Analysis
-
max time kernel
132s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 03:42
Static task
static1
Behavioral task
behavioral1
Sample
16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exe
Resource
win10v2004-en-20220113
General
-
Target
16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exe
-
Size
80KB
-
MD5
97286f1a9e13954775f6b27ef0751105
-
SHA1
4c5e00a132d33b3988945b973f34db5fb85ba6c0
-
SHA256
16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18
-
SHA512
34ad7d8e6f01fc86ca8b902331c2eecb86646f58e5eddac7f250655faf94a6a5477e6c0232efcc779b27ce3147360243076cd04cf4fc8e931218019dd527bb19
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 2380 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exe -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exeTiWorker.exe16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exedescription pid process Token: SeShutdownPrivilege 3336 svchost.exe Token: SeCreatePagefilePrivilege 3336 svchost.exe Token: SeShutdownPrivilege 3336 svchost.exe Token: SeCreatePagefilePrivilege 3336 svchost.exe Token: SeShutdownPrivilege 3336 svchost.exe Token: SeCreatePagefilePrivilege 3336 svchost.exe Token: SeSecurityPrivilege 400 TiWorker.exe Token: SeRestorePrivilege 400 TiWorker.exe Token: SeBackupPrivilege 400 TiWorker.exe Token: SeIncBasePriorityPrivilege 2352 16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exe Token: SeBackupPrivilege 400 TiWorker.exe Token: SeRestorePrivilege 400 TiWorker.exe Token: SeSecurityPrivilege 400 TiWorker.exe Token: SeBackupPrivilege 400 TiWorker.exe Token: SeRestorePrivilege 400 TiWorker.exe Token: SeSecurityPrivilege 400 TiWorker.exe Token: SeBackupPrivilege 400 TiWorker.exe Token: SeRestorePrivilege 400 TiWorker.exe Token: SeSecurityPrivilege 400 TiWorker.exe Token: SeBackupPrivilege 400 TiWorker.exe Token: SeRestorePrivilege 400 TiWorker.exe Token: SeSecurityPrivilege 400 TiWorker.exe Token: SeBackupPrivilege 400 TiWorker.exe Token: SeRestorePrivilege 400 TiWorker.exe Token: SeSecurityPrivilege 400 TiWorker.exe Token: SeBackupPrivilege 400 TiWorker.exe Token: SeRestorePrivilege 400 TiWorker.exe Token: SeSecurityPrivilege 400 TiWorker.exe Token: SeBackupPrivilege 400 TiWorker.exe Token: SeRestorePrivilege 400 TiWorker.exe Token: SeSecurityPrivilege 400 TiWorker.exe Token: SeBackupPrivilege 400 TiWorker.exe Token: SeRestorePrivilege 400 TiWorker.exe Token: SeSecurityPrivilege 400 TiWorker.exe Token: SeBackupPrivilege 400 TiWorker.exe Token: SeRestorePrivilege 400 TiWorker.exe Token: SeSecurityPrivilege 400 TiWorker.exe Token: SeBackupPrivilege 400 TiWorker.exe Token: SeRestorePrivilege 400 TiWorker.exe Token: SeSecurityPrivilege 400 TiWorker.exe Token: SeBackupPrivilege 400 TiWorker.exe Token: SeRestorePrivilege 400 TiWorker.exe Token: SeSecurityPrivilege 400 TiWorker.exe Token: SeBackupPrivilege 400 TiWorker.exe Token: SeRestorePrivilege 400 TiWorker.exe Token: SeSecurityPrivilege 400 TiWorker.exe Token: SeBackupPrivilege 400 TiWorker.exe Token: SeRestorePrivilege 400 TiWorker.exe Token: SeSecurityPrivilege 400 TiWorker.exe Token: SeBackupPrivilege 400 TiWorker.exe Token: SeRestorePrivilege 400 TiWorker.exe Token: SeSecurityPrivilege 400 TiWorker.exe Token: SeBackupPrivilege 400 TiWorker.exe Token: SeRestorePrivilege 400 TiWorker.exe Token: SeSecurityPrivilege 400 TiWorker.exe Token: SeBackupPrivilege 400 TiWorker.exe Token: SeRestorePrivilege 400 TiWorker.exe Token: SeSecurityPrivilege 400 TiWorker.exe Token: SeBackupPrivilege 400 TiWorker.exe Token: SeRestorePrivilege 400 TiWorker.exe Token: SeSecurityPrivilege 400 TiWorker.exe Token: SeBackupPrivilege 400 TiWorker.exe Token: SeRestorePrivilege 400 TiWorker.exe Token: SeSecurityPrivilege 400 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.execmd.exedescription pid process target process PID 2352 wrote to memory of 2380 2352 16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exe MediaCenter.exe PID 2352 wrote to memory of 2380 2352 16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exe MediaCenter.exe PID 2352 wrote to memory of 2380 2352 16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exe MediaCenter.exe PID 2352 wrote to memory of 3280 2352 16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exe cmd.exe PID 2352 wrote to memory of 3280 2352 16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exe cmd.exe PID 2352 wrote to memory of 3280 2352 16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exe cmd.exe PID 3280 wrote to memory of 3332 3280 cmd.exe PING.EXE PID 3280 wrote to memory of 3332 3280 cmd.exe PING.EXE PID 3280 wrote to memory of 3332 3280 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exe"C:\Users\Admin\AppData\Local\Temp\16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:3280 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:3332
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3336
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:400
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
f1303c80466636b8789ee20e01775fb5
SHA1e862da4dba1a142fbea3ff34ea2670d0a18fcbe2
SHA256da10a7fb589e542ab811eeab83127b9817fdea8263579d3c960d84563903e84f
SHA51244fbe491d8b6956a39b6dd63dbbe449a3c5e390c65bb8396a67058d0afcb48adc98febdde489339d0cf889c550843aad1aeab4e2bd1db2845864a33154c0a88c
-
MD5
f1303c80466636b8789ee20e01775fb5
SHA1e862da4dba1a142fbea3ff34ea2670d0a18fcbe2
SHA256da10a7fb589e542ab811eeab83127b9817fdea8263579d3c960d84563903e84f
SHA51244fbe491d8b6956a39b6dd63dbbe449a3c5e390c65bb8396a67058d0afcb48adc98febdde489339d0cf889c550843aad1aeab4e2bd1db2845864a33154c0a88c