Analysis
- Max time kernel: 140s
- Max time network: 148s
- Platform: windows10-2004_x64
- Resource: win10v2004-en-20220113
- Submitted: 12-02-2022 07:29

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 0d772057f4a730a3eba87812c68450e928aca2c837991e63bc07d842d3edddae.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 0d772057f4a730a3eba87812c68450e928aca2c837991e63bc07d842d3edddae.exe
  Resource: win10v2004-en-20220113
General
- Target: 0d772057f4a730a3eba87812c68450e928aca2c837991e63bc07d842d3edddae.exe
- Size: 92KB
- MD5: 6c837a2f15f140b0c51e250525e539e9
- SHA1: d17720ac681f0200e55a00b8186d04e9f991d6d9
- SHA256: 0d772057f4a730a3eba87812c68450e928aca2c837991e63bc07d842d3edddae
- SHA512: 92a2516957e6c7aec77605288f2fd824b5bb042e1038ac48ea81b3c01d272ad300be8842fba98770be1494c8f4843b0566bd1277e70135b9cac30863f214c779
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource, YARA rule):
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- Executes dropped EXE (1 IoC)
  Processes (PID, process):
  - 5000: MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (description, IoC, process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (0d772057f4a730a3eba87812c68450e928aca2c837991e63bc07d842d3edddae.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, IoC, process):
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (0d772057f4a730a3eba87812c68450e928aca2c837991e63bc07d842d3edddae.exe)
- Drops file in Windows directory (8 IoCs)
  Processes (description, IoC, process):
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
  - File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  - File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  - File opened for modification: C:\Windows\WindowsUpdate.log (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description, PID, process); the 64 entries collapse to these distinct token/process pairs, each occurring repeatedly:
  - Token: SeShutdownPrivilege (2584, svchost.exe)
  - Token: SeCreatePagefilePrivilege (2584, svchost.exe)
  - Token: SeSecurityPrivilege (3316, TiWorker.exe)
  - Token: SeRestorePrivilege (3316, TiWorker.exe)
  - Token: SeBackupPrivilege (3316, TiWorker.exe)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, PID, process, target process); each entry appears three times:
  - PID 1284 wrote to memory of 5000: 0d772057f4a730a3eba87812c68450e928aca2c837991e63bc07d842d3edddae.exe -> MediaCenter.exe (x3)
  - PID 1284 wrote to memory of 1292: 0d772057f4a730a3eba87812c68450e928aca2c837991e63bc07d842d3edddae.exe -> cmd.exe (x3)
  - PID 1292 wrote to memory of 1488: cmd.exe -> PING.EXE (x3)
Processes
- C:\Users\Admin\AppData\Local\Temp\0d772057f4a730a3eba87812c68450e928aca2c837991e63bc07d842d3edddae.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d772057f4a730a3eba87812c68450e928aca2c837991e63bc07d842d3edddae.exe"
  PID: 1284
  Signatures:
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 5000
    Signatures:
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d772057f4a730a3eba87812c68450e928aca2c837991e63bc07d842d3edddae.exe"
    PID: 1292
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1488
      Signatures:
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 2584
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3316
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 35b102d9be6c9b69c18cf521ad141412
  SHA1: 4f00aa6fa699c1a51649e0d04761c5c3e87c0a9f
  SHA256: f1f5f14d1986fa4de1e477da819c76d3cb3f1f6fac7e4ace368db142cda1ea61
  SHA512: 2930a1cf062d729bfd84f513a834c731d9f779476bbf856e968f18247ae83d1ac5a2951d9c5707ed39f65114b13e90124928bda8085efb5de5972bc55251bbec