Analysis
max time kernel: 157s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 08:04

Static task: static1

Behavioral task: behavioral1
Sample: 0bc2b8fc9763d25260f513f0aaa682f6de35f4618cae92f554c440ecc61a814c.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 0bc2b8fc9763d25260f513f0aaa682f6de35f4618cae92f554c440ecc61a814c.exe
Resource: win10v2004-en-20220113
General
Target: 0bc2b8fc9763d25260f513f0aaa682f6de35f4618cae92f554c440ecc61a814c.exe
Size: 99KB
MD5: b46e3ce63c60e15eda96f8b1cb70288f
SHA1: 376673ce62850944d83ccc4712afe6fa8a5ef9b1
SHA256: 0bc2b8fc9763d25260f513f0aaa682f6de35f4618cae92f554c440ecc61a814c
SHA512: 08dd900743a3443ac7fe9f233e18fffef93f001963ae330750adbf261670be06c19f39a1eaba02fef4db50af6505c48ade10c2ce278929e85bc0b9cd177ae0cc
Malware Config
Signatures
Sakula Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE 1 IoCs
Processes: MediaCenter.exe
pid | process
4692 | MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 0bc2b8fc9763d25260f513f0aaa682f6de35f4618cae92f554c440ecc61a814c.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0bc2b8fc9763d25260f513f0aaa682f6de35f4618cae92f554c440ecc61a814c.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 0bc2b8fc9763d25260f513f0aaa682f6de35f4618cae92f554c440ecc61a814c.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0bc2b8fc9763d25260f513f0aaa682f6de35f4618cae92f554c440ecc61a814c.exe
Drops file in Windows directory 8 IoCs
Processes: svchost.exe, TiWorker.exe
description | ioc | process
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: svchost.exe, 0bc2b8fc9763d25260f513f0aaa682f6de35f4618cae92f554c440ecc61a814c.exe, TiWorker.exe
description | pid | process
Token: SeShutdownPrivilege | 2936 | svchost.exe
Token: SeCreatePagefilePrivilege | 2936 | svchost.exe
Token: SeShutdownPrivilege | 2936 | svchost.exe
Token: SeCreatePagefilePrivilege | 2936 | svchost.exe
Token: SeShutdownPrivilege | 2936 | svchost.exe
Token: SeCreatePagefilePrivilege | 2936 | svchost.exe
Token: SeIncBasePriorityPrivilege | 3240 | 0bc2b8fc9763d25260f513f0aaa682f6de35f4618cae92f554c440ecc61a814c.exe
Token: SeSecurityPrivilege | 4092 | TiWorker.exe
Token: SeRestorePrivilege | 4092 | TiWorker.exe
Token: SeBackupPrivilege | 4092 | TiWorker.exe
Token: SeBackupPrivilege | 4092 | TiWorker.exe
Token: SeRestorePrivilege | 4092 | TiWorker.exe
Token: SeSecurityPrivilege | 4092 | TiWorker.exe
Token: SeBackupPrivilege | 4092 | TiWorker.exe
Token: SeRestorePrivilege | 4092 | TiWorker.exe
Token: SeSecurityPrivilege | 4092 | TiWorker.exe
Token: SeBackupPrivilege | 4092 | TiWorker.exe
Token: SeRestorePrivilege | 4092 | TiWorker.exe
Token: SeSecurityPrivilege | 4092 | TiWorker.exe
Token: SeBackupPrivilege | 4092 | TiWorker.exe
Token: SeRestorePrivilege | 4092 | TiWorker.exe
Token: SeSecurityPrivilege | 4092 | TiWorker.exe
Token: SeBackupPrivilege | 4092 | TiWorker.exe
Token: SeRestorePrivilege | 4092 | TiWorker.exe
Token: SeSecurityPrivilege | 4092 | TiWorker.exe
Token: SeBackupPrivilege | 4092 | TiWorker.exe
Token: SeRestorePrivilege | 4092 | TiWorker.exe
Token: SeSecurityPrivilege | 4092 | TiWorker.exe
Token: SeBackupPrivilege | 4092 | TiWorker.exe
Token: SeRestorePrivilege | 4092 | TiWorker.exe
Token: SeSecurityPrivilege | 4092 | TiWorker.exe
Token: SeBackupPrivilege | 4092 | TiWorker.exe
Token: SeRestorePrivilege | 4092 | TiWorker.exe
Token: SeSecurityPrivilege | 4092 | TiWorker.exe
Token: SeBackupPrivilege | 4092 | TiWorker.exe
Token: SeRestorePrivilege | 4092 | TiWorker.exe
Token: SeSecurityPrivilege | 4092 | TiWorker.exe
Token: SeBackupPrivilege | 4092 | TiWorker.exe
Token: SeRestorePrivilege | 4092 | TiWorker.exe
Token: SeSecurityPrivilege | 4092 | TiWorker.exe
Token: SeBackupPrivilege | 4092 | TiWorker.exe
Token: SeRestorePrivilege | 4092 | TiWorker.exe
Token: SeSecurityPrivilege | 4092 | TiWorker.exe
Token: SeBackupPrivilege | 4092 | TiWorker.exe
Token: SeRestorePrivilege | 4092 | TiWorker.exe
Token: SeSecurityPrivilege | 4092 | TiWorker.exe
Token: SeBackupPrivilege | 4092 | TiWorker.exe
Token: SeRestorePrivilege | 4092 | TiWorker.exe
Token: SeSecurityPrivilege | 4092 | TiWorker.exe
Token: SeBackupPrivilege | 4092 | TiWorker.exe
Token: SeRestorePrivilege | 4092 | TiWorker.exe
Token: SeSecurityPrivilege | 4092 | TiWorker.exe
Token: SeBackupPrivilege | 4092 | TiWorker.exe
Token: SeRestorePrivilege | 4092 | TiWorker.exe
Token: SeSecurityPrivilege | 4092 | TiWorker.exe
Token: SeBackupPrivilege | 4092 | TiWorker.exe
Token: SeRestorePrivilege | 4092 | TiWorker.exe
Token: SeSecurityPrivilege | 4092 | TiWorker.exe
Token: SeBackupPrivilege | 4092 | TiWorker.exe
Token: SeRestorePrivilege | 4092 | TiWorker.exe
Token: SeSecurityPrivilege | 4092 | TiWorker.exe
Token: SeBackupPrivilege | 4092 | TiWorker.exe
Token: SeRestorePrivilege | 4092 | TiWorker.exe
Token: SeSecurityPrivilege | 4092 | TiWorker.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes: 0bc2b8fc9763d25260f513f0aaa682f6de35f4618cae92f554c440ecc61a814c.exe, cmd.exe
description | pid | process | target process
PID 3240 wrote to memory of 4692 | 3240 | 0bc2b8fc9763d25260f513f0aaa682f6de35f4618cae92f554c440ecc61a814c.exe | MediaCenter.exe
PID 3240 wrote to memory of 4692 | 3240 | 0bc2b8fc9763d25260f513f0aaa682f6de35f4618cae92f554c440ecc61a814c.exe | MediaCenter.exe
PID 3240 wrote to memory of 4692 | 3240 | 0bc2b8fc9763d25260f513f0aaa682f6de35f4618cae92f554c440ecc61a814c.exe | MediaCenter.exe
PID 3240 wrote to memory of 2720 | 3240 | 0bc2b8fc9763d25260f513f0aaa682f6de35f4618cae92f554c440ecc61a814c.exe | cmd.exe
PID 3240 wrote to memory of 2720 | 3240 | 0bc2b8fc9763d25260f513f0aaa682f6de35f4618cae92f554c440ecc61a814c.exe | cmd.exe
PID 3240 wrote to memory of 2720 | 3240 | 0bc2b8fc9763d25260f513f0aaa682f6de35f4618cae92f554c440ecc61a814c.exe | cmd.exe
PID 2720 wrote to memory of 1324 | 2720 | cmd.exe | PING.EXE
PID 2720 wrote to memory of 1324 | 2720 | cmd.exe | PING.EXE
PID 2720 wrote to memory of 1324 | 2720 | cmd.exe | PING.EXE
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\0bc2b8fc9763d25260f513f0aaa682f6de35f4618cae92f554c440ecc61a814c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0bc2b8fc9763d25260f513f0aaa682f6de35f4618cae92f554c440ecc61a814c.exe"
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3240

    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 4692

    C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0bc2b8fc9763d25260f513f0aaa682f6de35f4618cae92f554c440ecc61a814c.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2720

        C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1
        - Runs ping.exe
        PID: 1324

C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 2936

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 4092
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 9e90abe861ed1547eac1ddbcbced2204
SHA1: c2b08516030225d9177b59ed301c3a410aad6e3a
SHA256: 8102c8993628347a4bf611c1abf100f224d7c53ca322ae2cb50bd29089f6291e
SHA512: 2db1c670329b0eabc36be452dd780db569f53f28c1f9a5f4ff14872a1cf76a891036ac619971684a8560566b2cf027e4a0537e4b7c6f744877c79d7efd9133ce