Analysis
-
max time kernel
144s -
max time network
166s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 06:43
Static task
static1
Behavioral task
behavioral1
Sample
0f2a84ea0aa829e7b3fba3eafa2a1b8e425546f0d85fdd217f86ed7b8ed6a0e0.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0f2a84ea0aa829e7b3fba3eafa2a1b8e425546f0d85fdd217f86ed7b8ed6a0e0.exe
Resource
win10v2004-en-20220113
General
-
Target
0f2a84ea0aa829e7b3fba3eafa2a1b8e425546f0d85fdd217f86ed7b8ed6a0e0.exe
-
Size
80KB
-
MD5
1612865fe47c9e00127acceafa3536a5
-
SHA1
ee68a7558d4b00db8f596add181472ec86e02a20
-
SHA256
0f2a84ea0aa829e7b3fba3eafa2a1b8e425546f0d85fdd217f86ed7b8ed6a0e0
-
SHA512
d2ebfae0f971ec01b62f8a18e41d81c73c93910dd19dfb7d607e7d4271016578a037202cac5c6abd7737e3d49666e4971d7348edb3714182ec38dccf192455dd
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 4032 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
0f2a84ea0aa829e7b3fba3eafa2a1b8e425546f0d85fdd217f86ed7b8ed6a0e0.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 0f2a84ea0aa829e7b3fba3eafa2a1b8e425546f0d85fdd217f86ed7b8ed6a0e0.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0f2a84ea0aa829e7b3fba3eafa2a1b8e425546f0d85fdd217f86ed7b8ed6a0e0.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0f2a84ea0aa829e7b3fba3eafa2a1b8e425546f0d85fdd217f86ed7b8ed6a0e0.exe -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exe0f2a84ea0aa829e7b3fba3eafa2a1b8e425546f0d85fdd217f86ed7b8ed6a0e0.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 3408 svchost.exe Token: SeCreatePagefilePrivilege 3408 svchost.exe Token: SeShutdownPrivilege 3408 svchost.exe Token: SeCreatePagefilePrivilege 3408 svchost.exe Token: SeShutdownPrivilege 3408 svchost.exe Token: SeCreatePagefilePrivilege 3408 svchost.exe Token: SeIncBasePriorityPrivilege 4976 0f2a84ea0aa829e7b3fba3eafa2a1b8e425546f0d85fdd217f86ed7b8ed6a0e0.exe Token: SeSecurityPrivilege 3260 TiWorker.exe Token: SeRestorePrivilege 3260 TiWorker.exe Token: SeBackupPrivilege 3260 TiWorker.exe Token: SeBackupPrivilege 3260 TiWorker.exe Token: SeRestorePrivilege 3260 TiWorker.exe Token: SeSecurityPrivilege 3260 TiWorker.exe Token: SeBackupPrivilege 3260 TiWorker.exe Token: SeRestorePrivilege 3260 TiWorker.exe Token: SeSecurityPrivilege 3260 TiWorker.exe Token: SeBackupPrivilege 3260 TiWorker.exe Token: SeRestorePrivilege 3260 TiWorker.exe Token: SeSecurityPrivilege 3260 TiWorker.exe Token: SeBackupPrivilege 3260 TiWorker.exe Token: SeRestorePrivilege 3260 TiWorker.exe Token: SeSecurityPrivilege 3260 TiWorker.exe Token: SeBackupPrivilege 3260 TiWorker.exe Token: SeRestorePrivilege 3260 TiWorker.exe Token: SeSecurityPrivilege 3260 TiWorker.exe Token: SeBackupPrivilege 3260 TiWorker.exe Token: SeRestorePrivilege 3260 TiWorker.exe Token: SeSecurityPrivilege 3260 TiWorker.exe Token: SeBackupPrivilege 3260 TiWorker.exe Token: SeRestorePrivilege 3260 TiWorker.exe Token: SeSecurityPrivilege 3260 TiWorker.exe Token: SeBackupPrivilege 3260 TiWorker.exe Token: SeRestorePrivilege 3260 TiWorker.exe Token: SeSecurityPrivilege 3260 TiWorker.exe Token: SeBackupPrivilege 3260 TiWorker.exe Token: SeRestorePrivilege 3260 TiWorker.exe Token: SeSecurityPrivilege 3260 TiWorker.exe Token: SeBackupPrivilege 3260 TiWorker.exe Token: SeRestorePrivilege 3260 TiWorker.exe Token: SeSecurityPrivilege 3260 TiWorker.exe Token: SeBackupPrivilege 3260 TiWorker.exe Token: SeRestorePrivilege 3260 TiWorker.exe Token: SeSecurityPrivilege 3260 TiWorker.exe Token: SeBackupPrivilege 3260 TiWorker.exe Token: SeRestorePrivilege 3260 TiWorker.exe Token: SeSecurityPrivilege 3260 TiWorker.exe Token: SeBackupPrivilege 3260 TiWorker.exe Token: SeRestorePrivilege 3260 TiWorker.exe Token: SeSecurityPrivilege 3260 TiWorker.exe Token: SeBackupPrivilege 3260 TiWorker.exe Token: SeRestorePrivilege 3260 TiWorker.exe Token: SeSecurityPrivilege 3260 TiWorker.exe Token: SeBackupPrivilege 3260 TiWorker.exe Token: SeRestorePrivilege 3260 TiWorker.exe Token: SeSecurityPrivilege 3260 TiWorker.exe Token: SeBackupPrivilege 3260 TiWorker.exe Token: SeRestorePrivilege 3260 TiWorker.exe Token: SeSecurityPrivilege 3260 TiWorker.exe Token: SeBackupPrivilege 3260 TiWorker.exe Token: SeRestorePrivilege 3260 TiWorker.exe Token: SeSecurityPrivilege 3260 TiWorker.exe Token: SeBackupPrivilege 3260 TiWorker.exe Token: SeRestorePrivilege 3260 TiWorker.exe Token: SeSecurityPrivilege 3260 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
0f2a84ea0aa829e7b3fba3eafa2a1b8e425546f0d85fdd217f86ed7b8ed6a0e0.execmd.exedescription pid process target process PID 4976 wrote to memory of 4032 4976 0f2a84ea0aa829e7b3fba3eafa2a1b8e425546f0d85fdd217f86ed7b8ed6a0e0.exe MediaCenter.exe PID 4976 wrote to memory of 4032 4976 0f2a84ea0aa829e7b3fba3eafa2a1b8e425546f0d85fdd217f86ed7b8ed6a0e0.exe MediaCenter.exe PID 4976 wrote to memory of 4032 4976 0f2a84ea0aa829e7b3fba3eafa2a1b8e425546f0d85fdd217f86ed7b8ed6a0e0.exe MediaCenter.exe PID 4976 wrote to memory of 4308 4976 0f2a84ea0aa829e7b3fba3eafa2a1b8e425546f0d85fdd217f86ed7b8ed6a0e0.exe cmd.exe PID 4976 wrote to memory of 4308 4976 0f2a84ea0aa829e7b3fba3eafa2a1b8e425546f0d85fdd217f86ed7b8ed6a0e0.exe cmd.exe PID 4976 wrote to memory of 4308 4976 0f2a84ea0aa829e7b3fba3eafa2a1b8e425546f0d85fdd217f86ed7b8ed6a0e0.exe cmd.exe PID 4308 wrote to memory of 4612 4308 cmd.exe PING.EXE PID 4308 wrote to memory of 4612 4308 cmd.exe PING.EXE PID 4308 wrote to memory of 4612 4308 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f2a84ea0aa829e7b3fba3eafa2a1b8e425546f0d85fdd217f86ed7b8ed6a0e0.exe"C:\Users\Admin\AppData\Local\Temp\0f2a84ea0aa829e7b3fba3eafa2a1b8e425546f0d85fdd217f86ed7b8ed6a0e0.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:4032 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f2a84ea0aa829e7b3fba3eafa2a1b8e425546f0d85fdd217f86ed7b8ed6a0e0.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4308 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:4612
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3408
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3260
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
5d9665f8cd389955843285d2b49b880e
SHA1f670df88f498e34a4da8572bd13a2573fb5a90b2
SHA2562da42ddb1517edb946dbcb4e5838031264a96a3a214ed6cb72a7b19b5af33682
SHA512b56a63dc61bac0bbe7ac0db624c5b7f1e8a248b081a917e3e4b63ab5c9e4899ffca928ce6ba16339def29cdc94090e2431cc887a208680f9809bd0eab7ad8c78
-
MD5
5d9665f8cd389955843285d2b49b880e
SHA1f670df88f498e34a4da8572bd13a2573fb5a90b2
SHA2562da42ddb1517edb946dbcb4e5838031264a96a3a214ed6cb72a7b19b5af33682
SHA512b56a63dc61bac0bbe7ac0db624c5b7f1e8a248b081a917e3e4b63ab5c9e4899ffca928ce6ba16339def29cdc94090e2431cc887a208680f9809bd0eab7ad8c78