Analysis
max time kernel: 147s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 02:49
Static task: static1
Behavioral task: behavioral1
Sample: 196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe
Resource: win10v2004-en-20220113
General
Target: 196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe
Size: 99KB
MD5: 098c2330b2b39304b37311b8103365e3
SHA1: 00790acc9e7041c3d993b04394e9c35543538a8b
SHA256: 196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550
SHA512: 0b0f21028a271906a42223fe611d5703ca5b44839f6851be6dfcd9c0e2f422779f9c56704bb87bed0109f675a56863ad5860d7ee819ecca5809fb79cd64917b4
Malware Config
Signatures
-
Sakula Payload 2 IoCs
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE 1 IoCs
pid | process
1780 | MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe
The value points at the dropped payload in the user's Temp directory, so it survives reboot under the machine-wide Run key. It landed under WOW6432Node because the writer is a 32-bit process on 64-bit Windows and the registry redirector rewrote HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; a 64-bit query of the unredirected key will not show it.
Drops file in Windows directory 8 IoCs
description | ioc | process
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
All eight writes come from the Windows Update service (svchost.exe hosting wuauserv) and the servicing-stack worker (TiWorker.exe), not from the sample or its child processes; they are background activity of the sandbox image.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The signature's stock text calls this likely ransomware behaviour, but no process or IoC is attributed to it in this report, and the payload itself is matched as family_sakula above; treat the ransomware wording as the signature's generic description, not a classification of this sample.
Runs ping.exe 1 TTPs 1 IoCs
pid | process | command line
3528 | PING.EXE | ping 127.0.0.1 (spawned by cmd.exe, PID 4684, as a delay before it deletes the original sample file; see the Processes tree)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: svchost.exe, TiWorker.exe
pid | process | privileges enabled
4328 | svchost.exe | SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating, three times each
1596 | TiWorker.exe | SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, cycled repeatedly for the remaining entries
Both processes belong to Windows Update servicing (wuauserv and the servicing-stack worker), not to the sample; backup, restore and security privileges are what TiWorker.exe enables to stage component updates under WinSxS.
Suspicious use of WriteProcessMemory 9 IoCs
Processes: 196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe, cmd.exe
description | pid | process | target process
PID 4688 wrote to memory of 1780 (3 entries) | 4688 | 196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe | MediaCenter.exe
PID 4688 wrote to memory of 4684 (3 entries) | 4688 | 196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe | cmd.exe
PID 4684 wrote to memory of 3528 (3 entries) | 4684 | cmd.exe | PING.EXE
Each write targets a process the writer has just created, which is consistent with normal parent-to-child process setup; the entries record the spawn chain sample -> MediaCenter.exe / cmd.exe -> PING.EXE and do not by themselves indicate injection into an unrelated process.
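Added example (not part of the sandbox report and not the sample's code): a small Python triage routine over registry-write events in the shape the signatures above print them. It normalizes the escaped, quoted value data, recognises the WOW6432Node-redirected Run key (which tells you the writer was a 32-bit process on 64-bit Windows) and flags autostart targets that live in user-writable directories such as AppData\Local\Temp. The first event is the report's own Run-key row; the SecurityHealth entry written by explorer.exe is constructed for contrast, and the report's Geo\Nation read is included to show that reads are filtered out.

```python
"""Triage Run-key persistence entries from sandbox registry events."""
import re
from dataclasses import dataclass

# Constructed events in the shape the report prints them:
# (operation, registry path, value data, image name of the writing process)
EVENTS = [
    # The report's own "Adds Run key" row.
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     r'"C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"',
     "196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe"),
    # Hypothetical benign autostart (assumption, not from the report).
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     r'"C:\\Windows\\system32\\SecurityHealthSystray.exe"',
     "explorer.exe"),
    # The report's geofence lookup: a read, not a Run-key write, so it is skipped.
    ("Key value queried",
     r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation",
     "",
     "196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe"),
]

# Matches HKLM/HKCU ...\CurrentVersion\Run and RunOnce, with or without the
# WOW6432Node redirection that a 32-bit writer on x64 gets.
RUN_KEY_RE = re.compile(
    r"\\(?P<wow>WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\]+)$",
    re.I)

# Directory fragments any unprivileged user can write to. A Run value pointing
# here is persistence that needed no installer and no administrator decision.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\",
                 "\\programdata\\", "%temp%", "%appdata%", "%localappdata%")


@dataclass
class RunKeyFinding:
    value_name: str
    image_path: str
    writer: str
    wow64_redirected: bool   # key landed under WOW6432Node: writer is 32-bit on x64
    user_writable: bool      # target lives in a directory the user can write
    suspicious: bool


def normalize_image_path(data: str) -> str:
    """Turn the report's escaped, quoted value data into a bare image path.

    Unquoted data is cut at the first space; without the filesystem there is
    no way to resolve paths containing spaces the way CreateProcess would.
    """
    s = data.replace("\\\\", "\\").strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def triage_run_keys(events):
    """Return one RunKeyFinding per Run/RunOnce value write; reads are ignored."""
    findings = []
    for op, key, data, writer in events:
        m = RUN_KEY_RE.search(key)
        if not m or not op.lower().startswith("set value"):
            continue
        path = normalize_image_path(data)
        low = path.lower()
        writable = any(frag in low for frag in USER_WRITABLE)
        findings.append(RunKeyFinding(
            value_name=m.group("name"),
            image_path=path,
            writer=writer,
            wow64_redirected=m.group("wow") is not None,
            user_writable=writable,
            # Minimal rule; extend with signer, prevalence or path-age checks.
            suspicious=writable,
        ))
    return findings


if __name__ == "__main__":
    for finding in triage_run_keys(EVENTS):
        print(finding)
```

When hunting for this on a live host, query both HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and its WOW6432Node twin (or use a 32-bit view of the registry); a 64-bit tool reading only the native key misses exactly the entry this sample wrote.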
Processes
C:\Users\Admin\AppData\Local\Temp\196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe  (PID 4688)
  command line: "C:\Users\Admin\AppData\Local\Temp\196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1780, child of 4688)
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe  (PID 4684, child of 4688)
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe"
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE  (PID 3528, child of 4684)
          command line: ping 127.0.0.1
          - Runs ping.exe

The sample's tree reads as a dropper: the submitted executable writes MediaCenter.exe under the user's Temp directory, registers it under the Run key, launches it, and then spawns cmd.exe to ping the loopback address and delete the original file. The ping is only a delay; it gives the parent time to exit, because an image file cannot be deleted while a process is still executing it. cmd.exe was requested as C:\Windows\System32\cmd.exe but resolved under SysWOW64, which confirms the sample is a 32-bit process on this 64-bit host and explains the WOW6432Node Run key.

The two remaining trees are Windows Update activity of the sandbox image and are unrelated to the sample:

C:\Windows\system32\svchost.exe  (PID 4328)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  (PID 1596)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
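Added example (not the page's or the sample's code): reconstruct the spawn chain from the WriteProcessMemory rows in this report and test each cmd.exe child for the ping-then-del self-deletion pattern, checking that the deleted path is the image of the process that spawned it and whether the System32-to-SysWOW64 path redirection marks the parent as 32-bit. The rows and command lines are copied from this report; nothing about the sample beyond them is assumed.

```python
"""Rebuild a sandbox process tree and flag ping-delayed self-deletion."""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe"

# Rows as printed in the report's WriteProcessMemory signature (duplicates dropped):
# "PID <parent> wrote to memory of <child> <parent> <parent image> <child image>"
WPM_ROWS = [
    "PID 4688 wrote to memory of 1780 4688 196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe MediaCenter.exe",
    "PID 4688 wrote to memory of 4684 4688 196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe cmd.exe",
    "PID 4684 wrote to memory of 3528 4684 cmd.exe PING.EXE",
]

# pid -> (image path, command line), copied from the report's Processes section.
PROCESSES = {
    4688: (SAMPLE, f'"{SAMPLE}"'),
    1780: (r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
           r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"),
    4684: (r"C:\Windows\SysWOW64\cmd.exe",
           f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    3528: (r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")

# ping <host> [&|&&] del [/switches] "<path>": the ping is a sleep, the del is the goal.
SELF_DELETE_RE = re.compile(
    r"ping\s+(?:-n\s+\d+\s+)?(?P<host>\S+)\s*&+\s*del\s+(?:/[a-z]\s+)*\"?(?P<path>[^\"&]+)",
    re.I)


def parse_edges(rows):
    """Return {child_pid: parent_pid} from WriteProcessMemory rows."""
    edges = {}
    for row in rows:
        m = WPM_RE.match(row)
        if m:
            edges[int(m.group(2))] = int(m.group(1))
    return edges


def render_tree(processes, edges, pid=None, depth=0):
    """Indented '<pid> <image>' lines, one tree per process without a recorded parent."""
    roots = [p for p in processes if edges.get(p) is None] if pid is None else [pid]
    lines = []
    for p in roots:
        lines.append("  " * depth + f"{p} {processes[p][0]}")
        for child in sorted(c for c, parent in edges.items() if parent == p):
            lines.extend(render_tree(processes, edges, child, depth + 1))
    return lines


def wow64_redirected(image, cmdline):
    """True when the command line asked for System32 but the image resolved under
    SysWOW64: the creating process is 32-bit on 64-bit Windows."""
    return "\\syswow64\\" in image.lower() and "\\system32\\" in cmdline.lower()


def find_self_delete(processes, edges):
    """Flag cmd.exe instances running 'ping ... & del <path>' and say whether <path>
    is the image of the process that spawned them (true self-deletion)."""
    findings = []
    for pid, (image, cmdline) in processes.items():
        if not image.lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(cmdline)
        if not m:
            continue
        parent = edges.get(pid)
        parent_image = processes[parent][0] if parent in processes else ""
        target = m.group("path").strip()
        findings.append({
            "pid": pid,
            "parent_pid": parent,
            "delay_host": m.group("host"),
            "deleted_path": target,
            "self_delete": target.lower() == parent_image.lower(),
            "parent_is_32bit": wow64_redirected(image, cmdline),
        })
    return findings


if __name__ == "__main__":
    edges = parse_edges(WPM_ROWS)
    print("\n".join(render_tree(PROCESSES, edges)))
    for f in find_self_delete(PROCESSES, edges):
        print(f)
```

The same regex works on Sysmon event 1 or EDR process-creation telemetry; the parent-image comparison is what separates a dropper cleaning up after itself from an administrator's batch file that happens to ping and delete something else.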
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 2655e24d7552354a1817c2934f3ad047
SHA1: 0d8aa0ea11c501ff8e8c9b90448a5a5aadd52849
SHA256: 71f078b664feba21cb61a2ea0cd4a9d58441e14e18f5fd9fc42080c044ef4286
SHA512: 69b9892f9e3a6542ce68b11d12fd77e7150ff25e7969cafd0139ef4f56c4fb928b601be358dae67dc1f24e2ee945e0074c09fe1877d0861b7a3ddf743b4a8000
These hashes differ from the submitted sample's, so this is a separate file captured during the run; the report does not name it.