Analysis
max time kernel: 145s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 03:27
Static task: static1
Behavioral task: behavioral1
  Sample: 179ab139dc128b795997aa0329a35a658b8b4994119aa6d30d2fd5973420681d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 179ab139dc128b795997aa0329a35a658b8b4994119aa6d30d2fd5973420681d.exe
  Resource: win10v2004-en-20220113
General
Target: 179ab139dc128b795997aa0329a35a658b8b4994119aa6d30d2fd5973420681d.exe
Size: 191KB
MD5: 797c998b353456449c3b22fdf1b729cf
SHA1: 0318ac93c2cb82cbd3ad36df8558c5aab282fb7b
SHA256: 179ab139dc128b795997aa0329a35a658b8b4994119aa6d30d2fd5973420681d
SHA512: a2376c4d94197bc36e6a2323aa85eda92c7c8e4a0143c536fe9e6e036ba044b60b277b0dd65df65435944211c70e009e7c5860ad1f016551f5a883802470edb6
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE (1 IoCs)
Processes:
pid | process
3944 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 179ab139dc128b795997aa0329a35a658b8b4994119aa6d30d2fd5973420681d.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 179ab139dc128b795997aa0329a35a658b8b4994119aa6d30d2fd5973420681d.exe
Drops file in Windows directory (8 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
description | pid | process
Token: SeShutdownPrivilege | 1308 | svchost.exe
Token: SeCreatePagefilePrivilege | 1308 | svchost.exe
Token: SeShutdownPrivilege | 1308 | svchost.exe
Token: SeCreatePagefilePrivilege | 1308 | svchost.exe
Token: SeShutdownPrivilege | 1308 | svchost.exe
Token: SeCreatePagefilePrivilege | 1308 | svchost.exe
Token: SeSecurityPrivilege | 3788 | TiWorker.exe
Token: SeRestorePrivilege | 3788 | TiWorker.exe
Token: SeBackupPrivilege | 3788 | TiWorker.exe
Token: SeBackupPrivilege | 3788 | TiWorker.exe
Token: SeRestorePrivilege | 3788 | TiWorker.exe
Token: SeSecurityPrivilege | 3788 | TiWorker.exe
Token: SeBackupPrivilege | 3788 | TiWorker.exe
Token: SeRestorePrivilege | 3788 | TiWorker.exe
Token: SeSecurityPrivilege | 3788 | TiWorker.exe
Token: SeBackupPrivilege | 3788 | TiWorker.exe
Token: SeRestorePrivilege | 3788 | TiWorker.exe
Token: SeSecurityPrivilege | 3788 | TiWorker.exe
Token: SeBackupPrivilege | 3788 | TiWorker.exe
Token: SeRestorePrivilege | 3788 | TiWorker.exe
Token: SeSecurityPrivilege | 3788 | TiWorker.exe
Token: SeBackupPrivilege | 3788 | TiWorker.exe
Token: SeRestorePrivilege | 3788 | TiWorker.exe
Token: SeSecurityPrivilege | 3788 | TiWorker.exe
Token: SeBackupPrivilege | 3788 | TiWorker.exe
Token: SeRestorePrivilege | 3788 | TiWorker.exe
Token: SeSecurityPrivilege | 3788 | TiWorker.exe
Token: SeBackupPrivilege | 3788 | TiWorker.exe
Token: SeRestorePrivilege | 3788 | TiWorker.exe
Token: SeSecurityPrivilege | 3788 | TiWorker.exe
Token: SeBackupPrivilege | 3788 | TiWorker.exe
Token: SeRestorePrivilege | 3788 | TiWorker.exe
Token: SeSecurityPrivilege | 3788 | TiWorker.exe
Token: SeBackupPrivilege | 3788 | TiWorker.exe
Token: SeRestorePrivilege | 3788 | TiWorker.exe
Token: SeSecurityPrivilege | 3788 | TiWorker.exe
Token: SeBackupPrivilege | 3788 | TiWorker.exe
Token: SeRestorePrivilege | 3788 | TiWorker.exe
Token: SeSecurityPrivilege | 3788 | TiWorker.exe
Token: SeBackupPrivilege | 3788 | TiWorker.exe
Token: SeRestorePrivilege | 3788 | TiWorker.exe
Token: SeSecurityPrivilege | 3788 | TiWorker.exe
Token: SeBackupPrivilege | 3788 | TiWorker.exe
Token: SeRestorePrivilege | 3788 | TiWorker.exe
Token: SeSecurityPrivilege | 3788 | TiWorker.exe
Token: SeBackupPrivilege | 3788 | TiWorker.exe
Token: SeRestorePrivilege | 3788 | TiWorker.exe
Token: SeSecurityPrivilege | 3788 | TiWorker.exe
Token: SeBackupPrivilege | 3788 | TiWorker.exe
Token: SeRestorePrivilege | 3788 | TiWorker.exe
Token: SeSecurityPrivilege | 3788 | TiWorker.exe
Token: SeBackupPrivilege | 3788 | TiWorker.exe
Token: SeRestorePrivilege | 3788 | TiWorker.exe
Token: SeSecurityPrivilege | 3788 | TiWorker.exe
Token: SeBackupPrivilege | 3788 | TiWorker.exe
Token: SeRestorePrivilege | 3788 | TiWorker.exe
Token: SeSecurityPrivilege | 3788 | TiWorker.exe
Token: SeBackupPrivilege | 3788 | TiWorker.exe
Token: SeRestorePrivilege | 3788 | TiWorker.exe
Token: SeSecurityPrivilege | 3788 | TiWorker.exe
Token: SeBackupPrivilege | 3788 | TiWorker.exe
Token: SeRestorePrivilege | 3788 | TiWorker.exe
Token: SeSecurityPrivilege | 3788 | TiWorker.exe
Token: SeBackupPrivilege | 3788 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 2992 wrote to memory of 3944 | 2992 | 179ab139dc128b795997aa0329a35a658b8b4994119aa6d30d2fd5973420681d.exe | MediaCenter.exe
PID 2992 wrote to memory of 3944 | 2992 | 179ab139dc128b795997aa0329a35a658b8b4994119aa6d30d2fd5973420681d.exe | MediaCenter.exe
PID 2992 wrote to memory of 3944 | 2992 | 179ab139dc128b795997aa0329a35a658b8b4994119aa6d30d2fd5973420681d.exe | MediaCenter.exe
PID 2992 wrote to memory of 3900 | 2992 | 179ab139dc128b795997aa0329a35a658b8b4994119aa6d30d2fd5973420681d.exe | cmd.exe
PID 2992 wrote to memory of 3900 | 2992 | 179ab139dc128b795997aa0329a35a658b8b4994119aa6d30d2fd5973420681d.exe | cmd.exe
PID 2992 wrote to memory of 3900 | 2992 | 179ab139dc128b795997aa0329a35a658b8b4994119aa6d30d2fd5973420681d.exe | cmd.exe
PID 3900 wrote to memory of 1056 | 3900 | cmd.exe | PING.EXE
PID 3900 wrote to memory of 1056 | 3900 | cmd.exe | PING.EXE
PID 3900 wrote to memory of 1056 | 3900 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\179ab139dc128b795997aa0329a35a658b8b4994119aa6d30d2fd5973420681d.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\179ab139dc128b795997aa0329a35a658b8b4994119aa6d30d2fd5973420681d.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 2992
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 3944
  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\179ab139dc128b795997aa0329a35a658b8b4994119aa6d30d2fd5973420681d.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3900
    C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1056
C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1308
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (depth 1)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3788
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 272779948bff690117a2a3f1bf84eff6
SHA1: f990a43e20490a43cd238cd0d2861b0aa0b1b07d
SHA256: f43b556f2f725bc6c42d79c01f2ed5777ccd0aa0d8e4efed13097b8d4af03d93
SHA512: 43a0d445779084099e361cc33ac3b3e65908f28f5385301a97808017a93f274498b4f072bc85a561eafe3409cbf403b5494ec35de83469b07fdabb3de410ad05