Analysis

Max time kernel: 155s
Max time network: 160s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220113
Submitted: 12-02-2022 03:41

Static task: static1
Behavioral task: behavioral1
  Sample: 16f88aa903b5852e640c8b007d53a302914a63da14b980991dac8f3014953134.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 16f88aa903b5852e640c8b007d53a302914a63da14b980991dac8f3014953134.exe
  Resource: win10v2004-en-20220113

General

Target: 16f88aa903b5852e640c8b007d53a302914a63da14b980991dac8f3014953134.exe
Size: 92KB
MD5: 0a83265c93b91a16c5c52c2845b11d6a
SHA1: e3c2de42c90ab1c192434b1bf70a30d1a7e5596e
SHA256: 16f88aa903b5852e640c8b007d53a302914a63da14b980991dac8f3014953134
SHA512: ef99f8b7dc2bf6c070ab5012ee389cd52342348a23537632e337dde54f114ce0d766e7d8406a0bd5a59ff627fcfece9258241608a286d949715a923153ed31c4
Malware Config

Signatures

- Sakula Payload (2 IoCs)
  Processes: MediaCenter.exe

  | resource | yara_rule |
  |---|---|
  | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula |
  | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula |

- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe

  | pid | process |
  |---|---|
  | 1288 | MediaCenter.exe |

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 16f88aa903b5852e640c8b007d53a302914a63da14b980991dac8f3014953134.exe

  | description | ioc | process |
  |---|---|---|
  | Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 16f88aa903b5852e640c8b007d53a302914a63da14b980991dac8f3014953134.exe |

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 16f88aa903b5852e640c8b007d53a302914a63da14b980991dac8f3014953134.exe

  | description | ioc | process |
  |---|---|---|
  | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 16f88aa903b5852e640c8b007d53a302914a63da14b980991dac8f3014953134.exe |

- Drops file in Windows directory (8 IoCs)
  Processes: TiWorker.exe, svchost.exe

  | description | ioc | process |
  |---|---|---|
  | File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe |
  | File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe |
  | File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe |
  | File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe |
  | File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe |
  | File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe |
  | File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe |
  | File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe |

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Runs ping.exe (1 TTPs, 1 IoCs)

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, 16f88aa903b5852e640c8b007d53a302914a63da14b980991dac8f3014953134.exe, TiWorker.exe

  | description | pid | process |
  |---|---|---|
  | Token: SeShutdownPrivilege | 1508 | svchost.exe |
  | Token: SeCreatePagefilePrivilege | 1508 | svchost.exe |
  | Token: SeShutdownPrivilege | 1508 | svchost.exe |
  | Token: SeCreatePagefilePrivilege | 1508 | svchost.exe |
  | Token: SeShutdownPrivilege | 1508 | svchost.exe |
  | Token: SeCreatePagefilePrivilege | 1508 | svchost.exe |
  | Token: SeIncBasePriorityPrivilege | 4808 | 16f88aa903b5852e640c8b007d53a302914a63da14b980991dac8f3014953134.exe |
  | Token: SeSecurityPrivilege | 2740 | TiWorker.exe |
  | Token: SeRestorePrivilege | 2740 | TiWorker.exe |
  | Token: SeBackupPrivilege | 2740 | TiWorker.exe |
  | Token: SeBackupPrivilege | 2740 | TiWorker.exe |
  | Token: SeRestorePrivilege | 2740 | TiWorker.exe |
  | Token: SeSecurityPrivilege | 2740 | TiWorker.exe |
  | Token: SeBackupPrivilege | 2740 | TiWorker.exe |
  | Token: SeRestorePrivilege | 2740 | TiWorker.exe |
  | Token: SeSecurityPrivilege | 2740 | TiWorker.exe |
  | Token: SeBackupPrivilege | 2740 | TiWorker.exe |
  | Token: SeRestorePrivilege | 2740 | TiWorker.exe |
  | Token: SeSecurityPrivilege | 2740 | TiWorker.exe |
  | Token: SeBackupPrivilege | 2740 | TiWorker.exe |
  | Token: SeRestorePrivilege | 2740 | TiWorker.exe |
  | Token: SeSecurityPrivilege | 2740 | TiWorker.exe |
  | Token: SeBackupPrivilege | 2740 | TiWorker.exe |
  | Token: SeRestorePrivilege | 2740 | TiWorker.exe |
  | Token: SeSecurityPrivilege | 2740 | TiWorker.exe |
  | Token: SeBackupPrivilege | 2740 | TiWorker.exe |
  | Token: SeRestorePrivilege | 2740 | TiWorker.exe |
  | Token: SeSecurityPrivilege | 2740 | TiWorker.exe |
  | Token: SeBackupPrivilege | 2740 | TiWorker.exe |
  | Token: SeRestorePrivilege | 2740 | TiWorker.exe |
  | Token: SeSecurityPrivilege | 2740 | TiWorker.exe |
  | Token: SeBackupPrivilege | 2740 | TiWorker.exe |
  | Token: SeRestorePrivilege | 2740 | TiWorker.exe |
  | Token: SeSecurityPrivilege | 2740 | TiWorker.exe |
  | Token: SeBackupPrivilege | 2740 | TiWorker.exe |
  | Token: SeRestorePrivilege | 2740 | TiWorker.exe |
  | Token: SeSecurityPrivilege | 2740 | TiWorker.exe |
  | Token: SeBackupPrivilege | 2740 | TiWorker.exe |
  | Token: SeRestorePrivilege | 2740 | TiWorker.exe |
  | Token: SeSecurityPrivilege | 2740 | TiWorker.exe |
  | Token: SeBackupPrivilege | 2740 | TiWorker.exe |
  | Token: SeRestorePrivilege | 2740 | TiWorker.exe |
  | Token: SeSecurityPrivilege | 2740 | TiWorker.exe |
  | Token: SeBackupPrivilege | 2740 | TiWorker.exe |
  | Token: SeRestorePrivilege | 2740 | TiWorker.exe |
  | Token: SeSecurityPrivilege | 2740 | TiWorker.exe |
  | Token: SeBackupPrivilege | 2740 | TiWorker.exe |
  | Token: SeRestorePrivilege | 2740 | TiWorker.exe |
  | Token: SeSecurityPrivilege | 2740 | TiWorker.exe |
  | Token: SeBackupPrivilege | 2740 | TiWorker.exe |
  | Token: SeRestorePrivilege | 2740 | TiWorker.exe |
  | Token: SeSecurityPrivilege | 2740 | TiWorker.exe |
  | Token: SeBackupPrivilege | 2740 | TiWorker.exe |
  | Token: SeRestorePrivilege | 2740 | TiWorker.exe |
  | Token: SeSecurityPrivilege | 2740 | TiWorker.exe |
  | Token: SeBackupPrivilege | 2740 | TiWorker.exe |
  | Token: SeRestorePrivilege | 2740 | TiWorker.exe |
  | Token: SeSecurityPrivilege | 2740 | TiWorker.exe |
  | Token: SeBackupPrivilege | 2740 | TiWorker.exe |
  | Token: SeRestorePrivilege | 2740 | TiWorker.exe |
  | Token: SeSecurityPrivilege | 2740 | TiWorker.exe |
  | Token: SeBackupPrivilege | 2740 | TiWorker.exe |
  | Token: SeRestorePrivilege | 2740 | TiWorker.exe |
  | Token: SeSecurityPrivilege | 2740 | TiWorker.exe |

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 16f88aa903b5852e640c8b007d53a302914a63da14b980991dac8f3014953134.exe, cmd.exe

  | description | pid | process | target process |
  |---|---|---|---|
  | PID 4808 wrote to memory of 1288 | 4808 | 16f88aa903b5852e640c8b007d53a302914a63da14b980991dac8f3014953134.exe | MediaCenter.exe |
  | PID 4808 wrote to memory of 1288 | 4808 | 16f88aa903b5852e640c8b007d53a302914a63da14b980991dac8f3014953134.exe | MediaCenter.exe |
  | PID 4808 wrote to memory of 1288 | 4808 | 16f88aa903b5852e640c8b007d53a302914a63da14b980991dac8f3014953134.exe | MediaCenter.exe |
  | PID 4808 wrote to memory of 4872 | 4808 | 16f88aa903b5852e640c8b007d53a302914a63da14b980991dac8f3014953134.exe | cmd.exe |
  | PID 4808 wrote to memory of 4872 | 4808 | 16f88aa903b5852e640c8b007d53a302914a63da14b980991dac8f3014953134.exe | cmd.exe |
  | PID 4808 wrote to memory of 4872 | 4808 | 16f88aa903b5852e640c8b007d53a302914a63da14b980991dac8f3014953134.exe | cmd.exe |
  | PID 4872 wrote to memory of 5068 | 4872 | cmd.exe | PING.EXE |
  | PID 4872 wrote to memory of 5068 | 4872 | cmd.exe | PING.EXE |
  | PID 4872 wrote to memory of 5068 | 4872 | cmd.exe | PING.EXE |
Processes

- C:\Users\Admin\AppData\Local\Temp\16f88aa903b5852e640c8b007d53a302914a63da14b980991dac8f3014953134.exe (PID 4808)
  Command line: "C:\Users\Admin\AppData\Local\Temp\16f88aa903b5852e640c8b007d53a302914a63da14b980991dac8f3014953134.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1288)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 4872)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16f88aa903b5852e640c8b007d53a302914a63da14b980991dac8f3014953134.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 5068)
      Command line: ping 127.0.0.1
      - Runs ping.exe

- C:\Windows\system32\svchost.exe (PID 1508)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 2740)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: 10e6419b33c602ba442e90f51acc0800
SHA1: 5852deb130a6112e2a74ee2991ec2f4fcc802c02
SHA256: d0ca3636fd797e879f166ce15eb34627dabe2c2c44d1768a2ad89618d346687a
SHA512: 3e2a193d93932fa7bb874f18524c0fc2c06457724dc5e3719bba0fe78d7ec7318c3efd5f606ec74328299a4320e7203dc6b392959797e19098044567a9f8adbb