Analysis
- max time kernel: 169s
- max time network: 177s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 11:13

Static task: static1

Behavioral task: behavioral1
  Sample: 04fa2c73e57f0463aeb422c7d94044d2443ea6d119026166fec5fd777debaeb2.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 04fa2c73e57f0463aeb422c7d94044d2443ea6d119026166fec5fd777debaeb2.exe
  Resource: win10v2004-en-20220113
General
- Target: 04fa2c73e57f0463aeb422c7d94044d2443ea6d119026166fec5fd777debaeb2.exe
- Size: 101KB
- MD5: 933e1530c02a5e73a4a8d1dc26e260a1
- SHA1: b67728bf253d9b1c1de8a735f0b7b60398125a21
- SHA256: 04fa2c73e57f0463aeb422c7d94044d2443ea6d119026166fec5fd777debaeb2
- SHA512: a1145bac210795a9b646ecaaa5e8a4cec88aee28c8d11c6ca1a34a8f25728b3bcf175713b5c450104ce48bcd8d6e1a5c812dcfeb1a7bedfe126f477f607c6a8e
Malware Config
Signatures
-
Sakula Payload (2 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
-
Executes dropped EXE (1 IoC)
Processes: MediaCenter.exe
  pid | process
  1992 | MediaCenter.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 04fa2c73e57f0463aeb422c7d94044d2443ea6d119026166fec5fd777debaeb2.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 04fa2c73e57f0463aeb422c7d94044d2443ea6d119026166fec5fd777debaeb2.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 04fa2c73e57f0463aeb422c7d94044d2443ea6d119026166fec5fd777debaeb2.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 04fa2c73e57f0463aeb422c7d94044d2443ea6d119026166fec5fd777debaeb2.exe
-
Drops file in Windows directory (8 IoCs)
Processes: svchost.exe, TiWorker.exe
  description | ioc | process
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe (1 TTP, 1 IoC)
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: svchost.exe, TiWorker.exe, 04fa2c73e57f0463aeb422c7d94044d2443ea6d119026166fec5fd777debaeb2.exe
  description | pid | process
  Token: SeShutdownPrivilege | 1964 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1964 | svchost.exe
  Token: SeShutdownPrivilege | 1964 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1964 | svchost.exe
  Token: SeShutdownPrivilege | 1964 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1964 | svchost.exe
  Token: SeSecurityPrivilege | 1060 | TiWorker.exe
  Token: SeRestorePrivilege | 1060 | TiWorker.exe
  Token: SeBackupPrivilege | 1060 | TiWorker.exe
  Token: SeIncBasePriorityPrivilege | 4400 | 04fa2c73e57f0463aeb422c7d94044d2443ea6d119026166fec5fd777debaeb2.exe
  Token: SeBackupPrivilege | 1060 | TiWorker.exe
  Token: SeRestorePrivilege | 1060 | TiWorker.exe
  Token: SeSecurityPrivilege | 1060 | TiWorker.exe
  Token: SeBackupPrivilege | 1060 | TiWorker.exe
  Token: SeRestorePrivilege | 1060 | TiWorker.exe
  Token: SeSecurityPrivilege | 1060 | TiWorker.exe
  Token: SeBackupPrivilege | 1060 | TiWorker.exe
  Token: SeRestorePrivilege | 1060 | TiWorker.exe
  Token: SeSecurityPrivilege | 1060 | TiWorker.exe
  Token: SeBackupPrivilege | 1060 | TiWorker.exe
  Token: SeRestorePrivilege | 1060 | TiWorker.exe
  Token: SeSecurityPrivilege | 1060 | TiWorker.exe
  Token: SeBackupPrivilege | 1060 | TiWorker.exe
  Token: SeRestorePrivilege | 1060 | TiWorker.exe
  Token: SeSecurityPrivilege | 1060 | TiWorker.exe
  Token: SeBackupPrivilege | 1060 | TiWorker.exe
  Token: SeRestorePrivilege | 1060 | TiWorker.exe
  Token: SeSecurityPrivilege | 1060 | TiWorker.exe
  Token: SeBackupPrivilege | 1060 | TiWorker.exe
  Token: SeRestorePrivilege | 1060 | TiWorker.exe
  Token: SeSecurityPrivilege | 1060 | TiWorker.exe
  Token: SeBackupPrivilege | 1060 | TiWorker.exe
  Token: SeRestorePrivilege | 1060 | TiWorker.exe
  Token: SeSecurityPrivilege | 1060 | TiWorker.exe
  Token: SeBackupPrivilege | 1060 | TiWorker.exe
  Token: SeRestorePrivilege | 1060 | TiWorker.exe
  Token: SeSecurityPrivilege | 1060 | TiWorker.exe
  Token: SeBackupPrivilege | 1060 | TiWorker.exe
  Token: SeRestorePrivilege | 1060 | TiWorker.exe
  Token: SeSecurityPrivilege | 1060 | TiWorker.exe
  Token: SeBackupPrivilege | 1060 | TiWorker.exe
  Token: SeRestorePrivilege | 1060 | TiWorker.exe
  Token: SeSecurityPrivilege | 1060 | TiWorker.exe
  Token: SeBackupPrivilege | 1060 | TiWorker.exe
  Token: SeRestorePrivilege | 1060 | TiWorker.exe
  Token: SeSecurityPrivilege | 1060 | TiWorker.exe
  Token: SeBackupPrivilege | 1060 | TiWorker.exe
  Token: SeRestorePrivilege | 1060 | TiWorker.exe
  Token: SeSecurityPrivilege | 1060 | TiWorker.exe
  Token: SeBackupPrivilege | 1060 | TiWorker.exe
  Token: SeRestorePrivilege | 1060 | TiWorker.exe
  Token: SeSecurityPrivilege | 1060 | TiWorker.exe
  Token: SeBackupPrivilege | 1060 | TiWorker.exe
  Token: SeRestorePrivilege | 1060 | TiWorker.exe
  Token: SeSecurityPrivilege | 1060 | TiWorker.exe
  Token: SeBackupPrivilege | 1060 | TiWorker.exe
  Token: SeRestorePrivilege | 1060 | TiWorker.exe
  Token: SeSecurityPrivilege | 1060 | TiWorker.exe
  Token: SeBackupPrivilege | 1060 | TiWorker.exe
  Token: SeRestorePrivilege | 1060 | TiWorker.exe
  Token: SeSecurityPrivilege | 1060 | TiWorker.exe
  Token: SeBackupPrivilege | 1060 | TiWorker.exe
  Token: SeRestorePrivilege | 1060 | TiWorker.exe
  Token: SeSecurityPrivilege | 1060 | TiWorker.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 04fa2c73e57f0463aeb422c7d94044d2443ea6d119026166fec5fd777debaeb2.exe, cmd.exe
  description | pid | process | target process
  PID 4400 wrote to memory of 1992 | 4400 | 04fa2c73e57f0463aeb422c7d94044d2443ea6d119026166fec5fd777debaeb2.exe | MediaCenter.exe
  PID 4400 wrote to memory of 1992 | 4400 | 04fa2c73e57f0463aeb422c7d94044d2443ea6d119026166fec5fd777debaeb2.exe | MediaCenter.exe
  PID 4400 wrote to memory of 1992 | 4400 | 04fa2c73e57f0463aeb422c7d94044d2443ea6d119026166fec5fd777debaeb2.exe | MediaCenter.exe
  PID 4400 wrote to memory of 2332 | 4400 | 04fa2c73e57f0463aeb422c7d94044d2443ea6d119026166fec5fd777debaeb2.exe | cmd.exe
  PID 4400 wrote to memory of 2332 | 4400 | 04fa2c73e57f0463aeb422c7d94044d2443ea6d119026166fec5fd777debaeb2.exe | cmd.exe
  PID 4400 wrote to memory of 2332 | 4400 | 04fa2c73e57f0463aeb422c7d94044d2443ea6d119026166fec5fd777debaeb2.exe | cmd.exe
  PID 2332 wrote to memory of 4332 | 2332 | cmd.exe | PING.EXE
  PID 2332 wrote to memory of 4332 | 2332 | cmd.exe | PING.EXE
  PID 2332 wrote to memory of 4332 | 2332 | cmd.exe | PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\04fa2c73e57f0463aeb422c7d94044d2443ea6d119026166fec5fd777debaeb2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\04fa2c73e57f0463aeb422c7d94044d2443ea6d119026166fec5fd777debaeb2.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4400
  -
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1992
  -
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\04fa2c73e57f0463aeb422c7d94044d2443ea6d119026166fec5fd777debaeb2.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2332
    -
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 4332
-
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1964
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1060
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: b499888c38e072b76f42a1cd98995f4b
  SHA1: 9f94d8b12474ab2b15b9879791ea6672e0fe50df
  SHA256: 0fb0887d2b39d9a90f2aae52b2cbc03bbf596acbc5eb38576cd0b23c432dd0af
  SHA512: 16e2f9ea80ebd50ebe7131fa280dede27cd5adafdcf2dc165bd2d6738f5e75fca57a3b0b1582105c0363e1c9130e22c146ad2aec6856dcdf8d5e7109debcbaf5
-
memory/1964-133-0x000001B7FE960000-0x000001B7FE970000-memory.dmp
  Filesize: 64KB
-
memory/1964-134-0x000001B7FF270000-0x000001B7FF280000-memory.dmp
  Filesize: 64KB
-
memory/1964-135-0x000001B7FF920000-0x000001B7FF924000-memory.dmp
  Filesize: 16KB