Analysis
- max time kernel: 142s
- max time network: 170s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 08:03
Static task: static1
Behavioral task: behavioral1
- Sample: 0bd466ebaa0b76339c8dc6667c7d48d41ec117fe5957cbc3f1cb43257e5169de.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0bd466ebaa0b76339c8dc6667c7d48d41ec117fe5957cbc3f1cb43257e5169de.exe
- Resource: win10v2004-en-20220113
General
- Target: 0bd466ebaa0b76339c8dc6667c7d48d41ec117fe5957cbc3f1cb43257e5169de.exe
- Size: 80KB
- MD5: 539b88975e08ebb23fc3e38d2a748bcf
- SHA1: 592e04fed97a048ba8cf613cfb1864b291a0f804
- SHA256: 0bd466ebaa0b76339c8dc6667c7d48d41ec117fe5957cbc3f1cb43257e5169de
- SHA512: 33246d5cb06e67fdb438e03fabecb6dea7662698a2aad6f1efb2030cf472541cfcb8c95d9fa988079424c46cb7e9b82d8d70eb7790470d90b0d253d056e85176
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  pid | process
  2304 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 0bd466ebaa0b76339c8dc6667c7d48d41ec117fe5957cbc3f1cb43257e5169de.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0bd466ebaa0b76339c8dc6667c7d48d41ec117fe5957cbc3f1cb43257e5169de.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 0bd466ebaa0b76339c8dc6667c7d48d41ec117fe5957cbc3f1cb43257e5169de.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0bd466ebaa0b76339c8dc6667c7d48d41ec117fe5957cbc3f1cb43257e5169de.exe
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 0bd466ebaa0b76339c8dc6667c7d48d41ec117fe5957cbc3f1cb43257e5169de.exe, cmd.exe
  description | pid | process | target process
  PID 2764 wrote to memory of 2304 | 2764 | 0bd466ebaa0b76339c8dc6667c7d48d41ec117fe5957cbc3f1cb43257e5169de.exe | MediaCenter.exe
  PID 2764 wrote to memory of 2304 | 2764 | 0bd466ebaa0b76339c8dc6667c7d48d41ec117fe5957cbc3f1cb43257e5169de.exe | MediaCenter.exe
  PID 2764 wrote to memory of 2304 | 2764 | 0bd466ebaa0b76339c8dc6667c7d48d41ec117fe5957cbc3f1cb43257e5169de.exe | MediaCenter.exe
  PID 2764 wrote to memory of 1928 | 2764 | 0bd466ebaa0b76339c8dc6667c7d48d41ec117fe5957cbc3f1cb43257e5169de.exe | cmd.exe
  PID 2764 wrote to memory of 1928 | 2764 | 0bd466ebaa0b76339c8dc6667c7d48d41ec117fe5957cbc3f1cb43257e5169de.exe | cmd.exe
  PID 2764 wrote to memory of 1928 | 2764 | 0bd466ebaa0b76339c8dc6667c7d48d41ec117fe5957cbc3f1cb43257e5169de.exe | cmd.exe
  PID 1928 wrote to memory of 892 | 1928 | cmd.exe | PING.EXE
  PID 1928 wrote to memory of 892 | 1928 | cmd.exe | PING.EXE
  PID 1928 wrote to memory of 892 | 1928 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0bd466ebaa0b76339c8dc6667c7d48d41ec117fe5957cbc3f1cb43257e5169de.exe (PID 2764)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0bd466ebaa0b76339c8dc6667c7d48d41ec117fe5957cbc3f1cb43257e5169de.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 2304)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1928)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0bd466ebaa0b76339c8dc6667c7d48d41ec117fe5957cbc3f1cb43257e5169de.exe"
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\PING.EXE (PID 892)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 1528)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 3728)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: b2e9ba283613473195c41ad91ca199bb
  SHA1: 8423e56bf07bfe1e47c3196aacb4024511fd7f21
  SHA256: ee3200bcb6f7d80c0a663fa47507ad4504033e265799c448b2332bbeca30d1b7
  SHA512: 1175b0080d2e04995155228eac324043c666592c52874ac51d492ab6d05d43e36ba7caf5049c965a2921feb86d0c777c1f482efd0930644c18e25cab919cb491