Analysis
- max time kernel: 150s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 07:55
Static task: static1
Behavioral task: behavioral1
  Sample: 0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe
  Resource: win10v2004-en-20220113
General
- Target: 0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe
- Size: 104KB
- MD5: dd5dacb591a48b6f79fbf7807bb47b2b
- SHA1: 186aafc52d9f9beb1caa7214283387cfe5776a09
- SHA256: 0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143
- SHA512: bb912e0c5eddaa871a07f24a2aa55cdf92b0ed3f805fecc8b038296da6c6fa7bc3f7c5c9f44cc91332f7240a20353ebc6af9b8015cfed1ba5344b2e2bc9c0565
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral2/memory/448-135-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral2/memory/1292-136-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
  pid | process
  1292 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe
- Drops file in Windows directory (8 IoCs)
  Processes: TiWorker.exe, svchost.exe
  description | ioc | process
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, 0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe, TiWorker.exe
  description | pid | process
  Token: SeShutdownPrivilege | 3144 | svchost.exe
  Token: SeCreatePagefilePrivilege | 3144 | svchost.exe
  Token: SeShutdownPrivilege | 3144 | svchost.exe
  Token: SeCreatePagefilePrivilege | 3144 | svchost.exe
  Token: SeShutdownPrivilege | 3144 | svchost.exe
  Token: SeCreatePagefilePrivilege | 3144 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 448 | 0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe
  Token: SeSecurityPrivilege | 2156 | TiWorker.exe
  Token: SeRestorePrivilege | 2156 | TiWorker.exe
  Token: SeBackupPrivilege | 2156 | TiWorker.exe
  Token: SeBackupPrivilege | 2156 | TiWorker.exe
  Token: SeRestorePrivilege | 2156 | TiWorker.exe
  Token: SeSecurityPrivilege | 2156 | TiWorker.exe
  Token: SeBackupPrivilege | 2156 | TiWorker.exe
  Token: SeRestorePrivilege | 2156 | TiWorker.exe
  Token: SeSecurityPrivilege | 2156 | TiWorker.exe
  Token: SeBackupPrivilege | 2156 | TiWorker.exe
  Token: SeRestorePrivilege | 2156 | TiWorker.exe
  Token: SeSecurityPrivilege | 2156 | TiWorker.exe
  Token: SeBackupPrivilege | 2156 | TiWorker.exe
  Token: SeRestorePrivilege | 2156 | TiWorker.exe
  Token: SeSecurityPrivilege | 2156 | TiWorker.exe
  Token: SeBackupPrivilege | 2156 | TiWorker.exe
  Token: SeRestorePrivilege | 2156 | TiWorker.exe
  Token: SeSecurityPrivilege | 2156 | TiWorker.exe
  Token: SeBackupPrivilege | 2156 | TiWorker.exe
  Token: SeRestorePrivilege | 2156 | TiWorker.exe
  Token: SeSecurityPrivilege | 2156 | TiWorker.exe
  Token: SeBackupPrivilege | 2156 | TiWorker.exe
  Token: SeRestorePrivilege | 2156 | TiWorker.exe
  Token: SeSecurityPrivilege | 2156 | TiWorker.exe
  Token: SeBackupPrivilege | 2156 | TiWorker.exe
  Token: SeRestorePrivilege | 2156 | TiWorker.exe
  Token: SeSecurityPrivilege | 2156 | TiWorker.exe
  Token: SeBackupPrivilege | 2156 | TiWorker.exe
  Token: SeRestorePrivilege | 2156 | TiWorker.exe
  Token: SeSecurityPrivilege | 2156 | TiWorker.exe
  Token: SeBackupPrivilege | 2156 | TiWorker.exe
  Token: SeRestorePrivilege | 2156 | TiWorker.exe
  Token: SeSecurityPrivilege | 2156 | TiWorker.exe
  Token: SeBackupPrivilege | 2156 | TiWorker.exe
  Token: SeRestorePrivilege | 2156 | TiWorker.exe
  Token: SeSecurityPrivilege | 2156 | TiWorker.exe
  Token: SeBackupPrivilege | 2156 | TiWorker.exe
  Token: SeRestorePrivilege | 2156 | TiWorker.exe
  Token: SeSecurityPrivilege | 2156 | TiWorker.exe
  Token: SeBackupPrivilege | 2156 | TiWorker.exe
  Token: SeRestorePrivilege | 2156 | TiWorker.exe
  Token: SeSecurityPrivilege | 2156 | TiWorker.exe
  Token: SeBackupPrivilege | 2156 | TiWorker.exe
  Token: SeRestorePrivilege | 2156 | TiWorker.exe
  Token: SeSecurityPrivilege | 2156 | TiWorker.exe
  Token: SeBackupPrivilege | 2156 | TiWorker.exe
  Token: SeRestorePrivilege | 2156 | TiWorker.exe
  Token: SeSecurityPrivilege | 2156 | TiWorker.exe
  Token: SeBackupPrivilege | 2156 | TiWorker.exe
  Token: SeRestorePrivilege | 2156 | TiWorker.exe
  Token: SeSecurityPrivilege | 2156 | TiWorker.exe
  Token: SeBackupPrivilege | 2156 | TiWorker.exe
  Token: SeRestorePrivilege | 2156 | TiWorker.exe
  Token: SeSecurityPrivilege | 2156 | TiWorker.exe
  Token: SeBackupPrivilege | 2156 | TiWorker.exe
  Token: SeRestorePrivilege | 2156 | TiWorker.exe
  Token: SeSecurityPrivilege | 2156 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe, cmd.exe
  description | pid | process | target process
  PID 448 wrote to memory of 1292 | 448 | 0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe | MediaCenter.exe
  PID 448 wrote to memory of 1292 | 448 | 0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe | MediaCenter.exe
  PID 448 wrote to memory of 1292 | 448 | 0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe | MediaCenter.exe
  PID 448 wrote to memory of 3520 | 448 | 0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe | cmd.exe
  PID 448 wrote to memory of 3520 | 448 | 0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe | cmd.exe
  PID 448 wrote to memory of 3520 | 448 | 0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe | cmd.exe
  PID 3520 wrote to memory of 4952 | 3520 | cmd.exe | PING.EXE
  PID 3520 wrote to memory of 4952 | 3520 | cmd.exe | PING.EXE
  PID 3520 wrote to memory of 4952 | 3520 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe (depth 1, PID 448)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2, PID 1292)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 3520)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3, PID 4952)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (depth 1, PID 3144)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (depth 1, PID 2156)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 85e23056131bc20b7c372af406ec2592
  SHA1: baa72471b89438e8234f81c118420a44e141e156
  SHA256: 9a875f43298aaec8f32dab9fd390b12f51d45a51258bc24503597e556ee9194a
  SHA512: 7f07fb965248ff466260694b805ad6cf240b0cc5b257cc3e2ab2df644ede9efa0eb26d84cee9c16778698d9632cc4f7f6568544f3143d745310adf1f9758a190