Analysis
-
max time kernel
152s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 03:36
Static task
static1
Behavioral task
behavioral1
Sample
172e885af7d6219027d365551308ce5ba624769ad266ef99e354a48d049f4f40.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
172e885af7d6219027d365551308ce5ba624769ad266ef99e354a48d049f4f40.exe
Resource
win10v2004-en-20220113
General
-
Target
172e885af7d6219027d365551308ce5ba624769ad266ef99e354a48d049f4f40.exe
-
Size
191KB
-
MD5
25f558e59c64d3cc66a9c212eae07cf0
-
SHA1
9db3e6f1788238f9a115fac923ffbe40d7b79265
-
SHA256
172e885af7d6219027d365551308ce5ba624769ad266ef99e354a48d049f4f40
-
SHA512
d7f21c96b76628be72128657f0ce0f536923086e51c6c5834c2c0cf9398a7892ec42981c7cf9c3cd344d0b3480aee6701d07b62ab338b854c42dc7be1e60b371
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1464 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
172e885af7d6219027d365551308ce5ba624769ad266ef99e354a48d049f4f40.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 172e885af7d6219027d365551308ce5ba624769ad266ef99e354a48d049f4f40.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
172e885af7d6219027d365551308ce5ba624769ad266ef99e354a48d049f4f40.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 172e885af7d6219027d365551308ce5ba624769ad266ef99e354a48d049f4f40.exe -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exe172e885af7d6219027d365551308ce5ba624769ad266ef99e354a48d049f4f40.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 1724 svchost.exe Token: SeCreatePagefilePrivilege 1724 svchost.exe Token: SeShutdownPrivilege 1724 svchost.exe Token: SeCreatePagefilePrivilege 1724 svchost.exe Token: SeShutdownPrivilege 1724 svchost.exe Token: SeCreatePagefilePrivilege 1724 svchost.exe Token: SeIncBasePriorityPrivilege 4736 172e885af7d6219027d365551308ce5ba624769ad266ef99e354a48d049f4f40.exe Token: SeSecurityPrivilege 4448 TiWorker.exe Token: SeRestorePrivilege 4448 TiWorker.exe Token: SeBackupPrivilege 4448 TiWorker.exe Token: SeBackupPrivilege 4448 TiWorker.exe Token: SeRestorePrivilege 4448 TiWorker.exe Token: SeSecurityPrivilege 4448 TiWorker.exe Token: SeBackupPrivilege 4448 TiWorker.exe Token: SeRestorePrivilege 4448 TiWorker.exe Token: SeSecurityPrivilege 4448 TiWorker.exe Token: SeBackupPrivilege 4448 TiWorker.exe Token: SeRestorePrivilege 4448 TiWorker.exe Token: SeSecurityPrivilege 4448 TiWorker.exe Token: SeBackupPrivilege 4448 TiWorker.exe Token: SeRestorePrivilege 4448 TiWorker.exe Token: SeSecurityPrivilege 4448 TiWorker.exe Token: SeBackupPrivilege 4448 TiWorker.exe Token: SeRestorePrivilege 4448 TiWorker.exe Token: SeSecurityPrivilege 4448 TiWorker.exe Token: SeBackupPrivilege 4448 TiWorker.exe Token: SeRestorePrivilege 4448 TiWorker.exe Token: SeSecurityPrivilege 4448 TiWorker.exe Token: SeBackupPrivilege 4448 TiWorker.exe Token: SeRestorePrivilege 4448 TiWorker.exe Token: SeSecurityPrivilege 4448 TiWorker.exe Token: SeBackupPrivilege 4448 TiWorker.exe Token: SeRestorePrivilege 4448 TiWorker.exe Token: SeSecurityPrivilege 4448 TiWorker.exe Token: SeBackupPrivilege 4448 TiWorker.exe Token: SeRestorePrivilege 4448 TiWorker.exe Token: SeSecurityPrivilege 4448 TiWorker.exe Token: SeBackupPrivilege 4448 TiWorker.exe Token: SeRestorePrivilege 4448 TiWorker.exe Token: SeSecurityPrivilege 4448 TiWorker.exe Token: SeBackupPrivilege 4448 TiWorker.exe Token: SeRestorePrivilege 4448 TiWorker.exe Token: SeSecurityPrivilege 4448 TiWorker.exe Token: SeBackupPrivilege 4448 TiWorker.exe Token: SeRestorePrivilege 4448 TiWorker.exe Token: SeSecurityPrivilege 4448 TiWorker.exe Token: SeBackupPrivilege 4448 TiWorker.exe Token: SeRestorePrivilege 4448 TiWorker.exe Token: SeSecurityPrivilege 4448 TiWorker.exe Token: SeBackupPrivilege 4448 TiWorker.exe Token: SeRestorePrivilege 4448 TiWorker.exe Token: SeSecurityPrivilege 4448 TiWorker.exe Token: SeBackupPrivilege 4448 TiWorker.exe Token: SeRestorePrivilege 4448 TiWorker.exe Token: SeSecurityPrivilege 4448 TiWorker.exe Token: SeBackupPrivilege 4448 TiWorker.exe Token: SeRestorePrivilege 4448 TiWorker.exe Token: SeSecurityPrivilege 4448 TiWorker.exe Token: SeBackupPrivilege 4448 TiWorker.exe Token: SeRestorePrivilege 4448 TiWorker.exe Token: SeSecurityPrivilege 4448 TiWorker.exe Token: SeBackupPrivilege 4448 TiWorker.exe Token: SeRestorePrivilege 4448 TiWorker.exe Token: SeSecurityPrivilege 4448 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
172e885af7d6219027d365551308ce5ba624769ad266ef99e354a48d049f4f40.execmd.exedescription pid process target process PID 4736 wrote to memory of 1464 4736 172e885af7d6219027d365551308ce5ba624769ad266ef99e354a48d049f4f40.exe MediaCenter.exe PID 4736 wrote to memory of 1464 4736 172e885af7d6219027d365551308ce5ba624769ad266ef99e354a48d049f4f40.exe MediaCenter.exe PID 4736 wrote to memory of 1464 4736 172e885af7d6219027d365551308ce5ba624769ad266ef99e354a48d049f4f40.exe MediaCenter.exe PID 4736 wrote to memory of 4700 4736 172e885af7d6219027d365551308ce5ba624769ad266ef99e354a48d049f4f40.exe cmd.exe PID 4736 wrote to memory of 4700 4736 172e885af7d6219027d365551308ce5ba624769ad266ef99e354a48d049f4f40.exe cmd.exe PID 4736 wrote to memory of 4700 4736 172e885af7d6219027d365551308ce5ba624769ad266ef99e354a48d049f4f40.exe cmd.exe PID 4700 wrote to memory of 3984 4700 cmd.exe PING.EXE PID 4700 wrote to memory of 3984 4700 cmd.exe PING.EXE PID 4700 wrote to memory of 3984 4700 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\172e885af7d6219027d365551308ce5ba624769ad266ef99e354a48d049f4f40.exe"C:\Users\Admin\AppData\Local\Temp\172e885af7d6219027d365551308ce5ba624769ad266ef99e354a48d049f4f40.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\172e885af7d6219027d365551308ce5ba624769ad266ef99e354a48d049f4f40.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:3984
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1724
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4448
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
ff90b587b35c5e2144ab61a0c5e884c3
SHA12b54a2276dca7a0510c31d07e5a38cf1dd32f4b6
SHA256191afc8a1a1802b69f6c18119a4f59ece9f952764b274697cdd6db2e44372a64
SHA512ab5121b7cf8c91e0964c7d99d358005d64fcab915f22a38001dac00d30a64984cc201cbc076c1ff382466a1804bb994ad477d453e42ded6fb8b0e540e1e846a4
-
MD5
ff90b587b35c5e2144ab61a0c5e884c3
SHA12b54a2276dca7a0510c31d07e5a38cf1dd32f4b6
SHA256191afc8a1a1802b69f6c18119a4f59ece9f952764b274697cdd6db2e44372a64
SHA512ab5121b7cf8c91e0964c7d99d358005d64fcab915f22a38001dac00d30a64984cc201cbc076c1ff382466a1804bb994ad477d453e42ded6fb8b0e540e1e846a4