Analysis
max time kernel: 156s
max time network: 170s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 07:24
Static task: static1
Behavioral task: behavioral1
  Sample: 0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad.exe
  Resource: win10v2004-en-20220113
General
Target: 0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad.exe
Size: 99KB
MD5: d2616dfac129f2af6b893987fb787584
SHA1: 3b2ada756586062e3144696b9fed16bf65e30697
SHA256: 0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad
SHA512: 057f1c2d8ec830f875122dc5700bd1d2cc5ad5804a1c9d7fdf043a56425b80da2c5d9226afb9e055d8800a9d8ddde1d8a8de9c3d9088fe575b9ed71365b5d0a9
Malware Config
Signatures

Sakula Payload (2 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  3628 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad.exe
Drops file in Windows directory (8 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 1376 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1376 | svchost.exe
  Token: SeShutdownPrivilege | 1376 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1376 | svchost.exe
  Token: SeShutdownPrivilege | 1376 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1376 | svchost.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
  Token: SeRestorePrivilege | 2092 | TiWorker.exe
  Token: SeSecurityPrivilege | 2092 | TiWorker.exe
  Token: SeBackupPrivilege | 2092 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description | pid | process | target process
  PID 4472 wrote to memory of 3628 | 4472 | 0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad.exe | MediaCenter.exe
  PID 4472 wrote to memory of 3628 | 4472 | 0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad.exe | MediaCenter.exe
  PID 4472 wrote to memory of 3628 | 4472 | 0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad.exe | MediaCenter.exe
  PID 4472 wrote to memory of 4528 | 4472 | 0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad.exe | cmd.exe
  PID 4472 wrote to memory of 4528 | 4472 | 0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad.exe | cmd.exe
  PID 4472 wrote to memory of 4528 | 4472 | 0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad.exe | cmd.exe
  PID 4528 wrote to memory of 4264 | 4528 | cmd.exe | PING.EXE
  PID 4528 wrote to memory of 4264 | 4528 | cmd.exe | PING.EXE
  PID 4528 wrote to memory of 4264 | 4528 | cmd.exe | PING.EXE
Processes
  C:\Users\Admin\AppData\Local\Temp\0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad.exe"
    PID: 4472
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 3628
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad.exe"
      PID: 4528
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\PING.EXE
        command line: ping 127.0.0.1
        PID: 4264
        - Runs ping.exe
  C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    PID: 1376
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    PID: 2092
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: ee594271984c4e1b517474726b03c385
SHA1: f861126e7c1549e1d36d8e812a37f92ee0df88c5
SHA256: fb8ad7dce28bc6cc4d3524b9c529d2d6c68071a9d893e05ac01771aeec81d2c9
SHA512: 278e899d9d56f43a4476b192dd488227d5ce9cfc3a9df4601b35688a214c3566d8e438979dcf7fa7280c59d0e4d0fad93431e25147b938323160abdd2b9eb4eb