Analysis
-
max time kernel
134s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 08:09
Static task
static1
Behavioral task
behavioral1
Sample
0b94efe7dd7ad2efd90c6e07f305542a24a558da4fa16f0ff0c6bb5d3a840973.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0b94efe7dd7ad2efd90c6e07f305542a24a558da4fa16f0ff0c6bb5d3a840973.exe
Resource
win10v2004-en-20220113
General
-
Target
0b94efe7dd7ad2efd90c6e07f305542a24a558da4fa16f0ff0c6bb5d3a840973.exe
-
Size
150KB
-
MD5
d5716cab1a497e5477eb12ebef1017ed
-
SHA1
0b0a3af8d3ee7531ce4a0db2680fcbcfcf53c1df
-
SHA256
0b94efe7dd7ad2efd90c6e07f305542a24a558da4fa16f0ff0c6bb5d3a840973
-
SHA512
da4d1741e586ae03aaa2ba42266c59b337b0811a042f246fa119456295b8a9c88f17bb5cadbe845cec2c2c4ad9098699c974b48ed1603a1fc9513873d8c265fa
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 2492 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
0b94efe7dd7ad2efd90c6e07f305542a24a558da4fa16f0ff0c6bb5d3a840973.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 0b94efe7dd7ad2efd90c6e07f305542a24a558da4fa16f0ff0c6bb5d3a840973.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0b94efe7dd7ad2efd90c6e07f305542a24a558da4fa16f0ff0c6bb5d3a840973.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0b94efe7dd7ad2efd90c6e07f305542a24a558da4fa16f0ff0c6bb5d3a840973.exe -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exe0b94efe7dd7ad2efd90c6e07f305542a24a558da4fa16f0ff0c6bb5d3a840973.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 5024 svchost.exe Token: SeCreatePagefilePrivilege 5024 svchost.exe Token: SeShutdownPrivilege 5024 svchost.exe Token: SeCreatePagefilePrivilege 5024 svchost.exe Token: SeShutdownPrivilege 5024 svchost.exe Token: SeCreatePagefilePrivilege 5024 svchost.exe Token: SeIncBasePriorityPrivilege 1936 0b94efe7dd7ad2efd90c6e07f305542a24a558da4fa16f0ff0c6bb5d3a840973.exe Token: SeSecurityPrivilege 2080 TiWorker.exe Token: SeRestorePrivilege 2080 TiWorker.exe Token: SeBackupPrivilege 2080 TiWorker.exe Token: SeBackupPrivilege 2080 TiWorker.exe Token: SeRestorePrivilege 2080 TiWorker.exe Token: SeSecurityPrivilege 2080 TiWorker.exe Token: SeBackupPrivilege 2080 TiWorker.exe Token: SeRestorePrivilege 2080 TiWorker.exe Token: SeSecurityPrivilege 2080 TiWorker.exe Token: SeBackupPrivilege 2080 TiWorker.exe Token: SeRestorePrivilege 2080 TiWorker.exe Token: SeSecurityPrivilege 2080 TiWorker.exe Token: SeBackupPrivilege 2080 TiWorker.exe Token: SeRestorePrivilege 2080 TiWorker.exe Token: SeSecurityPrivilege 2080 TiWorker.exe Token: SeBackupPrivilege 2080 TiWorker.exe Token: SeRestorePrivilege 2080 TiWorker.exe Token: SeSecurityPrivilege 2080 TiWorker.exe Token: SeBackupPrivilege 2080 TiWorker.exe Token: SeRestorePrivilege 2080 TiWorker.exe Token: SeSecurityPrivilege 2080 TiWorker.exe Token: SeBackupPrivilege 2080 TiWorker.exe Token: SeRestorePrivilege 2080 TiWorker.exe Token: SeSecurityPrivilege 2080 TiWorker.exe Token: SeBackupPrivilege 2080 TiWorker.exe Token: SeRestorePrivilege 2080 TiWorker.exe Token: SeSecurityPrivilege 2080 TiWorker.exe Token: SeBackupPrivilege 2080 TiWorker.exe Token: SeRestorePrivilege 2080 TiWorker.exe Token: SeSecurityPrivilege 2080 TiWorker.exe Token: SeBackupPrivilege 2080 TiWorker.exe Token: SeRestorePrivilege 2080 TiWorker.exe Token: SeSecurityPrivilege 2080 TiWorker.exe Token: SeBackupPrivilege 2080 TiWorker.exe Token: SeRestorePrivilege 2080 TiWorker.exe Token: SeSecurityPrivilege 2080 TiWorker.exe Token: SeBackupPrivilege 2080 TiWorker.exe Token: SeRestorePrivilege 2080 TiWorker.exe Token: SeSecurityPrivilege 2080 TiWorker.exe Token: SeBackupPrivilege 2080 TiWorker.exe Token: SeRestorePrivilege 2080 TiWorker.exe Token: SeSecurityPrivilege 2080 TiWorker.exe Token: SeBackupPrivilege 2080 TiWorker.exe Token: SeRestorePrivilege 2080 TiWorker.exe Token: SeSecurityPrivilege 2080 TiWorker.exe Token: SeBackupPrivilege 2080 TiWorker.exe Token: SeRestorePrivilege 2080 TiWorker.exe Token: SeSecurityPrivilege 2080 TiWorker.exe Token: SeBackupPrivilege 2080 TiWorker.exe Token: SeRestorePrivilege 2080 TiWorker.exe Token: SeSecurityPrivilege 2080 TiWorker.exe Token: SeBackupPrivilege 2080 TiWorker.exe Token: SeRestorePrivilege 2080 TiWorker.exe Token: SeSecurityPrivilege 2080 TiWorker.exe Token: SeBackupPrivilege 2080 TiWorker.exe Token: SeRestorePrivilege 2080 TiWorker.exe Token: SeSecurityPrivilege 2080 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
0b94efe7dd7ad2efd90c6e07f305542a24a558da4fa16f0ff0c6bb5d3a840973.execmd.exedescription pid process target process PID 1936 wrote to memory of 2492 1936 0b94efe7dd7ad2efd90c6e07f305542a24a558da4fa16f0ff0c6bb5d3a840973.exe MediaCenter.exe PID 1936 wrote to memory of 2492 1936 0b94efe7dd7ad2efd90c6e07f305542a24a558da4fa16f0ff0c6bb5d3a840973.exe MediaCenter.exe PID 1936 wrote to memory of 2492 1936 0b94efe7dd7ad2efd90c6e07f305542a24a558da4fa16f0ff0c6bb5d3a840973.exe MediaCenter.exe PID 1936 wrote to memory of 3208 1936 0b94efe7dd7ad2efd90c6e07f305542a24a558da4fa16f0ff0c6bb5d3a840973.exe cmd.exe PID 1936 wrote to memory of 3208 1936 0b94efe7dd7ad2efd90c6e07f305542a24a558da4fa16f0ff0c6bb5d3a840973.exe cmd.exe PID 1936 wrote to memory of 3208 1936 0b94efe7dd7ad2efd90c6e07f305542a24a558da4fa16f0ff0c6bb5d3a840973.exe cmd.exe PID 3208 wrote to memory of 1232 3208 cmd.exe PING.EXE PID 3208 wrote to memory of 1232 3208 cmd.exe PING.EXE PID 3208 wrote to memory of 1232 3208 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0b94efe7dd7ad2efd90c6e07f305542a24a558da4fa16f0ff0c6bb5d3a840973.exe"C:\Users\Admin\AppData\Local\Temp\0b94efe7dd7ad2efd90c6e07f305542a24a558da4fa16f0ff0c6bb5d3a840973.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b94efe7dd7ad2efd90c6e07f305542a24a558da4fa16f0ff0c6bb5d3a840973.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1232
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5024
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2080
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
a10ba9ee1fe3ffce6a88b66e21230e67
SHA1d45e6e470b8d311d59ad11d76c0fd8f472823e5c
SHA256a6f534f81dcf77f3e3a02d0662152a662a60e335bdb6372af49747283113814e
SHA512ddf3d24f4e5b6f3725a71025f172f717932b370dc5e4e43828877ca90fe7bcb495c135d930cc62e850d0e48b947b6a6d47479729cd2f69bb9c76006c5296835d
-
MD5
a10ba9ee1fe3ffce6a88b66e21230e67
SHA1d45e6e470b8d311d59ad11d76c0fd8f472823e5c
SHA256a6f534f81dcf77f3e3a02d0662152a662a60e335bdb6372af49747283113814e
SHA512ddf3d24f4e5b6f3725a71025f172f717932b370dc5e4e43828877ca90fe7bcb495c135d930cc62e850d0e48b947b6a6d47479729cd2f69bb9c76006c5296835d