Analysis
max time kernel: 139s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 07:07
Static task: static1
Behavioral task: behavioral1
Sample: 0e7f5a53b6b0fbfafdc23ae9d47441e3b40cc1292f85ec06eca4a21ebc1a41da.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 0e7f5a53b6b0fbfafdc23ae9d47441e3b40cc1292f85ec06eca4a21ebc1a41da.exe
Resource: win10v2004-en-20220113
General
Target: 0e7f5a53b6b0fbfafdc23ae9d47441e3b40cc1292f85ec06eca4a21ebc1a41da.exe
Size: 99KB
MD5: d94ca4a57b10b4afb2f6373c0ae4b924
SHA1: 799810533a613e68eedd97bb2c7f599ca2c5424e
SHA256: 0e7f5a53b6b0fbfafdc23ae9d47441e3b40cc1292f85ec06eca4a21ebc1a41da
SHA512: 3c67b746fe6c3bf10181a5a000d191d64f611d222900fccaf51bc72ae18fda69d7690c7aa8934612cae7d5c645dba66e3f445bbc5b1759e508643a97fe99953b
Malware Config
Signatures

Sakula Payload (2 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE (1 IoCs)
Processes: MediaCenter.exe
pid | process
4628 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 0e7f5a53b6b0fbfafdc23ae9d47441e3b40cc1292f85ec06eca4a21ebc1a41da.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0e7f5a53b6b0fbfafdc23ae9d47441e3b40cc1292f85ec06eca4a21ebc1a41da.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: 0e7f5a53b6b0fbfafdc23ae9d47441e3b40cc1292f85ec06eca4a21ebc1a41da.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0e7f5a53b6b0fbfafdc23ae9d47441e3b40cc1292f85ec06eca4a21ebc1a41da.exe
Drops file in Windows directory (8 IoCs)
Processes: svchost.exe, TiWorker.exe
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: svchost.exe, 0e7f5a53b6b0fbfafdc23ae9d47441e3b40cc1292f85ec06eca4a21ebc1a41da.exe, TiWorker.exe
description | pid | process
Token: SeShutdownPrivilege | 3672 | svchost.exe
Token: SeCreatePagefilePrivilege | 3672 | svchost.exe
Token: SeShutdownPrivilege | 3672 | svchost.exe
Token: SeCreatePagefilePrivilege | 3672 | svchost.exe
Token: SeShutdownPrivilege | 3672 | svchost.exe
Token: SeCreatePagefilePrivilege | 3672 | svchost.exe
Token: SeIncBasePriorityPrivilege | 3384 | 0e7f5a53b6b0fbfafdc23ae9d47441e3b40cc1292f85ec06eca4a21ebc1a41da.exe
Token: SeSecurityPrivilege | 2208 | TiWorker.exe
Token: SeRestorePrivilege | 2208 | TiWorker.exe
Token: SeBackupPrivilege | 2208 | TiWorker.exe
Token: SeBackupPrivilege | 2208 | TiWorker.exe
Token: SeRestorePrivilege | 2208 | TiWorker.exe
Token: SeSecurityPrivilege | 2208 | TiWorker.exe
Token: SeBackupPrivilege | 2208 | TiWorker.exe
Token: SeRestorePrivilege | 2208 | TiWorker.exe
Token: SeSecurityPrivilege | 2208 | TiWorker.exe
Token: SeBackupPrivilege | 2208 | TiWorker.exe
Token: SeRestorePrivilege | 2208 | TiWorker.exe
Token: SeSecurityPrivilege | 2208 | TiWorker.exe
Token: SeBackupPrivilege | 2208 | TiWorker.exe
Token: SeRestorePrivilege | 2208 | TiWorker.exe
Token: SeSecurityPrivilege | 2208 | TiWorker.exe
Token: SeBackupPrivilege | 2208 | TiWorker.exe
Token: SeRestorePrivilege | 2208 | TiWorker.exe
Token: SeSecurityPrivilege | 2208 | TiWorker.exe
Token: SeBackupPrivilege | 2208 | TiWorker.exe
Token: SeRestorePrivilege | 2208 | TiWorker.exe
Token: SeSecurityPrivilege | 2208 | TiWorker.exe
Token: SeBackupPrivilege | 2208 | TiWorker.exe
Token: SeRestorePrivilege | 2208 | TiWorker.exe
Token: SeSecurityPrivilege | 2208 | TiWorker.exe
Token: SeBackupPrivilege | 2208 | TiWorker.exe
Token: SeRestorePrivilege | 2208 | TiWorker.exe
Token: SeSecurityPrivilege | 2208 | TiWorker.exe
Token: SeBackupPrivilege | 2208 | TiWorker.exe
Token: SeRestorePrivilege | 2208 | TiWorker.exe
Token: SeSecurityPrivilege | 2208 | TiWorker.exe
Token: SeBackupPrivilege | 2208 | TiWorker.exe
Token: SeRestorePrivilege | 2208 | TiWorker.exe
Token: SeSecurityPrivilege | 2208 | TiWorker.exe
Token: SeBackupPrivilege | 2208 | TiWorker.exe
Token: SeRestorePrivilege | 2208 | TiWorker.exe
Token: SeSecurityPrivilege | 2208 | TiWorker.exe
Token: SeBackupPrivilege | 2208 | TiWorker.exe
Token: SeRestorePrivilege | 2208 | TiWorker.exe
Token: SeSecurityPrivilege | 2208 | TiWorker.exe
Token: SeBackupPrivilege | 2208 | TiWorker.exe
Token: SeRestorePrivilege | 2208 | TiWorker.exe
Token: SeSecurityPrivilege | 2208 | TiWorker.exe
Token: SeBackupPrivilege | 2208 | TiWorker.exe
Token: SeRestorePrivilege | 2208 | TiWorker.exe
Token: SeSecurityPrivilege | 2208 | TiWorker.exe
Token: SeBackupPrivilege | 2208 | TiWorker.exe
Token: SeRestorePrivilege | 2208 | TiWorker.exe
Token: SeSecurityPrivilege | 2208 | TiWorker.exe
Token: SeBackupPrivilege | 2208 | TiWorker.exe
Token: SeRestorePrivilege | 2208 | TiWorker.exe
Token: SeSecurityPrivilege | 2208 | TiWorker.exe
Token: SeBackupPrivilege | 2208 | TiWorker.exe
Token: SeRestorePrivilege | 2208 | TiWorker.exe
Token: SeSecurityPrivilege | 2208 | TiWorker.exe
Token: SeBackupPrivilege | 2208 | TiWorker.exe
Token: SeRestorePrivilege | 2208 | TiWorker.exe
Token: SeSecurityPrivilege | 2208 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 0e7f5a53b6b0fbfafdc23ae9d47441e3b40cc1292f85ec06eca4a21ebc1a41da.exe, cmd.exe
description | pid | process | target process
PID 3384 wrote to memory of 4628 | 3384 | 0e7f5a53b6b0fbfafdc23ae9d47441e3b40cc1292f85ec06eca4a21ebc1a41da.exe | MediaCenter.exe
PID 3384 wrote to memory of 4628 | 3384 | 0e7f5a53b6b0fbfafdc23ae9d47441e3b40cc1292f85ec06eca4a21ebc1a41da.exe | MediaCenter.exe
PID 3384 wrote to memory of 4628 | 3384 | 0e7f5a53b6b0fbfafdc23ae9d47441e3b40cc1292f85ec06eca4a21ebc1a41da.exe | MediaCenter.exe
PID 3384 wrote to memory of 1488 | 3384 | 0e7f5a53b6b0fbfafdc23ae9d47441e3b40cc1292f85ec06eca4a21ebc1a41da.exe | cmd.exe
PID 3384 wrote to memory of 1488 | 3384 | 0e7f5a53b6b0fbfafdc23ae9d47441e3b40cc1292f85ec06eca4a21ebc1a41da.exe | cmd.exe
PID 3384 wrote to memory of 1488 | 3384 | 0e7f5a53b6b0fbfafdc23ae9d47441e3b40cc1292f85ec06eca4a21ebc1a41da.exe | cmd.exe
PID 1488 wrote to memory of 1204 | 1488 | cmd.exe | PING.EXE
PID 1488 wrote to memory of 1204 | 1488 | cmd.exe | PING.EXE
PID 1488 wrote to memory of 1204 | 1488 | cmd.exe | PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\0e7f5a53b6b0fbfafdc23ae9d47441e3b40cc1292f85ec06eca4a21ebc1a41da.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e7f5a53b6b0fbfafdc23ae9d47441e3b40cc1292f85ec06eca4a21ebc1a41da.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3384

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 4628

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e7f5a53b6b0fbfafdc23ae9d47441e3b40cc1292f85ec06eca4a21ebc1a41da.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1488

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1204

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3672

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2208
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: eded2be5eedcf7eeacce37bca2852326
SHA1: d150c574999217c3e4bcfcbd2e22fe7a5089ce70
SHA256: 14de0262f819c065cea9fb98b61f5bae54513a62c8cf78b4bbc434a772b16b43
SHA512: e2ad41d46d111a047d83e98c8ffe94453e5e92448f8d518df1393fb57f1328ba67860e7e3e480769b87aad60b54606b329a968f4c5307bcfcd8730ad71ff931a