Analysis
- max time kernel: 154s
- max time network: 169s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 08:05

Static task: static1

Behavioral task: behavioral1
- Sample: 0bbd3f58b4fe9bd25247851535552ee863eb4b70e3e548491002f0df65f3f217.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0bbd3f58b4fe9bd25247851535552ee863eb4b70e3e548491002f0df65f3f217.exe
- Resource: win10v2004-en-20220113
General
- Target: 0bbd3f58b4fe9bd25247851535552ee863eb4b70e3e548491002f0df65f3f217.exe
- Size: 89KB
- MD5: d89311f1e717d9196c126c76a38007c5
- SHA1: d0acfb3ce56048859e54118c72050b45ecd48bd9
- SHA256: 0bbd3f58b4fe9bd25247851535552ee863eb4b70e3e548491002f0df65f3f217
- SHA512: 1cbea62aaef5e612e605ed06d3228c06907102bd90949b04ed7b454736f4df7c10056ad843b6ddbffa535d4bcf0f960b4ab1c237f68794e6d6f76ea28924de39
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes:
- resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
- resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
Executes dropped EXE (1 IoC)
Processes:
- pid 3632, process MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (process: 0bbd3f58b4fe9bd25247851535552ee863eb4b70e3e548491002f0df65f3f217.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (process: 0bbd3f58b4fe9bd25247851535552ee863eb4b70e3e548491002f0df65f3f217.exe)
Drops file in Windows directory (8 IoCs)
Processes:
- File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
- File opened for modification: C:\Windows\WindowsUpdate.log (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
- File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
- Token: SeIncBasePriorityPrivilege, pid 2772, 0bbd3f58b4fe9bd25247851535552ee863eb4b70e3e548491002f0df65f3f217.exe (1 occurrence)
- Token: SeShutdownPrivilege, pid 4088, svchost.exe (3 occurrences)
- Token: SeCreatePagefilePrivilege, pid 4088, svchost.exe (3 occurrences)
- Tokens: SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege, pid 3412, TiWorker.exe (57 occurrences, cycling through the three privileges)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
- PID 2772 (0bbd3f58b4fe9bd25247851535552ee863eb4b70e3e548491002f0df65f3f217.exe) wrote to memory of PID 3632 (MediaCenter.exe) (3 occurrences)
- PID 2772 (0bbd3f58b4fe9bd25247851535552ee863eb4b70e3e548491002f0df65f3f217.exe) wrote to memory of PID 2568 (cmd.exe) (3 occurrences)
- PID 2568 (cmd.exe) wrote to memory of PID 4080 (PING.EXE) (3 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\0bbd3f58b4fe9bd25247851535552ee863eb4b70e3e548491002f0df65f3f217.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0bbd3f58b4fe9bd25247851535552ee863eb4b70e3e548491002f0df65f3f217.exe"
  PID: 2772
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 3632
      - Executes dropped EXE
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0bbd3f58b4fe9bd25247851535552ee863eb4b70e3e548491002f0df65f3f217.exe"
      PID: 2568
      - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          PID: 4080
          - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4088
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3412
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: c40c47460a237e8950f5988aaa8e7a67
  SHA1: b6f246b245689395ef03ae6601b4d831062cb4a8
  SHA256: 701b73872d95f2f45a02baf63c41079a2415eaecb4aef5c9555ee53cc042dd02
  SHA512: 08de88357294aaded71474723637ee4a2b532e374ef04c77fcf8ffb895b57488aa541c88806114cbd1b0bc4e595d82c33643e6cb5adbd086f00e6463a545ad3e