Analysis
- max time kernel: 160s
- max time network: 169s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 07:15

Static task: static1

Behavioral task: behavioral1
- Sample: 0e1d2d13010af1407216e3a8a710d89e65ce136215c206dfcc2de66448481057.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0e1d2d13010af1407216e3a8a710d89e65ce136215c206dfcc2de66448481057.exe
- Resource: win10v2004-en-20220113
General
- Target: 0e1d2d13010af1407216e3a8a710d89e65ce136215c206dfcc2de66448481057.exe
- Size: 152KB
- MD5: fe925d8adc7fa572a553030831983fdf
- SHA1: 441bb1e70bf849399d7267d47749a063afd4f258
- SHA256: 0e1d2d13010af1407216e3a8a710d89e65ce136215c206dfcc2de66448481057
- SHA512: 586804772be980a7ad61d46d31e260ffa698721e409d67313c1e911648e94e3247bbb0cf9f03db841ca85377dabf1a2faa2f83cee8c32655b829e2b7fb63a11f
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  pid | process
  4688 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0e1d2d13010af1407216e3a8a710d89e65ce136215c206dfcc2de66448481057.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0e1d2d13010af1407216e3a8a710d89e65ce136215c206dfcc2de66448481057.exe
- Drops file in Windows directory (8 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | process
  Token: SeShutdownPrivilege | 2788 | svchost.exe
  Token: SeCreatePagefilePrivilege | 2788 | svchost.exe
  Token: SeShutdownPrivilege | 2788 | svchost.exe
  Token: SeCreatePagefilePrivilege | 2788 | svchost.exe
  Token: SeShutdownPrivilege | 2788 | svchost.exe
  Token: SeCreatePagefilePrivilege | 2788 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 3060 | 0e1d2d13010af1407216e3a8a710d89e65ce136215c206dfcc2de66448481057.exe
  Token: SeSecurityPrivilege | 2208 | TiWorker.exe
  Token: SeRestorePrivilege | 2208 | TiWorker.exe
  Token: SeBackupPrivilege | 2208 | TiWorker.exe
  Token: SeBackupPrivilege | 2208 | TiWorker.exe
  Token: SeRestorePrivilege | 2208 | TiWorker.exe
  Token: SeSecurityPrivilege | 2208 | TiWorker.exe
  Token: SeBackupPrivilege | 2208 | TiWorker.exe
  Token: SeRestorePrivilege | 2208 | TiWorker.exe
  Token: SeSecurityPrivilege | 2208 | TiWorker.exe
  Token: SeBackupPrivilege | 2208 | TiWorker.exe
  Token: SeRestorePrivilege | 2208 | TiWorker.exe
  Token: SeSecurityPrivilege | 2208 | TiWorker.exe
  Token: SeBackupPrivilege | 2208 | TiWorker.exe
  Token: SeRestorePrivilege | 2208 | TiWorker.exe
  Token: SeSecurityPrivilege | 2208 | TiWorker.exe
  Token: SeBackupPrivilege | 2208 | TiWorker.exe
  Token: SeRestorePrivilege | 2208 | TiWorker.exe
  Token: SeSecurityPrivilege | 2208 | TiWorker.exe
  Token: SeBackupPrivilege | 2208 | TiWorker.exe
  Token: SeRestorePrivilege | 2208 | TiWorker.exe
  Token: SeSecurityPrivilege | 2208 | TiWorker.exe
  Token: SeBackupPrivilege | 2208 | TiWorker.exe
  Token: SeRestorePrivilege | 2208 | TiWorker.exe
  Token: SeSecurityPrivilege | 2208 | TiWorker.exe
  Token: SeBackupPrivilege | 2208 | TiWorker.exe
  Token: SeRestorePrivilege | 2208 | TiWorker.exe
  Token: SeSecurityPrivilege | 2208 | TiWorker.exe
  Token: SeBackupPrivilege | 2208 | TiWorker.exe
  Token: SeRestorePrivilege | 2208 | TiWorker.exe
  Token: SeSecurityPrivilege | 2208 | TiWorker.exe
  Token: SeBackupPrivilege | 2208 | TiWorker.exe
  Token: SeRestorePrivilege | 2208 | TiWorker.exe
  Token: SeSecurityPrivilege | 2208 | TiWorker.exe
  Token: SeBackupPrivilege | 2208 | TiWorker.exe
  Token: SeRestorePrivilege | 2208 | TiWorker.exe
  Token: SeSecurityPrivilege | 2208 | TiWorker.exe
  Token: SeBackupPrivilege | 2208 | TiWorker.exe
  Token: SeRestorePrivilege | 2208 | TiWorker.exe
  Token: SeSecurityPrivilege | 2208 | TiWorker.exe
  Token: SeBackupPrivilege | 2208 | TiWorker.exe
  Token: SeRestorePrivilege | 2208 | TiWorker.exe
  Token: SeSecurityPrivilege | 2208 | TiWorker.exe
  Token: SeBackupPrivilege | 2208 | TiWorker.exe
  Token: SeRestorePrivilege | 2208 | TiWorker.exe
  Token: SeSecurityPrivilege | 2208 | TiWorker.exe
  Token: SeBackupPrivilege | 2208 | TiWorker.exe
  Token: SeRestorePrivilege | 2208 | TiWorker.exe
  Token: SeSecurityPrivilege | 2208 | TiWorker.exe
  Token: SeBackupPrivilege | 2208 | TiWorker.exe
  Token: SeRestorePrivilege | 2208 | TiWorker.exe
  Token: SeSecurityPrivilege | 2208 | TiWorker.exe
  Token: SeBackupPrivilege | 2208 | TiWorker.exe
  Token: SeRestorePrivilege | 2208 | TiWorker.exe
  Token: SeSecurityPrivilege | 2208 | TiWorker.exe
  Token: SeBackupPrivilege | 2208 | TiWorker.exe
  Token: SeRestorePrivilege | 2208 | TiWorker.exe
  Token: SeSecurityPrivilege | 2208 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | target process
  PID 3060 wrote to memory of 4688 | 3060 | 0e1d2d13010af1407216e3a8a710d89e65ce136215c206dfcc2de66448481057.exe | MediaCenter.exe
  PID 3060 wrote to memory of 4688 | 3060 | 0e1d2d13010af1407216e3a8a710d89e65ce136215c206dfcc2de66448481057.exe | MediaCenter.exe
  PID 3060 wrote to memory of 4688 | 3060 | 0e1d2d13010af1407216e3a8a710d89e65ce136215c206dfcc2de66448481057.exe | MediaCenter.exe
  PID 3060 wrote to memory of 4300 | 3060 | 0e1d2d13010af1407216e3a8a710d89e65ce136215c206dfcc2de66448481057.exe | cmd.exe
  PID 3060 wrote to memory of 4300 | 3060 | 0e1d2d13010af1407216e3a8a710d89e65ce136215c206dfcc2de66448481057.exe | cmd.exe
  PID 3060 wrote to memory of 4300 | 3060 | 0e1d2d13010af1407216e3a8a710d89e65ce136215c206dfcc2de66448481057.exe | cmd.exe
  PID 4300 wrote to memory of 4952 | 4300 | cmd.exe | PING.EXE
  PID 4300 wrote to memory of 4952 | 4300 | cmd.exe | PING.EXE
  PID 4300 wrote to memory of 4952 | 4300 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0e1d2d13010af1407216e3a8a710d89e65ce136215c206dfcc2de66448481057.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e1d2d13010af1407216e3a8a710d89e65ce136215c206dfcc2de66448481057.exe"
  PID: 3060
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4688
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e1d2d13010af1407216e3a8a710d89e65ce136215c206dfcc2de66448481057.exe"
    PID: 4300
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 4952
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 2788
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 2208
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: fcf196c2f40f0a17fa2a0c64ddc2244e
  SHA1: fad02376595a5af324a1986d4aa6eb5ed1c74e03
  SHA256: bf6694dfbd657dc194ed9759cac74d98548a45e203be7fd36a813bc90bfa268b
  SHA512: cecbaab2c337adfc283884567d32313a84f6e3978fe5397da4673480be7f255dff6ec3a23c92a198fde3158835b0ae0356859b3e11ea2025e629b3df47700a9b