Analysis

max time kernel: 145s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 10:54

Static task: static1

Behavioral task: behavioral1
Sample: 05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe
Resource: win10v2004-en-20220113
General

Target: 05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe
Size: 100KB
MD5: ce2ac0eca54a6a9e61a5a0584e43158c
SHA1: 1708f300d31ad2b65d865e715c306646b08f5587
SHA256: 05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3
SHA512: 00ba903ee26ceda173aaf82a2f4f66e9dce3a858d57399d6679466d7ddcd44331b42f31a9763e2dd570325dfa85ca397f64aed3fb85f4487cdd9a22d933586bb
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes: MediaCenter.exe
  resource                                                       yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula

- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
  pid   process
  3348  MediaCenter.exe

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe
  description        ioc                                                                                                  process
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe
  description      ioc                                                                                                                                                                              process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe

- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
  description                   ioc                                                       process
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log      svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log                              TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml                            TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log                             svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk   svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log   svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  svchost.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Runs ping.exe (1 TTPs, 1 IoCs)

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, 05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe, TiWorker.exe
  description                        pid   process
  Token: SeShutdownPrivilege         4296  svchost.exe
  Token: SeCreatePagefilePrivilege   4296  svchost.exe
  Token: SeShutdownPrivilege         4296  svchost.exe
  Token: SeCreatePagefilePrivilege   4296  svchost.exe
  Token: SeShutdownPrivilege         4296  svchost.exe
  Token: SeCreatePagefilePrivilege   4296  svchost.exe
  Token: SeIncBasePriorityPrivilege  2780  05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe
  Token: SeSecurityPrivilege         1336  TiWorker.exe
  Token: SeRestorePrivilege          1336  TiWorker.exe
  Token: SeBackupPrivilege           1336  TiWorker.exe
  Token: SeBackupPrivilege           1336  TiWorker.exe
  Token: SeRestorePrivilege          1336  TiWorker.exe
  Token: SeSecurityPrivilege         1336  TiWorker.exe
  Token: SeBackupPrivilege           1336  TiWorker.exe
  Token: SeRestorePrivilege          1336  TiWorker.exe
  Token: SeSecurityPrivilege         1336  TiWorker.exe
  Token: SeBackupPrivilege           1336  TiWorker.exe
  Token: SeRestorePrivilege          1336  TiWorker.exe
  Token: SeSecurityPrivilege         1336  TiWorker.exe
  Token: SeBackupPrivilege           1336  TiWorker.exe
  Token: SeRestorePrivilege          1336  TiWorker.exe
  Token: SeSecurityPrivilege         1336  TiWorker.exe
  Token: SeBackupPrivilege           1336  TiWorker.exe
  Token: SeRestorePrivilege          1336  TiWorker.exe
  Token: SeSecurityPrivilege         1336  TiWorker.exe
  Token: SeBackupPrivilege           1336  TiWorker.exe
  Token: SeRestorePrivilege          1336  TiWorker.exe
  Token: SeSecurityPrivilege         1336  TiWorker.exe
  Token: SeBackupPrivilege           1336  TiWorker.exe
  Token: SeRestorePrivilege          1336  TiWorker.exe
  Token: SeSecurityPrivilege         1336  TiWorker.exe
  Token: SeBackupPrivilege           1336  TiWorker.exe
  Token: SeRestorePrivilege          1336  TiWorker.exe
  Token: SeSecurityPrivilege         1336  TiWorker.exe
  Token: SeBackupPrivilege           1336  TiWorker.exe
  Token: SeRestorePrivilege          1336  TiWorker.exe
  Token: SeSecurityPrivilege         1336  TiWorker.exe
  Token: SeBackupPrivilege           1336  TiWorker.exe
  Token: SeRestorePrivilege          1336  TiWorker.exe
  Token: SeSecurityPrivilege         1336  TiWorker.exe
  Token: SeBackupPrivilege           1336  TiWorker.exe
  Token: SeRestorePrivilege          1336  TiWorker.exe
  Token: SeSecurityPrivilege         1336  TiWorker.exe
  Token: SeBackupPrivilege           1336  TiWorker.exe
  Token: SeRestorePrivilege          1336  TiWorker.exe
  Token: SeSecurityPrivilege         1336  TiWorker.exe
  Token: SeBackupPrivilege           1336  TiWorker.exe
  Token: SeRestorePrivilege          1336  TiWorker.exe
  Token: SeSecurityPrivilege         1336  TiWorker.exe
  Token: SeBackupPrivilege           1336  TiWorker.exe
  Token: SeRestorePrivilege          1336  TiWorker.exe
  Token: SeSecurityPrivilege         1336  TiWorker.exe
  Token: SeBackupPrivilege           1336  TiWorker.exe
  Token: SeRestorePrivilege          1336  TiWorker.exe
  Token: SeSecurityPrivilege         1336  TiWorker.exe
  Token: SeBackupPrivilege           1336  TiWorker.exe
  Token: SeRestorePrivilege          1336  TiWorker.exe
  Token: SeSecurityPrivilege         1336  TiWorker.exe
  Token: SeBackupPrivilege           1336  TiWorker.exe
  Token: SeRestorePrivilege          1336  TiWorker.exe
  Token: SeSecurityPrivilege         1336  TiWorker.exe
  Token: SeBackupPrivilege           1336  TiWorker.exe
  Token: SeRestorePrivilege          1336  TiWorker.exe
  Token: SeSecurityPrivilege         1336  TiWorker.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe, cmd.exe
  description                       pid   process                                                                target process
  PID 2780 wrote to memory of 3348  2780  05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe  MediaCenter.exe
  PID 2780 wrote to memory of 3348  2780  05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe  MediaCenter.exe
  PID 2780 wrote to memory of 3348  2780  05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe  MediaCenter.exe
  PID 2780 wrote to memory of 1660  2780  05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe  cmd.exe
  PID 2780 wrote to memory of 1660  2780  05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe  cmd.exe
  PID 2780 wrote to memory of 1660  2780  05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe  cmd.exe
  PID 1660 wrote to memory of 3192  1660  cmd.exe                                                                PING.EXE
  PID 1660 wrote to memory of 3192  1660  cmd.exe                                                                PING.EXE
  PID 1660 wrote to memory of 3192  1660  cmd.exe                                                                PING.EXE
Processes

- C:\Users\Admin\AppData\Local\Temp\05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2780

  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 3348

  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1660

    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3192

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4296

- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1336
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 3e588f09789eafb5c3cb0ce04ae3e21c
  SHA1: 0c78b99aadc91c9d261408a9d6b52c81e8f12d24
  SHA256: 72cd2487dfd4632da4cd596119a5bd1342445d199a590692a348f1b32b883335
  SHA512: e4d1f569eac3aaf92f90a7f568d6eedba22db4eaa6ffd68564a1ba8b099b40ac8e8bc6493bd7ac7c163e45739b2a9b848a844aa1bc2809c4ce6d5affacbdb1da
- memory/4296-132-0x00000229BE180000-0x00000229BE190000-memory.dmp
  Filesize: 64KB

- memory/4296-133-0x00000229BE820000-0x00000229BE830000-memory.dmp
  Filesize: 64KB

- memory/4296-134-0x00000229C0F00000-0x00000229C0F04000-memory.dmp
  Filesize: 16KB