Analysis
-
max time kernel
141s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 03:31
Static task
static1
Behavioral task
behavioral1
Sample
176cb12ae151e140a521027d12d70ce6aa7e1b31d84f6d1c1cba8b3c5ec284fe.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
176cb12ae151e140a521027d12d70ce6aa7e1b31d84f6d1c1cba8b3c5ec284fe.exe
Resource
win10v2004-en-20220113
General
-
Target
176cb12ae151e140a521027d12d70ce6aa7e1b31d84f6d1c1cba8b3c5ec284fe.exe
-
Size
100KB
-
MD5
3c5953fdfe3d91e4da0087deb0deb320
-
SHA1
6f79b0d622194cd4f4a777e06aa72d9c0382844f
-
SHA256
176cb12ae151e140a521027d12d70ce6aa7e1b31d84f6d1c1cba8b3c5ec284fe
-
SHA512
28ff291228319aaa1607066ebdc7ca816114eeb0be2b248f979682360c2d5b1dd3194896bc3516969c159a3edc2b5f5510514e3e10e341a78b036f7f80e15b3f
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 2636 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
176cb12ae151e140a521027d12d70ce6aa7e1b31d84f6d1c1cba8b3c5ec284fe.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 176cb12ae151e140a521027d12d70ce6aa7e1b31d84f6d1c1cba8b3c5ec284fe.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
176cb12ae151e140a521027d12d70ce6aa7e1b31d84f6d1c1cba8b3c5ec284fe.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 176cb12ae151e140a521027d12d70ce6aa7e1b31d84f6d1c1cba8b3c5ec284fe.exe -
Drops file in Windows directory 8 IoCs
Processes:
TiWorker.exesvchost.exedescription ioc process File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exe176cb12ae151e140a521027d12d70ce6aa7e1b31d84f6d1c1cba8b3c5ec284fe.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 3676 svchost.exe Token: SeCreatePagefilePrivilege 3676 svchost.exe Token: SeShutdownPrivilege 3676 svchost.exe Token: SeCreatePagefilePrivilege 3676 svchost.exe Token: SeShutdownPrivilege 3676 svchost.exe Token: SeCreatePagefilePrivilege 3676 svchost.exe Token: SeIncBasePriorityPrivilege 4864 176cb12ae151e140a521027d12d70ce6aa7e1b31d84f6d1c1cba8b3c5ec284fe.exe Token: SeSecurityPrivilege 2192 TiWorker.exe Token: SeRestorePrivilege 2192 TiWorker.exe Token: SeBackupPrivilege 2192 TiWorker.exe Token: SeBackupPrivilege 2192 TiWorker.exe Token: SeRestorePrivilege 2192 TiWorker.exe Token: SeSecurityPrivilege 2192 TiWorker.exe Token: SeBackupPrivilege 2192 TiWorker.exe Token: SeRestorePrivilege 2192 TiWorker.exe Token: SeSecurityPrivilege 2192 TiWorker.exe Token: SeBackupPrivilege 2192 TiWorker.exe Token: SeRestorePrivilege 2192 TiWorker.exe Token: SeSecurityPrivilege 2192 TiWorker.exe Token: SeBackupPrivilege 2192 TiWorker.exe Token: SeRestorePrivilege 2192 TiWorker.exe Token: SeSecurityPrivilege 2192 TiWorker.exe Token: SeBackupPrivilege 2192 TiWorker.exe Token: SeRestorePrivilege 2192 TiWorker.exe Token: SeSecurityPrivilege 2192 TiWorker.exe Token: SeBackupPrivilege 2192 TiWorker.exe Token: SeRestorePrivilege 2192 TiWorker.exe Token: SeSecurityPrivilege 2192 TiWorker.exe Token: SeBackupPrivilege 2192 TiWorker.exe Token: SeRestorePrivilege 2192 TiWorker.exe Token: SeSecurityPrivilege 2192 TiWorker.exe Token: SeBackupPrivilege 2192 TiWorker.exe Token: SeRestorePrivilege 2192 TiWorker.exe Token: SeSecurityPrivilege 2192 TiWorker.exe Token: SeBackupPrivilege 2192 TiWorker.exe Token: SeRestorePrivilege 2192 TiWorker.exe Token: SeSecurityPrivilege 2192 TiWorker.exe Token: SeBackupPrivilege 2192 TiWorker.exe Token: SeRestorePrivilege 2192 TiWorker.exe Token: SeSecurityPrivilege 2192 TiWorker.exe Token: SeBackupPrivilege 2192 TiWorker.exe Token: SeRestorePrivilege 2192 TiWorker.exe Token: SeSecurityPrivilege 2192 TiWorker.exe Token: SeBackupPrivilege 2192 TiWorker.exe Token: SeRestorePrivilege 2192 TiWorker.exe Token: SeSecurityPrivilege 2192 TiWorker.exe Token: SeBackupPrivilege 2192 TiWorker.exe Token: SeRestorePrivilege 2192 TiWorker.exe Token: SeSecurityPrivilege 2192 TiWorker.exe Token: SeBackupPrivilege 2192 TiWorker.exe Token: SeRestorePrivilege 2192 TiWorker.exe Token: SeSecurityPrivilege 2192 TiWorker.exe Token: SeBackupPrivilege 2192 TiWorker.exe Token: SeRestorePrivilege 2192 TiWorker.exe Token: SeSecurityPrivilege 2192 TiWorker.exe Token: SeBackupPrivilege 2192 TiWorker.exe Token: SeRestorePrivilege 2192 TiWorker.exe Token: SeSecurityPrivilege 2192 TiWorker.exe Token: SeBackupPrivilege 2192 TiWorker.exe Token: SeRestorePrivilege 2192 TiWorker.exe Token: SeSecurityPrivilege 2192 TiWorker.exe Token: SeBackupPrivilege 2192 TiWorker.exe Token: SeRestorePrivilege 2192 TiWorker.exe Token: SeSecurityPrivilege 2192 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
176cb12ae151e140a521027d12d70ce6aa7e1b31d84f6d1c1cba8b3c5ec284fe.execmd.exedescription pid process target process PID 4864 wrote to memory of 2636 4864 176cb12ae151e140a521027d12d70ce6aa7e1b31d84f6d1c1cba8b3c5ec284fe.exe MediaCenter.exe PID 4864 wrote to memory of 2636 4864 176cb12ae151e140a521027d12d70ce6aa7e1b31d84f6d1c1cba8b3c5ec284fe.exe MediaCenter.exe PID 4864 wrote to memory of 2636 4864 176cb12ae151e140a521027d12d70ce6aa7e1b31d84f6d1c1cba8b3c5ec284fe.exe MediaCenter.exe PID 4864 wrote to memory of 2860 4864 176cb12ae151e140a521027d12d70ce6aa7e1b31d84f6d1c1cba8b3c5ec284fe.exe cmd.exe PID 4864 wrote to memory of 2860 4864 176cb12ae151e140a521027d12d70ce6aa7e1b31d84f6d1c1cba8b3c5ec284fe.exe cmd.exe PID 4864 wrote to memory of 2860 4864 176cb12ae151e140a521027d12d70ce6aa7e1b31d84f6d1c1cba8b3c5ec284fe.exe cmd.exe PID 2860 wrote to memory of 4980 2860 cmd.exe PING.EXE PID 2860 wrote to memory of 4980 2860 cmd.exe PING.EXE PID 2860 wrote to memory of 4980 2860 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\176cb12ae151e140a521027d12d70ce6aa7e1b31d84f6d1c1cba8b3c5ec284fe.exe"C:\Users\Admin\AppData\Local\Temp\176cb12ae151e140a521027d12d70ce6aa7e1b31d84f6d1c1cba8b3c5ec284fe.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\176cb12ae151e140a521027d12d70ce6aa7e1b31d84f6d1c1cba8b3c5ec284fe.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:4980
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3676
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2192
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
5352c26493e42a448bd77a059f507849
SHA1a678f20d3a30fe66ca235b0950f5192cc126ee7f
SHA256a7232b9acc358b3b6fe3c9154feb2b4975cb1f38d5b608ef60aa65213fd6f350
SHA5129a89a824d8a7d56059af3d72d8deec39e8d906b9581d2109b0a512cc9777569ae14d8fc7577824fe1cecd90a3578d9436747467ff58e504edcb7a7e313dc689e
-
MD5
5352c26493e42a448bd77a059f507849
SHA1a678f20d3a30fe66ca235b0950f5192cc126ee7f
SHA256a7232b9acc358b3b6fe3c9154feb2b4975cb1f38d5b608ef60aa65213fd6f350
SHA5129a89a824d8a7d56059af3d72d8deec39e8d906b9581d2109b0a512cc9777569ae14d8fc7577824fe1cecd90a3578d9436747467ff58e504edcb7a7e313dc689e