Analysis
max time kernel: 150s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 08:23
Static task: static1
Behavioral task: behavioral1
    Sample: 0b2e57db56f5c927fc14bdd6cc0d5d59eff3ab25822d39179b4227ce944dd6b1.exe
    Resource: win7-en-20211208
Behavioral task: behavioral2
    Sample: 0b2e57db56f5c927fc14bdd6cc0d5d59eff3ab25822d39179b4227ce944dd6b1.exe
    Resource: win10v2004-en-20220113
General
Target: 0b2e57db56f5c927fc14bdd6cc0d5d59eff3ab25822d39179b4227ce944dd6b1.exe
Size: 150KB
MD5: 7c06599c579fe8dffb581d5f50c84742
SHA1: 4d9dd7ea1c7cf398de824a651d59c57c366a1ba2
SHA256: 0b2e57db56f5c927fc14bdd6cc0d5d59eff3ab25822d39179b4227ce944dd6b1
SHA512: 7efdcad7e2ea43472939967dc30435cf5c652246c628fb4e8571f00673aa3b540bff15abb7e5314d16d618b04ef5e8beb938fb194c59bc9bbcbaefe10802ac3c
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE (1 IoCs)
Processes:
pid | process
3336 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0b2e57db56f5c927fc14bdd6cc0d5d59eff3ab25822d39179b4227ce944dd6b1.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0b2e57db56f5c927fc14bdd6cc0d5d59eff3ab25822d39179b4227ce944dd6b1.exe
Drops file in Windows directory (8 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
description | pid | process
Token: SeShutdownPrivilege | 3724 | svchost.exe
Token: SeCreatePagefilePrivilege | 3724 | svchost.exe
Token: SeShutdownPrivilege | 3724 | svchost.exe
Token: SeCreatePagefilePrivilege | 3724 | svchost.exe
Token: SeShutdownPrivilege | 3724 | svchost.exe
Token: SeCreatePagefilePrivilege | 3724 | svchost.exe
Token: SeSecurityPrivilege | 3908 | TiWorker.exe
Token: SeRestorePrivilege | 3908 | TiWorker.exe
Token: SeBackupPrivilege | 3908 | TiWorker.exe
Token: SeIncBasePriorityPrivilege | 3808 | 0b2e57db56f5c927fc14bdd6cc0d5d59eff3ab25822d39179b4227ce944dd6b1.exe
Token: SeBackupPrivilege | 3908 | TiWorker.exe
Token: SeRestorePrivilege | 3908 | TiWorker.exe
Token: SeSecurityPrivilege | 3908 | TiWorker.exe
Token: SeBackupPrivilege | 3908 | TiWorker.exe
Token: SeRestorePrivilege | 3908 | TiWorker.exe
Token: SeSecurityPrivilege | 3908 | TiWorker.exe
Token: SeBackupPrivilege | 3908 | TiWorker.exe
Token: SeRestorePrivilege | 3908 | TiWorker.exe
Token: SeSecurityPrivilege | 3908 | TiWorker.exe
Token: SeBackupPrivilege | 3908 | TiWorker.exe
Token: SeRestorePrivilege | 3908 | TiWorker.exe
Token: SeSecurityPrivilege | 3908 | TiWorker.exe
Token: SeBackupPrivilege | 3908 | TiWorker.exe
Token: SeRestorePrivilege | 3908 | TiWorker.exe
Token: SeSecurityPrivilege | 3908 | TiWorker.exe
Token: SeBackupPrivilege | 3908 | TiWorker.exe
Token: SeRestorePrivilege | 3908 | TiWorker.exe
Token: SeSecurityPrivilege | 3908 | TiWorker.exe
Token: SeBackupPrivilege | 3908 | TiWorker.exe
Token: SeRestorePrivilege | 3908 | TiWorker.exe
Token: SeSecurityPrivilege | 3908 | TiWorker.exe
Token: SeBackupPrivilege | 3908 | TiWorker.exe
Token: SeRestorePrivilege | 3908 | TiWorker.exe
Token: SeSecurityPrivilege | 3908 | TiWorker.exe
Token: SeBackupPrivilege | 3908 | TiWorker.exe
Token: SeRestorePrivilege | 3908 | TiWorker.exe
Token: SeSecurityPrivilege | 3908 | TiWorker.exe
Token: SeBackupPrivilege | 3908 | TiWorker.exe
Token: SeRestorePrivilege | 3908 | TiWorker.exe
Token: SeSecurityPrivilege | 3908 | TiWorker.exe
Token: SeBackupPrivilege | 3908 | TiWorker.exe
Token: SeRestorePrivilege | 3908 | TiWorker.exe
Token: SeSecurityPrivilege | 3908 | TiWorker.exe
Token: SeBackupPrivilege | 3908 | TiWorker.exe
Token: SeRestorePrivilege | 3908 | TiWorker.exe
Token: SeSecurityPrivilege | 3908 | TiWorker.exe
Token: SeBackupPrivilege | 3908 | TiWorker.exe
Token: SeRestorePrivilege | 3908 | TiWorker.exe
Token: SeSecurityPrivilege | 3908 | TiWorker.exe
Token: SeBackupPrivilege | 3908 | TiWorker.exe
Token: SeRestorePrivilege | 3908 | TiWorker.exe
Token: SeSecurityPrivilege | 3908 | TiWorker.exe
Token: SeBackupPrivilege | 3908 | TiWorker.exe
Token: SeRestorePrivilege | 3908 | TiWorker.exe
Token: SeSecurityPrivilege | 3908 | TiWorker.exe
Token: SeBackupPrivilege | 3908 | TiWorker.exe
Token: SeRestorePrivilege | 3908 | TiWorker.exe
Token: SeSecurityPrivilege | 3908 | TiWorker.exe
Token: SeBackupPrivilege | 3908 | TiWorker.exe
Token: SeRestorePrivilege | 3908 | TiWorker.exe
Token: SeSecurityPrivilege | 3908 | TiWorker.exe
Token: SeBackupPrivilege | 3908 | TiWorker.exe
Token: SeRestorePrivilege | 3908 | TiWorker.exe
Token: SeSecurityPrivilege | 3908 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 3808 wrote to memory of 3336 | 3808 | 0b2e57db56f5c927fc14bdd6cc0d5d59eff3ab25822d39179b4227ce944dd6b1.exe | MediaCenter.exe
PID 3808 wrote to memory of 3336 | 3808 | 0b2e57db56f5c927fc14bdd6cc0d5d59eff3ab25822d39179b4227ce944dd6b1.exe | MediaCenter.exe
PID 3808 wrote to memory of 3336 | 3808 | 0b2e57db56f5c927fc14bdd6cc0d5d59eff3ab25822d39179b4227ce944dd6b1.exe | MediaCenter.exe
PID 3808 wrote to memory of 1860 | 3808 | 0b2e57db56f5c927fc14bdd6cc0d5d59eff3ab25822d39179b4227ce944dd6b1.exe | cmd.exe
PID 3808 wrote to memory of 1860 | 3808 | 0b2e57db56f5c927fc14bdd6cc0d5d59eff3ab25822d39179b4227ce944dd6b1.exe | cmd.exe
PID 3808 wrote to memory of 1860 | 3808 | 0b2e57db56f5c927fc14bdd6cc0d5d59eff3ab25822d39179b4227ce944dd6b1.exe | cmd.exe
PID 1860 wrote to memory of 2988 | 1860 | cmd.exe | PING.EXE
PID 1860 wrote to memory of 2988 | 1860 | cmd.exe | PING.EXE
PID 1860 wrote to memory of 2988 | 1860 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\0b2e57db56f5c927fc14bdd6cc0d5d59eff3ab25822d39179b4227ce944dd6b1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0b2e57db56f5c927fc14bdd6cc0d5d59eff3ab25822d39179b4227ce944dd6b1.exe"
    PID: 3808
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        PID: 3336
        - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b2e57db56f5c927fc14bdd6cc0d5d59eff3ab25822d39179b4227ce944dd6b1.exe"
        PID: 1860
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            PID: 2988
            - Runs ping.exe
C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    PID: 3724
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    PID: 3908
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5: 83cd80f5cbc6569171c26aa52413e99e
    SHA1: 224ad9f9599351e91bb3be12c6f0cdd46e60859d
    SHA256: e160710141d0ff47aad1f71e20bc5e5370aa8b25ebdf44795c9c559943352ed1
    SHA512: 47557905c570809b862dc8645549025a891d40de339825441158144ec89efda538f51cf391d88267ac139c9ac64156715e394fa56443c2b7152f51a322056c31
memory/3724-132-0x000001C513FA0000-0x000001C513FB0000-memory.dmp
    Filesize: 64KB
memory/3724-133-0x000001C514520000-0x000001C514530000-memory.dmp
    Filesize: 64KB
memory/3724-134-0x000001C516C20000-0x000001C516C24000-memory.dmp
    Filesize: 16KB