Analysis
max time kernel
152s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
12-02-2022 07:31
Static task
static1
Behavioral task
behavioral1
Sample
0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe
Resource
win10v2004-en-20220113
General
Target
0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe
Size
89KB
MD5
b4af6c589f78a3798c5d8db01e29b5e9
SHA1
5bf902599a1d23da28ab33afc9ad9aeab7a0df25
SHA256
0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a
SHA512
e523eb5d871b834be35539bbf9056ea4e98f34dd30a2a40392ab144bf5391f80872a3e274ec5246140f09fecbaddb07f3355b1ff280c0aeb492031eb6faa515c
Malware Config
Signatures
Sakula Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE 1 IoCs
Processes: MediaCenter.exe
pid | process
2128 | MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe
Drops file in Windows directory 8 IoCs
Processes: svchost.exe, TiWorker.exe
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: svchost.exe, 0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe, TiWorker.exe
description | pid | process
Token: SeShutdownPrivilege | 4064 | svchost.exe
Token: SeCreatePagefilePrivilege | 4064 | svchost.exe
Token: SeShutdownPrivilege | 4064 | svchost.exe
Token: SeCreatePagefilePrivilege | 4064 | svchost.exe
Token: SeShutdownPrivilege | 4064 | svchost.exe
Token: SeCreatePagefilePrivilege | 4064 | svchost.exe
Token: SeIncBasePriorityPrivilege | 2088 | 0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe
Token: SeSecurityPrivilege | 3484 | TiWorker.exe
Token: SeRestorePrivilege | 3484 | TiWorker.exe
Token: SeBackupPrivilege | 3484 | TiWorker.exe
Token: SeBackupPrivilege | 3484 | TiWorker.exe
Token: SeRestorePrivilege | 3484 | TiWorker.exe
Token: SeSecurityPrivilege | 3484 | TiWorker.exe
Token: SeBackupPrivilege | 3484 | TiWorker.exe
Token: SeRestorePrivilege | 3484 | TiWorker.exe
Token: SeSecurityPrivilege | 3484 | TiWorker.exe
Token: SeBackupPrivilege | 3484 | TiWorker.exe
Token: SeRestorePrivilege | 3484 | TiWorker.exe
Token: SeSecurityPrivilege | 3484 | TiWorker.exe
Token: SeBackupPrivilege | 3484 | TiWorker.exe
Token: SeRestorePrivilege | 3484 | TiWorker.exe
Token: SeSecurityPrivilege | 3484 | TiWorker.exe
Token: SeBackupPrivilege | 3484 | TiWorker.exe
Token: SeRestorePrivilege | 3484 | TiWorker.exe
Token: SeSecurityPrivilege | 3484 | TiWorker.exe
Token: SeBackupPrivilege | 3484 | TiWorker.exe
Token: SeRestorePrivilege | 3484 | TiWorker.exe
Token: SeSecurityPrivilege | 3484 | TiWorker.exe
Token: SeBackupPrivilege | 3484 | TiWorker.exe
Token: SeRestorePrivilege | 3484 | TiWorker.exe
Token: SeSecurityPrivilege | 3484 | TiWorker.exe
Token: SeBackupPrivilege | 3484 | TiWorker.exe
Token: SeRestorePrivilege | 3484 | TiWorker.exe
Token: SeSecurityPrivilege | 3484 | TiWorker.exe
Token: SeBackupPrivilege | 3484 | TiWorker.exe
Token: SeRestorePrivilege | 3484 | TiWorker.exe
Token: SeSecurityPrivilege | 3484 | TiWorker.exe
Token: SeBackupPrivilege | 3484 | TiWorker.exe
Token: SeRestorePrivilege | 3484 | TiWorker.exe
Token: SeSecurityPrivilege | 3484 | TiWorker.exe
Token: SeBackupPrivilege | 3484 | TiWorker.exe
Token: SeRestorePrivilege | 3484 | TiWorker.exe
Token: SeSecurityPrivilege | 3484 | TiWorker.exe
Token: SeBackupPrivilege | 3484 | TiWorker.exe
Token: SeRestorePrivilege | 3484 | TiWorker.exe
Token: SeSecurityPrivilege | 3484 | TiWorker.exe
Token: SeBackupPrivilege | 3484 | TiWorker.exe
Token: SeRestorePrivilege | 3484 | TiWorker.exe
Token: SeSecurityPrivilege | 3484 | TiWorker.exe
Token: SeBackupPrivilege | 3484 | TiWorker.exe
Token: SeRestorePrivilege | 3484 | TiWorker.exe
Token: SeSecurityPrivilege | 3484 | TiWorker.exe
Token: SeBackupPrivilege | 3484 | TiWorker.exe
Token: SeRestorePrivilege | 3484 | TiWorker.exe
Token: SeSecurityPrivilege | 3484 | TiWorker.exe
Token: SeBackupPrivilege | 3484 | TiWorker.exe
Token: SeRestorePrivilege | 3484 | TiWorker.exe
Token: SeSecurityPrivilege | 3484 | TiWorker.exe
Token: SeBackupPrivilege | 3484 | TiWorker.exe
Token: SeRestorePrivilege | 3484 | TiWorker.exe
Token: SeSecurityPrivilege | 3484 | TiWorker.exe
Token: SeBackupPrivilege | 3484 | TiWorker.exe
Token: SeRestorePrivilege | 3484 | TiWorker.exe
Token: SeSecurityPrivilege | 3484 | TiWorker.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes: 0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe, cmd.exe
description | pid | process | target process
PID 2088 wrote to memory of 2128 | 2088 | 0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe | MediaCenter.exe
PID 2088 wrote to memory of 2128 | 2088 | 0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe | MediaCenter.exe
PID 2088 wrote to memory of 2128 | 2088 | 0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe | MediaCenter.exe
PID 2088 wrote to memory of 3404 | 2088 | 0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe | cmd.exe
PID 2088 wrote to memory of 3404 | 2088 | 0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe | cmd.exe
PID 2088 wrote to memory of 3404 | 2088 | 0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe | cmd.exe
PID 3404 wrote to memory of 3048 | 3404 | cmd.exe | PING.EXE
PID 3404 wrote to memory of 3048 | 3404 | cmd.exe | PING.EXE
PID 3404 wrote to memory of 3048 | 3404 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe
"C:\Users\Admin\AppData\Local\Temp\0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe"
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID:2128
    C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe"
    - Suspicious use of WriteProcessMemory
    PID:3404
        C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        - Runs ping.exe
        PID:3048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3484
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5
ceaef43be6dd8d06fb1ebb8df5fe3900
SHA1
96b91fd5ed85913886259f721e6bfb7c00aee2fb
SHA256
75219f301410d4c4d4ccbe473c7b6fd19b918bb16891e8e7349e68f32f2f6ad2
SHA512
72ad53f89e85e835d5be88a34cb055f53c962618aff5bcef2f15e57949e6dc346c03b9befe69ea2bf8f2c45216e0aef19993b49eb18e49c8819dcbd416d8812d

MD5
ceaef43be6dd8d06fb1ebb8df5fe3900
SHA1
96b91fd5ed85913886259f721e6bfb7c00aee2fb
SHA256
75219f301410d4c4d4ccbe473c7b6fd19b918bb16891e8e7349e68f32f2f6ad2
SHA512
72ad53f89e85e835d5be88a34cb055f53c962618aff5bcef2f15e57949e6dc346c03b9befe69ea2bf8f2c45216e0aef19993b49eb18e49c8819dcbd416d8812d