Analysis
- max time kernel: 151s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 03:38
Static task: static1
Behavioral task: behavioral1
- Sample: 17147866e2eb992dfb419c23ed65dc8bf6f2f0743575ca3f4bfdb157d990a601.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 17147866e2eb992dfb419c23ed65dc8bf6f2f0743575ca3f4bfdb157d990a601.exe
- Resource: win10v2004-en-20220113
General
- Target: 17147866e2eb992dfb419c23ed65dc8bf6f2f0743575ca3f4bfdb157d990a601.exe
- Size: 152KB
- MD5: d27d21b9c8c236be792c63a0e61998a7
- SHA1: 38f8df18d1e17677d33f61e0cde07500b81ece80
- SHA256: 17147866e2eb992dfb419c23ed65dc8bf6f2f0743575ca3f4bfdb157d990a601
- SHA512: 5bf62760a816e2af58b8e69a33f47471d6e7afc39744942cc50da35ad60401245d3441c84220595560e4a52d767704ba7093d735d40392630dec57a1a834cd83
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
3720 | MediaCenter.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 17147866e2eb992dfb419c23ed65dc8bf6f2f0743575ca3f4bfdb157d990a601.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 17147866e2eb992dfb419c23ed65dc8bf6f2f0743575ca3f4bfdb157d990a601.exe
-
Drops file in Windows directory 8 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 4348 | svchost.exe
Token: SeCreatePagefilePrivilege | 4348 | svchost.exe
Token: SeShutdownPrivilege | 4348 | svchost.exe
Token: SeCreatePagefilePrivilege | 4348 | svchost.exe
Token: SeShutdownPrivilege | 4348 | svchost.exe
Token: SeCreatePagefilePrivilege | 4348 | svchost.exe
Token: SeIncBasePriorityPrivilege | 4172 | 17147866e2eb992dfb419c23ed65dc8bf6f2f0743575ca3f4bfdb157d990a601.exe
Token: SeSecurityPrivilege | 4948 | TiWorker.exe
Token: SeRestorePrivilege | 4948 | TiWorker.exe
Token: SeBackupPrivilege | 4948 | TiWorker.exe
Token: SeBackupPrivilege | 4948 | TiWorker.exe
Token: SeRestorePrivilege | 4948 | TiWorker.exe
Token: SeSecurityPrivilege | 4948 | TiWorker.exe
Token: SeBackupPrivilege | 4948 | TiWorker.exe
Token: SeRestorePrivilege | 4948 | TiWorker.exe
Token: SeSecurityPrivilege | 4948 | TiWorker.exe
Token: SeBackupPrivilege | 4948 | TiWorker.exe
Token: SeRestorePrivilege | 4948 | TiWorker.exe
Token: SeSecurityPrivilege | 4948 | TiWorker.exe
Token: SeBackupPrivilege | 4948 | TiWorker.exe
Token: SeRestorePrivilege | 4948 | TiWorker.exe
Token: SeSecurityPrivilege | 4948 | TiWorker.exe
Token: SeBackupPrivilege | 4948 | TiWorker.exe
Token: SeRestorePrivilege | 4948 | TiWorker.exe
Token: SeSecurityPrivilege | 4948 | TiWorker.exe
Token: SeBackupPrivilege | 4948 | TiWorker.exe
Token: SeRestorePrivilege | 4948 | TiWorker.exe
Token: SeSecurityPrivilege | 4948 | TiWorker.exe
Token: SeBackupPrivilege | 4948 | TiWorker.exe
Token: SeRestorePrivilege | 4948 | TiWorker.exe
Token: SeSecurityPrivilege | 4948 | TiWorker.exe
Token: SeBackupPrivilege | 4948 | TiWorker.exe
Token: SeRestorePrivilege | 4948 | TiWorker.exe
Token: SeSecurityPrivilege | 4948 | TiWorker.exe
Token: SeBackupPrivilege | 4948 | TiWorker.exe
Token: SeRestorePrivilege | 4948 | TiWorker.exe
Token: SeSecurityPrivilege | 4948 | TiWorker.exe
Token: SeBackupPrivilege | 4948 | TiWorker.exe
Token: SeRestorePrivilege | 4948 | TiWorker.exe
Token: SeSecurityPrivilege | 4948 | TiWorker.exe
Token: SeBackupPrivilege | 4948 | TiWorker.exe
Token: SeRestorePrivilege | 4948 | TiWorker.exe
Token: SeSecurityPrivilege | 4948 | TiWorker.exe
Token: SeBackupPrivilege | 4948 | TiWorker.exe
Token: SeRestorePrivilege | 4948 | TiWorker.exe
Token: SeSecurityPrivilege | 4948 | TiWorker.exe
Token: SeBackupPrivilege | 4948 | TiWorker.exe
Token: SeRestorePrivilege | 4948 | TiWorker.exe
Token: SeSecurityPrivilege | 4948 | TiWorker.exe
Token: SeBackupPrivilege | 4948 | TiWorker.exe
Token: SeRestorePrivilege | 4948 | TiWorker.exe
Token: SeSecurityPrivilege | 4948 | TiWorker.exe
Token: SeBackupPrivilege | 4948 | TiWorker.exe
Token: SeRestorePrivilege | 4948 | TiWorker.exe
Token: SeSecurityPrivilege | 4948 | TiWorker.exe
Token: SeBackupPrivilege | 4948 | TiWorker.exe
Token: SeRestorePrivilege | 4948 | TiWorker.exe
Token: SeSecurityPrivilege | 4948 | TiWorker.exe
Token: SeBackupPrivilege | 4948 | TiWorker.exe
Token: SeRestorePrivilege | 4948 | TiWorker.exe
Token: SeSecurityPrivilege | 4948 | TiWorker.exe
Token: SeBackupPrivilege | 4948 | TiWorker.exe
Token: SeRestorePrivilege | 4948 | TiWorker.exe
Token: SeSecurityPrivilege | 4948 | TiWorker.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 4172 wrote to memory of 3720 | 4172 | 17147866e2eb992dfb419c23ed65dc8bf6f2f0743575ca3f4bfdb157d990a601.exe | MediaCenter.exe
PID 4172 wrote to memory of 3720 | 4172 | 17147866e2eb992dfb419c23ed65dc8bf6f2f0743575ca3f4bfdb157d990a601.exe | MediaCenter.exe
PID 4172 wrote to memory of 3720 | 4172 | 17147866e2eb992dfb419c23ed65dc8bf6f2f0743575ca3f4bfdb157d990a601.exe | MediaCenter.exe
PID 4172 wrote to memory of 224 | 4172 | 17147866e2eb992dfb419c23ed65dc8bf6f2f0743575ca3f4bfdb157d990a601.exe | cmd.exe
PID 4172 wrote to memory of 224 | 4172 | 17147866e2eb992dfb419c23ed65dc8bf6f2f0743575ca3f4bfdb157d990a601.exe | cmd.exe
PID 4172 wrote to memory of 224 | 4172 | 17147866e2eb992dfb419c23ed65dc8bf6f2f0743575ca3f4bfdb157d990a601.exe | cmd.exe
PID 224 wrote to memory of 2132 | 224 | cmd.exe | PING.EXE
PID 224 wrote to memory of 2132 | 224 | cmd.exe | PING.EXE
PID 224 wrote to memory of 2132 | 224 | cmd.exe | PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\17147866e2eb992dfb419c23ed65dc8bf6f2f0743575ca3f4bfdb157d990a601.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\17147866e2eb992dfb419c23ed65dc8bf6f2f0743575ca3f4bfdb157d990a601.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4172
  -
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID:3720
  -
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\17147866e2eb992dfb419c23ed65dc8bf6f2f0743575ca3f4bfdb157d990a601.exe"
    - Suspicious use of WriteProcessMemory
    PID:224
    -
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID:2132
-
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4348
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4948
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: 08fd9fc9df6fef6de680cedf6cbca8e4
SHA1: 0f22493fe808da55436437ddc918b5cec9985539
SHA256: a8986fc6eed62c467dd9ce2ea098a2e128beb1487a9c30a197f18de6876ba23a
SHA512: 35ae13dd97ad06604904564bb8ef214284d0889fbe8a8bd12ebce019a347bde6ef590be1bc6f69fba15a2a9a432276208b57319503aa9535e54bd866cb0aedf3