Analysis
- max time kernel: 133s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 10:40
Static task: static1
Behavioral task: behavioral1
  Sample: 0681105d45273bfde077466179087bd7dec39959918d1f5d73f97a52408371eb.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0681105d45273bfde077466179087bd7dec39959918d1f5d73f97a52408371eb.exe
  Resource: win10v2004-en-20220113
General
- Target: 0681105d45273bfde077466179087bd7dec39959918d1f5d73f97a52408371eb.exe
- Size: 92KB
- MD5: d06664afe61192c8c9f5c4d3fe7fee2e
- SHA1: e89771d99b30b4fbf95e058a2720d5d8add77e9f
- SHA256: 0681105d45273bfde077466179087bd7dec39959918d1f5d73f97a52408371eb
- SHA512: dbc46512b3634d7f1a75dee5e2ba47ebd3c2547e790620f0ba9607aabd17759afe5243620f6ea085f57628cc5c57c84b1a65454aaf09215d9571b598b3c77fa4
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
  resource                                                       yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
-
Executes dropped EXE 1 IoCs
Processes:
  pid    process
  3808   MediaCenter.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description         ioc                                                                                                   process
  Key value queried   \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation   0681105d45273bfde077466179087bd7dec39959918d1f5d73f97a52408371eb.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description       ioc                                                                                                                                                                         process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   0681105d45273bfde077466179087bd7dec39959918d1f5d73f97a52408371eb.exe
-
Drops file in Windows directory 8 IoCs
Processes:
  description                    ioc                                                          process
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log       svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.edb      svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm      svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\ReportingEvents.log          svchost.exe
  File opened for modification   C:\Windows\Logs\CBS\CBS.log                                  TiWorker.exe
  File opened for modification   C:\Windows\WinSxS\pending.xml                                TiWorker.exe
  File opened for modification   C:\Windows\WindowsUpdate.log                                 svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk       svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (distinct entries; the report lists 64 in total, most of them repeats of the rows below):
  description                         pid    process
  Token: SeShutdownPrivilege          1684   svchost.exe
  Token: SeCreatePagefilePrivilege    1684   svchost.exe
  Token: SeIncBasePriorityPrivilege   3392   0681105d45273bfde077466179087bd7dec39959918d1f5d73f97a52408371eb.exe
  Token: SeSecurityPrivilege          1424   TiWorker.exe
  Token: SeRestorePrivilege           1424   TiWorker.exe
  Token: SeBackupPrivilege            1424   TiWorker.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  description                    pid    process                                                                 target process
  PID 3392 wrote to memory of 3808   3392   0681105d45273bfde077466179087bd7dec39959918d1f5d73f97a52408371eb.exe   MediaCenter.exe
  PID 3392 wrote to memory of 3808   3392   0681105d45273bfde077466179087bd7dec39959918d1f5d73f97a52408371eb.exe   MediaCenter.exe
  PID 3392 wrote to memory of 3808   3392   0681105d45273bfde077466179087bd7dec39959918d1f5d73f97a52408371eb.exe   MediaCenter.exe
  PID 3392 wrote to memory of 4016   3392   0681105d45273bfde077466179087bd7dec39959918d1f5d73f97a52408371eb.exe   cmd.exe
  PID 3392 wrote to memory of 4016   3392   0681105d45273bfde077466179087bd7dec39959918d1f5d73f97a52408371eb.exe   cmd.exe
  PID 3392 wrote to memory of 4016   3392   0681105d45273bfde077466179087bd7dec39959918d1f5d73f97a52408371eb.exe   cmd.exe
  PID 4016 wrote to memory of 640    4016   cmd.exe                                                                 PING.EXE
  PID 4016 wrote to memory of 640    4016   cmd.exe                                                                 PING.EXE
  PID 4016 wrote to memory of 640    4016   cmd.exe                                                                 PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0681105d45273bfde077466179087bd7dec39959918d1f5d73f97a52408371eb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0681105d45273bfde077466179087bd7dec39959918d1f5d73f97a52408371eb.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3392
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 3808
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0681105d45273bfde077466179087bd7dec39959918d1f5d73f97a52408371eb.exe"
      - Suspicious use of WriteProcessMemory
      PID: 4016
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          - Runs ping.exe
          PID: 640
-
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1684
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1424
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: c65e675ed0b75a64ef7aea629fe56314
  SHA1: 7980bf0035f25b1884b84094c941cebbfa939a1c
  SHA256: 72bf4df7d38c0e426a2b710d4233ff696cfb55baba45ee79491c84afa7132343
  SHA512: 720a2b1dc1c4a5f312003c70a4fb43080ab092f4bec44234cfb84432109b66c90bd178ffb4185f4cd835864f1a0b40e39b95db2d9896e8b0fe37d6f4d2ac265c
-
memory/1684-132-0x0000020047980000-0x0000020047990000-memory.dmp
  Filesize: 64KB
-
memory/1684-133-0x0000020048020000-0x0000020048030000-memory.dmp
  Filesize: 64KB
-
memory/1684-134-0x000002004A700000-0x000002004A704000-memory.dmp
  Filesize: 16KB