Analysis
- Max time kernel: 148s
- Max time network: 174s
- Platform: windows10-2004_x64
- Resource: win10v2004-en-20220113
- Submitted: 12-02-2022 07:38
Static task: static1
Behavioral task: behavioral1
- Sample: 0d112f74065ed451a00737f29e0bbc699b417a82136d2d9b808cdb87bf5afc2a.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0d112f74065ed451a00737f29e0bbc699b417a82136d2d9b808cdb87bf5afc2a.exe
- Resource: win10v2004-en-20220113
General
- Target: 0d112f74065ed451a00737f29e0bbc699b417a82136d2d9b808cdb87bf5afc2a.exe
- Size: 80KB
- MD5: c28d0a5478222fd665e69e10e4b97dbc
- SHA1: 9119f572523ac49a9d2a828872803178c3b0a061
- SHA256: 0d112f74065ed451a00737f29e0bbc699b417a82136d2d9b808cdb87bf5afc2a
- SHA512: 4bf507d55b174c2eec5b23acafb81777137268d435a5a17821f5b412a77b9d88cd695f9b1d6d59e569a4b7698bc13380e427a6917b8e6b3e5f6379b57d0b6599
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes:
- Resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe; YARA rule: family_sakula
- Resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe; YARA rule: family_sakula
Executes dropped EXE (1 IoC)
Processes:
- PID 3232: MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (process: 0d112f74065ed451a00737f29e0bbc699b417a82136d2d9b808cdb87bf5afc2a.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (process: 0d112f74065ed451a00737f29e0bbc699b417a82136d2d9b808cdb87bf5afc2a.exe)
Drops file in Windows directory (8 IoCs)
Processes:
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
- File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
- File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
- File opened for modification: C:\Windows\WindowsUpdate.log (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (distinct entries; each is repeated many times in the trace):
- Token: SeShutdownPrivilege (PID 3900, svchost.exe)
- Token: SeCreatePagefilePrivilege (PID 3900, svchost.exe)
- Token: SeSecurityPrivilege (PID 756, TiWorker.exe)
- Token: SeRestorePrivilege (PID 756, TiWorker.exe)
- Token: SeBackupPrivilege (PID 756, TiWorker.exe)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (distinct entries; each is reported three times):
- PID 1940 (0d112f74065ed451a00737f29e0bbc699b417a82136d2d9b808cdb87bf5afc2a.exe) wrote to memory of PID 3232 (MediaCenter.exe)
- PID 1940 (0d112f74065ed451a00737f29e0bbc699b417a82136d2d9b808cdb87bf5afc2a.exe) wrote to memory of PID 3164 (cmd.exe)
- PID 3164 (cmd.exe) wrote to memory of PID 428 (PING.EXE)
Processes
- C:\Users\Admin\AppData\Local\Temp\0d112f74065ed451a00737f29e0bbc699b417a82136d2d9b808cdb87bf5afc2a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d112f74065ed451a00737f29e0bbc699b417a82136d2d9b808cdb87bf5afc2a.exe"
  PID: 1940
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 3232
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d112f74065ed451a00737f29e0bbc699b417a82136d2d9b808cdb87bf5afc2a.exe"
    PID: 3164
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 428
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 3900
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 756
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 496eee1b03414c8dd2c2dfc37c6b099b
- SHA1: 85f1fd1f3db20379fab6e1d6d62ce01d51dfa596
- SHA256: 56a927357358c79d66d74ce2d00e28c624f52ada267c9e8c06a569d26b1f3b59
- SHA512: 118337e1b3a014c5924dd632fe7bbbd60e7f3cfcc232a9c54b72bf33c50204048f6c1d3a2881d16690509533a44a34456a54b994f9a409f75958e2750d3782e2