Analysis
max time kernel: 161s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 08:02

Static task: static1
Behavioral task: behavioral1
  Sample: 0be2224bd1165cc9feabee8c96b718462eee9382d2f51fd9a0d695278240665f.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2 (the run reported on this page, per the platform/resource fields above)
  Sample: 0be2224bd1165cc9feabee8c96b718462eee9382d2f51fd9a0d695278240665f.exe
  Resource: win10v2004-en-20220113
General
Target: 0be2224bd1165cc9feabee8c96b718462eee9382d2f51fd9a0d695278240665f.exe
Size: 92KB
MD5: 0307cae555d7034ea983046a18c57ff4
SHA1: 0e8fe5b70035f5d6f77efc4e392ea1d80d12dd02
SHA256: 0be2224bd1165cc9feabee8c96b718462eee9382d2f51fd9a0d695278240665f
SHA512: 4796973e86c3ffd1b9ce3b6fea0ff55219feeaf4234854e2bb389756eb437640b585e7b1be4b1011f018015a61edf2aa55be2ff772eba8cdab7fcfaee80d808d
Malware Config
Signatures
-
Sakula Payload 2 IoCs
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
-
Executes dropped EXE 1 IoCs
  pid | process
  1516 | MediaCenter.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check. This is the sandbox's heuristic: the report records the read of the value but no decision taken on it, so it does not by itself show which locales the sample avoids.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0be2224bd1165cc9feabee8c96b718462eee9382d2f51fd9a0d695278240665f.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0be2224bd1165cc9feabee8c96b718462eee9382d2f51fd9a0d695278240665f.exe
Note: this is a machine-wide (HKLM) Run value. It lands under WOW6432Node because the sample is a 32-bit process on x64 Windows, the same redirection that resolves its cmd.exe child to SysWOW64 in the process tree. The write succeeds only because the sandbox user is an administrator; a standard user cannot write this key. The registered binary sits under %TEMP%, which is the practical detection hook: an autostart entry whose target lives in a user-writable temp directory.
-
Drops file in Windows directory 8 IoCs
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
All eight entries belong to the Windows Update service (svchost.exe -k netsvcs -p -s wuauserv, PID 4196) and the servicing stack worker (TiWorker.exe, PID 2532), which appear as separate roots in the process tree; none is attributable to the sample.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but that is a generic heuristic: it fired with no recorded IoC, and nothing else in this report (no mass file writes, no encryption, no ransom note) supports a ransomware reading. Sakula is classified as a remote-access trojan, so treat this signature as weak evidence.
-
Runs ping.exe 1 TTPs 1 IoCs
The IoC is the PING.EXE child (PID 4364) shown in the process tree. Here ping 127.0.0.1 is not network activity of interest: it is the delay in "cmd /c ping 127.0.0.1 & del /q <sample path>", a common self-deletion idiom that gives the original executable time to exit so that the following del succeeds.
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
(collapsed from the 64 individual entries; counts are per token)
  token | pid | process | count
  SeShutdownPrivilege | 4196 | svchost.exe | 3
  SeCreatePagefilePrivilege | 4196 | svchost.exe | 3
  SeIncBasePriorityPrivilege | 3944 | 0be2224bd1165cc9feabee8c96b718462eee9382d2f51fd9a0d695278240665f.exe | 1
  SeSecurityPrivilege | 2532 | TiWorker.exe | 19
  SeRestorePrivilege | 2532 | TiWorker.exe | 19
  SeBackupPrivilege | 2532 | TiWorker.exe | 19
Only one of the 64 entries is the sample's (SeIncBasePriorityPrivilege, PID 3944); the remaining 63 are the Windows Update service and the servicing stack cycling backup/restore/security privileges while servicing the image.
-
Suspicious use of WriteProcessMemory 9 IoCs
  description | pid | process | target pid | target process | count
  PID 3944 wrote to memory of 1516 | 3944 | 0be2224bd1165cc9feabee8c96b718462eee9382d2f51fd9a0d695278240665f.exe | 1516 | MediaCenter.exe | 3
  PID 3944 wrote to memory of 4244 | 3944 | 0be2224bd1165cc9feabee8c96b718462eee9382d2f51fd9a0d695278240665f.exe | 4244 | cmd.exe | 3
  PID 4244 wrote to memory of 4364 | 4244 | cmd.exe | 4364 | PING.EXE | 3
Every target is a direct child of the writer, which is consistent with the writes a parent makes into a freshly created child's address space during process creation; nothing here shows injection into a pre-existing process.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0be2224bd1165cc9feabee8c96b718462eee9382d2f51fd9a0d695278240665f.exe (PID 3944, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\0be2224bd1165cc9feabee8c96b718462eee9382d2f51fd9a0d695278240665f.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1516, depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe (PID 4244, depth 2)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0be2224bd1165cc9feabee8c96b718462eee9382d2f51fd9a0d695278240665f.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (PID 4364, depth 3)
      command line: ping 127.0.0.1
      - Runs ping.exe
-
C:\Windows\system32\svchost.exe (PID 4196, depth 1)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 2532, depth 1)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample (PID 3944) drops and launches MediaCenter.exe, registers it for autostart, then spawns cmd.exe to delete its own image after a ping delay. The cmd.exe command line names System32 but the image resolved to SysWOW64, the file-system redirection a 32-bit process gets on x64. The svchost.exe and TiWorker.exe roots are Windows Update activity that ran during the analysis window and are unrelated to the sample.
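The two behaviours in this report that are actually the sample's (a machine-wide Run value pointing into %TEMP%, and the ping-then-del self-removal) are easy to express as detection logic over process-creation and registry events. The following is an added example written for this page, not sandbox output and not the malware's code. The event records are constructed to mirror the process tree and the Run-key IoC above, their shape loosely follows Sysmon events 1 and 13, and the "user-writable path" rule is an assumption kept deliberately narrow (AppData only).

```python
"""Detection sketch for this report's two sample-attributable behaviours: a Run
value pointing into a user-writable temp path, and 'ping <loopback> & del <self>'.
Records are constructed to mirror the report (shapes loosely follow Sysmon 1/13)."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:          # process creation
    pid: int
    ppid: int
    image: str            # resolved image path
    cmdline: str

@dataclass(frozen=True)
class RegEvent:           # registry value set
    pid: int
    image: str            # writing process
    target: str           # full value path
    data: str

# Run/RunOnce under HKLM or HKCU. WOW6432Node is optional: a 32-bit process
# writing HKLM\SOFTWARE on x64 is redirected there, as in this report.
RUN_KEY_RE = re.compile(
    r'\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$', re.I)
# Assumption kept narrow for the example: "user-writable" = under a user's AppData.
USER_WRITABLE_RE = re.compile(r'^[A-Z]:\\Users\\[^\\]+\\AppData\\', re.I)
# ping to loopback (optionally -n N) used as a sleep, then del of an .exe path.
SELF_DELETE_RE = re.compile(
    r'ping(?:\.exe)?\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost|::1)\b'
    r'[^&]*&+\s*del\s+(?:/[a-z]+\s+)*"?([^"&]+?\.exe)"?', re.I)

def _exe_path(data):
    """Executable from Run-value data, quoted ('"C:\\a b\\x.exe" /f') or bare."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(' ', 1)[0]

def run_key_to_user_path(reg_events):
    """Run/RunOnce values whose executable lives in a user-writable path."""
    hits = []
    for e in reg_events:
        if not RUN_KEY_RE.search(e.target):
            continue
        exe = _exe_path(e.data)
        if USER_WRITABLE_RE.match(exe):
            hits.append({'pid': e.pid, 'writer': e.image, 'value': e.target, 'target': exe,
                         'machine_wide': e.target.upper().startswith(('HKLM', '\\REGISTRY\\MACHINE'))})
    return hits

def ping_self_delete(proc_events):
    """cmd.exe launches matching the idiom, noting whether the deleted file is the parent image."""
    by_pid = {p.pid: p for p in proc_events}
    hits = []
    for p in proc_events:
        m = SELF_DELETE_RE.search(p.cmdline) if p.image.lower().endswith('\\cmd.exe') else None
        if not m:
            continue
        deleted, parent = m.group(1).strip(), by_pid.get(p.ppid)
        hits.append({'pid': p.pid, 'parent_pid': p.ppid, 'deleted': deleted,
                     'deletes_parent': parent is not None and parent.image.lower() == deleted.lower()})
    return hits

def summarize(proc_events, reg_events):
    """Tie the detections together: drop -> launch -> persist -> delete the dropper."""
    persistence = run_key_to_user_path(reg_events)
    self_delete = ping_self_delete(proc_events)
    children = {(p.ppid, p.image.lower()) for p in proc_events}
    for h in persistence:   # did the Run-value writer also launch that binary itself?
        h['launched_by_writer'] = (h['pid'], h['target'].lower()) in children
    chain = bool(persistence) and any(s['deletes_parent'] for s in self_delete)
    return {'persistence': persistence, 'self_delete': self_delete,
            'verdict': 'drop-persist-selfdelete chain' if chain else 'no chain'}

# Constructed events mirroring the process tree and registry IoC in the report.
SAMPLE = r'C:\Users\Admin\AppData\Local\Temp\0be2224bd1165cc9feabee8c96b718462eee9382d2f51fd9a0d695278240665f.exe'
DROPPED = r'C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe'
PROCS = [
    ProcEvent(3944, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1516, 3944, DROPPED, DROPPED),
    ProcEvent(4244, 3944, r'C:\Windows\SysWOW64\cmd.exe',
              rf'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcEvent(4364, 4244, r'C:\Windows\SysWOW64\PING.EXE', 'ping 127.0.0.1'),
    # benign control (constructed): an admin script pinging a gateway, no del
    ProcEvent(5000, 4000, r'C:\Windows\System32\cmd.exe', r'"C:\Windows\System32\cmd.exe" /c ping -n 2 10.0.0.1'),
]
REGS = [
    RegEvent(3944, SAMPLE, r'HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia', DROPPED),
    # benign control (constructed): a vendor updater registered from Program Files
    RegEvent(6000, r'C:\Program Files\Vendor\setup.exe',
             r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdate',
             r'"C:\Program Files\Vendor\update.exe" /quiet'),
]

if __name__ == '__main__':
    import json
    print(json.dumps(summarize(PROCS, REGS), indent=2))
```

The two rules are deliberately joined in summarize(): on its own, a Run value under AppData is noisy (plenty of legitimate per-user installers do it), and a ping-then-del line is occasionally seen in uninstallers. The combination seen here, where the process that wrote the autostart value also launched that binary and then had its own image deleted, is what makes this a dropper pattern worth alerting on. The benign control records show both rules staying quiet on a gateway ping and a Program Files updater.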
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: fe81dffd047e5d65ebb74917b6768abb
SHA1: 48d0e2011a433811c8a29d5cc0799fa7f13ebee4
SHA256: 7d95116ea50dc534ed4c36bc455235f1028f80881d80ea67e8d9e100d05b2946
SHA512: e52b97d921e3266fa29a9106cbb5cd875b3243ca421cf8a7886530654d609495220ee28417ae85f9eaaca0af29923da1882c1bf1abd86e8c310548968c1f6d53
-
A second download entry in the report carries identical hashes (same file content). No filename is given for either; the hashes differ from the submitted sample's, so this is a distinct file.