Analysis
- Max time kernel: 130s
- Max time network: 154s
- Platform: windows10-2004_x64
- Resource: win10v2004-en-20220113
- Submitted: 12-02-2022 11:59

Static task: static1

Behavioral task: behavioral1
- Sample: 02cfa1534c2de4c73f97a455f37a6d92def884742733ace957bbeb653c714890.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 02cfa1534c2de4c73f97a455f37a6d92def884742733ace957bbeb653c714890.exe
- Resource: win10v2004-en-20220113
General
- Target: 02cfa1534c2de4c73f97a455f37a6d92def884742733ace957bbeb653c714890.exe
- Size: 99KB
- MD5: 568f66ddfb342d659b9ef748902b537f
- SHA1: 91d6d44a93695d87a56711d544c49ddedce1ed1b
- SHA256: 02cfa1534c2de4c73f97a455f37a6d92def884742733ace957bbeb653c714890
- SHA512: 99c04c496dec241f22973f90dbe6ed942d9372535a94c6bbe893a6ae6815daff711bcc50748873f9b3dd57c4f80b51e202a7166a68de7f64aeddf6d43a058ebe
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
    resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
    pid: 1412  process: MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried  ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  process: 02cfa1534c2de4c73f97a455f37a6d92def884742733ace957bbeb653c714890.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  process: 02cfa1534c2de4c73f97a455f37a6d92def884742733ace957bbeb653c714890.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
    description: File opened for modification  ioc: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  process: svchost.exe
    description: File opened for modification  ioc: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  process: svchost.exe
    description: File opened for modification  ioc: C:\Windows\SoftwareDistribution\ReportingEvents.log  process: svchost.exe
    description: File opened for modification  ioc: C:\Windows\Logs\CBS\CBS.log  process: TiWorker.exe
    description: File opened for modification  ioc: C:\Windows\WinSxS\pending.xml  process: TiWorker.exe
    description: File opened for modification  ioc: C:\Windows\WindowsUpdate.log  process: svchost.exe
    description: File opened for modification  ioc: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  process: svchost.exe
    description: File opened for modification  ioc: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  process: svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    Token: SeShutdownPrivilege  pid: 4288  process: svchost.exe
    Token: SeCreatePagefilePrivilege  pid: 4288  process: svchost.exe
    Token: SeShutdownPrivilege  pid: 4288  process: svchost.exe
    Token: SeCreatePagefilePrivilege  pid: 4288  process: svchost.exe
    Token: SeShutdownPrivilege  pid: 4288  process: svchost.exe
    Token: SeCreatePagefilePrivilege  pid: 4288  process: svchost.exe
    Token: SeIncBasePriorityPrivilege  pid: 644  process: 02cfa1534c2de4c73f97a455f37a6d92def884742733ace957bbeb653c714890.exe
    Token: SeSecurityPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeRestorePrivilege  pid: 1100  process: TiWorker.exe
    Token: SeBackupPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeBackupPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeRestorePrivilege  pid: 1100  process: TiWorker.exe
    Token: SeSecurityPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeBackupPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeRestorePrivilege  pid: 1100  process: TiWorker.exe
    Token: SeSecurityPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeBackupPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeRestorePrivilege  pid: 1100  process: TiWorker.exe
    Token: SeSecurityPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeBackupPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeRestorePrivilege  pid: 1100  process: TiWorker.exe
    Token: SeSecurityPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeBackupPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeRestorePrivilege  pid: 1100  process: TiWorker.exe
    Token: SeSecurityPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeBackupPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeRestorePrivilege  pid: 1100  process: TiWorker.exe
    Token: SeSecurityPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeBackupPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeRestorePrivilege  pid: 1100  process: TiWorker.exe
    Token: SeSecurityPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeBackupPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeRestorePrivilege  pid: 1100  process: TiWorker.exe
    Token: SeSecurityPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeBackupPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeRestorePrivilege  pid: 1100  process: TiWorker.exe
    Token: SeSecurityPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeBackupPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeRestorePrivilege  pid: 1100  process: TiWorker.exe
    Token: SeSecurityPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeBackupPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeRestorePrivilege  pid: 1100  process: TiWorker.exe
    Token: SeSecurityPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeBackupPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeRestorePrivilege  pid: 1100  process: TiWorker.exe
    Token: SeSecurityPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeBackupPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeRestorePrivilege  pid: 1100  process: TiWorker.exe
    Token: SeSecurityPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeBackupPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeRestorePrivilege  pid: 1100  process: TiWorker.exe
    Token: SeSecurityPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeBackupPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeRestorePrivilege  pid: 1100  process: TiWorker.exe
    Token: SeSecurityPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeBackupPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeRestorePrivilege  pid: 1100  process: TiWorker.exe
    Token: SeSecurityPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeBackupPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeRestorePrivilege  pid: 1100  process: TiWorker.exe
    Token: SeSecurityPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeBackupPrivilege  pid: 1100  process: TiWorker.exe
    Token: SeRestorePrivilege  pid: 1100  process: TiWorker.exe
    Token: SeSecurityPrivilege  pid: 1100  process: TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description: PID 644 wrote to memory of 1412  pid: 644  process: 02cfa1534c2de4c73f97a455f37a6d92def884742733ace957bbeb653c714890.exe  target process: MediaCenter.exe
    description: PID 644 wrote to memory of 1412  pid: 644  process: 02cfa1534c2de4c73f97a455f37a6d92def884742733ace957bbeb653c714890.exe  target process: MediaCenter.exe
    description: PID 644 wrote to memory of 1412  pid: 644  process: 02cfa1534c2de4c73f97a455f37a6d92def884742733ace957bbeb653c714890.exe  target process: MediaCenter.exe
    description: PID 644 wrote to memory of 1400  pid: 644  process: 02cfa1534c2de4c73f97a455f37a6d92def884742733ace957bbeb653c714890.exe  target process: cmd.exe
    description: PID 644 wrote to memory of 1400  pid: 644  process: 02cfa1534c2de4c73f97a455f37a6d92def884742733ace957bbeb653c714890.exe  target process: cmd.exe
    description: PID 644 wrote to memory of 1400  pid: 644  process: 02cfa1534c2de4c73f97a455f37a6d92def884742733ace957bbeb653c714890.exe  target process: cmd.exe
    description: PID 1400 wrote to memory of 3064  pid: 1400  process: cmd.exe  target process: PING.EXE
    description: PID 1400 wrote to memory of 3064  pid: 1400  process: cmd.exe  target process: PING.EXE
    description: PID 1400 wrote to memory of 3064  pid: 1400  process: cmd.exe  target process: PING.EXE
Processes (indentation shows the parent/child tree; the level number is the depth shown in the report)
- Level 1: C:\Users\Admin\AppData\Local\Temp\02cfa1534c2de4c73f97a455f37a6d92def884742733ace957bbeb653c714890.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\02cfa1534c2de4c73f97a455f37a6d92def884742733ace957bbeb653c714890.exe"
  PID: 644
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1412
    Signatures: Executes dropped EXE
  - Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\02cfa1534c2de4c73f97a455f37a6d92def884742733ace957bbeb653c714890.exe"
    PID: 1400
    Signatures: Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 3064
      Signatures: Runs ping.exe
- Level 1: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4288
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- Level 1: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 1100
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: aa14afe40d51c717ca3ee76e968f1b8e
  SHA1: c79e2da68fcffefa722f46bb4cc17a971c5f1035
  SHA256: aadf280875524f4e2d44c0ead3cca857103008b2d2be00a04d88411c601977a8
  SHA512: 5fe5c490bca21aa5aafc3ce2f6e8ffb41fab79f9cd12362525d29c7e099ecf243c64bc8d410d95baf43193983f4477ce3e2fa648b2b3f3b711003f56caac9dc3
- memory/4288-132-0x0000021C83380000-0x0000021C83390000-memory.dmp
  Filesize: 64KB
- memory/4288-133-0x0000021C83A20000-0x0000021C83A30000-memory.dmp
  Filesize: 64KB
- memory/4288-134-0x0000021C86100000-0x0000021C86104000-memory.dmp
  Filesize: 16KB