Analysis
- max time kernel: 146s
- max time network: 173s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 11:24
- Static task: static1
- Behavioral task: behavioral1
  Sample: 047b7a125a5d18aa80e11efa37727317366153de2bb249284d8e252f13f1fe26.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 047b7a125a5d18aa80e11efa37727317366153de2bb249284d8e252f13f1fe26.exe
  Resource: win10v2004-en-20220113
General
- Target: 047b7a125a5d18aa80e11efa37727317366153de2bb249284d8e252f13f1fe26.exe
- Size: 99KB
- MD5: 2f1f8cad2767a5249a6c849908f1b778
- SHA1: 97be2a02e2f2fc28fb9926e278ff10d68c1100af
- SHA256: 047b7a125a5d18aa80e11efa37727317366153de2bb249284d8e252f13f1fe26
- SHA512: 43cac78f990db6f8cccbd55ff42838558cd8a9693e434672ebe66a7ba9498075eae6dc0d70cd8aff7169edc40fb73cbba24a862382513a0635869cc484ca60cf
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource / yara_rule):
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula (the same dropped file is listed twice)
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe, PID 4624
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: 047b7a125a5d18aa80e11efa37727317366153de2bb249284d8e252f13f1fe26.exe queried key value \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 047b7a125a5d18aa80e11efa37727317366153de2bb249284d8e252f13f1fe26.exe set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
  - svchost.exe opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log, C:\Windows\SoftwareDistribution\DataStore\DataStore.edb, C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm, C:\Windows\SoftwareDistribution\ReportingEvents.log, C:\Windows\WindowsUpdate.log, C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
  - TiWorker.exe opened for modification: C:\Windows\Logs\CBS\CBS.log, C:\Windows\WinSxS\pending.xml
  None of these writes come from the sample or its children: they are Windows Update (wuauserv) and servicing-stack activity that ran during the analysis window.
- Enumerates physical storage devices (1 TTP, no IoC recorded)
  Sandbox description: attempts to interact with connected storage/optical drive(s), flagged generically as "likely ransomware behaviour". No IoC is attached to this signature and the payload is classified as Sakula, a backdoor family, so the ransomware heuristic should not be taken at face value here.
- Runs ping.exe (1 TTP, 1 IoC)
  See PING.EXE (PID 1932) in the process tree: the ping to 127.0.0.1 is used as a delay before the dropper deletes itself.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (deduplicated; the raw list repeats the same token/PID pairs):
  - svchost.exe, PID 4876: SeShutdownPrivilege (3), SeCreatePagefilePrivilege (3)
  - TiWorker.exe, PID 3484: SeBackupPrivilege (19), SeRestorePrivilege (19), SeSecurityPrivilege (19), cycling through the three
  - 047b7a125a5d18aa80e11efa37727317366153de2bb249284d8e252f13f1fe26.exe, PID 3908: SeIncBasePriorityPrivilege (1)
  Only the last entry belongs to the sample; the svchost.exe and TiWorker.exe entries are Windows Update and servicing-stack background activity.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (source PID wrote to target PID; each pair is reported three times):
  - 3908 (047b7a125a5d18aa80e11efa37727317366153de2bb249284d8e252f13f1fe26.exe) wrote to memory of 4624 (MediaCenter.exe)
  - 3908 (047b7a125a5d18aa80e11efa37727317366153de2bb249284d8e252f13f1fe26.exe) wrote to memory of 3316 (cmd.exe)
  - 3316 (cmd.exe) wrote to memory of 1932 (PING.EXE)
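The two signatures above are dominated by background processes: of the 64 AdjustPrivilegeToken entries only one belongs to the sample. The helper below collapses the flattened records into per-process counts and keeps only PIDs that descend from the submitted sample. It is an added example (my code, not part of this sandbox report or its tooling); the input strings are constructed in the report's own flattened record shape from a subset of the entries above, and it assumes, as this page's process tree confirms, that a "wrote to memory of" edge from a parent to a freshly created child can be treated as a launch edge.

```python
"""Triage helper: collapse noisy sandbox signature output into per-process
summaries and keep only processes that descend from the submitted sample.

Added example, not part of the sandbox report. The records below are
constructed by hand from the report's AdjustPrivilegeToken and
WriteProcessMemory entries (a representative subset, not all 64 token events).
"""
import re
from collections import Counter, defaultdict

# Constructed records in the report's "Token: <privilege> <pid> <image>" shape.
TOKEN_EVENTS = """
Token: SeShutdownPrivilege 4876 svchost.exe
Token: SeCreatePagefilePrivilege 4876 svchost.exe
Token: SeSecurityPrivilege 3484 TiWorker.exe
Token: SeRestorePrivilege 3484 TiWorker.exe
Token: SeBackupPrivilege 3484 TiWorker.exe
Token: SeBackupPrivilege 3484 TiWorker.exe
Token: SeIncBasePriorityPrivilege 3908 047b7a125a5d18aa80e11efa37727317366153de2bb249284d8e252f13f1fe26.exe
Token: SeRestorePrivilege 3484 TiWorker.exe
"""

# Constructed records in the report's
# "PID <src> wrote to memory of <dst> <src> <src_image> <dst_image>" shape.
WPM_EVENTS = """
PID 3908 wrote to memory of 4624 3908 047b7a125a5d18aa80e11efa37727317366153de2bb249284d8e252f13f1fe26.exe MediaCenter.exe
PID 3908 wrote to memory of 3316 3908 047b7a125a5d18aa80e11efa37727317366153de2bb249284d8e252f13f1fe26.exe cmd.exe
PID 3316 wrote to memory of 1932 3316 cmd.exe PING.EXE
"""

TOKEN_RE = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+)")
WPM_RE = re.compile(r"PID\s+(\d+)\s+wrote to memory of\s+(\d+)\s+\d+\s+(\S+)\s+(\S+)")


def parse_tokens(text):
    """Count token adjustments keyed by (pid, image, privilege)."""
    counts = Counter()
    for m in TOKEN_RE.finditer(text):
        priv, pid, image = m.groups()
        counts[(int(pid), image, priv)] += 1
    return counts


def parse_wpm_edges(text):
    """Map child pid -> (parent pid, parent image, child image).

    Assumption (matches the process tree on this page): the first write into a
    new process comes from the parent that created it, so the edge is a launch edge.
    """
    edges = {}
    for m in WPM_RE.finditer(text):
        src, dst, src_img, dst_img = m.groups()
        edges.setdefault(int(dst), (int(src), src_img, dst_img))
    return edges


def lineage(root_pid, edges):
    """All pids reachable from root_pid by following launch edges (root included)."""
    children = defaultdict(set)
    for child, (parent, _, _) in edges.items():
        children[parent].add(child)
    seen, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        stack.extend(children[pid])
    return seen


def summarize(token_text, wpm_text, sample_pid):
    """Split token adjustments into the sample's lineage and background noise.

    Returns (in_scope, background, lineage_pids); both dicts are keyed by
    (pid, image) and map privilege -> count.
    """
    tokens = parse_tokens(token_text)
    family = lineage(sample_pid, parse_wpm_edges(wpm_text))
    in_scope, background = {}, {}
    for (pid, image, priv), n in tokens.items():
        bucket = in_scope if pid in family else background
        bucket.setdefault((pid, image), {})[priv] = n
    return in_scope, background, sorted(family)


if __name__ == "__main__":
    scope, noise, fam = summarize(TOKEN_EVENTS, WPM_EVENTS, 3908)
    print("sample lineage:", fam)
    print("in scope:", scope)
    print("background:", noise)
```

On the full report this reduces the 64-entry list to one in-scope line (PID 3908, SeIncBasePriorityPrivilege) and two background processes; the same lineage set is what you would use to filter the "Drops file in Windows directory" entries, which all belong to PIDs outside it.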
Processes
- C:\Users\Admin\AppData\Local\Temp\047b7a125a5d18aa80e11efa37727317366153de2bb249284d8e252f13f1fe26.exe (level 1, PID 3908)
  Command line: "C:\Users\Admin\AppData\Local\Temp\047b7a125a5d18aa80e11efa37727317366153de2bb249284d8e252f13f1fe26.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2, PID 4624)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 3316)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\047b7a125a5d18aa80e11efa37727317366153de2bb249284d8e252f13f1fe26.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (level 3, PID 1932)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (level 1, PID 4876)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (level 1, PID 3484)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

The sample's own tree is PID 3908 and its descendants 4624 (the dropped MediaCenter.exe payload, which is also the file registered under the Run key), 3316 and 1932. The cmd.exe child pings 127.0.0.1 purely as a delay and then deletes the original dropper, so after execution only the Run key and the dropped copy in %LOCALAPPDATA%\Temp\MicroMedia remain on disk. svchost.exe (wuauserv) and TiWorker.exe are separate level-1 trees, not children of the sample; their file drops and privilege adjustments are Windows Update and servicing-stack activity. The WOW6432Node Run key and the SysWOW64 images show that the sample is a 32-bit binary running under WOW64 on the x64 guest, which is why the command line says System32\cmd.exe while the image path says SysWOW64\cmd.exe.
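Two of the sample's behaviours in this tree are cheap to detect on endpoints that ship Sysmon telemetry: the Run key whose data points into a user-writable temp directory (Event ID 13, value set) and the cmd.exe ping-then-del self-deletion chain (Event ID 1, process create). The Python below is an added example, not part of this report or of any sandbox or vendor tooling; the event dictionaries are constructed by hand from the paths and command line recorded above (the registry path is written in Sysmon's HKLM form rather than the sandbox's \REGISTRY\MACHINE form), and the regexes and rule names are my own. The Geo\Nation lookup is deliberately not covered: Sysmon records registry writes, not reads, so that behaviour needs a sandbox or API-level trace.

```python
"""Detection logic for two host-side behaviours recorded in this report:
a Run-key value pointing into a user-writable directory, and the
`cmd /c ping 127.0.0.1 & del /q <self>` self-deletion chain.

Added example, not part of the report. The events below are constructed to
mimic the Sysmon Event ID 13 (RegistryEvent, value set) and Event ID 1
(ProcessCreate) fields that the checks use; nothing else is modelled.
"""
import re

# Autostart locations under HKLM/HKCU (WOW6432Node variants match too).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)
# Directories an unprivileged user (or a dropper running as one) can write to.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\|\\ProgramData\\|\\Windows\\Temp\\", re.I)
# ping as a sleep, then del: the classic "delete myself after I exit" chain.
SELF_DELETE_RE = re.compile(r"ping\s+(127\.0\.0\.1|localhost)[^&]*&+\s*del\s", re.I)
DEL_TARGET_RE = re.compile(r'del\s+(?:/\w\s+)*"?([^"&]+?)"?\s*$', re.I)


def check_run_key(event):
    """Sysmon ID 13: Run/RunOnce value whose data points into a user-writable path."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    if RUN_KEY_RE.search(target) and USER_WRITABLE_RE.search(details):
        return {"rule": "run_key_user_writable", "image": event.get("Image"),
                "value": target, "data": details}
    return None


def check_self_delete(event):
    """Sysmon ID 1: a ping-then-del chain; reports whether it deletes the parent image."""
    if event.get("EventID") != 1:
        return None
    cmd = event.get("CommandLine", "")
    if not SELF_DELETE_RE.search(cmd):
        return None
    m = DEL_TARGET_RE.search(cmd)
    deleted = m.group(1).strip() if m else None
    parent = event.get("ParentImage", "")
    return {"rule": "ping_del_self_delete", "parent": parent, "deleted": deleted,
            "deletes_parent": bool(deleted) and deleted.lower() == parent.lower()}


def run_detections(events):
    """Apply every check to every event and collect the hits in event order."""
    hits = []
    for event in events:
        for check in (check_run_key, check_self_delete):
            hit = check(event)
            if hit:
                hits.append(hit)
    return hits


# Constructed events reproducing what this report shows; values are taken from
# the report, the event shape is assumed (Sysmon field names).
SAMPLE_IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
                r"\047b7a125a5d18aa80e11efa37727317366153de2bb249284d8e252f13f1fe26.exe")
EVENTS = [
    {"EventID": 13, "Image": SAMPLE_IMAGE,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": SAMPLE_IMAGE,
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "'
                    + SAMPLE_IMAGE + '"'},
    # Constructed benign control: a vendor updater registering itself from Program Files.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
     "Details": r"C:\Program Files\Vendor\update.exe"},
]

if __name__ == "__main__":
    for hit in run_detections(EVENTS):
        print(hit)
```

The self-delete check also reports whether the deleted path equals the parent image; that is what separates a dropper cleaning up after itself (as here) from an installer deleting a temp file, and it is the field worth keying an alert on. The Run key check only fires when the autostart data lives somewhere an unprivileged user can write, which keeps vendor updaters under Program Files out of the results.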
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 07b86cd29c275c7652ba41b9d01a8e5f
  SHA1: da8c43441fcf9f378b117c71700c29a242a60a3e
  SHA256: f787c2233490b4f01b63647464129f0c4c5e75a1a8d178f27adc73c2b8812b86
  SHA512: 4b962d22657c216642f4a14bf7f4fc1f77bcbbfd081e9fb69d7d19d8c534846cf58826955141af5ddf60b586d7b977f62f476959f3926043cfda9cee497def97
- memory/4876-133-0x000001A196E20000-0x000001A196E30000-memory.dmp (svchost.exe, PID 4876)
  Filesize: 64KB
- memory/4876-132-0x000001A196790000-0x000001A1967A0000-memory.dmp (svchost.exe, PID 4876)
  Filesize: 64KB
- memory/4876-134-0x000001A199510000-0x000001A199514000-memory.dmp (svchost.exe, PID 4876)
  Filesize: 16KB