Analysis
- max time kernel: 153s
- max time network: 171s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 07:24
Static task: static1
Behavioral task: behavioral1
- Sample: 0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe
- Resource: win10v2004-en-20220113
General
- Target: 0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe
- Size: 79KB
- MD5: f1bb11a03dc06d65a0df3a2da49d8e7b
- SHA1: 9d7bd4ea013bf34406d7bb9c500e25b29a158db0
- SHA256: 0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357
- SHA512: 638c7f384d876618b608cdd75735b8c2fa0fc94573e9b8b07f445bd6e6be224df062de7000783bcb26be9d6928092878f9b5fe692c9bd18e5de248d8b376ba86
Malware Config
Signatures
-
Sakula Payload (2 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE (1 IoC)
  pid | process
  1672 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe
Drops file in Windows directory (8 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
Enumerates physical storage devices (1 TTP, no IoCs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is the sandbox's generic description for the TTP; no specific IoC is recorded for it in this run.
Runs ping.exe (1 TTP, 1 IoC)
  pid | process | command line
  1000 | PING.EXE | ping 127.0.0.1
Suspicious use of AdjustPrivilegeToken (64 IoCs; identical rows collapsed, repeat count in parentheses)
  process | pid | tokens
  0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe | 4116 | SeIncBasePriorityPrivilege (1)
  svchost.exe | 1156 | SeShutdownPrivilege (3), SeCreatePagefilePrivilege (3)
  TiWorker.exe | 4064 | SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege, repeating in that cycle for the remaining 57 rows
Suspicious use of WriteProcessMemory (9 IoCs; each source/target pair is logged three times)
  source pid | source process | target pid | target process
  4116 | 0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe | 1672 | MediaCenter.exe
  4116 | 0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe | 4504 | cmd.exe
  4504 | cmd.exe | 1000 | PING.EXE
Processes
Three process trees were recorded. Only the first belongs to the sample: the svchost.exe (wuauserv) and TiWorker.exe trees are separate roots started by Windows Update servicing inside the sandbox, and they account for all eight "Drops file in Windows directory" writes and 63 of the 64 privilege-token rows. The sample runs as a 32-bit process on the x64 image (SysWOW64 cmd.exe, WOW6432Node Run key); it drops and launches MediaCenter.exe, registers it under the Run key, and then spawns cmd.exe, which uses ping 127.0.0.1 as a delay before deleting the original dropper with del /q, leaving only the dropped copy on disk.

- C:\Users\Admin\AppData\Local\Temp\0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe (PID 4116)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1672)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 4504)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1000)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 1156)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 4064)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
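Added detection example (editor's code, not part of the sandbox report): two rules run over constructed Sysmon-style process-creation and registry-set events modelled on the tree above. The paths, PIDs and command lines are taken from the report; the event dictionary shape, the root process's parent PID and the two benign noise events are assumptions. The first rule flags a Run/RunOnce value whose target lives in a user-writable directory (the sample's MicroMedia entry under AppData\Local\Temp); the second flags cmd.exe using the ping-then-del idiom and, when the deleted file is the parent's own image, labels it as self-deletion rather than a generic cleanup.

```python
import re

# Constructed Sysmon-style events modelled on the process tree and registry IoC in
# the report above. Paths, PIDs and command lines are taken from the report; the
# dictionary shape, the root's ppid (1) and the two benign events are assumptions.
EVENTS = [
    {"type": "proc_create", "pid": 4116, "ppid": 1,
     "image": r"C:\Users\Admin\AppData\Local\Temp\0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe"'},
    {"type": "reg_set", "pid": 4116,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"type": "proc_create", "pid": 1672, "ppid": 4116,
     "image": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"type": "proc_create", "pid": 4504, "ppid": 4116,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe"'},
    {"type": "proc_create", "pid": 1000, "ppid": 4504,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": r"ping 127.0.0.1"},
    # Constructed benign noise: a Run entry pointing into the Windows directory and a
    # cmd.exe that only pings. Neither should fire.
    {"type": "reg_set", "pid": 900,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "value": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"type": "proc_create", "pid": 901, "ppid": 1,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c ping 10.0.0.1 -n 4"},
]

# Run / RunOnce keys under either the native or the WOW6432Node view of the hive.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Locations a standard user can write to; a Run target here is persistence without admin rights.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Windows\\Temp\\|^%(TEMP|TMP|APPDATA|LOCALAPPDATA)%",
    re.IGNORECASE)
# "ping <host> ... & del ... <file>.exe": wait for the parent to exit, then delete a file.
SELF_DELETE_RE = re.compile(r'\bping\b[^&]*&\s*del\b[^"]*"?([^"]+\.exe)"?', re.IGNORECASE)


def _unquote(s):
    return s.strip().strip('"')


def detect(events):
    """Return (rule, pid, detail) tuples for Run-key persistence into user-writable
    paths and for the ping-then-del deletion idiom."""
    findings = []
    image_by_pid = {e["pid"]: e["image"] for e in events if e["type"] == "proc_create"}
    for e in events:
        if e["type"] == "reg_set" and RUN_KEY_RE.search(e["key"]):
            target = _unquote(e["value"])
            if USER_WRITABLE_RE.search(target):
                findings.append(("run_key_user_writable", e["pid"], target))
        elif e["type"] == "proc_create" and e["image"].lower().endswith("\\cmd.exe"):
            m = SELF_DELETE_RE.search(e["cmdline"])
            if m:
                target = _unquote(m.group(1))
                parent_image = image_by_pid.get(e.get("ppid"), "")
                # Deleting the parent's own image is the self-removal seen in the report.
                rule = "self_delete_parent" if target.lower() == parent_image.lower() else "ping_then_del"
                findings.append((rule, e["pid"], target))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:24} pid={pid:<6} {detail}")
```

Run against the constructed events, detect() returns exactly two findings: the Run key set by PID 4116 and the self-deletion command spawned as PID 4504. Resolving the parent's image through the process table is what separates a dropper erasing itself from ordinary scripts that happen to ping and delete; in production the same lookup would be done against Sysmon event ID 1 ParentImage rather than an in-memory dictionary.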
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 5377f4d83af579203cb7861fd1257726
  SHA1: 73dafb2875bdb014be4c7d15da77c03281ced55c
  SHA256: 36fd37de6df566a26995638382afb1a908511ebdcc35d6af1ed5e7cca680d501
  SHA512: 2a849d418d7cb2d6c7093abbef3fe9295a0edb83807ff95e3538fe09c675de87e5ef18eabc58d21c67db21dd1af4eb86d010bb1e0237ff101178587fa833a13e