Analysis
-
max time kernel
151s -
max time network
170s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 06:44
Static task
static1
Behavioral task
behavioral1
Sample
0f1b5bcc1fd902a481d402643b3be555ab17fab2460ebf70a9b73c196f22c95f.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0f1b5bcc1fd902a481d402643b3be555ab17fab2460ebf70a9b73c196f22c95f.exe
Resource
win10v2004-en-20220113
General
-
Target
0f1b5bcc1fd902a481d402643b3be555ab17fab2460ebf70a9b73c196f22c95f.exe
-
Size
101KB
-
MD5
7426387a8c56f0b812d64cf8cc605557
-
SHA1
85f0e7c44a20a4cb26ab40ef37f73fe2dd609757
-
SHA256
0f1b5bcc1fd902a481d402643b3be555ab17fab2460ebf70a9b73c196f22c95f
-
SHA512
c39a7faf59b55d1012afda2173672eeba4b4ff66324cc729c9c14373aa32b1c44cd40fecf730e56bdf83bf46a9ef685b64afc5327e38a5f1ab9e16f5fba40bad
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1876 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
0f1b5bcc1fd902a481d402643b3be555ab17fab2460ebf70a9b73c196f22c95f.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 0f1b5bcc1fd902a481d402643b3be555ab17fab2460ebf70a9b73c196f22c95f.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0f1b5bcc1fd902a481d402643b3be555ab17fab2460ebf70a9b73c196f22c95f.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0f1b5bcc1fd902a481d402643b3be555ab17fab2460ebf70a9b73c196f22c95f.exe -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exe0f1b5bcc1fd902a481d402643b3be555ab17fab2460ebf70a9b73c196f22c95f.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 4888 svchost.exe Token: SeCreatePagefilePrivilege 4888 svchost.exe Token: SeShutdownPrivilege 4888 svchost.exe Token: SeCreatePagefilePrivilege 4888 svchost.exe Token: SeShutdownPrivilege 4888 svchost.exe Token: SeCreatePagefilePrivilege 4888 svchost.exe Token: SeIncBasePriorityPrivilege 5064 0f1b5bcc1fd902a481d402643b3be555ab17fab2460ebf70a9b73c196f22c95f.exe Token: SeSecurityPrivilege 4944 TiWorker.exe Token: SeRestorePrivilege 4944 TiWorker.exe Token: SeBackupPrivilege 4944 TiWorker.exe Token: SeBackupPrivilege 4944 TiWorker.exe Token: SeRestorePrivilege 4944 TiWorker.exe Token: SeSecurityPrivilege 4944 TiWorker.exe Token: SeBackupPrivilege 4944 TiWorker.exe Token: SeRestorePrivilege 4944 TiWorker.exe Token: SeSecurityPrivilege 4944 TiWorker.exe Token: SeBackupPrivilege 4944 TiWorker.exe Token: SeRestorePrivilege 4944 TiWorker.exe Token: SeSecurityPrivilege 4944 TiWorker.exe Token: SeBackupPrivilege 4944 TiWorker.exe Token: SeRestorePrivilege 4944 TiWorker.exe Token: SeSecurityPrivilege 4944 TiWorker.exe Token: SeBackupPrivilege 4944 TiWorker.exe Token: SeRestorePrivilege 4944 TiWorker.exe Token: SeSecurityPrivilege 4944 TiWorker.exe Token: SeBackupPrivilege 4944 TiWorker.exe Token: SeRestorePrivilege 4944 TiWorker.exe Token: SeSecurityPrivilege 4944 TiWorker.exe Token: SeBackupPrivilege 4944 TiWorker.exe Token: SeRestorePrivilege 4944 TiWorker.exe Token: SeSecurityPrivilege 4944 TiWorker.exe Token: SeBackupPrivilege 4944 TiWorker.exe Token: SeRestorePrivilege 4944 TiWorker.exe Token: SeSecurityPrivilege 4944 TiWorker.exe Token: SeBackupPrivilege 4944 TiWorker.exe Token: SeRestorePrivilege 4944 TiWorker.exe Token: SeSecurityPrivilege 4944 TiWorker.exe Token: SeBackupPrivilege 4944 TiWorker.exe Token: SeRestorePrivilege 4944 TiWorker.exe Token: SeSecurityPrivilege 4944 TiWorker.exe Token: SeBackupPrivilege 4944 TiWorker.exe Token: SeRestorePrivilege 4944 TiWorker.exe Token: SeSecurityPrivilege 4944 TiWorker.exe Token: SeBackupPrivilege 4944 TiWorker.exe Token: SeRestorePrivilege 4944 TiWorker.exe Token: SeSecurityPrivilege 4944 TiWorker.exe Token: SeBackupPrivilege 4944 TiWorker.exe Token: SeRestorePrivilege 4944 TiWorker.exe Token: SeSecurityPrivilege 4944 TiWorker.exe Token: SeBackupPrivilege 4944 TiWorker.exe Token: SeRestorePrivilege 4944 TiWorker.exe Token: SeSecurityPrivilege 4944 TiWorker.exe Token: SeBackupPrivilege 4944 TiWorker.exe Token: SeRestorePrivilege 4944 TiWorker.exe Token: SeSecurityPrivilege 4944 TiWorker.exe Token: SeBackupPrivilege 4944 TiWorker.exe Token: SeRestorePrivilege 4944 TiWorker.exe Token: SeSecurityPrivilege 4944 TiWorker.exe Token: SeBackupPrivilege 4944 TiWorker.exe Token: SeRestorePrivilege 4944 TiWorker.exe Token: SeSecurityPrivilege 4944 TiWorker.exe Token: SeBackupPrivilege 4944 TiWorker.exe Token: SeRestorePrivilege 4944 TiWorker.exe Token: SeSecurityPrivilege 4944 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
0f1b5bcc1fd902a481d402643b3be555ab17fab2460ebf70a9b73c196f22c95f.execmd.exedescription pid process target process PID 5064 wrote to memory of 1876 5064 0f1b5bcc1fd902a481d402643b3be555ab17fab2460ebf70a9b73c196f22c95f.exe MediaCenter.exe PID 5064 wrote to memory of 1876 5064 0f1b5bcc1fd902a481d402643b3be555ab17fab2460ebf70a9b73c196f22c95f.exe MediaCenter.exe PID 5064 wrote to memory of 1876 5064 0f1b5bcc1fd902a481d402643b3be555ab17fab2460ebf70a9b73c196f22c95f.exe MediaCenter.exe PID 5064 wrote to memory of 4700 5064 0f1b5bcc1fd902a481d402643b3be555ab17fab2460ebf70a9b73c196f22c95f.exe cmd.exe PID 5064 wrote to memory of 4700 5064 0f1b5bcc1fd902a481d402643b3be555ab17fab2460ebf70a9b73c196f22c95f.exe cmd.exe PID 5064 wrote to memory of 4700 5064 0f1b5bcc1fd902a481d402643b3be555ab17fab2460ebf70a9b73c196f22c95f.exe cmd.exe PID 4700 wrote to memory of 3520 4700 cmd.exe PING.EXE PID 4700 wrote to memory of 3520 4700 cmd.exe PING.EXE PID 4700 wrote to memory of 3520 4700 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f1b5bcc1fd902a481d402643b3be555ab17fab2460ebf70a9b73c196f22c95f.exe"C:\Users\Admin\AppData\Local\Temp\0f1b5bcc1fd902a481d402643b3be555ab17fab2460ebf70a9b73c196f22c95f.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f1b5bcc1fd902a481d402643b3be555ab17fab2460ebf70a9b73c196f22c95f.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:3520
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4888
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4944
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
bee09fcb077d3c7b94bcdd9ad55270ff
SHA1baabc3ef05e773de20fe15625b217313a93b1681
SHA256161ea02ccc4615d270f133af05f817b4b407a71560720227589bb47fbc1b273a
SHA51295a93eaa36f74cdd307df2e5fdb3a219f0ced24b1f83a80d376a821fd8462099731a05e04b78317a79fbe3d8e092945f28bc1c99bc01d275152d667f7ffd16b8
-
MD5
bee09fcb077d3c7b94bcdd9ad55270ff
SHA1baabc3ef05e773de20fe15625b217313a93b1681
SHA256161ea02ccc4615d270f133af05f817b4b407a71560720227589bb47fbc1b273a
SHA51295a93eaa36f74cdd307df2e5fdb3a219f0ced24b1f83a80d376a821fd8462099731a05e04b78317a79fbe3d8e092945f28bc1c99bc01d275152d667f7ffd16b8