Analysis
max time kernel: 139s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 03:45
Static task: static1
Behavioral task: behavioral1
  Sample: 16d974437a0bdebf4ef1c12334f34d5eeb09c8f678b5051ae08dd99d61e13c20.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 16d974437a0bdebf4ef1c12334f34d5eeb09c8f678b5051ae08dd99d61e13c20.exe
  Resource: win10v2004-en-20220113
General
Target: 16d974437a0bdebf4ef1c12334f34d5eeb09c8f678b5051ae08dd99d61e13c20.exe
Size: 216KB
MD5: 14ee3cb56fda7c35536f9cdfef5a6ca2
SHA1: a378ff50cc4138c21d00ce94dcd50de466fd350f
SHA256: 16d974437a0bdebf4ef1c12334f34d5eeb09c8f678b5051ae08dd99d61e13c20
SHA512: c0c37b30b5121be490fc3243c57ef251855fd35fcd1ca30d86ed62a420e956c263bd50b2ddfa9fe6a02777c9cdf89d23fa9d33cbec682e0f5f9b48080aa4ed5b
Malware Config
Signatures

Sakula Payload (4 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral2/memory/1164-135-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral2/memory/1676-136-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
Executes dropped EXE (1 IoC)
  pid | process
  1676 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 16d974437a0bdebf4ef1c12334f34d5eeb09c8f678b5051ae08dd99d61e13c20.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 16d974437a0bdebf4ef1c12334f34d5eeb09c8f678b5051ae08dd99d61e13c20.exe
Drops file in Windows directory (8 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | process
  Token: SeShutdownPrivilege | 4032 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4032 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 1164 | 16d974437a0bdebf4ef1c12334f34d5eeb09c8f678b5051ae08dd99d61e13c20.exe
  Token: SeSecurityPrivilege | 1340 | TiWorker.exe
  Token: SeRestorePrivilege | 1340 | TiWorker.exe
  Token: SeBackupPrivilege | 1340 | TiWorker.exe
  (The 64 recorded events are repeats of the rows above; verbatim duplicate rows are omitted.)
Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | target process
  PID 1164 wrote to memory of 1676 | 1164 | 16d974437a0bdebf4ef1c12334f34d5eeb09c8f678b5051ae08dd99d61e13c20.exe | MediaCenter.exe
  PID 1164 wrote to memory of 1676 | 1164 | 16d974437a0bdebf4ef1c12334f34d5eeb09c8f678b5051ae08dd99d61e13c20.exe | MediaCenter.exe
  PID 1164 wrote to memory of 1676 | 1164 | 16d974437a0bdebf4ef1c12334f34d5eeb09c8f678b5051ae08dd99d61e13c20.exe | MediaCenter.exe
  PID 1164 wrote to memory of 4428 | 1164 | 16d974437a0bdebf4ef1c12334f34d5eeb09c8f678b5051ae08dd99d61e13c20.exe | cmd.exe
  PID 1164 wrote to memory of 4428 | 1164 | 16d974437a0bdebf4ef1c12334f34d5eeb09c8f678b5051ae08dd99d61e13c20.exe | cmd.exe
  PID 1164 wrote to memory of 4428 | 1164 | 16d974437a0bdebf4ef1c12334f34d5eeb09c8f678b5051ae08dd99d61e13c20.exe | cmd.exe
  PID 4428 wrote to memory of 796 | 4428 | cmd.exe | PING.EXE
  PID 4428 wrote to memory of 796 | 4428 | cmd.exe | PING.EXE
  PID 4428 wrote to memory of 796 | 4428 | cmd.exe | PING.EXE
Processes

(level 1) C:\Users\Admin\AppData\Local\Temp\16d974437a0bdebf4ef1c12334f34d5eeb09c8f678b5051ae08dd99d61e13c20.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\16d974437a0bdebf4ef1c12334f34d5eeb09c8f678b5051ae08dd99d61e13c20.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1164

  (level 2) C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1676

  (level 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16d974437a0bdebf4ef1c12334f34d5eeb09c8f678b5051ae08dd99d61e13c20.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4428

    (level 3) C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 796

(level 1) C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4032

(level 1) C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1340
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: f67439de42045ae09148c2ccb764c862
SHA1: a485ba4f350b1c0afc09bbf6e4b522235f979bcd
SHA256: ee4aef3a4f06ad11765f23722a9eb961c4ac96d133579b272fad1557d20e89a7
SHA512: 8ab169217cbead6ec6485a9c0905629437519913e6a864d1a42d12b7825583ff5bd755f9864b0da91d59cd3cc39e4f808c9b8236c8f4774f3ad0d4612c2844ee