Analysis
-
max time kernel
161s -
max time network
170s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 06:39
Static task
static1
Behavioral task
behavioral1
Sample
0f59b967edc7239c3d8869d516b06b25349f8d24a2a57f016094c9322194e0c7.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0f59b967edc7239c3d8869d516b06b25349f8d24a2a57f016094c9322194e0c7.exe
Resource
win10v2004-en-20220113
General
-
Target
0f59b967edc7239c3d8869d516b06b25349f8d24a2a57f016094c9322194e0c7.exe
-
Size
101KB
-
MD5
ff9641541516d4a9967cc3ab3ee42645
-
SHA1
be27868c462630a5c8e000dffe49bff8a3c659e4
-
SHA256
0f59b967edc7239c3d8869d516b06b25349f8d24a2a57f016094c9322194e0c7
-
SHA512
cf4541029a619cd71fcab55bbb54b0289c8e00f2485ac9e1adbffde2071b6861ee158666f660ff01a73edd8abe0636289c5febb710ff6d26d16d56d37ce36a54
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 2764 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
0f59b967edc7239c3d8869d516b06b25349f8d24a2a57f016094c9322194e0c7.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 0f59b967edc7239c3d8869d516b06b25349f8d24a2a57f016094c9322194e0c7.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0f59b967edc7239c3d8869d516b06b25349f8d24a2a57f016094c9322194e0c7.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0f59b967edc7239c3d8869d516b06b25349f8d24a2a57f016094c9322194e0c7.exe -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exe0f59b967edc7239c3d8869d516b06b25349f8d24a2a57f016094c9322194e0c7.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 3344 svchost.exe Token: SeCreatePagefilePrivilege 3344 svchost.exe Token: SeShutdownPrivilege 3344 svchost.exe Token: SeCreatePagefilePrivilege 3344 svchost.exe Token: SeShutdownPrivilege 3344 svchost.exe Token: SeCreatePagefilePrivilege 3344 svchost.exe Token: SeIncBasePriorityPrivilege 4548 0f59b967edc7239c3d8869d516b06b25349f8d24a2a57f016094c9322194e0c7.exe Token: SeSecurityPrivilege 4424 TiWorker.exe Token: SeRestorePrivilege 4424 TiWorker.exe Token: SeBackupPrivilege 4424 TiWorker.exe Token: SeBackupPrivilege 4424 TiWorker.exe Token: SeRestorePrivilege 4424 TiWorker.exe Token: SeSecurityPrivilege 4424 TiWorker.exe Token: SeBackupPrivilege 4424 TiWorker.exe Token: SeRestorePrivilege 4424 TiWorker.exe Token: SeSecurityPrivilege 4424 TiWorker.exe Token: SeBackupPrivilege 4424 TiWorker.exe Token: SeRestorePrivilege 4424 TiWorker.exe Token: SeSecurityPrivilege 4424 TiWorker.exe Token: SeBackupPrivilege 4424 TiWorker.exe Token: SeRestorePrivilege 4424 TiWorker.exe Token: SeSecurityPrivilege 4424 TiWorker.exe Token: SeBackupPrivilege 4424 TiWorker.exe Token: SeRestorePrivilege 4424 TiWorker.exe Token: SeSecurityPrivilege 4424 TiWorker.exe Token: SeBackupPrivilege 4424 TiWorker.exe Token: SeRestorePrivilege 4424 TiWorker.exe Token: SeSecurityPrivilege 4424 TiWorker.exe Token: SeBackupPrivilege 4424 TiWorker.exe Token: SeRestorePrivilege 4424 TiWorker.exe Token: SeSecurityPrivilege 4424 TiWorker.exe Token: SeBackupPrivilege 4424 TiWorker.exe Token: SeRestorePrivilege 4424 TiWorker.exe Token: SeSecurityPrivilege 4424 TiWorker.exe Token: SeBackupPrivilege 4424 TiWorker.exe Token: SeRestorePrivilege 4424 TiWorker.exe Token: SeSecurityPrivilege 4424 TiWorker.exe Token: SeBackupPrivilege 4424 TiWorker.exe Token: SeRestorePrivilege 4424 TiWorker.exe Token: SeSecurityPrivilege 4424 TiWorker.exe Token: SeBackupPrivilege 4424 TiWorker.exe Token: SeRestorePrivilege 4424 TiWorker.exe Token: SeSecurityPrivilege 4424 TiWorker.exe Token: SeBackupPrivilege 4424 TiWorker.exe Token: SeRestorePrivilege 4424 TiWorker.exe Token: SeSecurityPrivilege 4424 TiWorker.exe Token: SeBackupPrivilege 4424 TiWorker.exe Token: SeRestorePrivilege 4424 TiWorker.exe Token: SeSecurityPrivilege 4424 TiWorker.exe Token: SeBackupPrivilege 4424 TiWorker.exe Token: SeRestorePrivilege 4424 TiWorker.exe Token: SeSecurityPrivilege 4424 TiWorker.exe Token: SeBackupPrivilege 4424 TiWorker.exe Token: SeRestorePrivilege 4424 TiWorker.exe Token: SeSecurityPrivilege 4424 TiWorker.exe Token: SeBackupPrivilege 4424 TiWorker.exe Token: SeRestorePrivilege 4424 TiWorker.exe Token: SeSecurityPrivilege 4424 TiWorker.exe Token: SeBackupPrivilege 4424 TiWorker.exe Token: SeRestorePrivilege 4424 TiWorker.exe Token: SeSecurityPrivilege 4424 TiWorker.exe Token: SeBackupPrivilege 4424 TiWorker.exe Token: SeRestorePrivilege 4424 TiWorker.exe Token: SeSecurityPrivilege 4424 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
0f59b967edc7239c3d8869d516b06b25349f8d24a2a57f016094c9322194e0c7.execmd.exedescription pid process target process PID 4548 wrote to memory of 2764 4548 0f59b967edc7239c3d8869d516b06b25349f8d24a2a57f016094c9322194e0c7.exe MediaCenter.exe PID 4548 wrote to memory of 2764 4548 0f59b967edc7239c3d8869d516b06b25349f8d24a2a57f016094c9322194e0c7.exe MediaCenter.exe PID 4548 wrote to memory of 2764 4548 0f59b967edc7239c3d8869d516b06b25349f8d24a2a57f016094c9322194e0c7.exe MediaCenter.exe PID 4548 wrote to memory of 2144 4548 0f59b967edc7239c3d8869d516b06b25349f8d24a2a57f016094c9322194e0c7.exe cmd.exe PID 4548 wrote to memory of 2144 4548 0f59b967edc7239c3d8869d516b06b25349f8d24a2a57f016094c9322194e0c7.exe cmd.exe PID 4548 wrote to memory of 2144 4548 0f59b967edc7239c3d8869d516b06b25349f8d24a2a57f016094c9322194e0c7.exe cmd.exe PID 2144 wrote to memory of 2112 2144 cmd.exe PING.EXE PID 2144 wrote to memory of 2112 2144 cmd.exe PING.EXE PID 2144 wrote to memory of 2112 2144 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f59b967edc7239c3d8869d516b06b25349f8d24a2a57f016094c9322194e0c7.exe"C:\Users\Admin\AppData\Local\Temp\0f59b967edc7239c3d8869d516b06b25349f8d24a2a57f016094c9322194e0c7.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f59b967edc7239c3d8869d516b06b25349f8d24a2a57f016094c9322194e0c7.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:2112
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3344
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4424
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
b1cfccb6ec0d5106bc327ad39f75968a
SHA13e9c7ce21021c44707978884e60a9d3676df2a18
SHA2562b0aed8fc2b60e7d30087658fd468a3ee2ca5cc56e0a9c69fb20adec6f386b54
SHA512045822ddac6674036ed7f5272e62fcc89bde7ea0ac7e08d29f3e9031ce4661638e59ed7043db2e1145c3a93423da00a230cd398070a3f52c324adfaa16bccbd5
-
MD5
b1cfccb6ec0d5106bc327ad39f75968a
SHA13e9c7ce21021c44707978884e60a9d3676df2a18
SHA2562b0aed8fc2b60e7d30087658fd468a3ee2ca5cc56e0a9c69fb20adec6f386b54
SHA512045822ddac6674036ed7f5272e62fcc89bde7ea0ac7e08d29f3e9031ce4661638e59ed7043db2e1145c3a93423da00a230cd398070a3f52c324adfaa16bccbd5