Analysis
- max time kernel: 125s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 07:37
Static task: static1
Behavioral task: behavioral1
  Sample: 0d13ee09eda89e74c18d76519858e1404a2190393aba1117e54635b9f59f188d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0d13ee09eda89e74c18d76519858e1404a2190393aba1117e54635b9f59f188d.exe
  Resource: win10v2004-en-20220113
General
- Target: 0d13ee09eda89e74c18d76519858e1404a2190393aba1117e54635b9f59f188d.exe
- Size: 80KB
- MD5: 2c385d03911df3ef8cd4c6087059c5a7
- SHA1: 9b85cfdd9b3f8f0437265891b65ed85c85a9a65a
- SHA256: 0d13ee09eda89e74c18d76519858e1404a2190393aba1117e54635b9f59f188d
- SHA512: 0b96b5171de902b364c4928f7fb153a1bf8fa97a3f24c9e3b5e93ede56fc10c29f56a49cb35d75fc3f4b259efbfb40ff30fd32d2a45108807b5a5aae42d35074
Malware Config
Signatures
- Sakula Payload 2 IoCs
  Processes:
    resource  yara_rule
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- Executes dropped EXE 1 IoCs
  Processes: MediaCenter.exe
    pid   process
    4132  MediaCenter.exe
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  Processes: 0d13ee09eda89e74c18d76519858e1404a2190393aba1117e54635b9f59f188d.exe
    description        ioc                                                                                               process
    Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  0d13ee09eda89e74c18d76519858e1404a2190393aba1117e54635b9f59f188d.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes: 0d13ee09eda89e74c18d76519858e1404a2190393aba1117e54635b9f59f188d.exe
    description      ioc                                                                                                                                                        process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0d13ee09eda89e74c18d76519858e1404a2190393aba1117e54635b9f59f188d.exe
- Drops file in Windows directory 8 IoCs
  Processes: svchost.exe, TiWorker.exe
    description                   ioc                                                       process
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm   svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log       svchost.exe
    File opened for modification  C:\Windows\Logs\CBS\CBS.log                               TiWorker.exe
    File opened for modification  C:\Windows\WinSxS\pending.xml                             TiWorker.exe
    File opened for modification  C:\Windows\WindowsUpdate.log                              svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk    svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log    svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb   svchost.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 64 IoCs
  Processes: svchost.exe, 0d13ee09eda89e74c18d76519858e1404a2190393aba1117e54635b9f59f188d.exe, TiWorker.exe
    description                        pid   process
    Token: SeShutdownPrivilege         5076  svchost.exe
    Token: SeCreatePagefilePrivilege   5076  svchost.exe
    Token: SeShutdownPrivilege         5076  svchost.exe
    Token: SeCreatePagefilePrivilege   5076  svchost.exe
    Token: SeShutdownPrivilege         5076  svchost.exe
    Token: SeCreatePagefilePrivilege   5076  svchost.exe
    Token: SeIncBasePriorityPrivilege  1160  0d13ee09eda89e74c18d76519858e1404a2190393aba1117e54635b9f59f188d.exe
    Token: SeSecurityPrivilege         1060  TiWorker.exe
    Token: SeRestorePrivilege          1060  TiWorker.exe
    Token: SeBackupPrivilege           1060  TiWorker.exe
    Token: SeBackupPrivilege           1060  TiWorker.exe
    Token: SeRestorePrivilege          1060  TiWorker.exe
    Token: SeSecurityPrivilege         1060  TiWorker.exe
    Token: SeBackupPrivilege           1060  TiWorker.exe
    Token: SeRestorePrivilege          1060  TiWorker.exe
    Token: SeSecurityPrivilege         1060  TiWorker.exe
    Token: SeBackupPrivilege           1060  TiWorker.exe
    Token: SeRestorePrivilege          1060  TiWorker.exe
    Token: SeSecurityPrivilege         1060  TiWorker.exe
    Token: SeBackupPrivilege           1060  TiWorker.exe
    Token: SeRestorePrivilege          1060  TiWorker.exe
    Token: SeSecurityPrivilege         1060  TiWorker.exe
    Token: SeBackupPrivilege           1060  TiWorker.exe
    Token: SeRestorePrivilege          1060  TiWorker.exe
    Token: SeSecurityPrivilege         1060  TiWorker.exe
    Token: SeBackupPrivilege           1060  TiWorker.exe
    Token: SeRestorePrivilege          1060  TiWorker.exe
    Token: SeSecurityPrivilege         1060  TiWorker.exe
    Token: SeBackupPrivilege           1060  TiWorker.exe
    Token: SeRestorePrivilege          1060  TiWorker.exe
    Token: SeSecurityPrivilege         1060  TiWorker.exe
    Token: SeBackupPrivilege           1060  TiWorker.exe
    Token: SeRestorePrivilege          1060  TiWorker.exe
    Token: SeSecurityPrivilege         1060  TiWorker.exe
    Token: SeBackupPrivilege           1060  TiWorker.exe
    Token: SeRestorePrivilege          1060  TiWorker.exe
    Token: SeSecurityPrivilege         1060  TiWorker.exe
    Token: SeBackupPrivilege           1060  TiWorker.exe
    Token: SeRestorePrivilege          1060  TiWorker.exe
    Token: SeSecurityPrivilege         1060  TiWorker.exe
    Token: SeBackupPrivilege           1060  TiWorker.exe
    Token: SeRestorePrivilege          1060  TiWorker.exe
    Token: SeSecurityPrivilege         1060  TiWorker.exe
    Token: SeBackupPrivilege           1060  TiWorker.exe
    Token: SeRestorePrivilege          1060  TiWorker.exe
    Token: SeSecurityPrivilege         1060  TiWorker.exe
    Token: SeBackupPrivilege           1060  TiWorker.exe
    Token: SeRestorePrivilege          1060  TiWorker.exe
    Token: SeSecurityPrivilege         1060  TiWorker.exe
    Token: SeBackupPrivilege           1060  TiWorker.exe
    Token: SeRestorePrivilege          1060  TiWorker.exe
    Token: SeSecurityPrivilege         1060  TiWorker.exe
    Token: SeBackupPrivilege           1060  TiWorker.exe
    Token: SeRestorePrivilege          1060  TiWorker.exe
    Token: SeSecurityPrivilege         1060  TiWorker.exe
    Token: SeBackupPrivilege           1060  TiWorker.exe
    Token: SeRestorePrivilege          1060  TiWorker.exe
    Token: SeSecurityPrivilege         1060  TiWorker.exe
    Token: SeBackupPrivilege           1060  TiWorker.exe
    Token: SeRestorePrivilege          1060  TiWorker.exe
    Token: SeSecurityPrivilege         1060  TiWorker.exe
    Token: SeBackupPrivilege           1060  TiWorker.exe
    Token: SeRestorePrivilege          1060  TiWorker.exe
    Token: SeSecurityPrivilege         1060  TiWorker.exe
- Suspicious use of WriteProcessMemory 9 IoCs
  Processes: 0d13ee09eda89e74c18d76519858e1404a2190393aba1117e54635b9f59f188d.exe, cmd.exe
    description                        pid   process                                                                 target process
    PID 1160 wrote to memory of 4132   1160  0d13ee09eda89e74c18d76519858e1404a2190393aba1117e54635b9f59f188d.exe  MediaCenter.exe
    PID 1160 wrote to memory of 4132   1160  0d13ee09eda89e74c18d76519858e1404a2190393aba1117e54635b9f59f188d.exe  MediaCenter.exe
    PID 1160 wrote to memory of 4132   1160  0d13ee09eda89e74c18d76519858e1404a2190393aba1117e54635b9f59f188d.exe  MediaCenter.exe
    PID 1160 wrote to memory of 2024   1160  0d13ee09eda89e74c18d76519858e1404a2190393aba1117e54635b9f59f188d.exe  cmd.exe
    PID 1160 wrote to memory of 2024   1160  0d13ee09eda89e74c18d76519858e1404a2190393aba1117e54635b9f59f188d.exe  cmd.exe
    PID 1160 wrote to memory of 2024   1160  0d13ee09eda89e74c18d76519858e1404a2190393aba1117e54635b9f59f188d.exe  cmd.exe
    PID 2024 wrote to memory of 4700   2024  cmd.exe                                                                 PING.EXE
    PID 2024 wrote to memory of 4700   2024  cmd.exe                                                                 PING.EXE
    PID 2024 wrote to memory of 4700   2024  cmd.exe                                                                 PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0d13ee09eda89e74c18d76519858e1404a2190393aba1117e54635b9f59f188d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d13ee09eda89e74c18d76519858e1404a2190393aba1117e54635b9f59f188d.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1160
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 4132
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d13ee09eda89e74c18d76519858e1404a2190393aba1117e54635b9f59f188d.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2024
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 4700
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 5076
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1060
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: eb5957403510525016585d051891142c
  SHA1: 230bbea49cb71fe4f6d5d30d6610293984fdbef7
  SHA256: 47e0b0a65e7c49b5e3fef844eb4a84cca719056d8f37f8641ddcf9d781348de0
  SHA512: d6d7cad0a8afe3ff42c1e3c09708b139bfe7f91f11b42b79fd0a28b4e0ac643dad553fc2ada04decf6ade0acb6a03407c034809c44a5db75535b34ce382d16b7