Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12/02/2022, 06:40
Static task: static1

Behavioral task: behavioral1
- Sample: 0f56fc40e36fcf3b6fbef42315c3c91f76b7e2f6ed6d089849a54694c6e9e3e1.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0f56fc40e36fcf3b6fbef42315c3c91f76b7e2f6ed6d089849a54694c6e9e3e1.exe
- Resource: win10v2004-en-20220113
General
- Target: 0f56fc40e36fcf3b6fbef42315c3c91f76b7e2f6ed6d089849a54694c6e9e3e1.exe
- Size: 101KB
- MD5: fd6633c46807bfe4822fff86fd5c8cbf
- SHA1: 16312dbd0a25d2dc345f7acd3eec67cdb8385bc2
- SHA256: 0f56fc40e36fcf3b6fbef42315c3c91f76b7e2f6ed6d089849a54694c6e9e3e1
- SHA512: d5fa2d054f73265081f1ecc7432f6f52c1f737ca3287f418828ee676829b960a681c5b67db20487eaa1e10e4db44aea185c6ed638b438ccddd1a7e3f6ece7bbb
Malware Config
Signatures

Sakula Payload (2 IoCs)
resource | yara_rule
behavioral2/files/0x000600000001e8de-130.dat | family_sakula
behavioral2/files/0x000600000001e8de-131.dat | family_sakula

Executes dropped EXE (1 IoCs)
pid | Process
3336 | MediaCenter.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0f56fc40e36fcf3b6fbef42315c3c91f76b7e2f6ed6d089849a54694c6e9e3e1.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0f56fc40e36fcf3b6fbef42315c3c91f76b7e2f6ed6d089849a54694c6e9e3e1.exe

Drops file in Windows directory (8 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)
pid | Process
3968 | PING.EXE

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 2924 | svchost.exe
Token: SeCreatePagefilePrivilege | 2924 | svchost.exe
Token: SeShutdownPrivilege | 2924 | svchost.exe
Token: SeCreatePagefilePrivilege | 2924 | svchost.exe
Token: SeShutdownPrivilege | 2924 | svchost.exe
Token: SeCreatePagefilePrivilege | 2924 | svchost.exe
Token: SeIncBasePriorityPrivilege | 2972 | 0f56fc40e36fcf3b6fbef42315c3c91f76b7e2f6ed6d089849a54694c6e9e3e1.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe
Token: SeBackupPrivilege | 2052 | TiWorker.exe
Token: SeRestorePrivilege | 2052 | TiWorker.exe
Token: SeSecurityPrivilege | 2052 | TiWorker.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 2972 wrote to memory of 3336 | 2972 | 0f56fc40e36fcf3b6fbef42315c3c91f76b7e2f6ed6d089849a54694c6e9e3e1.exe | 82
PID 2972 wrote to memory of 3336 | 2972 | 0f56fc40e36fcf3b6fbef42315c3c91f76b7e2f6ed6d089849a54694c6e9e3e1.exe | 82
PID 2972 wrote to memory of 3336 | 2972 | 0f56fc40e36fcf3b6fbef42315c3c91f76b7e2f6ed6d089849a54694c6e9e3e1.exe | 82
PID 2972 wrote to memory of 2272 | 2972 | 0f56fc40e36fcf3b6fbef42315c3c91f76b7e2f6ed6d089849a54694c6e9e3e1.exe | 98
PID 2972 wrote to memory of 2272 | 2972 | 0f56fc40e36fcf3b6fbef42315c3c91f76b7e2f6ed6d089849a54694c6e9e3e1.exe | 98
PID 2972 wrote to memory of 2272 | 2972 | 0f56fc40e36fcf3b6fbef42315c3c91f76b7e2f6ed6d089849a54694c6e9e3e1.exe | 98
PID 2272 wrote to memory of 3968 | 2272 | cmd.exe | 100
PID 2272 wrote to memory of 3968 | 2272 | cmd.exe | 100
PID 2272 wrote to memory of 3968 | 2272 | cmd.exe | 100
Processes

- C:\Users\Admin\AppData\Local\Temp\0f56fc40e36fcf3b6fbef42315c3c91f76b7e2f6ed6d089849a54694c6e9e3e1.exe (PID 2972)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f56fc40e36fcf3b6fbef42315c3c91f76b7e2f6ed6d089849a54694c6e9e3e1.exe"
  Signatures:
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
    - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 3336)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Signatures:
      - Executes dropped EXE
    - C:\Windows\SysWOW64\cmd.exe (PID 2272)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f56fc40e36fcf3b6fbef42315c3c91f76b7e2f6ed6d089849a54694c6e9e3e1.exe"
      Signatures:
      - Suspicious use of WriteProcessMemory
      Child processes:
        - C:\Windows\SysWOW64\PING.EXE (PID 3968)
          Command line: ping 127.0.0.1
          Signatures:
          - Runs ping.exe

- C:\Windows\system32\svchost.exe (PID 2924)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 2052)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken