Analysis
- max time kernel: 133s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 06:57

Static task: static1
Behavioral task: behavioral1
- Sample: 0eee001af7e0e8cb7550a7277814d69393eaec09e6fcf418be00cdae865b6a6b.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0eee001af7e0e8cb7550a7277814d69393eaec09e6fcf418be00cdae865b6a6b.exe
- Resource: win10v2004-en-20220113

The signatures, process tree and memory-dump IoCs below come from behavioral2 (the Windows 10 2004 x64 run); the memory-dump resource names carry the behavioral2/ prefix.
General
- Target: 0eee001af7e0e8cb7550a7277814d69393eaec09e6fcf418be00cdae865b6a6b.exe
- Size: 176KB
- MD5: d4d02c858c0d25c3adfc757da1e0f95b
- SHA1: 29a35abe6320ef66e377f48b442bf099e30b97f0
- SHA256: 0eee001af7e0e8cb7550a7277814d69393eaec09e6fcf418be00cdae865b6a6b
- SHA512: 87701ae464ef0e986bd8148c965a094cd9ed0695e748ce3d18374426933426546e0fc48c4e9067b75ddaef4598c9592f533fbd3d6ceaf8aa4be410db4ff2e520
Malware Config
Signatures

Sakula Payload (4 IoCs)
Processes:
resource | yara_rule
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- behavioral2/memory/3276-135-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- behavioral2/memory/4456-136-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
The two memory dumps cover the same 0x400000-0x420000 image range in PID 3276 (the submitted sample) and PID 4456 (the dropped MediaCenter.exe); both match the family_sakula rule, as does the dropped file on disk.
Executes dropped EXE (1 IoC)
Processes:
pid | process
- 4456 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), likely a geofence check.
Processes:
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0eee001af7e0e8cb7550a7277814d69393eaec09e6fcf418be00cdae865b6a6b.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0eee001af7e0e8cb7550a7277814d69393eaec09e6fcf418be00cdae865b6a6b.exe
The WOW6432Node path is the 32-bit view of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: the sample runs as a 32-bit process (its children start from SysWOW64) and its write is redirected on the x64 host. When hunting for this persistence entry, query both the native and the WOW6432Node Run keys.
Drops file in Windows directory (8 IoCs)
Processes:
description | ioc | process
- File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
- File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
- File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
- File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
- File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
- File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
- File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
- File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
All eight entries belong to svchost.exe (PID 4984, the wuauserv Windows Update host) and TiWorker.exe (PID 1308, the servicing stack worker), which the process tree lists as separate top-level processes; none is attributable to the sample.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
No IoC is attached to this signature, so the report does not tie it to a specific process; the description is the signature's generic text, not an assessment of this sample.
Runs ping.exe (1 TTP, 1 IoC)
The IoC is PID 4960 (ping 127.0.0.1) in the process tree, started by cmd.exe /c ping 127.0.0.1 & del /q "<sample path>": the ping serves as a delay so that the dropper's own file can be deleted once its process has exited.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
pid | process | privileges adjusted (count)
- 4984 | svchost.exe | SeShutdownPrivilege (3), SeCreatePagefilePrivilege (3)
- 3276 | 0eee001af7e0e8cb7550a7277814d69393eaec09e6fcf418be00cdae865b6a6b.exe | SeIncBasePriorityPrivilege (1)
- 1308 | TiWorker.exe | SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege, cycling repeatedly (the remaining 57 entries)
Only the single SeIncBasePriorityPrivilege adjustment by PID 3276 is the sample's own; the svchost.exe and TiWorker.exe entries are Windows Update and servicing-stack background activity that inflates the IoC count.
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
- PID 3276 wrote to memory of 4456 (3 times) | 3276 | 0eee001af7e0e8cb7550a7277814d69393eaec09e6fcf418be00cdae865b6a6b.exe | MediaCenter.exe
- PID 3276 wrote to memory of 3564 (3 times) | 3276 | 0eee001af7e0e8cb7550a7277814d69393eaec09e6fcf418be00cdae865b6a6b.exe | cmd.exe
- PID 3564 wrote to memory of 4960 (3 times) | 3564 | cmd.exe | PING.EXE
Every write goes from a parent to a child it has just started (the same parent/child pairs as the process tree); the report records no write into a pre-existing process, so nothing here points to injection into another process.
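The signature list above mixes the sample's own activity with Windows Update background noise (svchost.exe wuauserv, TiWorker.exe). One way to separate the two automatically is to rebuild the sample's process tree from the WriteProcessMemory parent/child pairs and keep only events whose PID falls inside that tree. This is an added Python example, not part of the Triage report or its tooling: the PIDs, image names, privilege names and paths are copied from the report, while the event record shape (pid, image, kind, detail) is constructed and the TiWorker.exe privilege cycle is abbreviated to one triplet.

```python
"""Attribute sandbox signature hits to the submitted sample's process tree.

Added example, not part of the Triage report. PIDs, image names and
privilege names come from the report; EVENTS is a constructed, abbreviated
record list in the shape (pid, image, kind, detail).
"""
from collections import Counter, defaultdict

SAMPLE = "0eee001af7e0e8cb7550a7277814d69393eaec09e6fcf418be00cdae865b6a6b.exe"

# (parent, child) pairs from the WriteProcessMemory IoCs; each pair is
# reported three times, and the tree walk below collapses the duplicates.
WRITES = [
    (3276, 4456), (3276, 4456), (3276, 4456),  # sample -> MediaCenter.exe
    (3276, 3564), (3276, 3564), (3276, 3564),  # sample -> cmd.exe
    (3564, 4960), (3564, 4960), (3564, 4960),  # cmd.exe -> PING.EXE
]

# Constructed events mirroring the signature sections (abbreviated).
EVENTS = [
    (4984, "svchost.exe", "token", "SeShutdownPrivilege"),
    (4984, "svchost.exe", "token", "SeCreatePagefilePrivilege"),
    (3276, SAMPLE, "token", "SeIncBasePriorityPrivilege"),
    (1308, "TiWorker.exe", "token", "SeSecurityPrivilege"),
    (1308, "TiWorker.exe", "token", "SeRestorePrivilege"),
    (1308, "TiWorker.exe", "token", "SeBackupPrivilege"),
    (4984, "svchost.exe", "file_write",
     r"C:\Windows\SoftwareDistribution\DataStore\DataStore.edb"),
    (1308, "TiWorker.exe", "file_write", r"C:\Windows\Logs\CBS\CBS.log"),
    (3276, SAMPLE, "reg_set",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia"),
    (4456, "MediaCenter.exe", "exec",
     r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"),
]


def descendants(root, writes):
    """Return root plus every PID reachable through parent->child writes."""
    children = defaultdict(set)
    for parent, child in writes:
        children[parent].add(child)
    seen, stack = set(), [root]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        stack.extend(children[pid])
    return seen


def attribute(root, writes, events):
    """Split events into (tree, events inside the tree, background events)."""
    tree = descendants(root, writes)
    inside = [ev for ev in events if ev[0] in tree]
    outside = [ev for ev in events if ev[0] not in tree]
    return tree, inside, outside


def noise_summary(events):
    """Count (image, kind) pairs so the noisiest background sources stand out."""
    return Counter((image, kind) for _, image, kind, _ in events)


if __name__ == "__main__":
    tree, inside, outside = attribute(3276, WRITES, EVENTS)
    print("sample tree:", sorted(tree))
    for ev in inside:
        print("  sample:", ev)
    for (image, kind), n in noise_summary(outside).most_common():
        print("  noise :", image, kind, n)
```

Run against the report's data, the tree is {3276, 3564, 4456, 4960}; the only privilege event left inside it is the SeIncBasePriorityPrivilege adjustment by PID 3276, and every file write under C:\Windows lands in the background bucket.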
Processes
- C:\Users\Admin\AppData\Local\Temp\0eee001af7e0e8cb7550a7277814d69393eaec09e6fcf418be00cdae865b6a6b.exe (PID 3276)
  command line: "C:\Users\Admin\AppData\Local\Temp\0eee001af7e0e8cb7550a7277814d69393eaec09e6fcf418be00cdae865b6a6b.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 4456)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 3564)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0eee001af7e0e8cb7550a7277814d69393eaec09e6fcf418be00cdae865b6a6b.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 4960)
      command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 4984)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 1308)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

The cmd.exe and PING.EXE children resolve to C:\Windows\SysWOW64 although the command line names System32: the 32-bit sample is subject to file-system redirection on the x64 host, so a detection keyed on the literal System32 path would miss this chain. The svchost.exe (wuauserv) and TiWorker.exe trees are Windows Update activity that happened to run during the analysis window and are unrelated to the sample.
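The tree above shows a three-step chain worth detecting on endpoint telemetry: a Geo\Nation registry read by a process running from Temp, a Run key (in either registry view) pointing into Temp, and cmd.exe using ping 127.0.0.1 as a delay before deleting its parent's image. The following is an added Python example, not from the report or any vendor rule set. The event records are constructed in a simplified Sysmon-like shape and the field names (type, pid, image, parent_image, cmdline, key, data) are assumptions; the paths, PIDs, SID and command lines are copied from the report, with the registry data written unescaped. The rules go slightly beyond the report's one instance: they accept both the native and the WOW6432Node Run keys, HKLM or user hives, and a ping -n N variant of the delay.

```python
"""Detection logic for the persistence / geofence / self-delete chain above.

Added example, not from the report or any vendor rule set. EVENTS is a
constructed, simplified Sysmon-like record list; its field names are
assumptions. Two benign look-alike events are included so the rules can be
checked for false positives.
"""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0eee001af7e0e8cb7550a7277814d69393eaec09e6fcf418be00cdae865b6a6b.exe")

TEMP_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
# Matches both registry views (native and WOW6432Node) under HKLM or a user hive.
RUN_KEY_RE = re.compile(r"\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
GEO_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# ping to loopback (optionally -n N) used as a sleep, then del of a quoted or bare path.
SELF_DELETE_RE = re.compile(
    r"ping(?:\.exe)?\s+(?:-n\s+\d+\s+)?127\.0\.0\.1.*?&\s*del\b.*?\"?(?P<target>[A-Za-z]:\\[^\"&]+)",
    re.I,
)


def run_key_to_temp(ev):
    """Run-key value whose data points into a user's Temp directory."""
    return (ev["type"] == "reg_set"
            and bool(RUN_KEY_RE.search(ev["key"]))
            and bool(TEMP_RE.match(ev["data"].strip('"'))))


def geofence_probe(ev):
    """Geo\\Nation queried by a process that itself runs from Temp."""
    return (ev["type"] == "reg_query"
            and bool(GEO_RE.search(ev["key"]))
            and bool(TEMP_RE.match(ev["image"])))


def self_delete(ev):
    """cmd.exe delaying with ping, then deleting its parent's own image."""
    if ev["type"] != "proc_create" or not ev["image"].lower().endswith("\\cmd.exe"):
        return False
    m = SELF_DELETE_RE.search(ev["cmdline"])
    return bool(m) and m.group("target").strip().lower() == ev["parent_image"].lower()


RULES = {
    "persistence_run_key_temp": run_key_to_temp,
    "geofence_registry_probe": geofence_probe,
    "self_delete_via_ping": self_delete,
}


def detect(events):
    """Return (rule name, pid) for every event a rule matches, in event order."""
    return [(name, ev["pid"]) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed events mirroring the report, plus two benign look-alikes.
EVENTS = [
    {"type": "reg_query", "pid": 3276, "image": SAMPLE,
     "key": r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation"},
    {"type": "reg_set", "pid": 3276, "image": SAMPLE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "data": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"type": "proc_create", "pid": 3564, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": SAMPLE,
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'},
    # Benign: a Run key pointing into Program Files must not fire.
    {"type": "reg_set", "pid": 5000, "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "data": r"C:\Program Files\Vendor\agent.exe"},
    # Benign: a loopback ping from a user's shell with no delete must not fire.
    {"type": "proc_create", "pid": 5001, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe /c ping 127.0.0.1"},
]

if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

The self-delete rule deliberately compares the del target with the parent's image path rather than firing on any ping-then-del, which keeps cleanup scripts that delete other files out of the hits; the Run-key rule matches on the data (where the value points) rather than the value name, since the name MicroMedia is trivially changed between builds.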
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: c6b7a0ea3be6ce8afa39d9b38ffd9524
- SHA1: 21e352b67f400e11bdda3d5f739a90b2c01aad17
- SHA256: b0c9bf7260847ffdc144b7ede08e76275a8b3795244dd03c6fefa3cddab3f19a
- SHA512: eed8727df712dc2b4221db963ea7e403053644960df7a2cf73277726f6a07a18b5a516d831c89cb8ba368bae0a361c1ee77e0cf636be6d1bef337ac3450a8440
These hashes differ from the submitted sample's (MD5 d4d02c858c0d25c3adfc757da1e0f95b), so the downloadable artifact is not a byte-identical copy of the submitted file; the page does not name it.