Analysis
- max time kernel: 135s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 07:20

Static task: static1

Behavioral task: behavioral1
  Sample: 0dd9df1713a7adb825dbf06f1490b2df42ad96aab773252cf1eee702f0df9109.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 0dd9df1713a7adb825dbf06f1490b2df42ad96aab773252cf1eee702f0df9109.exe
  Resource: win10v2004-en-20220113
General
- Target: 0dd9df1713a7adb825dbf06f1490b2df42ad96aab773252cf1eee702f0df9109.exe
- Size: 192KB
- MD5: 1ed60c481ca02688c177e3cc73dfd992
- SHA1: b30a662f49386fe9406f34a08bffb8940f95f5fd
- SHA256: 0dd9df1713a7adb825dbf06f1490b2df42ad96aab773252cf1eee702f0df9109
- SHA512: c292e82482910ec0f4071af036d1a468d8a56d802f114050afa6f560b92b0c0cd5d98240f02314e84851526b7cc4b6137914a91949cfb18ea4d1bf2325779b21
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    1748 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0dd9df1713a7adb825dbf06f1490b2df42ad96aab773252cf1eee702f0df9109.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0dd9df1713a7adb825dbf06f1490b2df42ad96aab773252cf1eee702f0df9109.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
    File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
    File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
    File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    description | pid | process
    Token: SeShutdownPrivilege | 2280 | svchost.exe
    Token: SeCreatePagefilePrivilege | 2280 | svchost.exe
    Token: SeShutdownPrivilege | 2280 | svchost.exe
    Token: SeCreatePagefilePrivilege | 2280 | svchost.exe
    Token: SeShutdownPrivilege | 2280 | svchost.exe
    Token: SeCreatePagefilePrivilege | 2280 | svchost.exe
    Token: SeSecurityPrivilege | 2200 | TiWorker.exe
    Token: SeRestorePrivilege | 2200 | TiWorker.exe
    Token: SeBackupPrivilege | 2200 | TiWorker.exe
    Token: SeIncBasePriorityPrivilege | 3448 | 0dd9df1713a7adb825dbf06f1490b2df42ad96aab773252cf1eee702f0df9109.exe
    Token: SeBackupPrivilege | 2200 | TiWorker.exe
    Token: SeRestorePrivilege | 2200 | TiWorker.exe
    Token: SeSecurityPrivilege | 2200 | TiWorker.exe
    Token: SeBackupPrivilege | 2200 | TiWorker.exe
    Token: SeRestorePrivilege | 2200 | TiWorker.exe
    Token: SeSecurityPrivilege | 2200 | TiWorker.exe
    Token: SeBackupPrivilege | 2200 | TiWorker.exe
    Token: SeRestorePrivilege | 2200 | TiWorker.exe
    Token: SeSecurityPrivilege | 2200 | TiWorker.exe
    Token: SeBackupPrivilege | 2200 | TiWorker.exe
    Token: SeRestorePrivilege | 2200 | TiWorker.exe
    Token: SeSecurityPrivilege | 2200 | TiWorker.exe
    Token: SeBackupPrivilege | 2200 | TiWorker.exe
    Token: SeRestorePrivilege | 2200 | TiWorker.exe
    Token: SeSecurityPrivilege | 2200 | TiWorker.exe
    Token: SeBackupPrivilege | 2200 | TiWorker.exe
    Token: SeRestorePrivilege | 2200 | TiWorker.exe
    Token: SeSecurityPrivilege | 2200 | TiWorker.exe
    Token: SeBackupPrivilege | 2200 | TiWorker.exe
    Token: SeRestorePrivilege | 2200 | TiWorker.exe
    Token: SeSecurityPrivilege | 2200 | TiWorker.exe
    Token: SeBackupPrivilege | 2200 | TiWorker.exe
    Token: SeRestorePrivilege | 2200 | TiWorker.exe
    Token: SeSecurityPrivilege | 2200 | TiWorker.exe
    Token: SeBackupPrivilege | 2200 | TiWorker.exe
    Token: SeRestorePrivilege | 2200 | TiWorker.exe
    Token: SeSecurityPrivilege | 2200 | TiWorker.exe
    Token: SeBackupPrivilege | 2200 | TiWorker.exe
    Token: SeRestorePrivilege | 2200 | TiWorker.exe
    Token: SeSecurityPrivilege | 2200 | TiWorker.exe
    Token: SeBackupPrivilege | 2200 | TiWorker.exe
    Token: SeRestorePrivilege | 2200 | TiWorker.exe
    Token: SeSecurityPrivilege | 2200 | TiWorker.exe
    Token: SeBackupPrivilege | 2200 | TiWorker.exe
    Token: SeRestorePrivilege | 2200 | TiWorker.exe
    Token: SeSecurityPrivilege | 2200 | TiWorker.exe
    Token: SeBackupPrivilege | 2200 | TiWorker.exe
    Token: SeRestorePrivilege | 2200 | TiWorker.exe
    Token: SeSecurityPrivilege | 2200 | TiWorker.exe
    Token: SeBackupPrivilege | 2200 | TiWorker.exe
    Token: SeRestorePrivilege | 2200 | TiWorker.exe
    Token: SeSecurityPrivilege | 2200 | TiWorker.exe
    Token: SeBackupPrivilege | 2200 | TiWorker.exe
    Token: SeRestorePrivilege | 2200 | TiWorker.exe
    Token: SeSecurityPrivilege | 2200 | TiWorker.exe
    Token: SeBackupPrivilege | 2200 | TiWorker.exe
    Token: SeRestorePrivilege | 2200 | TiWorker.exe
    Token: SeSecurityPrivilege | 2200 | TiWorker.exe
    Token: SeBackupPrivilege | 2200 | TiWorker.exe
    Token: SeRestorePrivilege | 2200 | TiWorker.exe
    Token: SeSecurityPrivilege | 2200 | TiWorker.exe
    Token: SeBackupPrivilege | 2200 | TiWorker.exe
    Token: SeRestorePrivilege | 2200 | TiWorker.exe
    Token: SeSecurityPrivilege | 2200 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description | pid | process | target process
    PID 3448 wrote to memory of 1748 | 3448 | 0dd9df1713a7adb825dbf06f1490b2df42ad96aab773252cf1eee702f0df9109.exe | MediaCenter.exe
    PID 3448 wrote to memory of 1748 | 3448 | 0dd9df1713a7adb825dbf06f1490b2df42ad96aab773252cf1eee702f0df9109.exe | MediaCenter.exe
    PID 3448 wrote to memory of 1748 | 3448 | 0dd9df1713a7adb825dbf06f1490b2df42ad96aab773252cf1eee702f0df9109.exe | MediaCenter.exe
    PID 3448 wrote to memory of 540 | 3448 | 0dd9df1713a7adb825dbf06f1490b2df42ad96aab773252cf1eee702f0df9109.exe | cmd.exe
    PID 3448 wrote to memory of 540 | 3448 | 0dd9df1713a7adb825dbf06f1490b2df42ad96aab773252cf1eee702f0df9109.exe | cmd.exe
    PID 3448 wrote to memory of 540 | 3448 | 0dd9df1713a7adb825dbf06f1490b2df42ad96aab773252cf1eee702f0df9109.exe | cmd.exe
    PID 540 wrote to memory of 2352 | 540 | cmd.exe | PING.EXE
    PID 540 wrote to memory of 2352 | 540 | cmd.exe | PING.EXE
    PID 540 wrote to memory of 2352 | 540 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0dd9df1713a7adb825dbf06f1490b2df42ad96aab773252cf1eee702f0df9109.exe (PID 3448)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0dd9df1713a7adb825dbf06f1490b2df42ad96aab773252cf1eee702f0df9109.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1748)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 540)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0dd9df1713a7adb825dbf06f1490b2df42ad96aab773252cf1eee702f0df9109.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 2352)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 2280)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 2200)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 0755f6b1c814be85741da115132d4a14
  SHA1: abd99ed3d3d8d63faa7931099293e0b9a2922106
  SHA256: 0eaa367f3ec4b1089b971edb68a7eaf8ac3f1b5cbcc2a2450bacafeaf10ee998
  SHA512: 1a948feb37a7d9fdc9cecb86937e975618d3e1ddabae6469eeef580dfb8f1952942aa66aeb984d6d9672d6560dce6724b4828055524cc41e9e83a8a44a443d48
- MD5: 0755f6b1c814be85741da115132d4a14
  SHA1: abd99ed3d3d8d63faa7931099293e0b9a2922106
  SHA256: 0eaa367f3ec4b1089b971edb68a7eaf8ac3f1b5cbcc2a2450bacafeaf10ee998
  SHA512: 1a948feb37a7d9fdc9cecb86937e975618d3e1ddabae6469eeef580dfb8f1952942aa66aeb984d6d9672d6560dce6724b4828055524cc41e9e83a8a44a443d48