Analysis
- max time kernel: 148s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 08:03
Static task: static1
Behavioral task behavioral1: sample 0bd1010d81f63cab1642c252853ac2b64023938233f1939c89ca5fd2f9e3f59d.exe, resource win7-en-20211208
Behavioral task behavioral2: sample 0bd1010d81f63cab1642c252853ac2b64023938233f1939c89ca5fd2f9e3f59d.exe, resource win10v2004-en-20220113
The signatures, process tree and PIDs below come from the windows10-2004_x64 run (behavioral2), the platform named in the Analysis block above.
General
- Target: 0bd1010d81f63cab1642c252853ac2b64023938233f1939c89ca5fd2f9e3f59d.exe
- Size: 192KB
- MD5: 1fd1a74faaed8e6d5817b6326a293aa5
- SHA1: e2b907a2c4332cd28b72326f58386abcc6489416
- SHA256: 0bd1010d81f63cab1642c252853ac2b64023938233f1939c89ca5fd2f9e3f59d
- SHA512: 6e6fd3e4088b97afdcb16868e7fb1984dcd8d3e8627d8836bef278b0cfc91ce14bd39166c23ad9c7f9d40ded1972a5d8763b4d5babb4c4e5a4cc0e0c4cff6eac
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
- resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
- resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
Executes dropped EXE 1 IoCs
Processes:
- pid: 5056, process: MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- description: Key value queried, ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation, process: 0bd1010d81f63cab1642c252853ac2b64023938233f1939c89ca5fd2f9e3f59d.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- description: Set value (str), ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe", process: 0bd1010d81f63cab1642c252853ac2b64023938233f1939c89ca5fd2f9e3f59d.exe
Drops file in Windows directory 8 IoCs
Processes:
- description: File opened for modification, ioc: C:\Windows\WindowsUpdate.log, process: svchost.exe
- description: File opened for modification, ioc: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk, process: svchost.exe
- description: File opened for modification, ioc: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log, process: svchost.exe
- description: File opened for modification, ioc: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb, process: svchost.exe
- description: File opened for modification, ioc: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm, process: svchost.exe
- description: File opened for modification, ioc: C:\Windows\SoftwareDistribution\ReportingEvents.log, process: svchost.exe
- description: File opened for modification, ioc: C:\Windows\Logs\CBS\CBS.log, process: TiWorker.exe
- description: File opened for modification, ioc: C:\Windows\WinSxS\pending.xml, process: TiWorker.exe
None of these belong to the sample. svchost.exe here is the Windows Update service host (wuauserv) and TiWorker.exe is the Windows Modules Installer worker; both are separate roots in the process tree below, not descendants of the sample, and every path is a Windows Update datastore, CBS log or servicing file. Treat this signature as background activity on the sandbox host.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
No IoC is listed for this signature, and the "likely ransomware" wording is the sandbox's generic description of the rule. Nothing else in this report supports that reading: Sakula, the family the YARA rule above matches on the dropped MediaCenter.exe, is a remote-access trojan, not ransomware.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
- pid 4404 svchost.exe: SeShutdownPrivilege (3), SeCreatePagefilePrivilege (3)
- pid 2712 TiWorker.exe: SeSecurityPrivilege (19), SeRestorePrivilege (19), SeBackupPrivilege (19)
- pid 4132 0bd1010d81f63cab1642c252853ac2b64023938233f1939c89ca5fd2f9e3f59d.exe: SeIncBasePriorityPrivilege (1)
Only one of the 64 token adjustments belongs to the sample (SeIncBasePriorityPrivilege, the privilege needed to raise scheduling priority); the other 63 come from the Windows Update service host and the servicing worker, which are separate roots in the process tree and unrelated to the sample.
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
- pid 4132 0bd1010d81f63cab1642c252853ac2b64023938233f1939c89ca5fd2f9e3f59d.exe wrote to memory of pid 5056 MediaCenter.exe (3 writes)
- pid 4132 0bd1010d81f63cab1642c252853ac2b64023938233f1939c89ca5fd2f9e3f59d.exe wrote to memory of pid 2416 cmd.exe (3 writes)
- pid 2416 cmd.exe wrote to memory of pid 4284 PING.EXE (3 writes)
Every target here is a direct child of the writer in the process tree below, so these writes are consistent with ordinary process creation (the parent setting up the new child's memory) rather than injection into an unrelated process.
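Because sandboxes record every cross-process write, the useful triage step is to correlate each (writer, target) pair with the process tree: a write into a process the writer spawned is expected; a write into anything else is an injection candidate. The following Python is an added example, not part of the sandbox report. The process list and the nine write pairs are taken from this page; the explorer.exe process (pid 1337) and the single write into it from MediaCenter.exe are constructed to show what a real injection candidate looks like.

```python
"""Separate cross-process memory writes that accompany process creation from
writes into a process the writer did not spawn. Added example, not part of the
sandbox report; the process list and write pairs are taken from this report's
process tree and WriteProcessMemory entries, with one constructed target
(explorer.exe, pid 1337) and one constructed write into it for contrast."""
from collections import Counter

# (pid, parent pid, image). The svchost.exe/TiWorker.exe roots take no part
# in any write and are left out.
PROCESSES = [
    (4132, None, "0bd1010d81f63cab1642c252853ac2b64023938233f1939c89ca5fd2f9e3f59d.exe"),
    (5056, 4132, "MediaCenter.exe"),
    (2416, 4132, "cmd.exe"),
    (4284, 2416, "PING.EXE"),
    (1337, None, "explorer.exe"),  # constructed, unrelated to the sample
]

# (writer pid, target pid), one tuple per WriteProcessMemory call.
WRITES = [(4132, 5056)] * 3 + [(4132, 2416)] * 3 + [(2416, 4284)] * 3
WRITES.append((5056, 1337))  # constructed: a write that would be real injection


def classify_writes(processes, writes):
    """Group writes by (writer, target). A write into a process whose parent
    is the writer is consistent with process creation; anything else is a
    candidate for injection and worth a closer look.
    Returns (creation, injection), each a list of (writer, target, count)."""
    parent_of = {pid: ppid for pid, ppid, _ in processes}
    image_of = {pid: img for pid, _, img in processes}
    creation, injection = [], []
    for (src, dst), n in Counter(writes).items():
        rec = (image_of.get(src, f"pid {src}"), image_of.get(dst, f"pid {dst}"), n)
        (creation if parent_of.get(dst) == src else injection).append(rec)
    return creation, injection


if __name__ == "__main__":
    creation, injection = classify_writes(PROCESSES, WRITES)
    for src, dst, n in creation:
        print(f"process creation: {src} -> {dst} ({n} writes)")
    for src, dst, n in injection:
        print(f"INJECTION CANDIDATE: {src} -> {dst} ({n} writes)")
```

With only the nine writes from this report the injection list is empty; the constructed tenth write is the only one flagged. The same correlation applies to Sysmon event 8 (CreateRemoteThread) and 10 (ProcessAccess) data, where the parent relationship comes from event 1.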
Processes
- C:\Users\Admin\AppData\Local\Temp\0bd1010d81f63cab1642c252853ac2b64023938233f1939c89ca5fd2f9e3f59d.exe (PID 4132)
  command line: "C:\Users\Admin\AppData\Local\Temp\0bd1010d81f63cab1642c252853ac2b64023938233f1939c89ca5fd2f9e3f59d.exe"
  signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 5056)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 2416)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0bd1010d81f63cab1642c252853ac2b64023938233f1939c89ca5fd2f9e3f59d.exe"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 4284)
      command line: ping 127.0.0.1
      signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 4404)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 2712)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample drops and starts MediaCenter.exe (the file the Sakula YARA rule matches), registers it under the Run key, then hands cmd.exe a "ping 127.0.0.1 & del /q <own path>" line so the original executable is deleted after a short delay while the dropped copy persists. The sample runs under WOW64: its Run key lands under WOW6432Node, and the cmd.exe and PING.EXE it launches resolve to SysWOW64 even though the command line names System32. The svchost.exe (wuauserv) and TiWorker.exe roots are Windows Update and servicing activity on the sandbox host, not children of the sample.
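The "ping loopback, then del" line in the tree is a common self-deletion idiom (ATT&CK catalogues file deletion for defence evasion as T1070.004): ping supplies a delay so the parent has exited before del runs. The following Python is an added example, not part of the sandbox report, that parses process-creation command lines for this idiom, extracts the deleted path, and checks whether it is the parent process's own image. The events are constructed from this page's process tree; the sample's parent pid (1000) and the last event, a delayed delete of a different file, are invented.

```python
"""Detect the "ping loopback, then del" self-deletion idiom in process
creation command lines and check whether the deleted file is the parent's own
image. Added example, not part of the sandbox report; the events are
constructed from this report's process tree (the parent pid 1000 of the sample
and the last event, a delayed delete of a different file, are invented)."""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0bd1010d81f63cab1642c252853ac2b64023938233f1939c89ca5fd2f9e3f59d.exe")

# (pid, parent pid, image path, command line)
EVENTS = [
    (4132, 1000, SAMPLE, f'"{SAMPLE}"'),
    (2416, 4132, r"C:\Windows\SysWOW64\cmd.exe",
     f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    (4284, 2416, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    (9001, 1000, r"C:\Windows\System32\cmd.exe",  # constructed
     'cmd.exe /c ping -n 4 127.0.0.1 > nul && del /f /q "C:\\Users\\Admin\\Downloads\\installer.exe"'),
]

# ping to loopback (optionally with -n <count> and output to nul), then del
# with any switches and a quoted or bare path at the end of the line.
SELF_DELETE = re.compile(
    r'ping(?:\.exe)?\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost|::1)\s*'
    r'(?:>\s*nul\s*)?&{1,2}\s*del\s+(?:/\w+\s+)*"?([^"&]+?)"?\s*$',
    re.IGNORECASE,
)


def deleted_path(cmdline: str):
    """Return the path the command line deletes after the ping delay, or None."""
    m = SELF_DELETE.search(cmdline)
    return m.group(1) if m else None


def find_self_deletes(events):
    """Return (pid, deleted path, is_parent_image) for each matching event.
    is_parent_image is True when the deleted file is the image of the process
    that spawned the cmd.exe, i.e. the parent is erasing itself."""
    image_of = {pid: image for pid, _, image, _ in events}
    hits = []
    for pid, ppid, _, cmdline in events:
        path = deleted_path(cmdline)
        if path is None:
            continue
        parent_image = image_of.get(ppid, "")
        hits.append((pid, path, path.lower() == parent_image.lower()))
    return hits


if __name__ == "__main__":
    for pid, path, self_delete in find_self_deletes(EVENTS):
        kind = "parent deletes its own image" if self_delete else "delayed delete of another file"
        print(f"pid {pid}: {kind}: {path}")
```

For the cmd.exe in this report the deleted path equals the image of its parent (the sample), which is the strong signal; a delayed delete of some other file (the constructed installer.exe case) still matches the idiom but is a weaker indicator and common in installers, so the two are reported separately.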
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: f00d5b4f6a717f91b7060921acd22393
  SHA1: d06ed087441747a233bbc6cc02dd67f5069a203e
  SHA256: 633bc131ec3b77f3b30cbd56554d33756a68302ed9df7e822847dc881a0eb077
  SHA512: 0e48cc67b643321e751fa947975f753b3eb2f2f1d51e6b46c908f4e98b05f0830e9aae7821863a003a077bf3ace679d08c2d6f6f21010b3ca04882a53ea67fc6
These hashes differ from the submitted sample's, so this is a separate file produced during the run; the report does not name it.