Analysis
max time kernel: 146s
max time network: 170s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 11:44
Static task: static1
Behavioral task: behavioral1
  Sample: 038ff3bf3823d31da044955ad9cd8207e859321ea6c221d9e2d5ef982a2b70d0.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 038ff3bf3823d31da044955ad9cd8207e859321ea6c221d9e2d5ef982a2b70d0.exe
  Resource: win10v2004-en-20220113
General
Target: 038ff3bf3823d31da044955ad9cd8207e859321ea6c221d9e2d5ef982a2b70d0.exe
Size: 192KB
MD5: b05342e1d6340795786810fab8c08322
SHA1: 53b3483add91981e441d99ef4e49946906cd7026
SHA256: 038ff3bf3823d31da044955ad9cd8207e859321ea6c221d9e2d5ef982a2b70d0
SHA512: 9ec4a97f39e2f9b5add8f99bb7c35e5aaef60c68437493b1de7616bba2270caa7011a89a10d44140ebb3e01055ed98b344febdcf6aff9ff352f72fab118debae
Malware Config
Signatures
Sakula Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE 1 IoCs
Processes:
pid | process
4644 | MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 038ff3bf3823d31da044955ad9cd8207e859321ea6c221d9e2d5ef982a2b70d0.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 038ff3bf3823d31da044955ad9cd8207e859321ea6c221d9e2d5ef982a2b70d0.exe
Drops file in Windows directory 8 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 4340 | svchost.exe
Token: SeCreatePagefilePrivilege | 4340 | svchost.exe
Token: SeShutdownPrivilege | 4340 | svchost.exe
Token: SeCreatePagefilePrivilege | 4340 | svchost.exe
Token: SeShutdownPrivilege | 4340 | svchost.exe
Token: SeCreatePagefilePrivilege | 4340 | svchost.exe
Token: SeIncBasePriorityPrivilege | 4420 | 038ff3bf3823d31da044955ad9cd8207e859321ea6c221d9e2d5ef982a2b70d0.exe
Token: SeSecurityPrivilege | 5076 | TiWorker.exe
Token: SeRestorePrivilege | 5076 | TiWorker.exe
Token: SeBackupPrivilege | 5076 | TiWorker.exe
Token: SeBackupPrivilege | 5076 | TiWorker.exe
Token: SeRestorePrivilege | 5076 | TiWorker.exe
Token: SeSecurityPrivilege | 5076 | TiWorker.exe
Token: SeBackupPrivilege | 5076 | TiWorker.exe
Token: SeRestorePrivilege | 5076 | TiWorker.exe
Token: SeSecurityPrivilege | 5076 | TiWorker.exe
Token: SeBackupPrivilege | 5076 | TiWorker.exe
Token: SeRestorePrivilege | 5076 | TiWorker.exe
Token: SeSecurityPrivilege | 5076 | TiWorker.exe
Token: SeBackupPrivilege | 5076 | TiWorker.exe
Token: SeRestorePrivilege | 5076 | TiWorker.exe
Token: SeSecurityPrivilege | 5076 | TiWorker.exe
Token: SeBackupPrivilege | 5076 | TiWorker.exe
Token: SeRestorePrivilege | 5076 | TiWorker.exe
Token: SeSecurityPrivilege | 5076 | TiWorker.exe
Token: SeBackupPrivilege | 5076 | TiWorker.exe
Token: SeRestorePrivilege | 5076 | TiWorker.exe
Token: SeSecurityPrivilege | 5076 | TiWorker.exe
Token: SeBackupPrivilege | 5076 | TiWorker.exe
Token: SeRestorePrivilege | 5076 | TiWorker.exe
Token: SeSecurityPrivilege | 5076 | TiWorker.exe
Token: SeBackupPrivilege | 5076 | TiWorker.exe
Token: SeRestorePrivilege | 5076 | TiWorker.exe
Token: SeSecurityPrivilege | 5076 | TiWorker.exe
Token: SeBackupPrivilege | 5076 | TiWorker.exe
Token: SeRestorePrivilege | 5076 | TiWorker.exe
Token: SeSecurityPrivilege | 5076 | TiWorker.exe
Token: SeBackupPrivilege | 5076 | TiWorker.exe
Token: SeRestorePrivilege | 5076 | TiWorker.exe
Token: SeSecurityPrivilege | 5076 | TiWorker.exe
Token: SeBackupPrivilege | 5076 | TiWorker.exe
Token: SeRestorePrivilege | 5076 | TiWorker.exe
Token: SeSecurityPrivilege | 5076 | TiWorker.exe
Token: SeBackupPrivilege | 5076 | TiWorker.exe
Token: SeRestorePrivilege | 5076 | TiWorker.exe
Token: SeSecurityPrivilege | 5076 | TiWorker.exe
Token: SeBackupPrivilege | 5076 | TiWorker.exe
Token: SeRestorePrivilege | 5076 | TiWorker.exe
Token: SeSecurityPrivilege | 5076 | TiWorker.exe
Token: SeBackupPrivilege | 5076 | TiWorker.exe
Token: SeRestorePrivilege | 5076 | TiWorker.exe
Token: SeSecurityPrivilege | 5076 | TiWorker.exe
Token: SeBackupPrivilege | 5076 | TiWorker.exe
Token: SeRestorePrivilege | 5076 | TiWorker.exe
Token: SeSecurityPrivilege | 5076 | TiWorker.exe
Token: SeBackupPrivilege | 5076 | TiWorker.exe
Token: SeRestorePrivilege | 5076 | TiWorker.exe
Token: SeSecurityPrivilege | 5076 | TiWorker.exe
Token: SeBackupPrivilege | 5076 | TiWorker.exe
Token: SeRestorePrivilege | 5076 | TiWorker.exe
Token: SeSecurityPrivilege | 5076 | TiWorker.exe
Token: SeBackupPrivilege | 5076 | TiWorker.exe
Token: SeRestorePrivilege | 5076 | TiWorker.exe
Token: SeSecurityPrivilege | 5076 | TiWorker.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 4420 wrote to memory of 4644 | 4420 | 038ff3bf3823d31da044955ad9cd8207e859321ea6c221d9e2d5ef982a2b70d0.exe | MediaCenter.exe
PID 4420 wrote to memory of 4644 | 4420 | 038ff3bf3823d31da044955ad9cd8207e859321ea6c221d9e2d5ef982a2b70d0.exe | MediaCenter.exe
PID 4420 wrote to memory of 4644 | 4420 | 038ff3bf3823d31da044955ad9cd8207e859321ea6c221d9e2d5ef982a2b70d0.exe | MediaCenter.exe
PID 4420 wrote to memory of 1448 | 4420 | 038ff3bf3823d31da044955ad9cd8207e859321ea6c221d9e2d5ef982a2b70d0.exe | cmd.exe
PID 4420 wrote to memory of 1448 | 4420 | 038ff3bf3823d31da044955ad9cd8207e859321ea6c221d9e2d5ef982a2b70d0.exe | cmd.exe
PID 4420 wrote to memory of 1448 | 4420 | 038ff3bf3823d31da044955ad9cd8207e859321ea6c221d9e2d5ef982a2b70d0.exe | cmd.exe
PID 1448 wrote to memory of 2220 | 1448 | cmd.exe | PING.EXE
PID 1448 wrote to memory of 2220 | 1448 | cmd.exe | PING.EXE
PID 1448 wrote to memory of 2220 | 1448 | cmd.exe | PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\038ff3bf3823d31da044955ad9cd8207e859321ea6c221d9e2d5ef982a2b70d0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\038ff3bf3823d31da044955ad9cd8207e859321ea6c221d9e2d5ef982a2b70d0.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4420

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 4644

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\038ff3bf3823d31da044955ad9cd8207e859321ea6c221d9e2d5ef982a2b70d0.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1448

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 2220

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4340

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 5076
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 69baf475a2ce80fddfa153ecfa367ea4
  SHA1: 4b3e9b7103841d7fb0f5cd6ec5d48d6d48f65eac
  SHA256: 0847e2a4991f66300caf719112fa226c11cc30ef22c968558504a7b9a697c446
  SHA512: 1be868c745310975a220954156da70f3d708ad03090507bb85f50289befbe4e5c37625828a4bc4863ca089ee303c9468b749cc767bd7ebb17021599c0087aa62
memory/4340-132-0x0000018550F30000-0x0000018550F40000-memory.dmp
  Filesize: 64KB
memory/4340-133-0x0000018550F90000-0x0000018550FA0000-memory.dmp
  Filesize: 64KB
memory/4340-134-0x0000018553CA0000-0x0000018553CA4000-memory.dmp
  Filesize: 16KB