Analysis
max time kernel: 157s
max time network: 171s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 07:36
Static task: static1
Behavioral task: behavioral1
  Sample: 0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6.exe
  Resource: win10v2004-en-20220113
General
Target: 0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6.exe
Size: 99KB
MD5: b33ceb1ff46243065a515eb902b85e69
SHA1: a70a7a54f83cf4fc261ec62e918f01ccf23ccf22
SHA256: 0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6
SHA512: ab106a381912a50642609241bfbd5909bcd4b4d7a43021cf981e0af9f25bf0601d987bee1896d87ddeaf9521cc66320c8ebc7be5df5a6ff0110be24baf83a813
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  pid | process
  1544 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6.exe
- Drops file in Windows directory (8 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1576 | 0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6.exe
  Token: SeShutdownPrivilege | 5060 | svchost.exe
  Token: SeCreatePagefilePrivilege | 5060 | svchost.exe
  (the svchost.exe SeShutdownPrivilege / SeCreatePagefilePrivilege pair is logged three times)
  Token: SeSecurityPrivilege | 2460 | TiWorker.exe
  Token: SeRestorePrivilege | 2460 | TiWorker.exe
  Token: SeBackupPrivilege | 2460 | TiWorker.exe
  (the remaining TiWorker.exe entries repeat the cycle SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege for the rest of the 64 logged entries)
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | target process
  PID 1576 wrote to memory of 1544 | 1576 | 0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6.exe | MediaCenter.exe
  PID 1576 wrote to memory of 1544 | 1576 | 0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6.exe | MediaCenter.exe
  PID 1576 wrote to memory of 1544 | 1576 | 0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6.exe | MediaCenter.exe
  PID 1576 wrote to memory of 4244 | 1576 | 0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6.exe | cmd.exe
  PID 1576 wrote to memory of 4244 | 1576 | 0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6.exe | cmd.exe
  PID 1576 wrote to memory of 4244 | 1576 | 0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6.exe | cmd.exe
  PID 4244 wrote to memory of 908 | 4244 | cmd.exe | PING.EXE
  PID 4244 wrote to memory of 908 | 4244 | cmd.exe | PING.EXE
  PID 4244 wrote to memory of 908 | 4244 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1576
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1544
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4244
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 908
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 5060
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2460
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: deaa2a2da310088d59c127fd7cd5547f
  SHA1: b35544bec5ef29d4bfa3a9da03ae14e34ba50e7e
  SHA256: 9e214ce71cf4af6ac6bc12dcac8851c5bbebe1d92c745813288f479857b54501
  SHA512: 4d3d82b07c6904b3afc28a9065271bcc16f0d82b8ef7ce59fd9083aacc44fb1469e7302fcfb1c816cd7f83a429a0a458c56cbf35b70930d89f297dff17ba4676