Analysis
- max time kernel: 128s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 08:31

Static task: static1

Behavioral task: behavioral1
- Sample: 0af2e4480f631f6739ee429b0a1a4e1957138670021931303276e88d3bd7955b.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0af2e4480f631f6739ee429b0a1a4e1957138670021931303276e88d3bd7955b.exe
- Resource: win10v2004-en-20220113
General
- Target: 0af2e4480f631f6739ee429b0a1a4e1957138670021931303276e88d3bd7955b.exe
- Size: 99KB
- MD5: 5f604cb98af8e4c257c6e08a612d4355
- SHA1: 3934dd93b2e4df6d0aba8ea97786304a9d118da8
- SHA256: 0af2e4480f631f6739ee429b0a1a4e1957138670021931303276e88d3bd7955b
- SHA512: 152e2f2c1dabe1b3ba953965a263baa43492f7b8a029fde5c40ef82711a8ab376b1d761b2731abe6ca0e7dbc7ef633d063bf7beb4310ea495927e2c293639272
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  Both rows are the dropped MediaCenter.exe (the Run-key target below), not the submitted file, so the submitted binary is best read as a dropper for the Sakula payload.
- Executes dropped EXE (1 IoC)
  Processes:
  process | pid
  MediaCenter.exe | 1272
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0af2e4480f631f6739ee429b0a1a4e1957138670021931303276e88d3bd7955b.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0af2e4480f631f6739ee429b0a1a4e1957138670021931303276e88d3bd7955b.exe
  The value lands under WOW6432Node (the 32-bit view of HKLM\...\CurrentVersion\Run) and points into the user's %TEMP%. A machine-wide Run value whose target lives in a user-writable temp directory is the persistence artefact to hunt for on other hosts.
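A triage check for the two sample-attributed registry behaviours above (the Geo\Nation query and the Run value pointing into %TEMP%), as an added example and not part of the sandbox report: the registry events are constructed from the rows above plus one invented benign Run value, and the rule names and the list of user-writable locations are my own assumptions.

```python
import re

# Constructed registry events modelled on the rows in the report above:
# (operation, key, value name, data, process). Not taken from a real log.
REG_EVENTS = [
    ("Key value queried",
     r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation",
     None, None,
     "0af2e4480f631f6739ee429b0a1a4e1957138670021931303276e88d3bd7955b.exe"),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
     "MicroMedia",
     r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
     "0af2e4480f631f6739ee429b0a1a4e1957138670021931303276e88d3bd7955b.exe"),
    # Invented benign control: an installer registering a Run value under Program Files.
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "OneDrive",
     r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background",
     "OneDriveSetup.exe"),
]

# Run / RunOnce under either the native or the WOW6432Node view of the key.
RUN_KEY_RE = re.compile(
    r"\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.I)
# The per-user locale key the sample queried; reading it is a common geofence check.
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# Locations an unprivileged user can write to (assumed list). A Run value whose
# target lives here is the persistence shape seen in this report.
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\appdata\\|users\\public\\|programdata\\|windows\\temp\\)",
    re.I)


def triage_registry(events):
    """Return one finding per event that matches a rule, in event order."""
    findings = []
    for op, key, name, data, proc in events:
        if op.startswith("Key value queried") and GEO_KEY_RE.search(key):
            findings.append({"rule": "geofence_lookup", "process": proc, "key": key})
        elif op.startswith("Set value") and RUN_KEY_RE.search(key):
            target = (data or "").lstrip('"')   # tolerate a quoted image path
            if USER_WRITABLE_RE.match(target):
                findings.append({"rule": "run_key_user_writable", "process": proc,
                                 "value": name, "target": data})
    return findings


if __name__ == "__main__":
    for finding in triage_registry(REG_EVENTS):
        print(finding)
```

The benign control is there to show the discriminator: it is not the Run key write itself that matters (installers do that all day) but a Run target in a location the user can write to, combined with the same process having just read the locale key.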
- Drops file in Windows directory (8 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  All eight rows belong to svchost.exe (wuauserv) and TiWorker.exe, i.e. Windows Update and component servicing running in the sandbox; none is attributable to the sample or to MediaCenter.exe.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  No IoC is recorded for this signature, so the report does not say which process triggered it; the ransomware remark is the sandbox's generic description of the rule, not a finding about this sample.
- Runs ping.exe (1 TTPs, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  description | pid | process
  Token: SeShutdownPrivilege, Token: SeCreatePagefilePrivilege (three entries each) | 3060 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 4136 | 0af2e4480f631f6739ee429b0a1a4e1957138670021931303276e88d3bd7955b.exe
  Token: SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege (the remaining 57 entries, cycling through the three) | 944 | TiWorker.exe
  Only one of the 64 entries comes from the sample (SeIncBasePriorityPrivilege in PID 4136); the rest is the Windows Update service and the servicing worker enabling their usual shutdown, backup and restore privileges.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 4136 wrote to memory of 1272 (three entries) | 4136 | 0af2e4480f631f6739ee429b0a1a4e1957138670021931303276e88d3bd7955b.exe | MediaCenter.exe
  PID 4136 wrote to memory of 2028 (three entries) | 4136 | 0af2e4480f631f6739ee429b0a1a4e1957138670021931303276e88d3bd7955b.exe | cmd.exe
  PID 2028 wrote to memory of 1408 (three entries) | 2028 | cmd.exe | PING.EXE
  In every case the writer is the parent and the target is its own freshly created child, which is what ordinary process creation looks like to this signature; nothing here shows injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\0af2e4480f631f6739ee429b0a1a4e1957138670021931303276e88d3bd7955b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0af2e4480f631f6739ee429b0a1a4e1957138670021931303276e88d3bd7955b.exe"
  PID: 4136
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1272
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0af2e4480f631f6739ee429b0a1a4e1957138670021931303276e88d3bd7955b.exe"
    PID: 2028
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1408
      - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 3060
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 944
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the submitted binary drops and launches MediaCenter.exe (the Sakula payload flagged above, persisted through the Run key), then spawns cmd.exe with "ping 127.0.0.1 & del /q <own path>", the usual self-delete idiom in which the loopback ping serves as a short delay so the dropper has exited before its file is removed. The cmd.exe and PING.EXE images resolving to SysWOW64 although the command line names System32, together with the Run value landing under WOW6432Node, indicate a 32-bit sample running under WOW64. svchost.exe (wuauserv) and TiWorker.exe are separate top-level trees started by Windows Update in the sandbox, not children of the sample.
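A detector for the self-delete chain in the tree above ("cmd /c ping 127.0.0.1 & del /q <dropper>"), written as an added example that is not part of the sandbox report: it walks process-creation records, parses the cmd.exe chain, and reports when a delay (loopback ping or timeout) is paired with a del/erase whose target is the parent's own image. The records are constructed from the PIDs and command lines above plus two invented controls; the ProcEvent shape and the rule logic are my assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0af2e4480f631f6739ee429b0a1a4e1957138670021931303276e88d3bd7955b.exe"

# Constructed process-creation records: PIDs, images and command lines follow the
# process tree above; PIDs 1000, 4000, 5000, 5500 and 6000 are invented controls.
PROC_EVENTS = [
    ProcEvent(4136, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1272, 4136, r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
              r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"),
    ProcEvent(2028, 4136, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcEvent(1408, 2028, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    # Control: a loopback ping used purely as a sleep, no deletion -> no finding.
    ProcEvent(5000, 4000, r"C:\Windows\System32\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 -n 3 > nul'),
    # Control: delayed deletion of a file that is not the parent's image -> finding, but
    # deletes_parent is False.
    ProcEvent(5500, 1000, r"C:\Program Files\Updater\updater.exe", "updater.exe"),
    ProcEvent(6000, 5500, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c timeout /t 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\old_update.tmp"'),
]

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def split_cmd_chain(s):
    """Split a cmd.exe command string on '&' / '&&' that sit outside double quotes."""
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(s):
        c = s[i]
        if c == '"':
            in_quotes = not in_quotes
            buf.append(c)
        elif c == "&" and not in_quotes:
            if i + 1 < len(s) and s[i + 1] == "&":   # treat '&&' as one separator
                i += 1
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def tokens(segment):
    """Minimal Windows-style tokenizer: a double-quoted run is one token, quotes stripped."""
    return [t[1:-1] if t.startswith('"') else t
            for t in re.findall(r'"[^"]*"|\S+', segment)]


def find_self_delete(events):
    """Flag cmd.exe /c or /k chains that pair a delay with del/erase, and say whether
    the deleted path is the image of the process that spawned cmd.exe."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if e.image.lower().rsplit("\\", 1)[-1] != "cmd.exe":
            continue
        m = re.search(r"\s/[ck]\s+(.*)$", e.cmdline, re.I | re.S)
        if not m:
            continue
        delayed, deleted = False, None
        for seg in split_cmd_chain(m.group(1)):
            t = tokens(seg)
            if not t:
                continue
            verb = t[0].lower()
            if verb in ("ping", "ping.exe") and any(a.lower() in LOOPBACK for a in t[1:]):
                delayed = True
            elif verb in ("timeout", "timeout.exe"):
                delayed = True
            elif verb in ("del", "erase"):
                args = [a for a in t[1:] if not a.startswith("/")]   # drop /q, /f switches
                if args:
                    deleted = args[-1]
        if delayed and deleted:
            parent = by_pid.get(e.ppid)
            findings.append({
                "cmd_pid": e.pid,
                "parent_pid": e.ppid,
                "parent_image": parent.image if parent else None,
                "deleted": deleted,
                "deletes_parent": bool(parent) and parent.image.lower() == deleted.lower(),
            })
    return findings


if __name__ == "__main__":
    for finding in find_self_delete(PROC_EVENTS):
        print(finding)
```

The parent-image comparison is the part worth keeping: a delayed delete of some temp file is common in installers, whereas a delayed delete of the file the parent itself was executed from is the dropper pattern this report shows.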
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: f6d0c67248e1f09933f2f60f099e3ba8
- SHA1: 7cc21fa5c697cd09d1fb06d25d160800d4eb49fc
- SHA256: ec06314f15f2bbbfdfe17667cf517be5f7747d3cada3400066696b5250f3e8f2
- SHA512: 8ea2daedf7b637c74188413dd59e96fc3aed376fee75dae47bb29a1f564263dbc1ecd36e07611199d908e6f33eb9d498bf71b487e9ee598d57b7d4a0914ccd92
  One artefact, listed by hash only; its hashes differ from the submitted sample's, so it is a separate file, which the report does not name.