Analysis
Max time kernel: 128s
Max time network: 149s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220113
Submitted: 12-02-2022 07:42

Static task: static1
Behavioral task: behavioral1
  Sample: 0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe
  Resource: win10v2004-en-20220113

The signatures and process tree below come from the Windows 10 2004 x64 run (resource win10v2004-en-20220113, i.e. behavioral2).
General
Target: 0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe
Size: 99KB
MD5: 3c3dcbe3e3cb8b23205316e3d65a2240
SHA1: 27d346d38865c766b3b93a00271cb65341c9cee7
SHA256: 0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091
SHA512: e118e034c95718a1b886f70947bbf75ab51e5e3a70a76c44c596d084252b80e075a3f50fd473418e0f85604bcb8b4f12a8ad951afdd0347854722007c57cdeed
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  YARA rule family_sakula matched on the dropped file C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe. Both hits are on that same path.
- Executes dropped EXE (1 IoC)
  MediaCenter.exe, PID 4708.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, a common geofencing check.
  Key value queried by 0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (the logged-on user's HKCU\Control Panel\International\Geo\Nation)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by 0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  The WOW6432Node path is the 64-bit view of a write the 32-bit sample made to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. When hunting, 32-bit tooling shows the value under the unredirected path and 64-bit tooling under WOW6432Node; check both. The persistence is machine-wide (HKLM) and points at a dropped binary in the user's Temp directory.
- Drops file in Windows directory (8 IoCs)
  All eight are files opened for modification by the Windows Update service host (svchost.exe -k netsvcs -p -s wuauserv) and the servicing-stack worker (TiWorker.exe), not by the sample or its children:
  TiWorker.exe: C:\Windows\Logs\CBS\CBS.log, C:\Windows\WinSxS\pending.xml
  svchost.exe: C:\Windows\WindowsUpdate.log, C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk, C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log, C:\Windows\SoftwareDistribution\DataStore\DataStore.edb, C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm, C:\Windows\SoftwareDistribution\ReportingEvents.log
  This is ordinary update activity on the analysis VM and should not be read as sample behaviour.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description of this signature calls it "likely ransomware behaviour"; nothing else in this report supports that reading (no IoCs are listed for the signature, and the payload match is Sakula, a remote access trojan), so treat the note as the signature's boilerplate rather than a finding about this sample.
- Runs ping.exe (1 TTP, 1 IoC)
  ping 127.0.0.1 (PING.EXE, PID 2488), spawned by the cmd.exe one-liner as a short delay before it deletes the original sample file.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Grouped by process (the raw list repeats the same tokens many times):
  svchost.exe (PID 2552): SeShutdownPrivilege and SeCreatePagefilePrivilege, each enabled three times
  TiWorker.exe (PID 2588): SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, enabled repeatedly in that cycle
  0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe (PID 4524): SeIncBasePriorityPrivilege, once
  Only the last entry belongs to the sample. The svchost.exe and TiWorker.exe entries are the Windows Update service and the servicing-stack worker doing routine work on the analysis VM.
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4524 (0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe) wrote to memory of PID 4708 (MediaCenter.exe), three times
  PID 4524 (0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe) wrote to memory of PID 1032 (cmd.exe), three times
  PID 1032 (cmd.exe) wrote to memory of PID 2488 (PING.EXE), three times
  In every case the target is a child the writer had just started (see the process tree below). This matches the memory writes a parent performs while creating a child process, not injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe (PID 4524)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 4708, child of 4524)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1032, child of 4524)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 2488, child of 1032)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 2552)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 2588)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

The sample's own tree is the first entry: the dropper starts the Sakula payload from %TEMP%\MicroMedia\MediaCenter.exe, then hands its own deletion to cmd.exe, using ping 127.0.0.1 as a delay so the original file is no longer locked when del runs. The command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe: the 32-bit parent's path was rewritten by file-system redirection, which is why the loaded modules and registry view in this report all carry WOW64 paths. The svchost.exe (wuauserv) and TiWorker.exe trees are Windows Update activity unrelated to the sample.
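Of everything the sandbox flagged, only two behaviours actually belong to the sample: a machine-wide Run key that points at a freshly dropped executable in the user's Temp directory, and a cmd.exe one-liner that pings localhost as a sleep and then deletes the original file. The Python script below is an added example written for this page; it is not the sandbox's or any vendor's code. It runs those two detections over a constructed, Sysmon-style event list (Event ID 1 process creation and Event ID 13 registry value set), correlates the deleted path with the parent's image to tell self-deletion apart from an ordinary ping-then-del, and treats the WOW6432Node redirected Run key the same as the native one. The event dictionaries and field names are assumptions made for the example; only the PIDs, paths and command lines come from the report. The logic is written to generalise beyond this sample (any Run/RunOnce value resolving into a user-writable AppData directory, any ping-delay-then-del command line), not just to match these literal strings.

```python
"""Detections for the two sample-owned behaviours in the Sakula report:
a Run key pointing into %TEMP% and a ping-delay self-delete one-liner.

Added example for this page; not sandbox or vendor code. The event dicts
below are constructed to resemble Sysmon Event ID 1 (process create) and
Event ID 13 (registry value set); only the PIDs, paths and command lines
are taken from the report.
"""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events (Sysmon-like field names are an assumption for the example).
EVENTS = [
    {"id": 1, "pid": 4524, "ppid": 1, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"id": 13, "pid": 4524,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
    {"id": 1, "pid": 4708, "ppid": 4524, "image": DROPPED, "cmdline": DROPPED},
    {"id": 1, "pid": 1032, "ppid": 4524, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"id": 1, "pid": 2488, "ppid": 1032, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Background noise also present in the report: the Windows Update service host.
    {"id": 1, "pid": 2552, "ppid": 1, "image": r"C:\Windows\system32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"},
]

# Run or RunOnce under either the native or the WOW6432Node (32-bit redirected) view.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Executable located in a per-user, user-writable AppData directory.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local|Roaming|LocalLow)\\", re.IGNORECASE)
# "ping <host> ... & del [/q /f ...] <path>": ping used as a sleep, then a delete.
PING_THEN_DEL_RE = re.compile(
    r"""ping\s+(?:-n\s+\d+\s+)?\S+.*?&\s*del\s+(?:/\w\s+)*["']?(?P<path>[^"'&]+?)["']?\s*$""",
    re.IGNORECASE,
)


def first_exe(value: str) -> str:
    """Executable path from a Run value: strip surrounding quotes and trailing arguments."""
    v = value.strip()
    if v.startswith('"'):
        return v[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)(?:\s|$)", v, re.IGNORECASE)
    return m.group(1) if m else v


def run_key_in_user_writable_dir(key: str, value: str) -> bool:
    """True when a Run/RunOnce value launches a binary from a user-writable AppData path."""
    return bool(RUN_KEY_RE.search(key)) and bool(USER_WRITABLE_RE.search(first_exe(value)))


def self_delete_target(cmdline: str):
    """Path deleted by a ping-then-del one-liner, or None when the pattern is absent."""
    m = PING_THEN_DEL_RE.search(cmdline)
    return m.group("path").strip() if m else None


def analyse(events):
    """Return (finding, pid, detail) tuples; the del target is correlated with the parent image."""
    images = {e["pid"]: e["image"] for e in events if e["id"] == 1}
    findings = []
    for e in events:
        if e["id"] == 13 and run_key_in_user_writable_dir(e["key"], e["value"]):
            findings.append(("run_key_user_writable", e["pid"], first_exe(e["value"])))
        elif e["id"] == 1:
            target = self_delete_target(e["cmdline"])
            if target is None:
                continue
            parent = images.get(e["ppid"], "")
            # Deleting the parent's own image is the dropper cleaning up after itself.
            kind = "self_delete_of_parent" if target.lower() == parent.lower() else "ping_then_del"
            findings.append((kind, e["ppid"], target))
    return findings


if __name__ == "__main__":
    for kind, pid, detail in analyse(EVENTS):
        print(f"{kind:24} pid={pid} {detail}")
```

Run against the constructed events it reports the Run key written by PID 4524 and the self-deletion of PID 4524's image via cmd.exe, and stays silent on the sample's plain launch, the bare ping 127.0.0.1 child and the wuauserv svchost. Attributing the self-delete finding to the parent PID rather than to cmd.exe is deliberate: cmd.exe is just the tool, and the process whose file disappears is the one worth pivoting on in the rest of the telemetry.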
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 160e81cc5fd2bcb559e9fcf4c86417b1
  SHA1: f52aec37d9139047e9f0adf7ce5622ace3cec84c
  SHA256: b78dd68dbb788d3f14b484202528ed33e5572adafac90c14cc2c7922d8bf1d69
  SHA512: 2913890df63cc003c8aa480a233089168fa0567b6a314d49c4a68e15ce4e22a0f0ba4cee33fb10fa6b35cd8a9735c6252e804af56d4e43b7b2ea44e9b0cdff6c