Analysis
-
max time kernel
146s -
max time network
174s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 07:22
Static task
static1
Behavioral task
behavioral1
Sample
0dcc7617d7ec4f746e1b5cb02b1e96a597a7068cd91e497cd83a2762961b48fb.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0dcc7617d7ec4f746e1b5cb02b1e96a597a7068cd91e497cd83a2762961b48fb.exe
Resource
win10v2004-en-20220113
General
-
Target
0dcc7617d7ec4f746e1b5cb02b1e96a597a7068cd91e497cd83a2762961b48fb.exe
-
Size
99KB
-
MD5
939133e7cd0e61c18d74298778468292
-
SHA1
c5de948d28e018777449a9a5c60e687e707e76d4
-
SHA256
0dcc7617d7ec4f746e1b5cb02b1e96a597a7068cd91e497cd83a2762961b48fb
-
SHA512
d2de828587e08251fc6d6e48c3f5669f6446712851993c645488bbe4d873f414a61b4f739cca3061f14a955584dfadca2ef340e6f778c39f22af6bd0102b16db
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1696 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
0dcc7617d7ec4f746e1b5cb02b1e96a597a7068cd91e497cd83a2762961b48fb.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 0dcc7617d7ec4f746e1b5cb02b1e96a597a7068cd91e497cd83a2762961b48fb.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0dcc7617d7ec4f746e1b5cb02b1e96a597a7068cd91e497cd83a2762961b48fb.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0dcc7617d7ec4f746e1b5cb02b1e96a597a7068cd91e497cd83a2762961b48fb.exe -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exe0dcc7617d7ec4f746e1b5cb02b1e96a597a7068cd91e497cd83a2762961b48fb.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 1892 svchost.exe Token: SeCreatePagefilePrivilege 1892 svchost.exe Token: SeShutdownPrivilege 1892 svchost.exe Token: SeCreatePagefilePrivilege 1892 svchost.exe Token: SeShutdownPrivilege 1892 svchost.exe Token: SeCreatePagefilePrivilege 1892 svchost.exe Token: SeIncBasePriorityPrivilege 4056 0dcc7617d7ec4f746e1b5cb02b1e96a597a7068cd91e497cd83a2762961b48fb.exe Token: SeSecurityPrivilege 1428 TiWorker.exe Token: SeRestorePrivilege 1428 TiWorker.exe Token: SeBackupPrivilege 1428 TiWorker.exe Token: SeBackupPrivilege 1428 TiWorker.exe Token: SeRestorePrivilege 1428 TiWorker.exe Token: SeSecurityPrivilege 1428 TiWorker.exe Token: SeBackupPrivilege 1428 TiWorker.exe Token: SeRestorePrivilege 1428 TiWorker.exe Token: SeSecurityPrivilege 1428 TiWorker.exe Token: SeBackupPrivilege 1428 TiWorker.exe Token: SeRestorePrivilege 1428 TiWorker.exe Token: SeSecurityPrivilege 1428 TiWorker.exe Token: SeBackupPrivilege 1428 TiWorker.exe Token: SeRestorePrivilege 1428 TiWorker.exe Token: SeSecurityPrivilege 1428 TiWorker.exe Token: SeBackupPrivilege 1428 TiWorker.exe Token: SeRestorePrivilege 1428 TiWorker.exe Token: SeSecurityPrivilege 1428 TiWorker.exe Token: SeBackupPrivilege 1428 TiWorker.exe Token: SeRestorePrivilege 1428 TiWorker.exe Token: SeSecurityPrivilege 1428 TiWorker.exe Token: SeBackupPrivilege 1428 TiWorker.exe Token: SeRestorePrivilege 1428 TiWorker.exe Token: SeSecurityPrivilege 1428 TiWorker.exe Token: SeBackupPrivilege 1428 TiWorker.exe Token: SeRestorePrivilege 1428 TiWorker.exe Token: SeSecurityPrivilege 1428 TiWorker.exe Token: SeBackupPrivilege 1428 TiWorker.exe Token: SeRestorePrivilege 1428 TiWorker.exe Token: SeSecurityPrivilege 1428 TiWorker.exe Token: SeBackupPrivilege 1428 TiWorker.exe Token: SeRestorePrivilege 1428 TiWorker.exe Token: SeSecurityPrivilege 1428 TiWorker.exe Token: SeBackupPrivilege 1428 TiWorker.exe Token: SeRestorePrivilege 1428 TiWorker.exe Token: SeSecurityPrivilege 1428 TiWorker.exe Token: SeBackupPrivilege 1428 TiWorker.exe Token: SeRestorePrivilege 1428 TiWorker.exe Token: SeSecurityPrivilege 1428 TiWorker.exe Token: SeBackupPrivilege 1428 TiWorker.exe Token: SeRestorePrivilege 1428 TiWorker.exe Token: SeSecurityPrivilege 1428 TiWorker.exe Token: SeBackupPrivilege 1428 TiWorker.exe Token: SeRestorePrivilege 1428 TiWorker.exe Token: SeSecurityPrivilege 1428 TiWorker.exe Token: SeBackupPrivilege 1428 TiWorker.exe Token: SeRestorePrivilege 1428 TiWorker.exe Token: SeSecurityPrivilege 1428 TiWorker.exe Token: SeBackupPrivilege 1428 TiWorker.exe Token: SeRestorePrivilege 1428 TiWorker.exe Token: SeSecurityPrivilege 1428 TiWorker.exe Token: SeBackupPrivilege 1428 TiWorker.exe Token: SeRestorePrivilege 1428 TiWorker.exe Token: SeSecurityPrivilege 1428 TiWorker.exe Token: SeBackupPrivilege 1428 TiWorker.exe Token: SeRestorePrivilege 1428 TiWorker.exe Token: SeSecurityPrivilege 1428 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
0dcc7617d7ec4f746e1b5cb02b1e96a597a7068cd91e497cd83a2762961b48fb.execmd.exedescription pid process target process PID 4056 wrote to memory of 1696 4056 0dcc7617d7ec4f746e1b5cb02b1e96a597a7068cd91e497cd83a2762961b48fb.exe MediaCenter.exe PID 4056 wrote to memory of 1696 4056 0dcc7617d7ec4f746e1b5cb02b1e96a597a7068cd91e497cd83a2762961b48fb.exe MediaCenter.exe PID 4056 wrote to memory of 1696 4056 0dcc7617d7ec4f746e1b5cb02b1e96a597a7068cd91e497cd83a2762961b48fb.exe MediaCenter.exe PID 4056 wrote to memory of 604 4056 0dcc7617d7ec4f746e1b5cb02b1e96a597a7068cd91e497cd83a2762961b48fb.exe cmd.exe PID 4056 wrote to memory of 604 4056 0dcc7617d7ec4f746e1b5cb02b1e96a597a7068cd91e497cd83a2762961b48fb.exe cmd.exe PID 4056 wrote to memory of 604 4056 0dcc7617d7ec4f746e1b5cb02b1e96a597a7068cd91e497cd83a2762961b48fb.exe cmd.exe PID 604 wrote to memory of 3632 604 cmd.exe PING.EXE PID 604 wrote to memory of 3632 604 cmd.exe PING.EXE PID 604 wrote to memory of 3632 604 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0dcc7617d7ec4f746e1b5cb02b1e96a597a7068cd91e497cd83a2762961b48fb.exe"C:\Users\Admin\AppData\Local\Temp\0dcc7617d7ec4f746e1b5cb02b1e96a597a7068cd91e497cd83a2762961b48fb.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0dcc7617d7ec4f746e1b5cb02b1e96a597a7068cd91e497cd83a2762961b48fb.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:604 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:3632
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1892
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1428
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
8d59ff5d48e0fe2322514f2aad764e7e
SHA1770ef6553492ac88519a7b2995d3adbd61400a24
SHA256e5b02d7c9f4409633a867e8a74c776e48ed43be1498e8082972fa476b664f6c5
SHA51246703c5bfad486918b9a8d9a7224854b0e708f8a03076e4c9642db582f3f6979c989c4acf6b5227699f69e579ba395d30d6a24afaa58d2a3efbfbd38048c2263
-
MD5
8d59ff5d48e0fe2322514f2aad764e7e
SHA1770ef6553492ac88519a7b2995d3adbd61400a24
SHA256e5b02d7c9f4409633a867e8a74c776e48ed43be1498e8082972fa476b664f6c5
SHA51246703c5bfad486918b9a8d9a7224854b0e708f8a03076e4c9642db582f3f6979c989c4acf6b5227699f69e579ba395d30d6a24afaa58d2a3efbfbd38048c2263