Analysis
Max time kernel: 162s
Max time network: 169s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220113
Submitted: 12-02-2022 06:33
Static task: static1
Behavioral task: behavioral1
  Sample: 0fa73e6d6621719627823d60c06098df99b8ffb8b04560293abb0f2094dc0df3.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0fa73e6d6621719627823d60c06098df99b8ffb8b04560293abb0f2094dc0df3.exe
  Resource: win10v2004-en-20220113
General
Target: 0fa73e6d6621719627823d60c06098df99b8ffb8b04560293abb0f2094dc0df3.exe
Size: 100KB
MD5: 558c30fafb4b5965608665349b5a4383
SHA1: 3aab02586c61167641cc2f29540e01a9a221ed56
SHA256: 0fa73e6d6621719627823d60c06098df99b8ffb8b04560293abb0f2094dc0df3
SHA512: 478d713a21b4dc7aa449fa4965991ccacc1b4b15ad2c0fe5f8191542ce945b218fa85d8ec550e2e26f6339258bae5a9d504801eac946a6807200357f46e71b4f
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes:
  - resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
  - resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
Executes dropped EXE (1 IoC)
Processes:
  - PID 3148: MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  - Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (process: 0fa73e6d6621719627823d60c06098df99b8ffb8b04560293abb0f2094dc0df3.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (process: 0fa73e6d6621719627823d60c06098df99b8ffb8b04560293abb0f2094dc0df3.exe)
Drops file in Windows directory (8 IoCs)
Processes:
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
  - File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  - File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  - File opened for modification: C:\Windows\WindowsUpdate.log (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (token adjustments listed by the report, collapsed to one row per privilege/PID with the number of times each is recorded):
  - Token: SeShutdownPrivilege, PID 4756, svchost.exe (3 times)
  - Token: SeCreatePagefilePrivilege, PID 4756, svchost.exe (3 times)
  - Token: SeIncBasePriorityPrivilege, PID 4476, 0fa73e6d6621719627823d60c06098df99b8ffb8b04560293abb0f2094dc0df3.exe (1 time)
  - Token: SeSecurityPrivilege, PID 2492, TiWorker.exe (19 times)
  - Token: SeRestorePrivilege, PID 2492, TiWorker.exe (19 times)
  - Token: SeBackupPrivilege, PID 2492, TiWorker.exe (19 times)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (source PID, target PID, source process, target process):
  - PID 4476 wrote to memory of 3148: 0fa73e6d6621719627823d60c06098df99b8ffb8b04560293abb0f2094dc0df3.exe -> MediaCenter.exe (recorded 3 times)
  - PID 4476 wrote to memory of 4372: 0fa73e6d6621719627823d60c06098df99b8ffb8b04560293abb0f2094dc0df3.exe -> cmd.exe (recorded 3 times)
  - PID 4372 wrote to memory of 1092: cmd.exe -> PING.EXE (recorded 3 times)
Processes
C:\Users\Admin\AppData\Local\Temp\0fa73e6d6621719627823d60c06098df99b8ffb8b04560293abb0f2094dc0df3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0fa73e6d6621719627823d60c06098df99b8ffb8b04560293abb0f2094dc0df3.exe"
  PID: 4476
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 3148
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0fa73e6d6621719627823d60c06098df99b8ffb8b04560293abb0f2094dc0df3.exe"
      PID: 4372
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          PID: 1092
          - Runs ping.exe
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4756
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 2492
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: a85f0b80457d7e94e6c0fbaaacaa2cae
SHA1: 5939633370f9c62db82017d111a31a11f9de6737
SHA256: a5b575e92dcb34d766981ced9285e987879882b84101f332f6735664ab6af408
SHA512: c165e1a74e745e40181033dda32ea7fb3d147166ac53daa52035351fd1aa4da38e1f2b79848453012ae0fe28425334d9d003d0b70d6406a44921b71ae172844d