Analysis
-
max time kernel
135s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 03:45
Static task
static1
Behavioral task
behavioral1
Sample
16d8a03d3c12ca5fee24e0e023cb95237bfff9d2555782fc09932fd2dd798139.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
16d8a03d3c12ca5fee24e0e023cb95237bfff9d2555782fc09932fd2dd798139.exe
Resource
win10v2004-en-20220113
General
-
Target
16d8a03d3c12ca5fee24e0e023cb95237bfff9d2555782fc09932fd2dd798139.exe
-
Size
101KB
-
MD5
3875414913996eac2b786994b760de04
-
SHA1
807e5963591e1f0d0efa87eef54e30930a4c431c
-
SHA256
16d8a03d3c12ca5fee24e0e023cb95237bfff9d2555782fc09932fd2dd798139
-
SHA512
271768d2e900c7083021627594a4d2b9c59a714d232eb9102389c798ae3c6ec8c861f0f606d88d39c1ebca0d7bacf04fe6252abe72ffa6e3c5fde75cc7c9f002
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 368 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
16d8a03d3c12ca5fee24e0e023cb95237bfff9d2555782fc09932fd2dd798139.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 16d8a03d3c12ca5fee24e0e023cb95237bfff9d2555782fc09932fd2dd798139.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
16d8a03d3c12ca5fee24e0e023cb95237bfff9d2555782fc09932fd2dd798139.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 16d8a03d3c12ca5fee24e0e023cb95237bfff9d2555782fc09932fd2dd798139.exe -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exe16d8a03d3c12ca5fee24e0e023cb95237bfff9d2555782fc09932fd2dd798139.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 3116 svchost.exe Token: SeCreatePagefilePrivilege 3116 svchost.exe Token: SeShutdownPrivilege 3116 svchost.exe Token: SeCreatePagefilePrivilege 3116 svchost.exe Token: SeShutdownPrivilege 3116 svchost.exe Token: SeCreatePagefilePrivilege 3116 svchost.exe Token: SeIncBasePriorityPrivilege 3208 16d8a03d3c12ca5fee24e0e023cb95237bfff9d2555782fc09932fd2dd798139.exe Token: SeSecurityPrivilege 1768 TiWorker.exe Token: SeRestorePrivilege 1768 TiWorker.exe Token: SeBackupPrivilege 1768 TiWorker.exe Token: SeBackupPrivilege 1768 TiWorker.exe Token: SeRestorePrivilege 1768 TiWorker.exe Token: SeSecurityPrivilege 1768 TiWorker.exe Token: SeBackupPrivilege 1768 TiWorker.exe Token: SeRestorePrivilege 1768 TiWorker.exe Token: SeSecurityPrivilege 1768 TiWorker.exe Token: SeBackupPrivilege 1768 TiWorker.exe Token: SeRestorePrivilege 1768 TiWorker.exe Token: SeSecurityPrivilege 1768 TiWorker.exe Token: SeBackupPrivilege 1768 TiWorker.exe Token: SeRestorePrivilege 1768 TiWorker.exe Token: SeSecurityPrivilege 1768 TiWorker.exe Token: SeBackupPrivilege 1768 TiWorker.exe Token: SeRestorePrivilege 1768 TiWorker.exe Token: SeSecurityPrivilege 1768 TiWorker.exe Token: SeBackupPrivilege 1768 TiWorker.exe Token: SeRestorePrivilege 1768 TiWorker.exe Token: SeSecurityPrivilege 1768 TiWorker.exe Token: SeBackupPrivilege 1768 TiWorker.exe Token: SeRestorePrivilege 1768 TiWorker.exe Token: SeSecurityPrivilege 1768 TiWorker.exe Token: SeBackupPrivilege 1768 TiWorker.exe Token: SeRestorePrivilege 1768 TiWorker.exe Token: SeSecurityPrivilege 1768 TiWorker.exe Token: SeBackupPrivilege 1768 TiWorker.exe Token: SeRestorePrivilege 1768 TiWorker.exe Token: SeSecurityPrivilege 1768 TiWorker.exe Token: SeBackupPrivilege 1768 TiWorker.exe Token: SeRestorePrivilege 1768 TiWorker.exe Token: SeSecurityPrivilege 1768 TiWorker.exe Token: SeBackupPrivilege 1768 TiWorker.exe Token: SeRestorePrivilege 1768 TiWorker.exe Token: SeSecurityPrivilege 1768 TiWorker.exe Token: SeBackupPrivilege 1768 TiWorker.exe Token: SeRestorePrivilege 1768 TiWorker.exe Token: SeSecurityPrivilege 1768 TiWorker.exe Token: SeBackupPrivilege 1768 TiWorker.exe Token: SeRestorePrivilege 1768 TiWorker.exe Token: SeSecurityPrivilege 1768 TiWorker.exe Token: SeBackupPrivilege 1768 TiWorker.exe Token: SeRestorePrivilege 1768 TiWorker.exe Token: SeSecurityPrivilege 1768 TiWorker.exe Token: SeBackupPrivilege 1768 TiWorker.exe Token: SeRestorePrivilege 1768 TiWorker.exe Token: SeSecurityPrivilege 1768 TiWorker.exe Token: SeBackupPrivilege 1768 TiWorker.exe Token: SeRestorePrivilege 1768 TiWorker.exe Token: SeSecurityPrivilege 1768 TiWorker.exe Token: SeBackupPrivilege 1768 TiWorker.exe Token: SeRestorePrivilege 1768 TiWorker.exe Token: SeSecurityPrivilege 1768 TiWorker.exe Token: SeBackupPrivilege 1768 TiWorker.exe Token: SeRestorePrivilege 1768 TiWorker.exe Token: SeSecurityPrivilege 1768 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
16d8a03d3c12ca5fee24e0e023cb95237bfff9d2555782fc09932fd2dd798139.execmd.exedescription pid process target process PID 3208 wrote to memory of 368 3208 16d8a03d3c12ca5fee24e0e023cb95237bfff9d2555782fc09932fd2dd798139.exe MediaCenter.exe PID 3208 wrote to memory of 368 3208 16d8a03d3c12ca5fee24e0e023cb95237bfff9d2555782fc09932fd2dd798139.exe MediaCenter.exe PID 3208 wrote to memory of 368 3208 16d8a03d3c12ca5fee24e0e023cb95237bfff9d2555782fc09932fd2dd798139.exe MediaCenter.exe PID 3208 wrote to memory of 704 3208 16d8a03d3c12ca5fee24e0e023cb95237bfff9d2555782fc09932fd2dd798139.exe cmd.exe PID 3208 wrote to memory of 704 3208 16d8a03d3c12ca5fee24e0e023cb95237bfff9d2555782fc09932fd2dd798139.exe cmd.exe PID 3208 wrote to memory of 704 3208 16d8a03d3c12ca5fee24e0e023cb95237bfff9d2555782fc09932fd2dd798139.exe cmd.exe PID 704 wrote to memory of 4832 704 cmd.exe PING.EXE PID 704 wrote to memory of 4832 704 cmd.exe PING.EXE PID 704 wrote to memory of 4832 704 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\16d8a03d3c12ca5fee24e0e023cb95237bfff9d2555782fc09932fd2dd798139.exe"C:\Users\Admin\AppData\Local\Temp\16d8a03d3c12ca5fee24e0e023cb95237bfff9d2555782fc09932fd2dd798139.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:368 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16d8a03d3c12ca5fee24e0e023cb95237bfff9d2555782fc09932fd2dd798139.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:704 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:4832
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3116
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1768
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
e0fe890d319b8abb3f8abfa6eed7261e
SHA196f6b0a4b62fd847c1a0d5457b99eb5380deafb0
SHA25602f9c873513c52f7c5c719717f6a7fc46e32309e99ac6c8c6083ff585367552f
SHA5128a71c030d7c280be9de132b54db8f14410c80e28ea0df235988db3ad9270078b6dd15b59809089912a9f46cc05e0ac3f4e5a1c0b735fd482dedc18be84f443b1
-
MD5
e0fe890d319b8abb3f8abfa6eed7261e
SHA196f6b0a4b62fd847c1a0d5457b99eb5380deafb0
SHA25602f9c873513c52f7c5c719717f6a7fc46e32309e99ac6c8c6083ff585367552f
SHA5128a71c030d7c280be9de132b54db8f14410c80e28ea0df235988db3ad9270078b6dd15b59809089912a9f46cc05e0ac3f4e5a1c0b735fd482dedc18be84f443b1