Analysis
- max time kernel: 158s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 07:21
Static task: static1

Behavioral task: behavioral1
  Sample: 0dd1c4d21c6eb074ec6b28bda0273679a0a7d070f2ec882ca273821adf182420.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 0dd1c4d21c6eb074ec6b28bda0273679a0a7d070f2ec882ca273821adf182420.exe
  Resource: win10v2004-en-20220113
General
- Target: 0dd1c4d21c6eb074ec6b28bda0273679a0a7d070f2ec882ca273821adf182420.exe
- Size: 176KB
- MD5: ab6aeafd080e5e9dc4100419d49b06b8
- SHA1: f5d7f1cc5c2acd48c5a2dbf27a99670f8a43c6ee
- SHA256: 0dd1c4d21c6eb074ec6b28bda0273679a0a7d070f2ec882ca273821adf182420
- SHA512: dca4b279fa04fe69eed846199fa8867bc90d30d5952110c9d04213022371b4298ef87e436399c0a1fe75aea3fadb0ae3e275b146adfcbdd24dd49b2084af71a6
Malware Config
Signatures

Sakula Payload (4 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
behavioral2/memory/3256-135-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
behavioral2/memory/4548-136-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
Executes dropped EXE (1 IoCs)
Processes: MediaCenter.exe
pid | process
4548 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 0dd1c4d21c6eb074ec6b28bda0273679a0a7d070f2ec882ca273821adf182420.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0dd1c4d21c6eb074ec6b28bda0273679a0a7d070f2ec882ca273821adf182420.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: 0dd1c4d21c6eb074ec6b28bda0273679a0a7d070f2ec882ca273821adf182420.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0dd1c4d21c6eb074ec6b28bda0273679a0a7d070f2ec882ca273821adf182420.exe
Drops file in Windows directory (8 IoCs)
Processes: svchost.exe, TiWorker.exe
description | ioc | process
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: svchost.exe, 0dd1c4d21c6eb074ec6b28bda0273679a0a7d070f2ec882ca273821adf182420.exe, TiWorker.exe
description | pid | process
Token: SeShutdownPrivilege | 992 | svchost.exe
Token: SeCreatePagefilePrivilege | 992 | svchost.exe
Token: SeShutdownPrivilege | 992 | svchost.exe
Token: SeCreatePagefilePrivilege | 992 | svchost.exe
Token: SeShutdownPrivilege | 992 | svchost.exe
Token: SeCreatePagefilePrivilege | 992 | svchost.exe
Token: SeIncBasePriorityPrivilege | 3256 | 0dd1c4d21c6eb074ec6b28bda0273679a0a7d070f2ec882ca273821adf182420.exe
Token: SeSecurityPrivilege | 3928 | TiWorker.exe
Token: SeRestorePrivilege | 3928 | TiWorker.exe
Token: SeBackupPrivilege | 3928 | TiWorker.exe
Token: SeBackupPrivilege | 3928 | TiWorker.exe
Token: SeRestorePrivilege | 3928 | TiWorker.exe
Token: SeSecurityPrivilege | 3928 | TiWorker.exe
Token: SeBackupPrivilege | 3928 | TiWorker.exe
Token: SeRestorePrivilege | 3928 | TiWorker.exe
Token: SeSecurityPrivilege | 3928 | TiWorker.exe
Token: SeBackupPrivilege | 3928 | TiWorker.exe
Token: SeRestorePrivilege | 3928 | TiWorker.exe
Token: SeSecurityPrivilege | 3928 | TiWorker.exe
Token: SeBackupPrivilege | 3928 | TiWorker.exe
Token: SeRestorePrivilege | 3928 | TiWorker.exe
Token: SeSecurityPrivilege | 3928 | TiWorker.exe
Token: SeBackupPrivilege | 3928 | TiWorker.exe
Token: SeRestorePrivilege | 3928 | TiWorker.exe
Token: SeSecurityPrivilege | 3928 | TiWorker.exe
Token: SeBackupPrivilege | 3928 | TiWorker.exe
Token: SeRestorePrivilege | 3928 | TiWorker.exe
Token: SeSecurityPrivilege | 3928 | TiWorker.exe
Token: SeBackupPrivilege | 3928 | TiWorker.exe
Token: SeRestorePrivilege | 3928 | TiWorker.exe
Token: SeSecurityPrivilege | 3928 | TiWorker.exe
Token: SeBackupPrivilege | 3928 | TiWorker.exe
Token: SeRestorePrivilege | 3928 | TiWorker.exe
Token: SeSecurityPrivilege | 3928 | TiWorker.exe
Token: SeBackupPrivilege | 3928 | TiWorker.exe
Token: SeRestorePrivilege | 3928 | TiWorker.exe
Token: SeSecurityPrivilege | 3928 | TiWorker.exe
Token: SeBackupPrivilege | 3928 | TiWorker.exe
Token: SeRestorePrivilege | 3928 | TiWorker.exe
Token: SeSecurityPrivilege | 3928 | TiWorker.exe
Token: SeBackupPrivilege | 3928 | TiWorker.exe
Token: SeRestorePrivilege | 3928 | TiWorker.exe
Token: SeSecurityPrivilege | 3928 | TiWorker.exe
Token: SeBackupPrivilege | 3928 | TiWorker.exe
Token: SeRestorePrivilege | 3928 | TiWorker.exe
Token: SeSecurityPrivilege | 3928 | TiWorker.exe
Token: SeBackupPrivilege | 3928 | TiWorker.exe
Token: SeRestorePrivilege | 3928 | TiWorker.exe
Token: SeSecurityPrivilege | 3928 | TiWorker.exe
Token: SeBackupPrivilege | 3928 | TiWorker.exe
Token: SeRestorePrivilege | 3928 | TiWorker.exe
Token: SeSecurityPrivilege | 3928 | TiWorker.exe
Token: SeBackupPrivilege | 3928 | TiWorker.exe
Token: SeRestorePrivilege | 3928 | TiWorker.exe
Token: SeSecurityPrivilege | 3928 | TiWorker.exe
Token: SeBackupPrivilege | 3928 | TiWorker.exe
Token: SeRestorePrivilege | 3928 | TiWorker.exe
Token: SeSecurityPrivilege | 3928 | TiWorker.exe
Token: SeBackupPrivilege | 3928 | TiWorker.exe
Token: SeRestorePrivilege | 3928 | TiWorker.exe
Token: SeSecurityPrivilege | 3928 | TiWorker.exe
Token: SeBackupPrivilege | 3928 | TiWorker.exe
Token: SeRestorePrivilege | 3928 | TiWorker.exe
Token: SeSecurityPrivilege | 3928 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 0dd1c4d21c6eb074ec6b28bda0273679a0a7d070f2ec882ca273821adf182420.exe, cmd.exe
description | pid | process | target process
PID 3256 wrote to memory of 4548 | 3256 | 0dd1c4d21c6eb074ec6b28bda0273679a0a7d070f2ec882ca273821adf182420.exe | MediaCenter.exe
PID 3256 wrote to memory of 4548 | 3256 | 0dd1c4d21c6eb074ec6b28bda0273679a0a7d070f2ec882ca273821adf182420.exe | MediaCenter.exe
PID 3256 wrote to memory of 4548 | 3256 | 0dd1c4d21c6eb074ec6b28bda0273679a0a7d070f2ec882ca273821adf182420.exe | MediaCenter.exe
PID 3256 wrote to memory of 3856 | 3256 | 0dd1c4d21c6eb074ec6b28bda0273679a0a7d070f2ec882ca273821adf182420.exe | cmd.exe
PID 3256 wrote to memory of 3856 | 3256 | 0dd1c4d21c6eb074ec6b28bda0273679a0a7d070f2ec882ca273821adf182420.exe | cmd.exe
PID 3256 wrote to memory of 3856 | 3256 | 0dd1c4d21c6eb074ec6b28bda0273679a0a7d070f2ec882ca273821adf182420.exe | cmd.exe
PID 3856 wrote to memory of 1792 | 3856 | cmd.exe | PING.EXE
PID 3856 wrote to memory of 1792 | 3856 | cmd.exe | PING.EXE
PID 3856 wrote to memory of 1792 | 3856 | cmd.exe | PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\0dd1c4d21c6eb074ec6b28bda0273679a0a7d070f2ec882ca273821adf182420.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0dd1c4d21c6eb074ec6b28bda0273679a0a7d070f2ec882ca273821adf182420.exe"
  PID: 3256
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 4548
      - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0dd1c4d21c6eb074ec6b28bda0273679a0a7d070f2ec882ca273821adf182420.exe"
      PID: 3856
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          PID: 1792
          - Runs ping.exe

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 992
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3928
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 3c01e4d18ef3f6e8dc4c3b1bfe2cde3b
- SHA1: be5fcbd987ffb045707f9d06ca66396e82640548
- SHA256: ff91c2bd92f0cec755b0121a856c415d60755376ecec42174b82e9ddddd116b5
- SHA512: 4dccc5f7bc8612e91196d240a5ee8d821ececaa4b2ef974c83b9375525b09a8482072df9afe13dc0c8d07f098211804a845368b9b60458f78b26bdcabf0fbb82