Analysis
- max time kernel: 148s
- max time network: 166s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 11:45
Static task: static1
Behavioral task: behavioral1
- Sample: 037e6921c18c00c14dfef26cdf5efe8530c799f8c2c7bf0afa3efa9f68e52c38.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 037e6921c18c00c14dfef26cdf5efe8530c799f8c2c7bf0afa3efa9f68e52c38.exe
- Resource: win10v2004-en-20220113
General
- Target: 037e6921c18c00c14dfef26cdf5efe8530c799f8c2c7bf0afa3efa9f68e52c38.exe
- Size: 150KB
- MD5: 10f3307e3157263657f9bb78a86ea735
- SHA1: a177ab7b478ecf582ddf4fed337a3f1ce1a6f1e4
- SHA256: 037e6921c18c00c14dfef26cdf5efe8530c799f8c2c7bf0afa3efa9f68e52c38
- SHA512: 37a8e51f248227c1eb491fc244483f5b277d1daa1a5b3dadf8a8d17d2811736d194ceebc05a660ffcdaa823ff6c62fe43ef53feabd773df74382a01469fdc5e8
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   yara_rule: family_sakula
- Executes dropped EXE (1 IoCs)
  pid: 4868   process: MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  process: 037e6921c18c00c14dfef26cdf5efe8530c799f8c2c7bf0afa3efa9f68e52c38.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 037e6921c18c00c14dfef26cdf5efe8530c799f8c2c7bf0afa3efa9f68e52c38.exe
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
  File opened for modification   C:\Windows\SoftwareDistribution\ReportingEvents.log          svchost.exe
  File opened for modification   C:\Windows\Logs\CBS\CBS.log                                  TiWorker.exe
  File opened for modification   C:\Windows\WinSxS\pending.xml                                TiWorker.exe
  File opened for modification   C:\Windows\WindowsUpdate.log                                 svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk       svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log       svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.edb      svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm      svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, 037e6921c18c00c14dfef26cdf5efe8530c799f8c2c7bf0afa3efa9f68e52c38.exe, TiWorker.exe
  Distinct token adjustments (the raw log repeats the svchost.exe and TiWorker.exe entries many times; identical repeats are collapsed here):
  Token: SeShutdownPrivilege          pid 4108   svchost.exe
  Token: SeCreatePagefilePrivilege    pid 4108   svchost.exe
  Token: SeIncBasePriorityPrivilege   pid 4736   037e6921c18c00c14dfef26cdf5efe8530c799f8c2c7bf0afa3efa9f68e52c38.exe
  Token: SeSecurityPrivilege          pid 2216   TiWorker.exe
  Token: SeRestorePrivilege           pid 2216   TiWorker.exe
  Token: SeBackupPrivilege            pid 2216   TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 037e6921c18c00c14dfef26cdf5efe8530c799f8c2c7bf0afa3efa9f68e52c38.exe, cmd.exe
  PID 4736 (037e6921c18c00c14dfef26cdf5efe8530c799f8c2c7bf0afa3efa9f68e52c38.exe) wrote to memory of 4868 (MediaCenter.exe)   x3
  PID 4736 (037e6921c18c00c14dfef26cdf5efe8530c799f8c2c7bf0afa3efa9f68e52c38.exe) wrote to memory of 4528 (cmd.exe)           x3
  PID 4528 (cmd.exe) wrote to memory of 1196 (PING.EXE)   x3
Processes
- C:\Users\Admin\AppData\Local\Temp\037e6921c18c00c14dfef26cdf5efe8530c799f8c2c7bf0afa3efa9f68e52c38.exe (PID 4736)
  command line: "C:\Users\Admin\AppData\Local\Temp\037e6921c18c00c14dfef26cdf5efe8530c799f8c2c7bf0afa3efa9f68e52c38.exe"
  signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 4868)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 4528)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\037e6921c18c00c14dfef26cdf5efe8530c799f8c2c7bf0afa3efa9f68e52c38.exe"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1196)
      command line: ping 127.0.0.1
      signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 4108)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 2216)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 188542afe5b342f41a4b2fa00bc7156e
  SHA1: e2fbf31243d5427bec08801c26f50e568da38239
  SHA256: 733ee0ba3fa6be5239ca41483209d55743df9cd8b00373a69f6ef3995b4a5a01
  SHA512: 2f69a3659c83a7f2a10b314f23a5fcd988ad49e213cdf6bf26562b21150c2025c7c2c06d15a9760297f650b53eb57555a9afcb823623d5b6fc796345113ff5c1
- memory/4108-132-0x000001A50FD90000-0x000001A50FDA0000-memory.dmp   Filesize: 64KB
- memory/4108-133-0x000001A510420000-0x000001A510430000-memory.dmp   Filesize: 64KB
- memory/4108-134-0x000001A512B10000-0x000001A512B14000-memory.dmp   Filesize: 16KB