Analysis
- max time kernel: 158s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 11:42
Static task: static1
Behavioral task: behavioral1
- Sample: 0399b6c34730e73535f71d4d8ad26e7455a281a1e51b785962c64d493e8d8eb2.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0399b6c34730e73535f71d4d8ad26e7455a281a1e51b785962c64d493e8d8eb2.exe
- Resource: win10v2004-en-20220113
General
- Target: 0399b6c34730e73535f71d4d8ad26e7455a281a1e51b785962c64d493e8d8eb2.exe
- Size: 92KB
- MD5: dc67af6023fd844421c1ed3a54dbfb84
- SHA1: a3a131657afb813b4da364eb3514ad7e15d43292
- SHA256: 0399b6c34730e73535f71d4d8ad26e7455a281a1e51b785962c64d493e8d8eb2
- SHA512: 3b347114376b74d975e9e226e365db0cbcdb12bb39ac5683496b3db6d5a837d643d69b6ab46d9a702ac53a79969a5aa829cd1423b9fdb3b13c4d6ba6714b03e7
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes: MediaCenter.exe
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  pid | process
  4652 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 0399b6c34730e73535f71d4d8ad26e7455a281a1e51b785962c64d493e8d8eb2.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0399b6c34730e73535f71d4d8ad26e7455a281a1e51b785962c64d493e8d8eb2.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 0399b6c34730e73535f71d4d8ad26e7455a281a1e51b785962c64d493e8d8eb2.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0399b6c34730e73535f71d4d8ad26e7455a281a1e51b785962c64d493e8d8eb2.exe
- Drops file in Windows directory (8 IoCs)
  Processes: TiWorker.exe, svchost.exe
  description | ioc | process
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, 0399b6c34730e73535f71d4d8ad26e7455a281a1e51b785962c64d493e8d8eb2.exe, TiWorker.exe
  description | pid | process
  Token: SeShutdownPrivilege | 3172 | svchost.exe
  Token: SeCreatePagefilePrivilege | 3172 | svchost.exe
  (the SeShutdownPrivilege / SeCreatePagefilePrivilege pair above is recorded 3 times in total: 6 IoCs)
  Token: SeIncBasePriorityPrivilege | 4728 | 0399b6c34730e73535f71d4d8ad26e7455a281a1e51b785962c64d493e8d8eb2.exe
  Token: SeSecurityPrivilege | 4712 | TiWorker.exe
  Token: SeRestorePrivilege | 4712 | TiWorker.exe
  Token: SeBackupPrivilege | 4712 | TiWorker.exe
  Token: SeBackupPrivilege | 4712 | TiWorker.exe
  Token: SeRestorePrivilege | 4712 | TiWorker.exe
  Token: SeSecurityPrivilege | 4712 | TiWorker.exe
  (the SeBackupPrivilege / SeRestorePrivilege / SeSecurityPrivilege triplet above is recorded 18 times in total: 54 IoCs)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 0399b6c34730e73535f71d4d8ad26e7455a281a1e51b785962c64d493e8d8eb2.exe, cmd.exe
  description | pid | process | target process
  PID 4728 wrote to memory of 4652 | 4728 | 0399b6c34730e73535f71d4d8ad26e7455a281a1e51b785962c64d493e8d8eb2.exe | MediaCenter.exe
  PID 4728 wrote to memory of 4652 | 4728 | 0399b6c34730e73535f71d4d8ad26e7455a281a1e51b785962c64d493e8d8eb2.exe | MediaCenter.exe
  PID 4728 wrote to memory of 4652 | 4728 | 0399b6c34730e73535f71d4d8ad26e7455a281a1e51b785962c64d493e8d8eb2.exe | MediaCenter.exe
  PID 4728 wrote to memory of 3780 | 4728 | 0399b6c34730e73535f71d4d8ad26e7455a281a1e51b785962c64d493e8d8eb2.exe | cmd.exe
  PID 4728 wrote to memory of 3780 | 4728 | 0399b6c34730e73535f71d4d8ad26e7455a281a1e51b785962c64d493e8d8eb2.exe | cmd.exe
  PID 4728 wrote to memory of 3780 | 4728 | 0399b6c34730e73535f71d4d8ad26e7455a281a1e51b785962c64d493e8d8eb2.exe | cmd.exe
  PID 3780 wrote to memory of 2232 | 3780 | cmd.exe | PING.EXE
  PID 3780 wrote to memory of 2232 | 3780 | cmd.exe | PING.EXE
  PID 3780 wrote to memory of 2232 | 3780 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0399b6c34730e73535f71d4d8ad26e7455a281a1e51b785962c64d493e8d8eb2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0399b6c34730e73535f71d4d8ad26e7455a281a1e51b785962c64d493e8d8eb2.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4728
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 4652
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0399b6c34730e73535f71d4d8ad26e7455a281a1e51b785962c64d493e8d8eb2.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3780
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 2232
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3172
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4712
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: ede206bf4111f9e8d92449e14a8c627c
  SHA1: 5ce97c5600f257b28e99b376e01b3cc8f7d511dc
  SHA256: 2565a6a9caa763852a1e2a8b829fb7787cdf078939254627b4f0355ce73bf8c5
  SHA512: b9f7e5c05a172ebd845888b058b1e53ef7a81344bc10e271f0794bc134151acc28b3ba0a3325403ed292d4fea9766120f80ea0f1fa5803ded9ee2e8ee0eb7db1
- memory/3172-132-0x0000023DE3560000-0x0000023DE3570000-memory.dmp
  Filesize: 64KB
- memory/3172-133-0x0000023DE3B20000-0x0000023DE3B30000-memory.dmp
  Filesize: 64KB
- memory/3172-134-0x0000023DE61B0000-0x0000023DE61B4000-memory.dmp
  Filesize: 16KB