Analysis
- max time kernel: 138s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 10:37

Static task: static1

Behavioral task: behavioral1
- Sample: 06b0c4340beefc65ae38863aaa65e762e5631eb57ab384c7e6c7191db82b6345.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 06b0c4340beefc65ae38863aaa65e762e5631eb57ab384c7e6c7191db82b6345.exe
- Resource: win10v2004-en-20220113
General
- Target: 06b0c4340beefc65ae38863aaa65e762e5631eb57ab384c7e6c7191db82b6345.exe
- Size: 108KB
- MD5: cea627589a0385370789953ff8a9d341
- SHA1: 9f75c2713786b030cb083bfa37af8a7ed7f90457
- SHA256: 06b0c4340beefc65ae38863aaa65e762e5631eb57ab384c7e6c7191db82b6345
- SHA512: f19497b97d4d7c675672daa2ad7d5cd44730936606b93a2ae897d724611aa4464eaaeab14656566fb9f0d27efd60f6810542e72d0b0eb5426d2cd9bcc9cefa83
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  840 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 06b0c4340beefc65ae38863aaa65e762e5631eb57ab384c7e6c7191db82b6345.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 06b0c4340beefc65ae38863aaa65e762e5631eb57ab384c7e6c7191db82b6345.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 2508 | svchost.exe
  Token: SeCreatePagefilePrivilege | 2508 | svchost.exe
  Token: SeShutdownPrivilege | 2508 | svchost.exe
  Token: SeCreatePagefilePrivilege | 2508 | svchost.exe
  Token: SeShutdownPrivilege | 2508 | svchost.exe
  Token: SeCreatePagefilePrivilege | 2508 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 4472 | 06b0c4340beefc65ae38863aaa65e762e5631eb57ab384c7e6c7191db82b6345.exe
  Token: SeSecurityPrivilege | 1372 | TiWorker.exe
  Token: SeRestorePrivilege | 1372 | TiWorker.exe
  Token: SeBackupPrivilege | 1372 | TiWorker.exe
  Token: SeBackupPrivilege | 1372 | TiWorker.exe
  Token: SeRestorePrivilege | 1372 | TiWorker.exe
  Token: SeSecurityPrivilege | 1372 | TiWorker.exe
  Token: SeBackupPrivilege | 1372 | TiWorker.exe
  Token: SeRestorePrivilege | 1372 | TiWorker.exe
  Token: SeSecurityPrivilege | 1372 | TiWorker.exe
  Token: SeBackupPrivilege | 1372 | TiWorker.exe
  Token: SeRestorePrivilege | 1372 | TiWorker.exe
  Token: SeSecurityPrivilege | 1372 | TiWorker.exe
  Token: SeBackupPrivilege | 1372 | TiWorker.exe
  Token: SeRestorePrivilege | 1372 | TiWorker.exe
  Token: SeSecurityPrivilege | 1372 | TiWorker.exe
  Token: SeBackupPrivilege | 1372 | TiWorker.exe
  Token: SeRestorePrivilege | 1372 | TiWorker.exe
  Token: SeSecurityPrivilege | 1372 | TiWorker.exe
  Token: SeBackupPrivilege | 1372 | TiWorker.exe
  Token: SeRestorePrivilege | 1372 | TiWorker.exe
  Token: SeSecurityPrivilege | 1372 | TiWorker.exe
  Token: SeBackupPrivilege | 1372 | TiWorker.exe
  Token: SeRestorePrivilege | 1372 | TiWorker.exe
  Token: SeSecurityPrivilege | 1372 | TiWorker.exe
  Token: SeBackupPrivilege | 1372 | TiWorker.exe
  Token: SeRestorePrivilege | 1372 | TiWorker.exe
  Token: SeSecurityPrivilege | 1372 | TiWorker.exe
  Token: SeBackupPrivilege | 1372 | TiWorker.exe
  Token: SeRestorePrivilege | 1372 | TiWorker.exe
  Token: SeSecurityPrivilege | 1372 | TiWorker.exe
  Token: SeBackupPrivilege | 1372 | TiWorker.exe
  Token: SeRestorePrivilege | 1372 | TiWorker.exe
  Token: SeSecurityPrivilege | 1372 | TiWorker.exe
  Token: SeBackupPrivilege | 1372 | TiWorker.exe
  Token: SeRestorePrivilege | 1372 | TiWorker.exe
  Token: SeSecurityPrivilege | 1372 | TiWorker.exe
  Token: SeBackupPrivilege | 1372 | TiWorker.exe
  Token: SeRestorePrivilege | 1372 | TiWorker.exe
  Token: SeSecurityPrivilege | 1372 | TiWorker.exe
  Token: SeBackupPrivilege | 1372 | TiWorker.exe
  Token: SeRestorePrivilege | 1372 | TiWorker.exe
  Token: SeSecurityPrivilege | 1372 | TiWorker.exe
  Token: SeBackupPrivilege | 1372 | TiWorker.exe
  Token: SeRestorePrivilege | 1372 | TiWorker.exe
  Token: SeSecurityPrivilege | 1372 | TiWorker.exe
  Token: SeBackupPrivilege | 1372 | TiWorker.exe
  Token: SeRestorePrivilege | 1372 | TiWorker.exe
  Token: SeSecurityPrivilege | 1372 | TiWorker.exe
  Token: SeBackupPrivilege | 1372 | TiWorker.exe
  Token: SeRestorePrivilege | 1372 | TiWorker.exe
  Token: SeSecurityPrivilege | 1372 | TiWorker.exe
  Token: SeBackupPrivilege | 1372 | TiWorker.exe
  Token: SeRestorePrivilege | 1372 | TiWorker.exe
  Token: SeSecurityPrivilege | 1372 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid process | target process
  PID 4472 wrote to memory of 840 | 4472 06b0c4340beefc65ae38863aaa65e762e5631eb57ab384c7e6c7191db82b6345.exe | MediaCenter.exe
  PID 4472 wrote to memory of 840 | 4472 06b0c4340beefc65ae38863aaa65e762e5631eb57ab384c7e6c7191db82b6345.exe | MediaCenter.exe
  PID 4472 wrote to memory of 840 | 4472 06b0c4340beefc65ae38863aaa65e762e5631eb57ab384c7e6c7191db82b6345.exe | MediaCenter.exe
  PID 4472 wrote to memory of 3712 | 4472 06b0c4340beefc65ae38863aaa65e762e5631eb57ab384c7e6c7191db82b6345.exe | cmd.exe
  PID 4472 wrote to memory of 3712 | 4472 06b0c4340beefc65ae38863aaa65e762e5631eb57ab384c7e6c7191db82b6345.exe | cmd.exe
  PID 4472 wrote to memory of 3712 | 4472 06b0c4340beefc65ae38863aaa65e762e5631eb57ab384c7e6c7191db82b6345.exe | cmd.exe
  PID 3712 wrote to memory of 788 | 3712 cmd.exe | PING.EXE
  PID 3712 wrote to memory of 788 | 3712 cmd.exe | PING.EXE
  PID 3712 wrote to memory of 788 | 3712 cmd.exe | PING.EXE
Processes
- Path: C:\Users\Admin\AppData\Local\Temp\06b0c4340beefc65ae38863aaa65e762e5631eb57ab384c7e6c7191db82b6345.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06b0c4340beefc65ae38863aaa65e762e5631eb57ab384c7e6c7191db82b6345.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4472
  - Path: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 840
  - Path: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06b0c4340beefc65ae38863aaa65e762e5631eb57ab384c7e6c7191db82b6345.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3712
    - Path: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 788
- Path: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2508
- Path: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1372
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: dd7ae29e98cfec59f9eef9e49cb4c8c9
  SHA1: 930e6a3d5431c919f909b3b4028a84d044dcdefd
  SHA256: 6c174a72314a8aaafa55fb2e54458000516d9d99fe35907fa37a64f7a51e301a
  SHA512: e05e80ba90685f0a2aa4a8b70ec6b21bffa818bf98deb0b9a5d12a577fa29127bb6bb7114e7cd84cb226e911eb8c6044a21d0434c67b81cdb1e999a6ed71b156
- memory/2508-132-0x000001790C960000-0x000001790C970000-memory.dmp
  Filesize: 64KB
- memory/2508-133-0x000001790CF20000-0x000001790CF30000-memory.dmp
  Filesize: 64KB
- memory/2508-134-0x000001790F5B0000-0x000001790F5B4000-memory.dmp
  Filesize: 16KB