Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 06:40
Static task: static1
Behavioral task: behavioral1
  Sample: 0f56fc40e36fcf3b6fbef42315c3c91f76b7e2f6ed6d089849a54694c6e9e3e1.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0f56fc40e36fcf3b6fbef42315c3c91f76b7e2f6ed6d089849a54694c6e9e3e1.exe
  Resource: win10v2004-en-20220113
General
Target: 0f56fc40e36fcf3b6fbef42315c3c91f76b7e2f6ed6d089849a54694c6e9e3e1.exe
Size: 101KB
MD5: fd6633c46807bfe4822fff86fd5c8cbf
SHA1: 16312dbd0a25d2dc345f7acd3eec67cdb8385bc2
SHA256: 0f56fc40e36fcf3b6fbef42315c3c91f76b7e2f6ed6d089849a54694c6e9e3e1
SHA512: d5fa2d054f73265081f1ecc7432f6f52c1f737ca3287f418828ee676829b960a681c5b67db20487eaa1e10e4db44aea185c6ed638b438ccddd1a7e3f6ece7bbb
Malware Config
Signatures
Sakula Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE 1 IoCs
Processes:
pid | process
3336 | MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0f56fc40e36fcf3b6fbef42315c3c91f76b7e2f6ed6d089849a54694c6e9e3e1.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0f56fc40e36fcf3b6fbef42315c3c91f76b7e2f6ed6d089849a54694c6e9e3e1.exe
Drops file in Windows directory 8 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 2924 | svchost.exe
Token: SeCreatePagefilePrivilege | 2924 | svchost.exe
Token: SeShutdownPrivilege | 2924 | svchost.exe
Token: SeCreatePagefilePrivilege | 2924 | svchost.exe
Token: SeShutdownPrivilege | 2924 | svchost.exe
Token: SeCreatePagefilePrivilege | 2924 | svchost.exe
Token: SeIncBasePriorityPrivilege | 2972 | 0f56fc40e36fcf3b6fbef42315c3c91f76b7e2f6ed6d089849a54694c6e9e3e1.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 2972 wrote to memory of 3336 | 2972 | 0f56fc40e36fcf3b6fbef42315c3c91f76b7e2f6ed6d089849a54694c6e9e3e1.exe | MediaCenter.exe
PID 2972 wrote to memory of 3336 | 2972 | 0f56fc40e36fcf3b6fbef42315c3c91f76b7e2f6ed6d089849a54694c6e9e3e1.exe | MediaCenter.exe
PID 2972 wrote to memory of 3336 | 2972 | 0f56fc40e36fcf3b6fbef42315c3c91f76b7e2f6ed6d089849a54694c6e9e3e1.exe | MediaCenter.exe
PID 2972 wrote to memory of 2272 | 2972 | 0f56fc40e36fcf3b6fbef42315c3c91f76b7e2f6ed6d089849a54694c6e9e3e1.exe | cmd.exe
PID 2972 wrote to memory of 2272 | 2972 | 0f56fc40e36fcf3b6fbef42315c3c91f76b7e2f6ed6d089849a54694c6e9e3e1.exe | cmd.exe
PID 2972 wrote to memory of 2272 | 2972 | 0f56fc40e36fcf3b6fbef42315c3c91f76b7e2f6ed6d089849a54694c6e9e3e1.exe | cmd.exe
PID 2272 wrote to memory of 3968 | 2272 | cmd.exe | PING.EXE
PID 2272 wrote to memory of 3968 | 2272 | cmd.exe | PING.EXE
PID 2272 wrote to memory of 3968 | 2272 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\0f56fc40e36fcf3b6fbef42315c3c91f76b7e2f6ed6d089849a54694c6e9e3e1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f56fc40e36fcf3b6fbef42315c3c91f76b7e2f6ed6d089849a54694c6e9e3e1.exe"
  PID: 2972
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 3336
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f56fc40e36fcf3b6fbef42315c3c91f76b7e2f6ed6d089849a54694c6e9e3e1.exe"
      PID: 2272
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          PID: 3968
          - Runs ping.exe
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 2924
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 2052
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: ef5a11e82d7b38a7f783524b3934a15b
SHA1: 8bfe386f72ec78b4f04d6be6aad04601deeac6d5
SHA256: 3c03b398c63bec6459e9b0d0beebd77a2eeee843cefc956c31b68f7760d6fb5c
SHA512: 51e38fecc1fa5dc85a32afe10f129f1b05727a47aefb9fb79ccd582c515fd0507271ac17eec0db259c5c87e0e74cd79a148fe355e58e812786f40ebb7429f278