Analysis
-
max time kernel
147s -
max time network
165s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 07:28
Static task
static1
Behavioral task
behavioral1
Sample
0d85f5eb6f2708aa00be2bab7520f9b4db08177a81279bb5f7334930264b785b.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0d85f5eb6f2708aa00be2bab7520f9b4db08177a81279bb5f7334930264b785b.exe
Resource
win10v2004-en-20220113
General
-
Target
0d85f5eb6f2708aa00be2bab7520f9b4db08177a81279bb5f7334930264b785b.exe
-
Size
101KB
-
MD5
e68751554bff4b0b15fcaf0be95c94d3
-
SHA1
eda9f34581a26dc9d071b7cc8d01b64dff9658a3
-
SHA256
0d85f5eb6f2708aa00be2bab7520f9b4db08177a81279bb5f7334930264b785b
-
SHA512
e2d7b6bee3cbb70dfd07124bd9c7edf23b364f1faf58d1b2f5f50c2f402a17c5e87b8510c4fce4f14a4264323058cf71d78d958bfebac1c5605490f52ce6fb25
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 3636 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
0d85f5eb6f2708aa00be2bab7520f9b4db08177a81279bb5f7334930264b785b.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 0d85f5eb6f2708aa00be2bab7520f9b4db08177a81279bb5f7334930264b785b.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0d85f5eb6f2708aa00be2bab7520f9b4db08177a81279bb5f7334930264b785b.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0d85f5eb6f2708aa00be2bab7520f9b4db08177a81279bb5f7334930264b785b.exe -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
0d85f5eb6f2708aa00be2bab7520f9b4db08177a81279bb5f7334930264b785b.exesvchost.exeTiWorker.exedescription pid process Token: SeIncBasePriorityPrivilege 1276 0d85f5eb6f2708aa00be2bab7520f9b4db08177a81279bb5f7334930264b785b.exe Token: SeShutdownPrivilege 444 svchost.exe Token: SeCreatePagefilePrivilege 444 svchost.exe Token: SeShutdownPrivilege 444 svchost.exe Token: SeCreatePagefilePrivilege 444 svchost.exe Token: SeShutdownPrivilege 444 svchost.exe Token: SeCreatePagefilePrivilege 444 svchost.exe Token: SeSecurityPrivilege 1008 TiWorker.exe Token: SeRestorePrivilege 1008 TiWorker.exe Token: SeBackupPrivilege 1008 TiWorker.exe Token: SeBackupPrivilege 1008 TiWorker.exe Token: SeRestorePrivilege 1008 TiWorker.exe Token: SeSecurityPrivilege 1008 TiWorker.exe Token: SeBackupPrivilege 1008 TiWorker.exe Token: SeRestorePrivilege 1008 TiWorker.exe Token: SeSecurityPrivilege 1008 TiWorker.exe Token: SeBackupPrivilege 1008 TiWorker.exe Token: SeRestorePrivilege 1008 TiWorker.exe Token: SeSecurityPrivilege 1008 TiWorker.exe Token: SeBackupPrivilege 1008 TiWorker.exe Token: SeRestorePrivilege 1008 TiWorker.exe Token: SeSecurityPrivilege 1008 TiWorker.exe Token: SeBackupPrivilege 1008 TiWorker.exe Token: SeRestorePrivilege 1008 TiWorker.exe Token: SeSecurityPrivilege 1008 TiWorker.exe Token: SeBackupPrivilege 1008 TiWorker.exe Token: SeRestorePrivilege 1008 TiWorker.exe Token: SeSecurityPrivilege 1008 TiWorker.exe Token: SeBackupPrivilege 1008 TiWorker.exe Token: SeRestorePrivilege 1008 TiWorker.exe Token: SeSecurityPrivilege 1008 TiWorker.exe Token: SeBackupPrivilege 1008 TiWorker.exe Token: SeRestorePrivilege 1008 TiWorker.exe Token: SeSecurityPrivilege 1008 TiWorker.exe Token: SeBackupPrivilege 1008 TiWorker.exe Token: SeRestorePrivilege 1008 TiWorker.exe Token: SeSecurityPrivilege 1008 TiWorker.exe Token: SeBackupPrivilege 1008 TiWorker.exe Token: SeRestorePrivilege 1008 TiWorker.exe Token: SeSecurityPrivilege 1008 TiWorker.exe Token: SeBackupPrivilege 1008 TiWorker.exe Token: SeRestorePrivilege 1008 TiWorker.exe Token: SeSecurityPrivilege 1008 TiWorker.exe Token: SeBackupPrivilege 1008 TiWorker.exe Token: SeRestorePrivilege 1008 TiWorker.exe Token: SeSecurityPrivilege 1008 TiWorker.exe Token: SeBackupPrivilege 1008 TiWorker.exe Token: SeRestorePrivilege 1008 TiWorker.exe Token: SeSecurityPrivilege 1008 TiWorker.exe Token: SeBackupPrivilege 1008 TiWorker.exe Token: SeRestorePrivilege 1008 TiWorker.exe Token: SeSecurityPrivilege 1008 TiWorker.exe Token: SeBackupPrivilege 1008 TiWorker.exe Token: SeRestorePrivilege 1008 TiWorker.exe Token: SeSecurityPrivilege 1008 TiWorker.exe Token: SeBackupPrivilege 1008 TiWorker.exe Token: SeRestorePrivilege 1008 TiWorker.exe Token: SeSecurityPrivilege 1008 TiWorker.exe Token: SeBackupPrivilege 1008 TiWorker.exe Token: SeRestorePrivilege 1008 TiWorker.exe Token: SeSecurityPrivilege 1008 TiWorker.exe Token: SeBackupPrivilege 1008 TiWorker.exe Token: SeRestorePrivilege 1008 TiWorker.exe Token: SeSecurityPrivilege 1008 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
0d85f5eb6f2708aa00be2bab7520f9b4db08177a81279bb5f7334930264b785b.execmd.exedescription pid process target process PID 1276 wrote to memory of 3636 1276 0d85f5eb6f2708aa00be2bab7520f9b4db08177a81279bb5f7334930264b785b.exe MediaCenter.exe PID 1276 wrote to memory of 3636 1276 0d85f5eb6f2708aa00be2bab7520f9b4db08177a81279bb5f7334930264b785b.exe MediaCenter.exe PID 1276 wrote to memory of 3636 1276 0d85f5eb6f2708aa00be2bab7520f9b4db08177a81279bb5f7334930264b785b.exe MediaCenter.exe PID 1276 wrote to memory of 636 1276 0d85f5eb6f2708aa00be2bab7520f9b4db08177a81279bb5f7334930264b785b.exe cmd.exe PID 1276 wrote to memory of 636 1276 0d85f5eb6f2708aa00be2bab7520f9b4db08177a81279bb5f7334930264b785b.exe cmd.exe PID 1276 wrote to memory of 636 1276 0d85f5eb6f2708aa00be2bab7520f9b4db08177a81279bb5f7334930264b785b.exe cmd.exe PID 636 wrote to memory of 1436 636 cmd.exe PING.EXE PID 636 wrote to memory of 1436 636 cmd.exe PING.EXE PID 636 wrote to memory of 1436 636 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d85f5eb6f2708aa00be2bab7520f9b4db08177a81279bb5f7334930264b785b.exe"C:\Users\Admin\AppData\Local\Temp\0d85f5eb6f2708aa00be2bab7520f9b4db08177a81279bb5f7334930264b785b.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:3636 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d85f5eb6f2708aa00be2bab7520f9b4db08177a81279bb5f7334930264b785b.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1436
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:444
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1008
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
46ba4843c69bea10352d857ac52010e4
SHA1ae07ef82bf88cedcf0fc3fa42e4de8c814100382
SHA25638373276f7aad46a472993e609856b404a62f37a738bf2d7841b7654bd742cca
SHA51288036f226bf8310b202cf36cd94f37d47c4f2b6a9e7e6f5906b703981cdce340240b12f73609daa6fc3d59713e0dce611f0c8048997fa30ce1219840e892444e
-
MD5
46ba4843c69bea10352d857ac52010e4
SHA1ae07ef82bf88cedcf0fc3fa42e4de8c814100382
SHA25638373276f7aad46a472993e609856b404a62f37a738bf2d7841b7654bd742cca
SHA51288036f226bf8310b202cf36cd94f37d47c4f2b6a9e7e6f5906b703981cdce340240b12f73609daa6fc3d59713e0dce611f0c8048997fa30ce1219840e892444e