Analysis
max time kernel: 157s
max time network: 168s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 03:56
Static task: static1
Behavioral task: behavioral1
  Sample: 166804a91557ced3df5d91e79c35fef0a9ac9e713cfc3015f9b3ad5f3f9b1e33.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 166804a91557ced3df5d91e79c35fef0a9ac9e713cfc3015f9b3ad5f3f9b1e33.exe
  Resource: win10v2004-en-20220113
General
Target: 166804a91557ced3df5d91e79c35fef0a9ac9e713cfc3015f9b3ad5f3f9b1e33.exe
Size: 99KB
MD5: 36a220c06e4284bc08511de788efd127
SHA1: 6343063700617c369ad1057303f4750cf8d58b62
SHA256: 166804a91557ced3df5d91e79c35fef0a9ac9e713cfc3015f9b3ad5f3f9b1e33
SHA512: 14fbcf69b1dacc46482ce2df4e6a0d531718de2080f9ccf411c7a66f299152ce6e3a85f3bbdf4b0b51df531b125ad67a215e35c73e6b0d56d2426dcead766251
Malware Config
Signatures

Sakula Payload (2 IoCs)
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
Executes dropped EXE (1 IoC)
Processes:
  pid 1648  MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  process: 166804a91557ced3df5d91e79c35fef0a9ac9e713cfc3015f9b3ad5f3f9b1e33.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 166804a91557ced3df5d91e79c35fef0a9ac9e713cfc3015f9b3ad5f3f9b1e33.exe
Drops file in Windows directory (8 IoCs)
Processes:
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log  svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log  TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml  TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log  svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (distinct token/process pairs; the report repeats the TiWorker.exe Backup/Restore/Security triple and the svchost.exe Shutdown/CreatePagefile pair many times):
  Token: SeShutdownPrivilege         pid 4108  svchost.exe
  Token: SeCreatePagefilePrivilege   pid 4108  svchost.exe
  Token: SeSecurityPrivilege         pid 1496  TiWorker.exe
  Token: SeRestorePrivilege          pid 1496  TiWorker.exe
  Token: SeBackupPrivilege           pid 1496  TiWorker.exe
  Token: SeIncBasePriorityPrivilege  pid 1296  166804a91557ced3df5d91e79c35fef0a9ac9e713cfc3015f9b3ad5f3f9b1e33.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (each write is recorded three times in the report):
  PID 1296 wrote to memory of 1648  166804a91557ced3df5d91e79c35fef0a9ac9e713cfc3015f9b3ad5f3f9b1e33.exe -> MediaCenter.exe
  PID 1296 wrote to memory of 3560  166804a91557ced3df5d91e79c35fef0a9ac9e713cfc3015f9b3ad5f3f9b1e33.exe -> cmd.exe
  PID 3560 wrote to memory of 3824  cmd.exe -> PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\166804a91557ced3df5d91e79c35fef0a9ac9e713cfc3015f9b3ad5f3f9b1e33.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\166804a91557ced3df5d91e79c35fef0a9ac9e713cfc3015f9b3ad5f3f9b1e33.exe"
  PID: 1296
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1648
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\166804a91557ced3df5d91e79c35fef0a9ac9e713cfc3015f9b3ad5f3f9b1e33.exe"
    PID: 3560
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      PID: 3824
      - Runs ping.exe

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4108
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 1496
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: a583e779f1861013512a003c97051613
SHA1: 1a08ae32b8a7abf31632cbb7c8b10d4448597622
SHA256: fad1b12b8edcd65124ab27a285bea73c42ac16d19a1bf2a01a34aca88b02ab95
SHA512: 08064da9eca7e8ee60986a3a1606317754010c5888a86d522765cbd77e2c067bd8966d4e26e6c11530b3eefb08079e14d3819cdaec7e0314b3984a1569780a38