Analysis
-
max time kernel
163s -
max time network
177s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 06:42
Static task
static1
Behavioral task
behavioral1
Sample
0f2cc9a87ef715c4f456463fddaedfda931b205bf0331aab007790d1bd2c3ade.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0f2cc9a87ef715c4f456463fddaedfda931b205bf0331aab007790d1bd2c3ade.exe
Resource
win10v2004-en-20220113
General
-
Target
0f2cc9a87ef715c4f456463fddaedfda931b205bf0331aab007790d1bd2c3ade.exe
-
Size
80KB
-
MD5
fcbc0b32c4113122ea24e3d862137273
-
SHA1
f715b292a1093fbb0adfb9aa572ef94469feeb75
-
SHA256
0f2cc9a87ef715c4f456463fddaedfda931b205bf0331aab007790d1bd2c3ade
-
SHA512
a8cbc85bfd58598ad27f96c533c4e9c417eaaf99bebe9127b953a7ac75fb80794ba88bf863b775730806a4f5908ac9b007471ac91172bc2243584db49f9fc5df
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 5020 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
0f2cc9a87ef715c4f456463fddaedfda931b205bf0331aab007790d1bd2c3ade.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 0f2cc9a87ef715c4f456463fddaedfda931b205bf0331aab007790d1bd2c3ade.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0f2cc9a87ef715c4f456463fddaedfda931b205bf0331aab007790d1bd2c3ade.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0f2cc9a87ef715c4f456463fddaedfda931b205bf0331aab007790d1bd2c3ade.exe -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
0f2cc9a87ef715c4f456463fddaedfda931b205bf0331aab007790d1bd2c3ade.exesvchost.exeTiWorker.exedescription pid process Token: SeIncBasePriorityPrivilege 876 0f2cc9a87ef715c4f456463fddaedfda931b205bf0331aab007790d1bd2c3ade.exe Token: SeShutdownPrivilege 2680 svchost.exe Token: SeCreatePagefilePrivilege 2680 svchost.exe Token: SeShutdownPrivilege 2680 svchost.exe Token: SeCreatePagefilePrivilege 2680 svchost.exe Token: SeShutdownPrivilege 2680 svchost.exe Token: SeCreatePagefilePrivilege 2680 svchost.exe Token: SeSecurityPrivilege 4116 TiWorker.exe Token: SeRestorePrivilege 4116 TiWorker.exe Token: SeBackupPrivilege 4116 TiWorker.exe Token: SeBackupPrivilege 4116 TiWorker.exe Token: SeRestorePrivilege 4116 TiWorker.exe Token: SeSecurityPrivilege 4116 TiWorker.exe Token: SeBackupPrivilege 4116 TiWorker.exe Token: SeRestorePrivilege 4116 TiWorker.exe Token: SeSecurityPrivilege 4116 TiWorker.exe Token: SeBackupPrivilege 4116 TiWorker.exe Token: SeRestorePrivilege 4116 TiWorker.exe Token: SeSecurityPrivilege 4116 TiWorker.exe Token: SeBackupPrivilege 4116 TiWorker.exe Token: SeRestorePrivilege 4116 TiWorker.exe Token: SeSecurityPrivilege 4116 TiWorker.exe Token: SeBackupPrivilege 4116 TiWorker.exe Token: SeRestorePrivilege 4116 TiWorker.exe Token: SeSecurityPrivilege 4116 TiWorker.exe Token: SeBackupPrivilege 4116 TiWorker.exe Token: SeRestorePrivilege 4116 TiWorker.exe Token: SeSecurityPrivilege 4116 TiWorker.exe Token: SeBackupPrivilege 4116 TiWorker.exe Token: SeRestorePrivilege 4116 TiWorker.exe Token: SeSecurityPrivilege 4116 TiWorker.exe Token: SeBackupPrivilege 4116 TiWorker.exe Token: SeRestorePrivilege 4116 TiWorker.exe Token: SeSecurityPrivilege 4116 TiWorker.exe Token: SeBackupPrivilege 4116 TiWorker.exe Token: SeRestorePrivilege 4116 TiWorker.exe Token: SeSecurityPrivilege 4116 TiWorker.exe Token: SeBackupPrivilege 4116 TiWorker.exe Token: SeRestorePrivilege 4116 TiWorker.exe Token: SeSecurityPrivilege 4116 TiWorker.exe Token: SeBackupPrivilege 4116 TiWorker.exe Token: SeRestorePrivilege 4116 TiWorker.exe Token: SeSecurityPrivilege 4116 TiWorker.exe Token: SeBackupPrivilege 4116 TiWorker.exe Token: SeRestorePrivilege 4116 TiWorker.exe Token: SeSecurityPrivilege 4116 TiWorker.exe Token: SeBackupPrivilege 4116 TiWorker.exe Token: SeRestorePrivilege 4116 TiWorker.exe Token: SeSecurityPrivilege 4116 TiWorker.exe Token: SeBackupPrivilege 4116 TiWorker.exe Token: SeRestorePrivilege 4116 TiWorker.exe Token: SeSecurityPrivilege 4116 TiWorker.exe Token: SeBackupPrivilege 4116 TiWorker.exe Token: SeRestorePrivilege 4116 TiWorker.exe Token: SeSecurityPrivilege 4116 TiWorker.exe Token: SeBackupPrivilege 4116 TiWorker.exe Token: SeRestorePrivilege 4116 TiWorker.exe Token: SeSecurityPrivilege 4116 TiWorker.exe Token: SeBackupPrivilege 4116 TiWorker.exe Token: SeRestorePrivilege 4116 TiWorker.exe Token: SeSecurityPrivilege 4116 TiWorker.exe Token: SeBackupPrivilege 4116 TiWorker.exe Token: SeRestorePrivilege 4116 TiWorker.exe Token: SeSecurityPrivilege 4116 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
0f2cc9a87ef715c4f456463fddaedfda931b205bf0331aab007790d1bd2c3ade.execmd.exedescription pid process target process PID 876 wrote to memory of 5020 876 0f2cc9a87ef715c4f456463fddaedfda931b205bf0331aab007790d1bd2c3ade.exe MediaCenter.exe PID 876 wrote to memory of 5020 876 0f2cc9a87ef715c4f456463fddaedfda931b205bf0331aab007790d1bd2c3ade.exe MediaCenter.exe PID 876 wrote to memory of 5020 876 0f2cc9a87ef715c4f456463fddaedfda931b205bf0331aab007790d1bd2c3ade.exe MediaCenter.exe PID 876 wrote to memory of 568 876 0f2cc9a87ef715c4f456463fddaedfda931b205bf0331aab007790d1bd2c3ade.exe cmd.exe PID 876 wrote to memory of 568 876 0f2cc9a87ef715c4f456463fddaedfda931b205bf0331aab007790d1bd2c3ade.exe cmd.exe PID 876 wrote to memory of 568 876 0f2cc9a87ef715c4f456463fddaedfda931b205bf0331aab007790d1bd2c3ade.exe cmd.exe PID 568 wrote to memory of 4976 568 cmd.exe PING.EXE PID 568 wrote to memory of 4976 568 cmd.exe PING.EXE PID 568 wrote to memory of 4976 568 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f2cc9a87ef715c4f456463fddaedfda931b205bf0331aab007790d1bd2c3ade.exe"C:\Users\Admin\AppData\Local\Temp\0f2cc9a87ef715c4f456463fddaedfda931b205bf0331aab007790d1bd2c3ade.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:5020 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f2cc9a87ef715c4f456463fddaedfda931b205bf0331aab007790d1bd2c3ade.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:568 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:4976
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2680
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4116
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
31903804a66ad29b22da016fa42224ef
SHA195e0083d1805296a2bf9713bf7e91fdeb4dd805b
SHA256ede91d0e1bc890bdfbcdef6ee5bdb3dd96c23aec5ef78c7df718ab09f2cce4dc
SHA512f8019b9ea4d1c8dcd081699c344f1b0c79048a155dbeaafbb6a95d3147c70aacb14e502ead1b1ba35f7bb845ea1bac62714fbbd93b7af92ef4c4100101934038
-
MD5
31903804a66ad29b22da016fa42224ef
SHA195e0083d1805296a2bf9713bf7e91fdeb4dd805b
SHA256ede91d0e1bc890bdfbcdef6ee5bdb3dd96c23aec5ef78c7df718ab09f2cce4dc
SHA512f8019b9ea4d1c8dcd081699c344f1b0c79048a155dbeaafbb6a95d3147c70aacb14e502ead1b1ba35f7bb845ea1bac62714fbbd93b7af92ef4c4100101934038