Analysis
- Max time kernel: 150s
- Max time network: 169s
- Platform: windows10-2004_x64
- Resource: win10v2004-en-20220113
- Submitted: 12-02-2022 12:01
Static task: static1
Behavioral task: behavioral1
- Sample: 02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097.exe
- Resource: win10v2004-en-20220113
General
- Target: 02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097.exe
- Size: 99KB
- MD5: 9cbac2fec1ad1dcb349734acf6debb29
- SHA1: a5a17a6155f836a177bad5ae216e01bccb561f9b
- SHA256: 02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097
- SHA512: fedef63c447dfd0b97e240de124116dfd0b376033824a20dd97959dfcc13c1772128afe215bfab8c8f259b674ba12ba781c71f4e1d662edf1bb06234269a38dd
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
| resource | yara_rule |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula |
| C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula |
-
Executes dropped EXE 1 IoCs
Processes:
| pid | process |
| --- | --- |
| 4348 | MediaCenter.exe |
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
| description | ioc | process |
| --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097.exe |
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
| description | ioc | process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097.exe |
-
Drops file in Windows directory 8 IoCs
Processes:
| description | ioc | process |
| --- | --- | --- |
| File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe |
| File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe |
| File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe |
| File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe |
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
| description | pid | process |
| --- | --- | --- |
| Token: SeShutdownPrivilege | 3540 | svchost.exe |
| Token: SeCreatePagefilePrivilege | 3540 | svchost.exe |
| Token: SeShutdownPrivilege | 3540 | svchost.exe |
| Token: SeCreatePagefilePrivilege | 3540 | svchost.exe |
| Token: SeShutdownPrivilege | 3540 | svchost.exe |
| Token: SeCreatePagefilePrivilege | 3540 | svchost.exe |
| Token: SeIncBasePriorityPrivilege | 4240 | 02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097.exe |
| Token: SeSecurityPrivilege | 1816 | TiWorker.exe |
| Token: SeRestorePrivilege | 1816 | TiWorker.exe |
| Token: SeBackupPrivilege | 1816 | TiWorker.exe |
| Token: SeBackupPrivilege | 1816 | TiWorker.exe |
| Token: SeRestorePrivilege | 1816 | TiWorker.exe |
| Token: SeSecurityPrivilege | 1816 | TiWorker.exe |
| Token: SeBackupPrivilege | 1816 | TiWorker.exe |
| Token: SeRestorePrivilege | 1816 | TiWorker.exe |
| Token: SeSecurityPrivilege | 1816 | TiWorker.exe |
| Token: SeBackupPrivilege | 1816 | TiWorker.exe |
| Token: SeRestorePrivilege | 1816 | TiWorker.exe |
| Token: SeSecurityPrivilege | 1816 | TiWorker.exe |
| Token: SeBackupPrivilege | 1816 | TiWorker.exe |
| Token: SeRestorePrivilege | 1816 | TiWorker.exe |
| Token: SeSecurityPrivilege | 1816 | TiWorker.exe |
| Token: SeBackupPrivilege | 1816 | TiWorker.exe |
| Token: SeRestorePrivilege | 1816 | TiWorker.exe |
| Token: SeSecurityPrivilege | 1816 | TiWorker.exe |
| Token: SeBackupPrivilege | 1816 | TiWorker.exe |
| Token: SeRestorePrivilege | 1816 | TiWorker.exe |
| Token: SeSecurityPrivilege | 1816 | TiWorker.exe |
| Token: SeBackupPrivilege | 1816 | TiWorker.exe |
| Token: SeRestorePrivilege | 1816 | TiWorker.exe |
| Token: SeSecurityPrivilege | 1816 | TiWorker.exe |
| Token: SeBackupPrivilege | 1816 | TiWorker.exe |
| Token: SeRestorePrivilege | 1816 | TiWorker.exe |
| Token: SeSecurityPrivilege | 1816 | TiWorker.exe |
| Token: SeBackupPrivilege | 1816 | TiWorker.exe |
| Token: SeRestorePrivilege | 1816 | TiWorker.exe |
| Token: SeSecurityPrivilege | 1816 | TiWorker.exe |
| Token: SeBackupPrivilege | 1816 | TiWorker.exe |
| Token: SeRestorePrivilege | 1816 | TiWorker.exe |
| Token: SeSecurityPrivilege | 1816 | TiWorker.exe |
| Token: SeBackupPrivilege | 1816 | TiWorker.exe |
| Token: SeRestorePrivilege | 1816 | TiWorker.exe |
| Token: SeSecurityPrivilege | 1816 | TiWorker.exe |
| Token: SeBackupPrivilege | 1816 | TiWorker.exe |
| Token: SeRestorePrivilege | 1816 | TiWorker.exe |
| Token: SeSecurityPrivilege | 1816 | TiWorker.exe |
| Token: SeBackupPrivilege | 1816 | TiWorker.exe |
| Token: SeRestorePrivilege | 1816 | TiWorker.exe |
| Token: SeSecurityPrivilege | 1816 | TiWorker.exe |
| Token: SeBackupPrivilege | 1816 | TiWorker.exe |
| Token: SeRestorePrivilege | 1816 | TiWorker.exe |
| Token: SeSecurityPrivilege | 1816 | TiWorker.exe |
| Token: SeBackupPrivilege | 1816 | TiWorker.exe |
| Token: SeRestorePrivilege | 1816 | TiWorker.exe |
| Token: SeSecurityPrivilege | 1816 | TiWorker.exe |
| Token: SeBackupPrivilege | 1816 | TiWorker.exe |
| Token: SeRestorePrivilege | 1816 | TiWorker.exe |
| Token: SeSecurityPrivilege | 1816 | TiWorker.exe |
| Token: SeBackupPrivilege | 1816 | TiWorker.exe |
| Token: SeRestorePrivilege | 1816 | TiWorker.exe |
| Token: SeSecurityPrivilege | 1816 | TiWorker.exe |
| Token: SeBackupPrivilege | 1816 | TiWorker.exe |
| Token: SeRestorePrivilege | 1816 | TiWorker.exe |
| Token: SeSecurityPrivilege | 1816 | TiWorker.exe |
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 4240 wrote to memory of 4348 | 4240 | 02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097.exe | MediaCenter.exe |
| PID 4240 wrote to memory of 4348 | 4240 | 02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097.exe | MediaCenter.exe |
| PID 4240 wrote to memory of 4348 | 4240 | 02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097.exe | MediaCenter.exe |
| PID 4240 wrote to memory of 728 | 4240 | 02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097.exe | cmd.exe |
| PID 4240 wrote to memory of 728 | 4240 | 02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097.exe | cmd.exe |
| PID 4240 wrote to memory of 728 | 4240 | 02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097.exe | cmd.exe |
| PID 728 wrote to memory of 4744 | 728 | cmd.exe | PING.EXE |
| PID 728 wrote to memory of 4744 | 728 | cmd.exe | PING.EXE |
| PID 728 wrote to memory of 4744 | 728 | cmd.exe | PING.EXE |
Processes
- C:\Users\Admin\AppData\Local\Temp\02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097.exe (PID 4240)
  Command line: "C:\Users\Admin\AppData\Local\Temp\02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 4348)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 728)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 4744)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 3540)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 1816)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 5701b43a0fe0787ad13b6860f0a50d4f
  SHA1: fdd9898c348b070418394cd016eb6593c234b960
  SHA256: 649db09c263d3a41b50c1cb6edb61b81d5178707b36f7cb88d75e2d79c2ae40f
  SHA512: 961a28868d5166fcdb82e2db69db42b8a78bef1a302373567e77fdf0a82d1fd380443d8f5286118c8731a04e01516d9f0427392a3eddc273e2d492b954d1c324
- memory/3540-132-0x0000019EB9F20000-0x0000019EB9F30000-memory.dmp
  Filesize: 64KB
- memory/3540-133-0x0000019EB9F80000-0x0000019EB9F90000-memory.dmp
  Filesize: 64KB
- memory/3540-134-0x0000019EBC640000-0x0000019EBC644000-memory.dmp
  Filesize: 16KB