Analysis
- max time kernel: 145s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 07:21
Static task: static1
Behavioral task: behavioral1
- Sample: 0dd2f95ab33eeccb4d6d4485f499ed32aa76ef2dd36d56d75d47aa4943cd340e.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0dd2f95ab33eeccb4d6d4485f499ed32aa76ef2dd36d56d75d47aa4943cd340e.exe
- Resource: win10v2004-en-20220113
General
- Target: 0dd2f95ab33eeccb4d6d4485f499ed32aa76ef2dd36d56d75d47aa4943cd340e.exe
- Size: 216KB
- MD5: 98f065347843bde16fb0c96042555b63
- SHA1: 726e024f15cb8f4cb4d2602c20f3056ffbe485cb
- SHA256: 0dd2f95ab33eeccb4d6d4485f499ed32aa76ef2dd36d56d75d47aa4943cd340e
- SHA512: f655eb49c0eb6dc6ae85ff896bf20eccc33bcfbad06734fc28ecafb29522d13f4859c9a9a610e392587ce11de32e0e042e8f860076394bc35333cdac46a00bf8
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral2/memory/5040-135-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral2/memory/3904-136-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  3904 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0dd2f95ab33eeccb4d6d4485f499ed32aa76ef2dd36d56d75d47aa4943cd340e.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0dd2f95ab33eeccb4d6d4485f499ed32aa76ef2dd36d56d75d47aa4943cd340e.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 4436 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4436 | svchost.exe
  Token: SeShutdownPrivilege | 4436 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4436 | svchost.exe
  Token: SeShutdownPrivilege | 4436 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4436 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 5040 | 0dd2f95ab33eeccb4d6d4485f499ed32aa76ef2dd36d56d75d47aa4943cd340e.exe
  Token: SeSecurityPrivilege | 2952 | TiWorker.exe
  Token: SeRestorePrivilege | 2952 | TiWorker.exe
  Token: SeBackupPrivilege | 2952 | TiWorker.exe
  Token: SeBackupPrivilege | 2952 | TiWorker.exe
  Token: SeRestorePrivilege | 2952 | TiWorker.exe
  Token: SeSecurityPrivilege | 2952 | TiWorker.exe
  Token: SeBackupPrivilege | 2952 | TiWorker.exe
  Token: SeRestorePrivilege | 2952 | TiWorker.exe
  Token: SeSecurityPrivilege | 2952 | TiWorker.exe
  Token: SeBackupPrivilege | 2952 | TiWorker.exe
  Token: SeRestorePrivilege | 2952 | TiWorker.exe
  Token: SeSecurityPrivilege | 2952 | TiWorker.exe
  Token: SeBackupPrivilege | 2952 | TiWorker.exe
  Token: SeRestorePrivilege | 2952 | TiWorker.exe
  Token: SeSecurityPrivilege | 2952 | TiWorker.exe
  Token: SeBackupPrivilege | 2952 | TiWorker.exe
  Token: SeRestorePrivilege | 2952 | TiWorker.exe
  Token: SeSecurityPrivilege | 2952 | TiWorker.exe
  Token: SeBackupPrivilege | 2952 | TiWorker.exe
  Token: SeRestorePrivilege | 2952 | TiWorker.exe
  Token: SeSecurityPrivilege | 2952 | TiWorker.exe
  Token: SeBackupPrivilege | 2952 | TiWorker.exe
  Token: SeRestorePrivilege | 2952 | TiWorker.exe
  Token: SeSecurityPrivilege | 2952 | TiWorker.exe
  Token: SeBackupPrivilege | 2952 | TiWorker.exe
  Token: SeRestorePrivilege | 2952 | TiWorker.exe
  Token: SeSecurityPrivilege | 2952 | TiWorker.exe
  Token: SeBackupPrivilege | 2952 | TiWorker.exe
  Token: SeRestorePrivilege | 2952 | TiWorker.exe
  Token: SeSecurityPrivilege | 2952 | TiWorker.exe
  Token: SeBackupPrivilege | 2952 | TiWorker.exe
  Token: SeRestorePrivilege | 2952 | TiWorker.exe
  Token: SeSecurityPrivilege | 2952 | TiWorker.exe
  Token: SeBackupPrivilege | 2952 | TiWorker.exe
  Token: SeRestorePrivilege | 2952 | TiWorker.exe
  Token: SeSecurityPrivilege | 2952 | TiWorker.exe
  Token: SeBackupPrivilege | 2952 | TiWorker.exe
  Token: SeRestorePrivilege | 2952 | TiWorker.exe
  Token: SeSecurityPrivilege | 2952 | TiWorker.exe
  Token: SeBackupPrivilege | 2952 | TiWorker.exe
  Token: SeRestorePrivilege | 2952 | TiWorker.exe
  Token: SeSecurityPrivilege | 2952 | TiWorker.exe
  Token: SeBackupPrivilege | 2952 | TiWorker.exe
  Token: SeRestorePrivilege | 2952 | TiWorker.exe
  Token: SeSecurityPrivilege | 2952 | TiWorker.exe
  Token: SeBackupPrivilege | 2952 | TiWorker.exe
  Token: SeRestorePrivilege | 2952 | TiWorker.exe
  Token: SeSecurityPrivilege | 2952 | TiWorker.exe
  Token: SeBackupPrivilege | 2952 | TiWorker.exe
  Token: SeRestorePrivilege | 2952 | TiWorker.exe
  Token: SeSecurityPrivilege | 2952 | TiWorker.exe
  Token: SeBackupPrivilege | 2952 | TiWorker.exe
  Token: SeRestorePrivilege | 2952 | TiWorker.exe
  Token: SeSecurityPrivilege | 2952 | TiWorker.exe
  Token: SeBackupPrivilege | 2952 | TiWorker.exe
  Token: SeRestorePrivilege | 2952 | TiWorker.exe
  Token: SeSecurityPrivilege | 2952 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 5040 wrote to memory of 3904 | 5040 | 0dd2f95ab33eeccb4d6d4485f499ed32aa76ef2dd36d56d75d47aa4943cd340e.exe | MediaCenter.exe
  PID 5040 wrote to memory of 3904 | 5040 | 0dd2f95ab33eeccb4d6d4485f499ed32aa76ef2dd36d56d75d47aa4943cd340e.exe | MediaCenter.exe
  PID 5040 wrote to memory of 3904 | 5040 | 0dd2f95ab33eeccb4d6d4485f499ed32aa76ef2dd36d56d75d47aa4943cd340e.exe | MediaCenter.exe
  PID 5040 wrote to memory of 3568 | 5040 | 0dd2f95ab33eeccb4d6d4485f499ed32aa76ef2dd36d56d75d47aa4943cd340e.exe | cmd.exe
  PID 5040 wrote to memory of 3568 | 5040 | 0dd2f95ab33eeccb4d6d4485f499ed32aa76ef2dd36d56d75d47aa4943cd340e.exe | cmd.exe
  PID 5040 wrote to memory of 3568 | 5040 | 0dd2f95ab33eeccb4d6d4485f499ed32aa76ef2dd36d56d75d47aa4943cd340e.exe | cmd.exe
  PID 3568 wrote to memory of 4992 | 3568 | cmd.exe | PING.EXE
  PID 3568 wrote to memory of 4992 | 3568 | cmd.exe | PING.EXE
  PID 3568 wrote to memory of 4992 | 3568 | cmd.exe | PING.EXE
Processes
- (level 1) C:\Users\Admin\AppData\Local\Temp\0dd2f95ab33eeccb4d6d4485f499ed32aa76ef2dd36d56d75d47aa4943cd340e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0dd2f95ab33eeccb4d6d4485f499ed32aa76ef2dd36d56d75d47aa4943cd340e.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 5040
  - (level 2) C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 3904
  - (level 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0dd2f95ab33eeccb4d6d4485f499ed32aa76ef2dd36d56d75d47aa4943cd340e.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3568
    - (level 3) C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 4992
- (level 1) C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4436
- (level 1) C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2952
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 54f6a30dd6ba11cd44bfad13953cd257
  SHA1: 6c80376c8125c7f87c4d4a7e17f3d35c4a8541b8
  SHA256: 1a5dff2358204161e64d881b5e9502eaf7cf15b82dc578675c938461e0f6335a
  SHA512: ed0c4d39fce0587f9e17aca8ddbc44574cace3f58740c36db9a53a188b5f91428e02c7bd42feacd8c804949cbe636fdeca2e7dac43310765d43e806351386262