Analysis
- max time kernel: 128s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 04:21
Static task: static1
Behavioral task: behavioral1
  Sample: 15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe
  Resource: win10v2004-en-20220113
General
- Target: 15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe
- Size: 192KB
- MD5: afb2579aff74db141ded5ead3fa20e66
- SHA1: 3ca2e7e640630426d5c413fb8a96fb0687b0c6b5
- SHA256: 15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5
- SHA512: bb83efb60f6ecf8d5c2544c7961ae546226b2ff5742671524df908d65fee75d58fbfe8aed23bf68efb8d30c4a49560c7fb694ccb26bb24ef85eacafb40776d99
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  3548 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe
Drops file in Windows directory (8 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 3648 | 15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe
  Token: SeShutdownPrivilege | 1680 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1680 | svchost.exe
  Token: SeShutdownPrivilege | 1680 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1680 | svchost.exe
  Token: SeShutdownPrivilege | 1680 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1680 | svchost.exe
  Token: SeSecurityPrivilege | 3972 | TiWorker.exe
  Token: SeRestorePrivilege | 3972 | TiWorker.exe
  Token: SeBackupPrivilege | 3972 | TiWorker.exe
  Token: SeBackupPrivilege | 3972 | TiWorker.exe
  Token: SeRestorePrivilege | 3972 | TiWorker.exe
  Token: SeSecurityPrivilege | 3972 | TiWorker.exe
  Token: SeBackupPrivilege | 3972 | TiWorker.exe
  Token: SeRestorePrivilege | 3972 | TiWorker.exe
  Token: SeSecurityPrivilege | 3972 | TiWorker.exe
  Token: SeBackupPrivilege | 3972 | TiWorker.exe
  Token: SeRestorePrivilege | 3972 | TiWorker.exe
  Token: SeSecurityPrivilege | 3972 | TiWorker.exe
  Token: SeBackupPrivilege | 3972 | TiWorker.exe
  Token: SeRestorePrivilege | 3972 | TiWorker.exe
  Token: SeSecurityPrivilege | 3972 | TiWorker.exe
  Token: SeBackupPrivilege | 3972 | TiWorker.exe
  Token: SeRestorePrivilege | 3972 | TiWorker.exe
  Token: SeSecurityPrivilege | 3972 | TiWorker.exe
  Token: SeBackupPrivilege | 3972 | TiWorker.exe
  Token: SeRestorePrivilege | 3972 | TiWorker.exe
  Token: SeSecurityPrivilege | 3972 | TiWorker.exe
  Token: SeBackupPrivilege | 3972 | TiWorker.exe
  Token: SeRestorePrivilege | 3972 | TiWorker.exe
  Token: SeSecurityPrivilege | 3972 | TiWorker.exe
  Token: SeBackupPrivilege | 3972 | TiWorker.exe
  Token: SeRestorePrivilege | 3972 | TiWorker.exe
  Token: SeSecurityPrivilege | 3972 | TiWorker.exe
  Token: SeBackupPrivilege | 3972 | TiWorker.exe
  Token: SeRestorePrivilege | 3972 | TiWorker.exe
  Token: SeSecurityPrivilege | 3972 | TiWorker.exe
  Token: SeBackupPrivilege | 3972 | TiWorker.exe
  Token: SeRestorePrivilege | 3972 | TiWorker.exe
  Token: SeSecurityPrivilege | 3972 | TiWorker.exe
  Token: SeBackupPrivilege | 3972 | TiWorker.exe
  Token: SeRestorePrivilege | 3972 | TiWorker.exe
  Token: SeSecurityPrivilege | 3972 | TiWorker.exe
  Token: SeBackupPrivilege | 3972 | TiWorker.exe
  Token: SeRestorePrivilege | 3972 | TiWorker.exe
  Token: SeSecurityPrivilege | 3972 | TiWorker.exe
  Token: SeBackupPrivilege | 3972 | TiWorker.exe
  Token: SeRestorePrivilege | 3972 | TiWorker.exe
  Token: SeSecurityPrivilege | 3972 | TiWorker.exe
  Token: SeBackupPrivilege | 3972 | TiWorker.exe
  Token: SeRestorePrivilege | 3972 | TiWorker.exe
  Token: SeSecurityPrivilege | 3972 | TiWorker.exe
  Token: SeBackupPrivilege | 3972 | TiWorker.exe
  Token: SeRestorePrivilege | 3972 | TiWorker.exe
  Token: SeSecurityPrivilege | 3972 | TiWorker.exe
  Token: SeBackupPrivilege | 3972 | TiWorker.exe
  Token: SeRestorePrivilege | 3972 | TiWorker.exe
  Token: SeSecurityPrivilege | 3972 | TiWorker.exe
  Token: SeBackupPrivilege | 3972 | TiWorker.exe
  Token: SeRestorePrivilege | 3972 | TiWorker.exe
  Token: SeSecurityPrivilege | 3972 | TiWorker.exe
  Token: SeBackupPrivilege | 3972 | TiWorker.exe
  Token: SeRestorePrivilege | 3972 | TiWorker.exe
  Token: SeSecurityPrivilege | 3972 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description | pid | process | target process
  PID 3648 wrote to memory of 3548 | 3648 | 15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe | MediaCenter.exe
  PID 3648 wrote to memory of 3548 | 3648 | 15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe | MediaCenter.exe
  PID 3648 wrote to memory of 3548 | 3648 | 15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe | MediaCenter.exe
  PID 3648 wrote to memory of 1056 | 3648 | 15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe | cmd.exe
  PID 3648 wrote to memory of 1056 | 3648 | 15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe | cmd.exe
  PID 3648 wrote to memory of 1056 | 3648 | 15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe | cmd.exe
  PID 1056 wrote to memory of 4520 | 1056 | cmd.exe | PING.EXE
  PID 1056 wrote to memory of 4520 | 1056 | cmd.exe | PING.EXE
  PID 1056 wrote to memory of 4520 | 1056 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3648
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 3548
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1056
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 4520
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1680
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3972
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: c2debc5b86ec9618a967ae6bc71e189e
  SHA1: 7ea87ac704c4ec075b1b3158dca18e01cc2aadc8
  SHA256: 64d9d7e18a6fccee240e1e5f2af3cc4b0f4cd32032b9f5075c7d2820fbeb385d
  SHA512: 05ebd0c045daeffe1fdecc89e4f23d57ebe9cab03c83816d893ef42335d06b860ada4f08716673ef5c069ffbd239aeaa553a85a1cd7c43af5f4e5f77a6f6557b