f8a5447a6bf02c0505b91948c3d6aca18d.exe | cmd.exe
  PID 1088 wrote to memory of 1344 | 1088 | cmd.exe | PING.EXE
  PID 1088 wrote to memory of 1344 | 1088 | cmd.exe | PING.EXE
  PID 1088 wrote to memory of 1344 | 1088 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\06fb5176b3f15def9ad5f57dced880f8a5447a6bf02c0505b91948c3d6aca18d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06fb5176b3f15def9ad5f57dced880f8a5447a6bf02c0505b91948c3d6aca18d.exe"
  PID: 1276
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 532
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06fb5176b3f15def9ad5f57dced880f8a5447a6bf02c0505b91948c3d6aca18d.exe"
    PID: 1088
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1344
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 3964
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 1896
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 790b3d38a8c373e58bc18e39e9a7a77a
  SHA1: 7534a69103802025d421b7b5bb6f362978f63777
  SHA256: fd03cc1e29b4b45ad187830a01a2958c6a6afc89b4809f4edff3f9db562a25d9
  SHA512: 1f96cfcf506fcd63a28a448b42ec0b272499d5500fb1dc3e1fc97b3c7c4e99504455c89c603047e06b2647191495e15c1a6f2722b8b3fb91a5519dcb823db556
- memory/3964-132-0x0000016E0E420000-0x0000016E0E430000-memory.dmp
  Filesize: 64KB
- memory/3964-133-0x0000016E0E480000-0x0000016E0E490000-memory.dmp
  Filesize: 64KB
- memory/3964-134-0x0000016E10B50000-0x0000016E10B54000-memory.dmp
  Filesize: 16KB