Analysis
- max time kernel: 128s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 07:25
Static task: static1
Behavioral task: behavioral1
  Sample: 0da1e0a437614c47ffa88b209eacb132d749de87911d739f9f952e1902e9c6f1.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0da1e0a437614c47ffa88b209eacb132d749de87911d739f9f952e1902e9c6f1.exe
  Resource: win10v2004-en-20220113
General
- Target: 0da1e0a437614c47ffa88b209eacb132d749de87911d739f9f952e1902e9c6f1.exe
- Size: 79KB
- MD5: afdf7b10573b9b64552217161c12b49e
- SHA1: eadde779cce61de777ed61389e7a3f9f542e119e
- SHA256: 0da1e0a437614c47ffa88b209eacb132d749de87911d739f9f952e1902e9c6f1
- SHA512: a36559e3a1a1c602b7ba28c332d0861d482823d4440c76a827e4fb6e2ea2d9d87e5708200251ab188b002c6fe3a83b8811ff13411c13e66d17a9749018a5d8f0
Malware Config
Signatures
-
Sakula Payload (2 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  3512 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0da1e0a437614c47ffa88b209eacb132d749de87911d739f9f952e1902e9c6f1.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0da1e0a437614c47ffa88b209eacb132d749de87911d739f9f952e1902e9c6f1.exe
Drops file in Windows directory (8 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 928 | svchost.exe
  Token: SeCreatePagefilePrivilege | 928 | svchost.exe
  Token: SeShutdownPrivilege | 928 | svchost.exe
  Token: SeCreatePagefilePrivilege | 928 | svchost.exe
  Token: SeShutdownPrivilege | 928 | svchost.exe
  Token: SeCreatePagefilePrivilege | 928 | svchost.exe
  Token: SeSecurityPrivilege | 4836 | TiWorker.exe
  Token: SeRestorePrivilege | 4836 | TiWorker.exe
  Token: SeBackupPrivilege | 4836 | TiWorker.exe
  Token: SeIncBasePriorityPrivilege | 3216 | 0da1e0a437614c47ffa88b209eacb132d749de87911d739f9f952e1902e9c6f1.exe
  Token: SeBackupPrivilege | 4836 | TiWorker.exe
  Token: SeRestorePrivilege | 4836 | TiWorker.exe
  Token: SeSecurityPrivilege | 4836 | TiWorker.exe
  Token: SeBackupPrivilege | 4836 | TiWorker.exe
  Token: SeRestorePrivilege | 4836 | TiWorker.exe
  Token: SeSecurityPrivilege | 4836 | TiWorker.exe
  Token: SeBackupPrivilege | 4836 | TiWorker.exe
  Token: SeRestorePrivilege | 4836 | TiWorker.exe
  Token: SeSecurityPrivilege | 4836 | TiWorker.exe
  Token: SeBackupPrivilege | 4836 | TiWorker.exe
  Token: SeRestorePrivilege | 4836 | TiWorker.exe
  Token: SeSecurityPrivilege | 4836 | TiWorker.exe
  Token: SeBackupPrivilege | 4836 | TiWorker.exe
  Token: SeRestorePrivilege | 4836 | TiWorker.exe
  Token: SeSecurityPrivilege | 4836 | TiWorker.exe
  Token: SeBackupPrivilege | 4836 | TiWorker.exe
  Token: SeRestorePrivilege | 4836 | TiWorker.exe
  Token: SeSecurityPrivilege | 4836 | TiWorker.exe
  Token: SeBackupPrivilege | 4836 | TiWorker.exe
  Token: SeRestorePrivilege | 4836 | TiWorker.exe
  Token: SeSecurityPrivilege | 4836 | TiWorker.exe
  Token: SeBackupPrivilege | 4836 | TiWorker.exe
  Token: SeRestorePrivilege | 4836 | TiWorker.exe
  Token: SeSecurityPrivilege | 4836 | TiWorker.exe
  Token: SeBackupPrivilege | 4836 | TiWorker.exe
  Token: SeRestorePrivilege | 4836 | TiWorker.exe
  Token: SeSecurityPrivilege | 4836 | TiWorker.exe
  Token: SeBackupPrivilege | 4836 | TiWorker.exe
  Token: SeRestorePrivilege | 4836 | TiWorker.exe
  Token: SeSecurityPrivilege | 4836 | TiWorker.exe
  Token: SeBackupPrivilege | 4836 | TiWorker.exe
  Token: SeRestorePrivilege | 4836 | TiWorker.exe
  Token: SeSecurityPrivilege | 4836 | TiWorker.exe
  Token: SeBackupPrivilege | 4836 | TiWorker.exe
  Token: SeRestorePrivilege | 4836 | TiWorker.exe
  Token: SeSecurityPrivilege | 4836 | TiWorker.exe
  Token: SeBackupPrivilege | 4836 | TiWorker.exe
  Token: SeRestorePrivilege | 4836 | TiWorker.exe
  Token: SeSecurityPrivilege | 4836 | TiWorker.exe
  Token: SeBackupPrivilege | 4836 | TiWorker.exe
  Token: SeRestorePrivilege | 4836 | TiWorker.exe
  Token: SeSecurityPrivilege | 4836 | TiWorker.exe
  Token: SeBackupPrivilege | 4836 | TiWorker.exe
  Token: SeRestorePrivilege | 4836 | TiWorker.exe
  Token: SeSecurityPrivilege | 4836 | TiWorker.exe
  Token: SeBackupPrivilege | 4836 | TiWorker.exe
  Token: SeRestorePrivilege | 4836 | TiWorker.exe
  Token: SeSecurityPrivilege | 4836 | TiWorker.exe
  Token: SeBackupPrivilege | 4836 | TiWorker.exe
  Token: SeRestorePrivilege | 4836 | TiWorker.exe
  Token: SeSecurityPrivilege | 4836 | TiWorker.exe
  Token: SeBackupPrivilege | 4836 | TiWorker.exe
  Token: SeRestorePrivilege | 4836 | TiWorker.exe
  Token: SeSecurityPrivilege | 4836 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description | pid | process | target process
  PID 3216 wrote to memory of 3512 | 3216 | 0da1e0a437614c47ffa88b209eacb132d749de87911d739f9f952e1902e9c6f1.exe | MediaCenter.exe
  PID 3216 wrote to memory of 3512 | 3216 | 0da1e0a437614c47ffa88b209eacb132d749de87911d739f9f952e1902e9c6f1.exe | MediaCenter.exe
  PID 3216 wrote to memory of 3512 | 3216 | 0da1e0a437614c47ffa88b209eacb132d749de87911d739f9f952e1902e9c6f1.exe | MediaCenter.exe
  PID 3216 wrote to memory of 5064 | 3216 | 0da1e0a437614c47ffa88b209eacb132d749de87911d739f9f952e1902e9c6f1.exe | cmd.exe
  PID 3216 wrote to memory of 5064 | 3216 | 0da1e0a437614c47ffa88b209eacb132d749de87911d739f9f952e1902e9c6f1.exe | cmd.exe
  PID 3216 wrote to memory of 5064 | 3216 | 0da1e0a437614c47ffa88b209eacb132d749de87911d739f9f952e1902e9c6f1.exe | cmd.exe
  PID 5064 wrote to memory of 4200 | 5064 | cmd.exe | PING.EXE
  PID 5064 wrote to memory of 4200 | 5064 | cmd.exe | PING.EXE
  PID 5064 wrote to memory of 4200 | 5064 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0da1e0a437614c47ffa88b209eacb132d749de87911d739f9f952e1902e9c6f1.exe (PID 3216)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0da1e0a437614c47ffa88b209eacb132d749de87911d739f9f952e1902e9c6f1.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 3512)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 5064)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0da1e0a437614c47ffa88b209eacb132d749de87911d739f9f952e1902e9c6f1.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 4200)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 928)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 4836)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 273a8dbc9b12cf7731b3762f3db019e5
  SHA1: d794da842aa099f74fa9fe8c05434f165374acf7
  SHA256: be6a1feff9b2bcbcc520adb0781f28980eee30e1f1821d5abad7508d2c13770b
  SHA512: 4e869f2783bf7f83f676821b384258246f71b0e3d26d48086eed2943d5d7c20001fbe360838315311735a11d2ee6145140b6350ebfa475e60d727a0be677646a