Analysis
-
max time kernel
135s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 07:46
Static task
static1
Behavioral task
behavioral1
Sample
0cacb6d8652eb809524f40d3409098eeb13299c7e949f00b92ae0948b7b031f2.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0cacb6d8652eb809524f40d3409098eeb13299c7e949f00b92ae0948b7b031f2.exe
Resource
win10v2004-en-20220113
General
-
Target
0cacb6d8652eb809524f40d3409098eeb13299c7e949f00b92ae0948b7b031f2.exe
-
Size
80KB
-
MD5
26f144345fcc6bcfbff07e373dade235
-
SHA1
4ddde141091b8b401a8ddf8805b3022325537f1c
-
SHA256
0cacb6d8652eb809524f40d3409098eeb13299c7e949f00b92ae0948b7b031f2
-
SHA512
b69f4e121260f00374353ef15bd0fd08905f714a705361b0449e38a018322243e8b1122e4e8dfb088e3c7c2af035e638dfb8ad42d62e5913c2ea3cbe35d555d7
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 396 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
0cacb6d8652eb809524f40d3409098eeb13299c7e949f00b92ae0948b7b031f2.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 0cacb6d8652eb809524f40d3409098eeb13299c7e949f00b92ae0948b7b031f2.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0cacb6d8652eb809524f40d3409098eeb13299c7e949f00b92ae0948b7b031f2.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0cacb6d8652eb809524f40d3409098eeb13299c7e949f00b92ae0948b7b031f2.exe -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exe0cacb6d8652eb809524f40d3409098eeb13299c7e949f00b92ae0948b7b031f2.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 4388 svchost.exe Token: SeCreatePagefilePrivilege 4388 svchost.exe Token: SeShutdownPrivilege 4388 svchost.exe Token: SeCreatePagefilePrivilege 4388 svchost.exe Token: SeShutdownPrivilege 4388 svchost.exe Token: SeCreatePagefilePrivilege 4388 svchost.exe Token: SeIncBasePriorityPrivilege 3376 0cacb6d8652eb809524f40d3409098eeb13299c7e949f00b92ae0948b7b031f2.exe Token: SeSecurityPrivilege 4068 TiWorker.exe Token: SeRestorePrivilege 4068 TiWorker.exe Token: SeBackupPrivilege 4068 TiWorker.exe Token: SeBackupPrivilege 4068 TiWorker.exe Token: SeRestorePrivilege 4068 TiWorker.exe Token: SeSecurityPrivilege 4068 TiWorker.exe Token: SeBackupPrivilege 4068 TiWorker.exe Token: SeRestorePrivilege 4068 TiWorker.exe Token: SeSecurityPrivilege 4068 TiWorker.exe Token: SeBackupPrivilege 4068 TiWorker.exe Token: SeRestorePrivilege 4068 TiWorker.exe Token: SeSecurityPrivilege 4068 TiWorker.exe Token: SeBackupPrivilege 4068 TiWorker.exe Token: SeRestorePrivilege 4068 TiWorker.exe Token: SeSecurityPrivilege 4068 TiWorker.exe Token: SeBackupPrivilege 4068 TiWorker.exe Token: SeRestorePrivilege 4068 TiWorker.exe Token: SeSecurityPrivilege 4068 TiWorker.exe Token: SeBackupPrivilege 4068 TiWorker.exe Token: SeRestorePrivilege 4068 TiWorker.exe Token: SeSecurityPrivilege 4068 TiWorker.exe Token: SeBackupPrivilege 4068 TiWorker.exe Token: SeRestorePrivilege 4068 TiWorker.exe Token: SeSecurityPrivilege 4068 TiWorker.exe Token: SeBackupPrivilege 4068 TiWorker.exe Token: SeRestorePrivilege 4068 TiWorker.exe Token: SeSecurityPrivilege 4068 TiWorker.exe Token: SeBackupPrivilege 4068 TiWorker.exe Token: SeRestorePrivilege 4068 TiWorker.exe Token: SeSecurityPrivilege 4068 TiWorker.exe Token: SeBackupPrivilege 4068 TiWorker.exe Token: SeRestorePrivilege 4068 TiWorker.exe Token: SeSecurityPrivilege 4068 TiWorker.exe Token: SeBackupPrivilege 4068 TiWorker.exe Token: SeRestorePrivilege 4068 TiWorker.exe Token: SeSecurityPrivilege 4068 TiWorker.exe Token: SeBackupPrivilege 4068 TiWorker.exe Token: SeRestorePrivilege 4068 TiWorker.exe Token: SeSecurityPrivilege 4068 TiWorker.exe Token: SeBackupPrivilege 4068 TiWorker.exe Token: SeRestorePrivilege 4068 TiWorker.exe Token: SeSecurityPrivilege 4068 TiWorker.exe Token: SeBackupPrivilege 4068 TiWorker.exe Token: SeRestorePrivilege 4068 TiWorker.exe Token: SeSecurityPrivilege 4068 TiWorker.exe Token: SeBackupPrivilege 4068 TiWorker.exe Token: SeRestorePrivilege 4068 TiWorker.exe Token: SeSecurityPrivilege 4068 TiWorker.exe Token: SeBackupPrivilege 4068 TiWorker.exe Token: SeRestorePrivilege 4068 TiWorker.exe Token: SeSecurityPrivilege 4068 TiWorker.exe Token: SeBackupPrivilege 4068 TiWorker.exe Token: SeRestorePrivilege 4068 TiWorker.exe Token: SeSecurityPrivilege 4068 TiWorker.exe Token: SeBackupPrivilege 4068 TiWorker.exe Token: SeRestorePrivilege 4068 TiWorker.exe Token: SeSecurityPrivilege 4068 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
0cacb6d8652eb809524f40d3409098eeb13299c7e949f00b92ae0948b7b031f2.execmd.exedescription pid process target process PID 3376 wrote to memory of 396 3376 0cacb6d8652eb809524f40d3409098eeb13299c7e949f00b92ae0948b7b031f2.exe MediaCenter.exe PID 3376 wrote to memory of 396 3376 0cacb6d8652eb809524f40d3409098eeb13299c7e949f00b92ae0948b7b031f2.exe MediaCenter.exe PID 3376 wrote to memory of 396 3376 0cacb6d8652eb809524f40d3409098eeb13299c7e949f00b92ae0948b7b031f2.exe MediaCenter.exe PID 3376 wrote to memory of 3132 3376 0cacb6d8652eb809524f40d3409098eeb13299c7e949f00b92ae0948b7b031f2.exe cmd.exe PID 3376 wrote to memory of 3132 3376 0cacb6d8652eb809524f40d3409098eeb13299c7e949f00b92ae0948b7b031f2.exe cmd.exe PID 3376 wrote to memory of 3132 3376 0cacb6d8652eb809524f40d3409098eeb13299c7e949f00b92ae0948b7b031f2.exe cmd.exe PID 3132 wrote to memory of 3520 3132 cmd.exe PING.EXE PID 3132 wrote to memory of 3520 3132 cmd.exe PING.EXE PID 3132 wrote to memory of 3520 3132 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0cacb6d8652eb809524f40d3409098eeb13299c7e949f00b92ae0948b7b031f2.exe"C:\Users\Admin\AppData\Local\Temp\0cacb6d8652eb809524f40d3409098eeb13299c7e949f00b92ae0948b7b031f2.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3376 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:396 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0cacb6d8652eb809524f40d3409098eeb13299c7e949f00b92ae0948b7b031f2.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:3132 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:3520
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4388
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4068
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
13c12beb9f866e8d16c04d8055a7261e
SHA1fb32c0d6980b1114acd94be033b876ccc7db77e9
SHA25654fb5c6c5b3052b6b498cd459e71ae32827ef60ac8365b442c3accd78de232dd
SHA5122d97844f8b8e12e7cfdd31978ef077663dd6422c654cf768116d77e961b776a85363ad423d0bdde12b58ed6a63fd98bab36c832aa5d0421a3fa9456459b8d7ad
-
MD5
13c12beb9f866e8d16c04d8055a7261e
SHA1fb32c0d6980b1114acd94be033b876ccc7db77e9
SHA25654fb5c6c5b3052b6b498cd459e71ae32827ef60ac8365b442c3accd78de232dd
SHA5122d97844f8b8e12e7cfdd31978ef077663dd6422c654cf768116d77e961b776a85363ad423d0bdde12b58ed6a63fd98bab36c832aa5d0421a3fa9456459b8d7ad