Analysis
- max time kernel: 149s
- max time network: 178s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 07:30
Static task: static1
Behavioral task: behavioral1
  Sample: 0d5cdfd58cd82aa5b545407cacc7998bfd59c2cbbac98e2acdae36d561cc0c41.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0d5cdfd58cd82aa5b545407cacc7998bfd59c2cbbac98e2acdae36d561cc0c41.exe
  Resource: win10v2004-en-20220113
General
- Target: 0d5cdfd58cd82aa5b545407cacc7998bfd59c2cbbac98e2acdae36d561cc0c41.exe
- Size: 100KB
- MD5: 8988c6833c3d10c684e5f2da01f815b1
- SHA1: d2033daf45fb0decc8cc43b8cb4308077a6b249a
- SHA256: 0d5cdfd58cd82aa5b545407cacc7998bfd59c2cbbac98e2acdae36d561cc0c41
- SHA512: 0652da056e52ed793a2ecd916d433705015c9915f9848fb07884a50fb5e7c89599072ca083720c3305c01b0db1186bcf651680cd4cbdb2d82d3f1ab90cb3e5fc
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource                                                        yara_rule
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula

- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
    pid     process
    1484    MediaCenter.exe

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 0d5cdfd58cd82aa5b545407cacc7998bfd59c2cbbac98e2acdae36d561cc0c41.exe
    description          ioc                                                                                               process
    Key value queried    \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation    0d5cdfd58cd82aa5b545407cacc7998bfd59c2cbbac98e2acdae36d561cc0c41.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 0d5cdfd58cd82aa5b545407cacc7998bfd59c2cbbac98e2acdae36d561cc0c41.exe
    description        ioc                                                                                                                                                             process
    Set value (str)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"    0d5cdfd58cd82aa5b545407cacc7998bfd59c2cbbac98e2acdae36d561cc0c41.exe

- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
    description                     ioc                                                          process
    File opened for modification    C:\Windows\WindowsUpdate.log                                 svchost.exe
    File opened for modification    C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk       svchost.exe
    File opened for modification    C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log       svchost.exe
    File opened for modification    C:\Windows\SoftwareDistribution\DataStore\DataStore.edb      svchost.exe
    File opened for modification    C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm      svchost.exe
    File opened for modification    C:\Windows\SoftwareDistribution\ReportingEvents.log          svchost.exe
    File opened for modification    C:\Windows\Logs\CBS\CBS.log                                  TiWorker.exe
    File opened for modification    C:\Windows\WinSxS\pending.xml                                TiWorker.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Runs ping.exe (1 TTP, 1 IoC)

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, TiWorker.exe
  The sandbox logged 64 token events; the distinct privilege/process pairs are listed once each below (each was recorded repeatedly).
    description                         pid     process
    Token: SeShutdownPrivilege          1420    svchost.exe
    Token: SeCreatePagefilePrivilege    1420    svchost.exe
    Token: SeSecurityPrivilege          636     TiWorker.exe
    Token: SeRestorePrivilege           636     TiWorker.exe
    Token: SeBackupPrivilege            636     TiWorker.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 0d5cdfd58cd82aa5b545407cacc7998bfd59c2cbbac98e2acdae36d561cc0c41.exe, cmd.exe
    description                        pid     process                                                                   target process
    PID 460 wrote to memory of 1484    460     0d5cdfd58cd82aa5b545407cacc7998bfd59c2cbbac98e2acdae36d561cc0c41.exe    MediaCenter.exe
    PID 460 wrote to memory of 1484    460     0d5cdfd58cd82aa5b545407cacc7998bfd59c2cbbac98e2acdae36d561cc0c41.exe    MediaCenter.exe
    PID 460 wrote to memory of 1484    460     0d5cdfd58cd82aa5b545407cacc7998bfd59c2cbbac98e2acdae36d561cc0c41.exe    MediaCenter.exe
    PID 460 wrote to memory of 4164    460     0d5cdfd58cd82aa5b545407cacc7998bfd59c2cbbac98e2acdae36d561cc0c41.exe    cmd.exe
    PID 460 wrote to memory of 4164    460     0d5cdfd58cd82aa5b545407cacc7998bfd59c2cbbac98e2acdae36d561cc0c41.exe    cmd.exe
    PID 460 wrote to memory of 4164    460     0d5cdfd58cd82aa5b545407cacc7998bfd59c2cbbac98e2acdae36d561cc0c41.exe    cmd.exe
    PID 4164 wrote to memory of 1440   4164    cmd.exe                                                                   PING.EXE
    PID 4164 wrote to memory of 1440   4164    cmd.exe                                                                   PING.EXE
    PID 4164 wrote to memory of 1440   4164    cmd.exe                                                                   PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0d5cdfd58cd82aa5b545407cacc7998bfd59c2cbbac98e2acdae36d561cc0c41.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d5cdfd58cd82aa5b545407cacc7998bfd59c2cbbac98e2acdae36d561cc0c41.exe"
  PID: 460
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (child of PID 460)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1484
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (child of PID 460)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d5cdfd58cd82aa5b545407cacc7998bfd59c2cbbac98e2acdae36d561cc0c41.exe"
    PID: 4164
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (child of PID 4164)
      Command line: ping 127.0.0.1
      PID: 1440
      - Runs ping.exe

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 1420
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 636
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: ce6b781167e33553aaac035b8476f928
  SHA1: c2a960a09635124f7a49bb90b0377a8282c67a63
  SHA256: fa617cb23c244b53dbc94b5a36b027dafc7c6dca28705845cf16fd5b2f6ae740
  SHA512: 041d672866533723a08319a799ec1235875d15cda5727badc93ab53bf3046ec045d416507e20300d24503005e0bfbca98c44b1130fdc36d85d8590632be08d82