Analysis
-
max time kernel
157s -
max time network
165s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 07:28
Static task
static1
Behavioral task
behavioral1
Sample
0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exe
Resource
win10v2004-en-20220113
General
-
Target
0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exe
-
Size
99KB
-
MD5
5d1c15e90754e64146c8795404770fb6
-
SHA1
e3767b712a8622c4854e7e35f397b64cbfdfe4d3
-
SHA256
0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8
-
SHA512
df39564d0cd2b287ad467aa1edd4a8f3c2dd04f66abe331349c3285d3c6c744c2c3712bef375dfeb032fd547095399aaea278a5154f5bb438c493c3fd49eae78
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 3816 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exe -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exeTiWorker.exe0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exedescription pid process Token: SeShutdownPrivilege 1132 svchost.exe Token: SeCreatePagefilePrivilege 1132 svchost.exe Token: SeShutdownPrivilege 1132 svchost.exe Token: SeCreatePagefilePrivilege 1132 svchost.exe Token: SeShutdownPrivilege 1132 svchost.exe Token: SeCreatePagefilePrivilege 1132 svchost.exe Token: SeSecurityPrivilege 4404 TiWorker.exe Token: SeRestorePrivilege 4404 TiWorker.exe Token: SeBackupPrivilege 4404 TiWorker.exe Token: SeBackupPrivilege 4404 TiWorker.exe Token: SeRestorePrivilege 4404 TiWorker.exe Token: SeSecurityPrivilege 4404 TiWorker.exe Token: SeBackupPrivilege 4404 TiWorker.exe Token: SeRestorePrivilege 4404 TiWorker.exe Token: SeSecurityPrivilege 4404 TiWorker.exe Token: SeBackupPrivilege 4404 TiWorker.exe Token: SeRestorePrivilege 4404 TiWorker.exe Token: SeSecurityPrivilege 4404 TiWorker.exe Token: SeBackupPrivilege 4404 TiWorker.exe Token: SeRestorePrivilege 4404 TiWorker.exe Token: SeSecurityPrivilege 4404 TiWorker.exe Token: SeIncBasePriorityPrivilege 2736 0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exe Token: SeBackupPrivilege 4404 TiWorker.exe Token: SeRestorePrivilege 4404 TiWorker.exe Token: SeSecurityPrivilege 4404 TiWorker.exe Token: SeBackupPrivilege 4404 TiWorker.exe Token: SeRestorePrivilege 4404 TiWorker.exe Token: SeSecurityPrivilege 4404 TiWorker.exe Token: SeBackupPrivilege 4404 TiWorker.exe Token: SeRestorePrivilege 4404 TiWorker.exe Token: SeSecurityPrivilege 4404 TiWorker.exe Token: SeBackupPrivilege 4404 TiWorker.exe Token: SeRestorePrivilege 4404 TiWorker.exe Token: SeSecurityPrivilege 4404 TiWorker.exe Token: SeBackupPrivilege 4404 TiWorker.exe Token: SeRestorePrivilege 4404 TiWorker.exe Token: SeSecurityPrivilege 4404 TiWorker.exe Token: SeBackupPrivilege 4404 TiWorker.exe Token: SeRestorePrivilege 4404 TiWorker.exe Token: SeSecurityPrivilege 4404 TiWorker.exe Token: SeBackupPrivilege 4404 TiWorker.exe Token: SeRestorePrivilege 4404 TiWorker.exe Token: SeSecurityPrivilege 4404 TiWorker.exe Token: SeBackupPrivilege 4404 TiWorker.exe Token: SeRestorePrivilege 4404 TiWorker.exe Token: SeSecurityPrivilege 4404 TiWorker.exe Token: SeBackupPrivilege 4404 TiWorker.exe Token: SeRestorePrivilege 4404 TiWorker.exe Token: SeSecurityPrivilege 4404 TiWorker.exe Token: SeBackupPrivilege 4404 TiWorker.exe Token: SeRestorePrivilege 4404 TiWorker.exe Token: SeSecurityPrivilege 4404 TiWorker.exe Token: SeBackupPrivilege 4404 TiWorker.exe Token: SeRestorePrivilege 4404 TiWorker.exe Token: SeSecurityPrivilege 4404 TiWorker.exe Token: SeBackupPrivilege 4404 TiWorker.exe Token: SeRestorePrivilege 4404 TiWorker.exe Token: SeSecurityPrivilege 4404 TiWorker.exe Token: SeBackupPrivilege 4404 TiWorker.exe Token: SeRestorePrivilege 4404 TiWorker.exe Token: SeSecurityPrivilege 4404 TiWorker.exe Token: SeBackupPrivilege 4404 TiWorker.exe Token: SeRestorePrivilege 4404 TiWorker.exe Token: SeSecurityPrivilege 4404 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.execmd.exedescription pid process target process PID 2736 wrote to memory of 3816 2736 0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exe MediaCenter.exe PID 2736 wrote to memory of 3816 2736 0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exe MediaCenter.exe PID 2736 wrote to memory of 3816 2736 0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exe MediaCenter.exe PID 2736 wrote to memory of 1756 2736 0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exe cmd.exe PID 2736 wrote to memory of 1756 2736 0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exe cmd.exe PID 2736 wrote to memory of 1756 2736 0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exe cmd.exe PID 1756 wrote to memory of 2536 1756 cmd.exe PING.EXE PID 1756 wrote to memory of 2536 1756 cmd.exe PING.EXE PID 1756 wrote to memory of 2536 1756 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exe"C:\Users\Admin\AppData\Local\Temp\0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:3816 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:2536
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1132
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4404
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
02d0fd0739ec1d8ab81159023c0f0b0b
SHA10a15e0814c8ae6f068aa398b872cc5d588afb60a
SHA256a4f2293e017fb2950b56dd9f941528651c1a468419aea66818344af4fd770534
SHA512654047f783c7ba662e3119aa36ef16f0a40174a668a323f1cd8e8a679b1b7f1eace1333ed8cb0267eb815d622f9db7bdc97e3989015a4167c97a6433466577a4
-
MD5
02d0fd0739ec1d8ab81159023c0f0b0b
SHA10a15e0814c8ae6f068aa398b872cc5d588afb60a
SHA256a4f2293e017fb2950b56dd9f941528651c1a468419aea66818344af4fd770534
SHA512654047f783c7ba662e3119aa36ef16f0a40174a668a323f1cd8e8a679b1b7f1eace1333ed8cb0267eb815d622f9db7bdc97e3989015a4167c97a6433466577a4