Analysis
max time kernel: 145s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 07:15
Static task: static1
Behavioral task: behavioral1
  Sample: 0e1ddc406a723a60928a3cacee301bb654ef19d48423b797208bed8dfcfeaa97.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0e1ddc406a723a60928a3cacee301bb654ef19d48423b797208bed8dfcfeaa97.exe
  Resource: win10v2004-en-20220113
General
Target: 0e1ddc406a723a60928a3cacee301bb654ef19d48423b797208bed8dfcfeaa97.exe
Size: 99KB
MD5: 2b4b5d610d81ffd74e570840f9c3a480
SHA1: 5d1d70274fd90cdab76ac317a71d4d298e92b64e
SHA256: 0e1ddc406a723a60928a3cacee301bb654ef19d48423b797208bed8dfcfeaa97
SHA512: 2cf8783acb0d1d0987dd5a86cef714971d0d48315394034ce41ce215896562a1159bc2d9b996e6d65c3895d3a5831db184bc3a23dca7795a992245e0f071d628
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
Executes dropped EXE (1 IoC)
Processes:
  pid: 4392  process: MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  process: 0e1ddc406a723a60928a3cacee301bb654ef19d48423b797208bed8dfcfeaa97.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 0e1ddc406a723a60928a3cacee301bb654ef19d48423b797208bed8dfcfeaa97.exe
Drops file in Windows directory (8 IoCs)
Processes (description: File opened for modification):
  ioc: C:\Windows\SoftwareDistribution\ReportingEvents.log  process: svchost.exe
  ioc: C:\Windows\Logs\CBS\CBS.log  process: TiWorker.exe
  ioc: C:\Windows\WinSxS\pending.xml  process: TiWorker.exe
  ioc: C:\Windows\WindowsUpdate.log  process: svchost.exe
  ioc: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  process: svchost.exe
  ioc: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  process: svchost.exe
  ioc: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  process: svchost.exe
  ioc: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  process: svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (distinct token/pid/process rows; each row occurs repeatedly in the 64 recorded events):
  Token: SeShutdownPrivilege  pid: 1144  process: svchost.exe
  Token: SeCreatePagefilePrivilege  pid: 1144  process: svchost.exe
  Token: SeIncBasePriorityPrivilege  pid: 4500  process: 0e1ddc406a723a60928a3cacee301bb654ef19d48423b797208bed8dfcfeaa97.exe
  Token: SeSecurityPrivilege  pid: 4764  process: TiWorker.exe
  Token: SeRestorePrivilege  pid: 4764  process: TiWorker.exe
  Token: SeBackupPrivilege  pid: 4764  process: TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description: PID <source> wrote to memory of <target>; each row recorded 3 times):
  pid: 4500  process: 0e1ddc406a723a60928a3cacee301bb654ef19d48423b797208bed8dfcfeaa97.exe  target pid: 4392  target process: MediaCenter.exe
  pid: 4500  process: 0e1ddc406a723a60928a3cacee301bb654ef19d48423b797208bed8dfcfeaa97.exe  target pid: 3656  target process: cmd.exe
  pid: 3656  process: cmd.exe  target pid: 1004  target process: PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\0e1ddc406a723a60928a3cacee301bb654ef19d48423b797208bed8dfcfeaa97.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0e1ddc406a723a60928a3cacee301bb654ef19d48423b797208bed8dfcfeaa97.exe"
  PID: 4500
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4392
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e1ddc406a723a60928a3cacee301bb654ef19d48423b797208bed8dfcfeaa97.exe"
    PID: 3656
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      PID: 1004
      - Runs ping.exe
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 1144
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 4764
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 4756a0728a96e1aa38a6da481f8ce6d6
SHA1: 8f371993b9793177e4fa9ade31318f9491e32993
SHA256: 55b90cf7ad7a6a1efc9e23bc5a5db6411ab32da09a9c361a620fe19e75af48ba
SHA512: 14f4365230866323f1ddbf90f2cfb2683ea6752275fc16ee6619ed89875de956962b547297b81dddc2a3717a9531226baf569b80ad570fd10a8be40d27d072bc