Analysis
-
max time kernel
140s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 03:45
Static task
static1
Behavioral task
behavioral1
Sample
16d6caa13a70cfa980222a7c95cd301f85e94c8ea3f6f20b8bb37bf3de654d1f.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
16d6caa13a70cfa980222a7c95cd301f85e94c8ea3f6f20b8bb37bf3de654d1f.exe
Resource
win10v2004-en-20220113
General
-
Target
16d6caa13a70cfa980222a7c95cd301f85e94c8ea3f6f20b8bb37bf3de654d1f.exe
-
Size
79KB
-
MD5
1ad3faa5164992eab954997a67001333
-
SHA1
20259c2708a920aff6e323c6dd177b9ed2f8e474
-
SHA256
16d6caa13a70cfa980222a7c95cd301f85e94c8ea3f6f20b8bb37bf3de654d1f
-
SHA512
54af2deda19ebfb663f79258d4111f484d739e082bcea2ed0ad3f81719296ea6ef970c4c9f8fd9e6d41b96570084650d915424019332782808c3cfb79a1c5e8c
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 4844 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
16d6caa13a70cfa980222a7c95cd301f85e94c8ea3f6f20b8bb37bf3de654d1f.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 16d6caa13a70cfa980222a7c95cd301f85e94c8ea3f6f20b8bb37bf3de654d1f.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
16d6caa13a70cfa980222a7c95cd301f85e94c8ea3f6f20b8bb37bf3de654d1f.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 16d6caa13a70cfa980222a7c95cd301f85e94c8ea3f6f20b8bb37bf3de654d1f.exe -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exe16d6caa13a70cfa980222a7c95cd301f85e94c8ea3f6f20b8bb37bf3de654d1f.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 2996 svchost.exe Token: SeCreatePagefilePrivilege 2996 svchost.exe Token: SeShutdownPrivilege 2996 svchost.exe Token: SeCreatePagefilePrivilege 2996 svchost.exe Token: SeShutdownPrivilege 2996 svchost.exe Token: SeCreatePagefilePrivilege 2996 svchost.exe Token: SeIncBasePriorityPrivilege 2848 16d6caa13a70cfa980222a7c95cd301f85e94c8ea3f6f20b8bb37bf3de654d1f.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe Token: SeBackupPrivilege 3624 TiWorker.exe Token: SeRestorePrivilege 3624 TiWorker.exe Token: SeSecurityPrivilege 3624 TiWorker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
16d6caa13a70cfa980222a7c95cd301f85e94c8ea3f6f20b8bb37bf3de654d1f.execmd.exedescription pid process target process PID 2848 wrote to memory of 4844 2848 16d6caa13a70cfa980222a7c95cd301f85e94c8ea3f6f20b8bb37bf3de654d1f.exe MediaCenter.exe PID 2848 wrote to memory of 4844 2848 16d6caa13a70cfa980222a7c95cd301f85e94c8ea3f6f20b8bb37bf3de654d1f.exe MediaCenter.exe PID 2848 wrote to memory of 4844 2848 16d6caa13a70cfa980222a7c95cd301f85e94c8ea3f6f20b8bb37bf3de654d1f.exe MediaCenter.exe PID 2848 wrote to memory of 224 2848 16d6caa13a70cfa980222a7c95cd301f85e94c8ea3f6f20b8bb37bf3de654d1f.exe cmd.exe PID 2848 wrote to memory of 224 2848 16d6caa13a70cfa980222a7c95cd301f85e94c8ea3f6f20b8bb37bf3de654d1f.exe cmd.exe PID 2848 wrote to memory of 224 2848 16d6caa13a70cfa980222a7c95cd301f85e94c8ea3f6f20b8bb37bf3de654d1f.exe cmd.exe PID 224 wrote to memory of 1668 224 cmd.exe PING.EXE PID 224 wrote to memory of 1668 224 cmd.exe PING.EXE PID 224 wrote to memory of 1668 224 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\16d6caa13a70cfa980222a7c95cd301f85e94c8ea3f6f20b8bb37bf3de654d1f.exe"C:\Users\Admin\AppData\Local\Temp\16d6caa13a70cfa980222a7c95cd301f85e94c8ea3f6f20b8bb37bf3de654d1f.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16d6caa13a70cfa980222a7c95cd301f85e94c8ea3f6f20b8bb37bf3de654d1f.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1668
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2996
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3624
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
ca203ed30892438bd7f4c4e12fdd929b
SHA199678a2ab4290dde83112e1776c77cfb6cbecf53
SHA256aed2332383f7e9b3d766c3c89b0affe45108812e6d78caa8f4629c1b29c042b7
SHA51235beaaafbcc548c171be00d2dd4b16e605018e17e47ecde51f65e53f09d1e1cc8f0dde91323d477c01e18e7cf0448bf6008fb602a702fdb4362a5c5c18dbd8ee
-
MD5
ca203ed30892438bd7f4c4e12fdd929b
SHA199678a2ab4290dde83112e1776c77cfb6cbecf53
SHA256aed2332383f7e9b3d766c3c89b0affe45108812e6d78caa8f4629c1b29c042b7
SHA51235beaaafbcc548c171be00d2dd4b16e605018e17e47ecde51f65e53f09d1e1cc8f0dde91323d477c01e18e7cf0448bf6008fb602a702fdb4362a5c5c18dbd8ee