Analysis
- max time kernel: 151s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 10:39

Static task: static1

Behavioral task behavioral1
- Sample: 068990133b37649cfd4b6ee2bf8235a1a7a638e180f2087cdc806415dc866801.exe
- Resource: win7-en-20211208

Behavioral task behavioral2
- Sample: 068990133b37649cfd4b6ee2bf8235a1a7a638e180f2087cdc806415dc866801.exe
- Resource: win10v2004-en-20220113

General
- Target: 068990133b37649cfd4b6ee2bf8235a1a7a638e180f2087cdc806415dc866801.exe
- Size: 80KB
- MD5: 51b22f6a1aad9dff22dea50e74d0d3da
- SHA1: 9b3006d6ca2fea91832abe9c3de319bf57a7e890
- SHA256: 068990133b37649cfd4b6ee2bf8235a1a7a638e180f2087cdc806415dc866801
- SHA512: d1e10d3a64a3addc45d05d5dc50ea7eac291cbe4829aaef6d3cad1a58afac95cb972a968f44190ef031abac6ddec99cbaad9d5617bbd4417a86d4cdb6b5eb344
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource                                                       yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
-
Executes dropped EXE 1 IoCs
Processes:
pid    process
2752   MediaCenter.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  process: 068990133b37649cfd4b6ee2bf8235a1a7a638e180f2087cdc806415dc866801.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 068990133b37649cfd4b6ee2bf8235a1a7a638e180f2087cdc806415dc866801.exe
The WOW6432Node path is the 32-bit registry view: the sample is a 32-bit process (its cmd.exe child runs from SysWOW64), so its write to HKLM\...\CurrentVersion\Run is redirected there. When checking a 64-bit host, query that view (for example reg query with /reg:32) as well as the native Run key, and treat any Run value pointing into a user's AppData\Local\Temp as suspect.
-
Drops file in Windows directory 8 IoCs
Processes:
- TiWorker.exe: File opened for modification C:\Windows\WinSxS\pending.xml
- svchost.exe: File opened for modification C:\Windows\WindowsUpdate.log
- svchost.exe: File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
- svchost.exe: File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
- svchost.exe: File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
- svchost.exe: File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm
- svchost.exe: File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log
- TiWorker.exe: File opened for modification C:\Windows\Logs\CBS\CBS.log
All eight writes come from the Windows Update service host (svchost.exe -s wuauserv, PID 3284) and the servicing stack worker (TiWorker.exe, PID 4144), not from the sample or its dropped payload; this is background activity of the analysis VM.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature adds "likely ransomware behaviour", but that does not fit this run: the dropped payload matches the Sakula backdoor rule above and no file encryption is observed.
-
Runs ping.exe 1 TTPs 1 IoCs
ping 127.0.0.1 is launched by the sample's cmd.exe child as a short delay before cmd.exe deletes the original sample file (see the Processes tree); no remote host is contacted.
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
pid    process                                                                  privilege
3284   svchost.exe                                                              SeShutdownPrivilege, SeCreatePagefilePrivilege (the pair adjusted 3 times: 6 rows)
2664   068990133b37649cfd4b6ee2bf8235a1a7a638e180f2087cdc806415dc866801.exe     SeIncBasePriorityPrivilege (1 row)
4144   TiWorker.exe                                                             SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege, then the cycle SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege repeated 18 times (57 rows)
Only one of the 64 rows belongs to the sample (PID 2664 enabling SeIncBasePriorityPrivilege); the remaining 63 are the Windows Update service and the servicing stack worker taking backup/restore/security privileges, which would appear in an idle VM as well.
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
- PID 2664 wrote to memory of 2752: 068990133b37649cfd4b6ee2bf8235a1a7a638e180f2087cdc806415dc866801.exe -> MediaCenter.exe
- PID 2664 wrote to memory of 2752: 068990133b37649cfd4b6ee2bf8235a1a7a638e180f2087cdc806415dc866801.exe -> MediaCenter.exe
- PID 2664 wrote to memory of 2752: 068990133b37649cfd4b6ee2bf8235a1a7a638e180f2087cdc806415dc866801.exe -> MediaCenter.exe
- PID 2664 wrote to memory of 1668: 068990133b37649cfd4b6ee2bf8235a1a7a638e180f2087cdc806415dc866801.exe -> cmd.exe
- PID 2664 wrote to memory of 1668: 068990133b37649cfd4b6ee2bf8235a1a7a638e180f2087cdc806415dc866801.exe -> cmd.exe
- PID 2664 wrote to memory of 1668: 068990133b37649cfd4b6ee2bf8235a1a7a638e180f2087cdc806415dc866801.exe -> cmd.exe
- PID 1668 wrote to memory of 1432: cmd.exe -> PING.EXE
- PID 1668 wrote to memory of 1432: cmd.exe -> PING.EXE
- PID 1668 wrote to memory of 1432: cmd.exe -> PING.EXE
Every target is a child the writer had just created (see the Processes tree), which is what ordinary process creation looks like in this sandbox; there is no write into a pre-existing process, so this is not evidence of injection.
Processes
-
C:\Users\Admin\AppData\Local\Temp\068990133b37649cfd4b6ee2bf8235a1a7a638e180f2087cdc806415dc866801.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\068990133b37649cfd4b6ee2bf8235a1a7a638e180f2087cdc806415dc866801.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2664
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 2752
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\068990133b37649cfd4b6ee2bf8235a1a7a638e180f2087cdc806415dc866801.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1668
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1432
-
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3284
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4144
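The three behaviours the report attributes to the sample itself (a Run value pointing into the user's Temp directory, a cmd.exe child that pings localhost and then deletes the parent's own image, and the Geo\Nation registry read) are easy to turn into host-side detection logic. The following is an added example, not code from the sandbox or from the sample; the events are constructed from the rows of this report in a Sysmon-like shape (Image, ParentProcessId, CommandLine, TargetObject, Details) and are not real telemetry. The rules generalise past this one sample: any Run value into AppData\Local\Temp and any cmd.exe that deletes its parent's image are flagged, and the Windows Update background processes from the same run are included to show they do not fire.

```python
import re

# Constructed events mirroring the rows of the report above. They are not
# sandbox telemetry; field names follow Sysmon (Image, ParentProcessId,
# CommandLine, TargetObject, Details) so the rules port to EDR/SIEM data.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\068990133b37649cfd4b6ee2bf8235a1a7a638e180f2087cdc806415dc866801.exe")
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

PROCESS_EVENTS = [  # shaped like Sysmon event 1 (ProcessCreate)
    {"ProcessId": 2664, "ParentProcessId": 1000, "Image": SAMPLE,
     "CommandLine": f'"{SAMPLE}"'},
    {"ProcessId": 2752, "ParentProcessId": 2664, "Image": PAYLOAD,
     "CommandLine": PAYLOAD},
    # 32-bit parent: the image on disk is SysWOW64\cmd.exe although the
    # command line names System32 (WOW64 file-system redirection).
    {"ProcessId": 1668, "ParentProcessId": 2664,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"ProcessId": 1432, "ParentProcessId": 1668,
     "Image": r"C:\Windows\SysWOW64\PING.EXE", "CommandLine": "ping 127.0.0.1"},
    # Windows Update background activity from the same run; must not fire.
    {"ProcessId": 3284, "ParentProcessId": 800,
     "Image": r"C:\Windows\system32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"},
]

REGISTRY_EVENTS = [
    # shaped like Sysmon event 13 (RegistryEvent, value set)
    {"ProcessId": 2664, "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": PAYLOAD},
    # Value reads are not logged by Sysmon at all; this row stands in for the
    # sandbox's API trace ("Key value queried") and on a live host needs a
    # source such as an EDR registry hook or an ETW registry provider.
    {"ProcessId": 2664, "EventType": "QueryValue",
     "TargetObject": r"HKU\S-1-5-21-1346565761-3498240568-4147300184-1000"
                     r"\Control Panel\International\Geo\Nation", "Details": ""},
]

RUN_VALUE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.I)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# "del [/flags] <target>": the target is either a quoted path or a bare token
DEL_TARGET = re.compile(r'\bdel\b(?:\s+/\w+)*\s+(?:"([^"]+)"|(\S+))', re.I)
PING_DELAY = re.compile(r"\bping(?:\.exe)?\b[^&]*\b(?:127\.0\.0\.1|localhost)\b", re.I)


def detect_temp_autorun(reg_events):
    """Run-key values whose target lives under a user-writable Temp directory.

    Matches the native Run key and the WOW6432Node view a 32-bit writer lands in.
    Returns (writer pid, value name, target path).
    """
    hits = []
    for ev in reg_events:
        if ev["EventType"] != "SetValue":
            continue
        m = RUN_VALUE.search(ev["TargetObject"])
        if m and USER_TEMP.search(ev["Details"]):
            hits.append((ev["ProcessId"], m.group(1), ev["Details"]))
    return hits


def detect_self_delete(proc_events):
    """cmd.exe whose 'del' target is the image of the process that spawned it.

    Returns (cmd pid, parent pid, deleted image, ping used as a delay).
    """
    by_pid = {ev["ProcessId"]: ev for ev in proc_events}
    hits = []
    for ev in proc_events:
        if ev["Image"].lower().rsplit("\\", 1)[-1] != "cmd.exe":
            continue
        m = DEL_TARGET.search(ev["CommandLine"])
        parent = by_pid.get(ev["ParentProcessId"])
        if not (m and parent):
            continue
        target = (m.group(1) or m.group(2)).strip().lower()
        if target == parent["Image"].lower():
            hits.append((ev["ProcessId"], parent["ProcessId"], parent["Image"],
                         bool(PING_DELAY.search(ev["CommandLine"]))))
    return hits


def detect_geo_check(reg_events):
    """PIDs that read the Geo\\Nation value (country-code geofencing)."""
    return [ev["ProcessId"] for ev in reg_events
            if ev["EventType"] == "QueryValue" and GEO_NATION.search(ev["TargetObject"])]


def triage(proc_events, reg_events):
    """Run all three rules and group the hits by rule name."""
    return {"temp_autorun": detect_temp_autorun(reg_events),
            "self_delete": detect_self_delete(proc_events),
            "geo_check": detect_geo_check(reg_events)}


if __name__ == "__main__":
    for rule, hits in triage(PROCESS_EVENTS, REGISTRY_EVENTS).items():
        print(f"{rule}: {hits}")
```

The self-delete rule keys on the parent/child relationship rather than on the literal "ping 127.0.0.1 & del" string, so a variant that uses timeout.exe or a different delay still matches as long as the deleted path is the parent's image; the ping idiom is reported as a flag rather than required. The geofence rule only works where value reads are captured, which Sysmon does not do.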
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
- MD5: 910b7d0c08a8562fa99a580188b31a1b
- SHA1: cbb3bd890ef5ac4d48d43b64602dd5fa9068545f
- SHA256: 9eca210f8408f98df54a8ed585babec81d4bda64800dfbfc83302e8ca3df3bf4
- SHA512: 3090f42c7c501d35bfb5bf2e8d0e5408da35025f8517811df6c8aadcd77829f7e7af5ed3dd570ce5111a6b433f5e18559c4a3e0a5744e0caa732278b9123f4bb
-
-
memory/3284-132-0x000001EE73960000-0x000001EE73970000-memory.dmp (Filesize 64KB)
-
memory/3284-133-0x000001EE73F20000-0x000001EE73F30000-memory.dmp (Filesize 64KB)
-
memory/3284-134-0x000001EE765C0000-0x000001EE765C4000-memory.dmp (Filesize 16KB)
All three dumps are regions of PID 3284, the Windows Update svchost.exe, not of the sample (PID 2664) or the dropped MediaCenter.exe (PID 2752); the hashed file above is the only sample-derived artifact in this section.