Analysis
- max time kernel: 146s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 07:09
Static task: static1
Behavioral task: behavioral1
- Sample: 0e6614d77a6142be9b96f5e01cf1c5da6b9a72b928481422af04eff3376625c1.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0e6614d77a6142be9b96f5e01cf1c5da6b9a72b928481422af04eff3376625c1.exe
- Resource: win10v2004-en-20220113
The signatures and process tree below come from behavioral2 (the platform and resource listed above match that task); the win7 run is a separate report.
General
- Target: 0e6614d77a6142be9b96f5e01cf1c5da6b9a72b928481422af04eff3376625c1.exe
- Size: 80KB
- MD5: df66d7ecf3c62064e19b2a71dd056719
- SHA1: edbe6d5be26cb5d2401e162f0f5a097473525cde
- SHA256: 0e6614d77a6142be9b96f5e01cf1c5da6b9a72b928481422af04eff3376625c1
- SHA512: 3f65438d9a609b37fc02d0beaee4e7a443fc4c29f0bc549a90baf6daa809e51aedab0cf7f2b47bd6abdc9c945e9556388f4c589ad01964eb0c45e9069031f60d
Malware Config
Signatures
-
Sakula Payload (2 IoCs)
Processes:
  resource                                                       yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
-
Executes dropped EXE (1 IoC)
Processes:
  pid    process
  1428   MediaCenter.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description         ioc                                                                                                     process
  Key value queried   \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation   0e6614d77a6142be9b96f5e01cf1c5da6b9a72b928481422af04eff3376625c1.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description       ioc                                                                                                                                                                   process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   0e6614d77a6142be9b96f5e01cf1c5da6b9a72b928481422af04eff3376625c1.exe
The value lands under WOW6432Node because the sample runs as a 32-bit process on the 64-bit host (its cmd.exe child likewise resolves to SysWOW64 in the process tree). When hunting for this persistence, query both the native and the WOW6432Node Run keys; the value name MicroMedia and a Run target under %LOCALAPPDATA%\Temp are the durable artefacts.
-
Drops file in Windows directory (8 IoCs)
Processes: TiWorker.exe, svchost.exe
  description                    ioc                                                            process
  File opened for modification   C:\Windows\Logs\CBS\CBS.log                                    TiWorker.exe
  File opened for modification   C:\Windows\WinSxS\pending.xml                                  TiWorker.exe
  File opened for modification   C:\Windows\WindowsUpdate.log                                   svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk         svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log         svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.edb        svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm        svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\ReportingEvents.log            svchost.exe
All eight entries come from the servicing stack (TiWorker.exe) and the Windows Update service host (svchost.exe -k netsvcs -s wuauserv) that ran during the analysis window; none is attributed to the sample or its children, so this signature is background noise, not sample behaviour.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
No IoC is recorded for this signature, and the "likely ransomware" wording is the sandbox's generic description of the behaviour class rather than a finding specific to this sample; the YARA match above classifies the dropped payload as Sakula, and that is the stronger classification.
-
Runs ping.exe (1 TTP, 1 IoC)
The IoC is the cmd.exe /c ping 127.0.0.1 & del /q "<sample>" chain in the process tree (PIDs 1564 and 4168): a ping to loopback serves as a delay so the shell can delete the original dropper once it has exited.
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: svchost.exe, TiWorker.exe, 0e6614d77a6142be9b96f5e01cf1c5da6b9a72b928481422af04eff3376625c1.exe
  description                         pid    process                                                                  entries
  Token: SeShutdownPrivilege          3200   svchost.exe                                                              3
  Token: SeCreatePagefilePrivilege    3200   svchost.exe                                                              3
  Token: SeIncBasePriorityPrivilege   1240   0e6614d77a6142be9b96f5e01cf1c5da6b9a72b928481422af04eff3376625c1.exe   1
  Token: SeSecurityPrivilege          752    TiWorker.exe                                                             remaining 57 entries, cycling through
  Token: SeRestorePrivilege           752    TiWorker.exe                                                             SeSecurityPrivilege, SeRestorePrivilege
  Token: SeBackupPrivilege            752    TiWorker.exe                                                             and SeBackupPrivilege
Only the single SeIncBasePriorityPrivilege adjustment belongs to the sample (PID 1240); the svchost.exe and TiWorker.exe entries are the Windows Update servicing activity already noted above.
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 0e6614d77a6142be9b96f5e01cf1c5da6b9a72b928481422af04eff3376625c1.exe, cmd.exe
  description       pid    process                                                                  target pid   target process    entries
  wrote to memory   1240   0e6614d77a6142be9b96f5e01cf1c5da6b9a72b928481422af04eff3376625c1.exe   1428         MediaCenter.exe   3
  wrote to memory   1240   0e6614d77a6142be9b96f5e01cf1c5da6b9a72b928481422af04eff3376625c1.exe   1564         cmd.exe           3
  wrote to memory   1564   cmd.exe                                                                  4168         PING.EXE          3
Each target is a direct child of the writing process in the tree below, so these writes are consistent with process start-up rather than injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\0e6614d77a6142be9b96f5e01cf1c5da6b9a72b928481422af04eff3376625c1.exe (PID 1240)
  command line: "C:\Users\Admin\AppData\Local\Temp\0e6614d77a6142be9b96f5e01cf1c5da6b9a72b928481422af04eff3376625c1.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1428)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1564)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e6614d77a6142be9b96f5e01cf1c5da6b9a72b928481422af04eff3376625c1.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 4168)
      command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 3200)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 752)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
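The chain under PID 1240 (a Run value written under WOW6432Node pointing at the dropped MediaCenter.exe, the payload launched from the same Temp directory, then cmd.exe ping-sleeping and deleting the original dropper) is what endpoint detection should key on. The following is an added example, not code from the sandbox report or from the sample: Python detection logic run over constructed Sysmon-style events that mirror the process tree above. The event field names (id, pid, ppid, image, cmdline, target, details) follow the shape of Sysmon's process-create and registry-value-set records but are assumptions, and the parent PIDs 5000 and 800 are made up for the example.

```python
"""Added example: detection logic for the dropper chain in the report above,
run over constructed Sysmon-style events. Not part of the sandbox report."""
import re
from typing import Dict, List, Tuple

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0e6614d77a6142be9b96f5e01cf1c5da6b9a72b928481422af04eff3376625c1.exe")
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events (assumed field names, modelled on Sysmon Event ID 1
# process-create and Event ID 13 registry-value-set). PIDs, images and command
# lines are copied from the report; parent PIDs 5000 and 800 are made up.
EVENTS: List[Dict] = [
    {"id": 1, "pid": 1240, "ppid": 5000, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"id": 13, "pid": 1240, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "details": PAYLOAD},
    {"id": 1, "pid": 1428, "ppid": 1240, "image": PAYLOAD, "cmdline": PAYLOAD},
    {"id": 1, "pid": 1564, "ppid": 1240, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'},
    {"id": 1, "pid": 4168, "ppid": 1564, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Windows Update host that also ran during the analysis; must not alert.
    {"id": 1, "pid": 3200, "ppid": 800, "image": r"C:\Windows\system32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"},
]

# "ping <target> & del <path>": ping stands in for sleep so the shell outlives
# the parent it is about to delete. Captures the deleted path.
SELF_DELETE_RE = re.compile(
    r'\bping\b[^&]*&+\s*(?:del|erase)\b[^"]*"?([^"]+?)"?\s*$', re.IGNORECASE)
# Run / RunOnce value under the native or WOW6432Node view of the hive.
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run(?:Once)?\\[^\\]+$', re.IGNORECASE)
# Locations a standard user can write to; a Run value pointing here is the signal.
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\programdata", r"\users\public")


def _user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def _procs(events: List[Dict]) -> Dict[int, Dict]:
    return {e["pid"]: e for e in events if e["id"] == 1}


def find_self_delete(events: List[Dict]) -> List[Dict]:
    """cmd.exe ping-then-del chains, flagging when the deleted file is the
    parent process's own image (a dropper erasing itself)."""
    procs = _procs(events)
    hits = []
    for e in events:
        if e["id"] != 1:
            continue
        m = SELF_DELETE_RE.search(e["cmdline"])
        if not m:
            continue
        deleted = m.group(1).strip()
        parent = procs.get(e.get("ppid"))
        hits.append({
            "pid": e["pid"],
            "deleted": deleted,
            "parent_deletes_self": parent is not None
            and parent["image"].lower() == deleted.lower(),
        })
    return hits


def find_run_key_persistence(events: List[Dict]) -> List[Dict]:
    """Run/RunOnce value writes whose data points into a user-writable directory."""
    hits = []
    for e in events:
        if e["id"] != 13 or not RUN_KEY_RE.search(e["target"]):
            continue
        if _user_writable(e["details"]):
            hits.append({
                "pid": e["pid"],
                "name": e["target"].rsplit("\\", 1)[1],
                "value": e["details"],
                "wow64": "wow6432node" in e["target"].lower(),
            })
    return hits


def find_dropped_exe_chains(events: List[Dict]) -> List[Tuple[int, int]]:
    """(parent pid, child pid) pairs where both images live in user-writable
    space: the dropper-launches-payload shape seen in the report."""
    procs = _procs(events)
    chains = []
    for e in procs.values():
        parent = procs.get(e.get("ppid"))
        if parent and _user_writable(e["image"]) and _user_writable(parent["image"]):
            chains.append((parent["pid"], e["pid"]))
    return chains


def triage(events: List[Dict]) -> Dict:
    """Run all three detections and list the PIDs any of them implicate."""
    sd = find_self_delete(events)
    rk = find_run_key_persistence(events)
    ch = find_dropped_exe_chains(events)
    pids = {h["pid"] for h in sd} | {h["pid"] for h in rk} | {p for pair in ch for p in pair}
    return {"self_delete": sd, "run_key": rk, "dropped_chains": ch, "pids": sorted(pids)}


if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(f"{key}: {value}")
```

Against the constructed events the three detections implicate PIDs 1240, 1428 and 1564 and leave the svchost.exe wuauserv process alone; the self-delete check is strongest when `parent_deletes_self` is true, since a shell deleting a file that happens to be its parent's own image is rarely legitimate.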
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 2a9cdcf7aedf39b984f05bc72be765a5
  SHA1: b2d342b62e2944faa13c9f1df88e6f270d151222
  SHA256: 6e7f3aa80e647ec5930440c162cc5cba3fb98a6044562ef66e83eab36c182262
  SHA512: ce38d32a3407814bd5912347b72866a4f8bed77379c3681ad10f299d8c2902838964e00ebd6c895846ba1f6f1382ed57f10a34f94b7bdd87f09a76104fe6f0ce
  (listed twice in the report with identical hashes; these differ from the submitted sample's hashes under General, so this is a separate artefact captured during the run)