Analysis
- max time kernel: 153s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 04:45
Static task: static1
Behavioral task: behavioral1
- Sample: 1496f65f885df7a5e95154a38aa6fd1fc3ad0a8917f27129430d9dd1d6ee6c27.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1496f65f885df7a5e95154a38aa6fd1fc3ad0a8917f27129430d9dd1d6ee6c27.exe
- Resource: win10v2004-en-20220113
General
- Target: 1496f65f885df7a5e95154a38aa6fd1fc3ad0a8917f27129430d9dd1d6ee6c27.exe
- Size: 192KB
- MD5: e719906766439550d92fc92cefb2b4c4
- SHA1: c72be3b2ddf9b5fe10c25f81d460000cc9eed734
- SHA256: 1496f65f885df7a5e95154a38aa6fd1fc3ad0a8917f27129430d9dd1d6ee6c27
- SHA512: 472a6355f8b641c8f568dd65414f1735181a42c51d82d1c977e0f3e75a81dd31d806403d2244c2212093af7e250ee1e59d1211f856b6c36c661faa08d78c34f3
Malware Config
Signatures
-
Sakula Payload (2 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Both YARA hits are recorded against the same dropped file, MediaCenter.exe, which is the persistent payload the sample installs.
Executes dropped EXE (1 IoC)
Processes: MediaCenter.exe
pid | process
1240 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes: 1496f65f885df7a5e95154a38aa6fd1fc3ad0a8917f27129430d9dd1d6ee6c27.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 1496f65f885df7a5e95154a38aa6fd1fc3ad0a8917f27129430d9dd1d6ee6c27.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 1496f65f885df7a5e95154a38aa6fd1fc3ad0a8917f27129430d9dd1d6ee6c27.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1496f65f885df7a5e95154a38aa6fd1fc3ad0a8917f27129430d9dd1d6ee6c27.exe
This is machine-wide persistence: the value launches the dropped MediaCenter.exe from the user's Temp directory at logon. The key sits under WOW6432Node because the 32-bit sample's write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is redirected by WOW64 registry redirection on x64; a hunt that only reads the native 64-bit Run key will miss this entry.
Drops file in Windows directory (8 IoCs)
Processes: svchost.exe, TiWorker.exe
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
All eight paths belong to Windows Update (SoftwareDistribution, WindowsUpdate.log) and the component-based servicing stack (CBS.log, pending.xml), and the writers are svchost.exe -k netsvcs -s wuauserv and TiWorker.exe, neither of which descends from the sample. Treat this signature as sandbox background activity, not sample behaviour.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The signature's stock description labels this as likely ransomware behaviour; no IoCs are attached to it in this run, so on its own it is a weak indicator.
Runs ping.exe (1 TTPs, 1 IoC)
The single IoC is PING.EXE (PID 4884) executing "ping 127.0.0.1" under cmd.exe; see the process tree below.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: svchost.exe, TiWorker.exe
token | pid | process | entries
SeShutdownPrivilege, SeCreatePagefilePrivilege (alternating) | 2684 | svchost.exe | 6
SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege (cycled) | 32 | TiWorker.exe | 58
Backup, restore and security privileges are what the servicing stack needs to replace system files, and shutdown/pagefile privileges are consistent with the Windows Update service. Neither process is a child of the sample, so these 64 entries are noise from the sandbox image rather than evidence of privilege abuse by the malware.
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 1496f65f885df7a5e95154a38aa6fd1fc3ad0a8917f27129430d9dd1d6ee6c27.exe, cmd.exe
description | pid | process | target process
PID 396 wrote to memory of 1240 (3 entries) | 396 | 1496f65f885df7a5e95154a38aa6fd1fc3ad0a8917f27129430d9dd1d6ee6c27.exe | MediaCenter.exe
PID 396 wrote to memory of 4488 (3 entries) | 396 | 1496f65f885df7a5e95154a38aa6fd1fc3ad0a8917f27129430d9dd1d6ee6c27.exe | cmd.exe
PID 4488 wrote to memory of 4884 (3 entries) | 4488 | cmd.exe | PING.EXE
Every write targets a process the writer has just created, which is consistent with the writes that accompany ordinary process creation rather than with injection into an unrelated process. The useful information here is the parent/child chain it confirms: sample -> MediaCenter.exe, sample -> cmd.exe -> PING.EXE.
Processes
- C:\Users\Admin\AppData\Local\Temp\1496f65f885df7a5e95154a38aa6fd1fc3ad0a8917f27129430d9dd1d6ee6c27.exe (PID 396)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1496f65f885df7a5e95154a38aa6fd1fc3ad0a8917f27129430d9dd1d6ee6c27.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1240, child of 396)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 4488, child of 396)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1496f65f885df7a5e95154a38aa6fd1fc3ad0a8917f27129430d9dd1d6ee6c27.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 4884, child of 4488)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 2684)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 32)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample drops MediaCenter.exe, registers it in the Run key, launches it, and then removes itself with the classic cmd.exe "ping 127.0.0.1 & del /q <own path>" one-liner, where the loopback ping is only a delay that lets the parent exit before its image file is deleted. After the run the only on-disk copy of the malware is MediaCenter.exe in the MicroMedia folder, which is what the Run key relaunches. The requested image path is System32 but the resolved path is SysWOW64 for both cmd.exe and PING.EXE, so the sample is a 32-bit binary running under WOW64, matching the WOW6432Node Run key. The svchost.exe (wuauserv) and TiWorker.exe entries are top-level processes with no parent relationship to the sample and reflect Windows Update and servicing-stack activity in the sandbox image.
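The two behaviours worth alerting on from this run are the Run key whose target lives in a user's Temp directory and the cmd.exe "ping loopback & del" self-delete. The following is an added example of detection logic for endpoint telemetry, not part of the sandbox report; the event dictionaries are constructed to mirror the report's IoCs, and their field names (type, pid, command_line, key, value) are an assumed schema loosely modelled on process-creation and registry-set events rather than any specific product's format. It generalises slightly beyond the report: it also accepts "localhost", ping options such as -n, "&&", and RunOnce.

```python
"""Flag the HKLM Run entry pointing into %TEMP% and the cmd.exe
"ping 127.0.0.1 & del" self-delete seen in this report. Added example;
the events below are constructed, not sandbox output, and the field
names are an assumed schema."""
import re
from typing import Dict, List, Tuple

# "ping <loopback> ... & del ... "<something>.exe"": the ping is only a
# delay so the parent can exit before its own image is deleted. Accepts
# -n/-w options, localhost, "&&" and del switches such as /f /q.
SELF_DELETE_RE = re.compile(
    r'ping\b[^&]*?\b(?:127\.0\.0\.1|localhost)\b[^&]*&+\s*del\b[^"]*"([^"]+\.exe)"',
    re.IGNORECASE,
)

# Run / RunOnce under either the native hive or the WOW6432Node (32-bit) view.
RUN_KEY_RE = re.compile(
    r'\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\',
    re.IGNORECASE,
)

# An autostart target inside a user's Temp directory is the anomaly here;
# legitimate installers do not keep persistent binaries there.
TEMP_PATH_RE = re.compile(r'^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\', re.IGNORECASE)


def classify_event(event: Dict[str, str]) -> List[str]:
    """Return the findings for one event; an empty list means nothing matched."""
    findings: List[str] = []
    if event.get("type") == "process_create":
        m = SELF_DELETE_RE.search(event.get("command_line", ""))
        if m:
            findings.append(f"self-delete via ping&del, target={m.group(1)}")
    elif event.get("type") == "registry_set":
        key = event.get("key", "")
        # Reports often render the value quoted and with doubled backslashes.
        value = event.get("value", "").strip('"').replace("\\\\", "\\")
        if RUN_KEY_RE.search(key) and TEMP_PATH_RE.match(value):
            findings.append(f"Run key points into %TEMP%: {key} -> {value}")
    return findings


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run classify_event over a batch and pair each finding with its PID."""
    return [(e.get("pid", "?"), f) for e in events for f in classify_event(e)]


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1496f65f885df7a5e95154a38aa6fd1fc3ad0a8917f27129430d9dd1d6ee6c27.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events, in the order the report's process tree implies.
EVENTS: List[Dict[str, str]] = [
    {"type": "process_create", "pid": "396", "image": SAMPLE, "command_line": f'"{SAMPLE}"'},
    {"type": "registry_set", "pid": "396",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": f'"{DROPPED}"'},
    {"type": "process_create", "pid": "4488", "parent_pid": "396",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": rf'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    # Background noise also present in the report: Windows Update, not the sample.
    {"type": "process_create", "pid": "2684", "image": r"C:\Windows\system32\svchost.exe",
     "command_line": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"},
    # A benign-looking Run entry (constructed) that must not fire.
    {"type": "registry_set", "pid": "1234",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "value": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]

if __name__ == "__main__":
    for pid, finding in scan(EVENTS):
        print(f"PID {pid}: {finding}")
```

Run against the constructed batch it reports exactly two findings, one for PID 396 (the Run key) and one for PID 4488 (the self-delete), and stays silent on the svchost.exe launch and on a Run entry that points into System32. In production the same two checks would be fed from process-creation and registry-value-set events, and the Run key match should be read through the WOW6432Node path as well as the native one, for the redirection reason noted above.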
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: a7c3b9082112477a41eb6f1176310e8f
- SHA1: a7be4d301f2ffc62b310a5ea35d2bd6bd318f6d5
- SHA256: 397cb84e643b41d2d19009fad46dd1e8d4e3cd51fab45250d901f48eceb0de04
- SHA512: eac60b91291b8718959354f8d8d07cd1e63422c8fec24ac93cf1b84c496bef435782fe5875d4c5490ee6825dd97b14ea8dfeec0e52f5b62228fbb8eba37f73af