Analysis
-
max time kernel
150s -
max time network
164s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 03:43
Static task
static1
Behavioral task
behavioral1
Sample
16eb538a72b038a5506091899b59e18bf0dc365069979d0eb852144d2b2b2801.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
16eb538a72b038a5506091899b59e18bf0dc365069979d0eb852144d2b2b2801.exe
Resource
win10v2004-en-20220113
General
-
Target
16eb538a72b038a5506091899b59e18bf0dc365069979d0eb852144d2b2b2801.exe
-
Size
101KB
-
MD5
95f3e2a13f2a70197810ac1ef4665678
-
SHA1
f72ceab93969ef9dbc070875d4d2746d87eded11
-
SHA256
16eb538a72b038a5506091899b59e18bf0dc365069979d0eb852144d2b2b2801
-
SHA512
8cd460e2c75f49bc870a3041d7afc19bd84b5f3d76fba9e610f5ca1cd9c6016d0d76897d42e6f83f21260fca4a5c99e296f45aecd0ee547e8edecf4214056b17
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 4420 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
16eb538a72b038a5506091899b59e18bf0dc365069979d0eb852144d2b2b2801.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 16eb538a72b038a5506091899b59e18bf0dc365069979d0eb852144d2b2b2801.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
16eb538a72b038a5506091899b59e18bf0dc365069979d0eb852144d2b2b2801.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 16eb538a72b038a5506091899b59e18bf0dc365069979d0eb852144d2b2b2801.exe -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exe16eb538a72b038a5506091899b59e18bf0dc365069979d0eb852144d2b2b2801.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 4996 svchost.exe Token: SeCreatePagefilePrivilege 4996 svchost.exe Token: SeShutdownPrivilege 4996 svchost.exe Token: SeCreatePagefilePrivilege 4996 svchost.exe Token: SeShutdownPrivilege 4996 svchost.exe Token: SeCreatePagefilePrivilege 4996 svchost.exe Token: SeIncBasePriorityPrivilege 684 16eb538a72b038a5506091899b59e18bf0dc365069979d0eb852144d2b2b2801.exe Token: SeSecurityPrivilege 4532 TiWorker.exe Token: SeRestorePrivilege 4532 TiWorker.exe Token: SeBackupPrivilege 4532 TiWorker.exe Token: SeBackupPrivilege 4532 TiWorker.exe Token: SeRestorePrivilege 4532 TiWorker.exe Token: SeSecurityPrivilege 4532 TiWorker.exe Token: SeBackupPrivilege 4532 TiWorker.exe Token: SeRestorePrivilege 4532 TiWorker.exe Token: SeSecurityPrivilege 4532 TiWorker.exe Token: SeBackupPrivilege 4532 TiWorker.exe Token: SeRestorePrivilege 4532 TiWorker.exe Token: SeSecurityPrivilege 4532 TiWorker.exe Token: SeBackupPrivilege 4532 TiWorker.exe Token: SeRestorePrivilege 4532 TiWorker.exe Token: SeSecurityPrivilege 4532 TiWorker.exe Token: SeBackupPrivilege 4532 TiWorker.exe Token: SeRestorePrivilege 4532 TiWorker.exe Token: SeSecurityPrivilege 4532 TiWorker.exe Token: SeBackupPrivilege 4532 TiWorker.exe Token: SeRestorePrivilege 4532 TiWorker.exe Token: SeSecurityPrivilege 4532 TiWorker.exe Token: SeBackupPrivilege 4532 TiWorker.exe Token: SeRestorePrivilege 4532 TiWorker.exe Token: SeSecurityPrivilege 4532 TiWorker.exe Token: SeBackupPrivilege 4532 TiWorker.exe Token: SeRestorePrivilege 4532 TiWorker.exe Token: SeSecurityPrivilege 4532 TiWorker.exe Token: SeBackupPrivilege 4532 TiWorker.exe Token: SeRestorePrivilege 4532 TiWorker.exe Token: SeSecurityPrivilege 4532 TiWorker.exe Token: SeBackupPrivilege 4532 TiWorker.exe Token: SeRestorePrivilege 4532 TiWorker.exe Token: SeSecurityPrivilege 4532 TiWorker.exe Token: SeBackupPrivilege 4532 TiWorker.exe Token: SeRestorePrivilege 4532 TiWorker.exe Token: SeSecurityPrivilege 4532 TiWorker.exe Token: SeBackupPrivilege 4532 TiWorker.exe Token: SeRestorePrivilege 4532 TiWorker.exe Token: SeSecurityPrivilege 4532 TiWorker.exe Token: SeBackupPrivilege 4532 TiWorker.exe Token: SeRestorePrivilege 4532 TiWorker.exe Token: SeSecurityPrivilege 4532 TiWorker.exe Token: SeBackupPrivilege 4532 TiWorker.exe Token: SeRestorePrivilege 4532 TiWorker.exe Token: SeSecurityPrivilege 4532 TiWorker.exe Token: SeBackupPrivilege 4532 TiWorker.exe Token: SeRestorePrivilege 4532 TiWorker.exe Token: SeSecurityPrivilege 4532 TiWorker.exe Token: SeBackupPrivilege 4532 TiWorker.exe Token: SeRestorePrivilege 4532 TiWorker.exe Token: SeSecurityPrivilege 4532 TiWorker.exe Token: SeBackupPrivilege 4532 TiWorker.exe Token: SeRestorePrivilege 4532 TiWorker.exe Token: SeSecurityPrivilege 4532 TiWorker.exe Token: SeBackupPrivilege 4532 TiWorker.exe Token: SeRestorePrivilege 4532 TiWorker.exe Token: SeSecurityPrivilege 4532 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
16eb538a72b038a5506091899b59e18bf0dc365069979d0eb852144d2b2b2801.execmd.exedescription pid process target process PID 684 wrote to memory of 4420 684 16eb538a72b038a5506091899b59e18bf0dc365069979d0eb852144d2b2b2801.exe MediaCenter.exe PID 684 wrote to memory of 4420 684 16eb538a72b038a5506091899b59e18bf0dc365069979d0eb852144d2b2b2801.exe MediaCenter.exe PID 684 wrote to memory of 4420 684 16eb538a72b038a5506091899b59e18bf0dc365069979d0eb852144d2b2b2801.exe MediaCenter.exe PID 684 wrote to memory of 4608 684 16eb538a72b038a5506091899b59e18bf0dc365069979d0eb852144d2b2b2801.exe cmd.exe PID 684 wrote to memory of 4608 684 16eb538a72b038a5506091899b59e18bf0dc365069979d0eb852144d2b2b2801.exe cmd.exe PID 684 wrote to memory of 4608 684 16eb538a72b038a5506091899b59e18bf0dc365069979d0eb852144d2b2b2801.exe cmd.exe PID 4608 wrote to memory of 5060 4608 cmd.exe PING.EXE PID 4608 wrote to memory of 5060 4608 cmd.exe PING.EXE PID 4608 wrote to memory of 5060 4608 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\16eb538a72b038a5506091899b59e18bf0dc365069979d0eb852144d2b2b2801.exe"C:\Users\Admin\AppData\Local\Temp\16eb538a72b038a5506091899b59e18bf0dc365069979d0eb852144d2b2b2801.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:684 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16eb538a72b038a5506091899b59e18bf0dc365069979d0eb852144d2b2b2801.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:5060
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4996
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4532
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
b86cc97f028939aea5a0faa82071230c
SHA15c192dc36589fce61d40fcada8c01e98b51b83bd
SHA2564ee697f634b142a4a20490fc5045a3a61a41acd9bdf488cfc5397f8db7644da1
SHA512e9b2980cf2c5615a1ccd84a9593e614669913e5bd32be5ed148e10c7c8e1d61363ddc48c1eba244c510d66c6d366563e8f45fbcd4dbba2e6792778baa89f8777
-
MD5
b86cc97f028939aea5a0faa82071230c
SHA15c192dc36589fce61d40fcada8c01e98b51b83bd
SHA2564ee697f634b142a4a20490fc5045a3a61a41acd9bdf488cfc5397f8db7644da1
SHA512e9b2980cf2c5615a1ccd84a9593e614669913e5bd32be5ed148e10c7c8e1d61363ddc48c1eba244c510d66c6d366563e8f45fbcd4dbba2e6792778baa89f8777