Analysis
max time kernel: 150s
max time network: 170s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 03:51
Static task: static1
Behavioral task: behavioral1
  Sample: 16a8ed2dea69d4670608e6963e668235dcac95c6a68dcbf093b5d65a37bdd01b.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 16a8ed2dea69d4670608e6963e668235dcac95c6a68dcbf093b5d65a37bdd01b.exe
  Resource: win10v2004-en-20220113
General
Target: 16a8ed2dea69d4670608e6963e668235dcac95c6a68dcbf093b5d65a37bdd01b.exe
Size: 92KB
MD5: 22ffa7699d3f7ebbf2b406bf781e42c0
SHA1: 73b45227e114739656a33775533eee95e43c0a1d
SHA256: 16a8ed2dea69d4670608e6963e668235dcac95c6a68dcbf093b5d65a37bdd01b
SHA512: 38b4026a485a0adc5206e1bf1adfea34ed0ec2ea6aafb0d4702245963d4e1044250433ef6c2d696bdcb5c2d3caf2ef1ad52ebbe267441a98ac9be3ab21bfb3ae
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE (1 IoC)
Processes: MediaCenter.exe
pid | process
1364 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 16a8ed2dea69d4670608e6963e668235dcac95c6a68dcbf093b5d65a37bdd01b.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 16a8ed2dea69d4670608e6963e668235dcac95c6a68dcbf093b5d65a37bdd01b.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 16a8ed2dea69d4670608e6963e668235dcac95c6a68dcbf093b5d65a37bdd01b.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 16a8ed2dea69d4670608e6963e668235dcac95c6a68dcbf093b5d65a37bdd01b.exe
Drops file in Windows directory (8 IoCs)
Processes: svchost.exe, TiWorker.exe
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: svchost.exe, 16a8ed2dea69d4670608e6963e668235dcac95c6a68dcbf093b5d65a37bdd01b.exe, TiWorker.exe
description | pid | process
Token: SeShutdownPrivilege | 3064 | svchost.exe
Token: SeCreatePagefilePrivilege | 3064 | svchost.exe
Token: SeShutdownPrivilege | 3064 | svchost.exe
Token: SeCreatePagefilePrivilege | 3064 | svchost.exe
Token: SeShutdownPrivilege | 3064 | svchost.exe
Token: SeCreatePagefilePrivilege | 3064 | svchost.exe
Token: SeIncBasePriorityPrivilege | 4112 | 16a8ed2dea69d4670608e6963e668235dcac95c6a68dcbf093b5d65a37bdd01b.exe
Token: SeSecurityPrivilege | 2980 | TiWorker.exe
Token: SeRestorePrivilege | 2980 | TiWorker.exe
Token: SeBackupPrivilege | 2980 | TiWorker.exe
Token: SeBackupPrivilege | 2980 | TiWorker.exe
Token: SeRestorePrivilege | 2980 | TiWorker.exe
Token: SeSecurityPrivilege | 2980 | TiWorker.exe
Token: SeBackupPrivilege | 2980 | TiWorker.exe
Token: SeRestorePrivilege | 2980 | TiWorker.exe
Token: SeSecurityPrivilege | 2980 | TiWorker.exe
Token: SeBackupPrivilege | 2980 | TiWorker.exe
Token: SeRestorePrivilege | 2980 | TiWorker.exe
Token: SeSecurityPrivilege | 2980 | TiWorker.exe
Token: SeBackupPrivilege | 2980 | TiWorker.exe
Token: SeRestorePrivilege | 2980 | TiWorker.exe
Token: SeSecurityPrivilege | 2980 | TiWorker.exe
Token: SeBackupPrivilege | 2980 | TiWorker.exe
Token: SeRestorePrivilege | 2980 | TiWorker.exe
Token: SeSecurityPrivilege | 2980 | TiWorker.exe
Token: SeBackupPrivilege | 2980 | TiWorker.exe
Token: SeRestorePrivilege | 2980 | TiWorker.exe
Token: SeSecurityPrivilege | 2980 | TiWorker.exe
Token: SeBackupPrivilege | 2980 | TiWorker.exe
Token: SeRestorePrivilege | 2980 | TiWorker.exe
Token: SeSecurityPrivilege | 2980 | TiWorker.exe
Token: SeBackupPrivilege | 2980 | TiWorker.exe
Token: SeRestorePrivilege | 2980 | TiWorker.exe
Token: SeSecurityPrivilege | 2980 | TiWorker.exe
Token: SeBackupPrivilege | 2980 | TiWorker.exe
Token: SeRestorePrivilege | 2980 | TiWorker.exe
Token: SeSecurityPrivilege | 2980 | TiWorker.exe
Token: SeBackupPrivilege | 2980 | TiWorker.exe
Token: SeRestorePrivilege | 2980 | TiWorker.exe
Token: SeSecurityPrivilege | 2980 | TiWorker.exe
Token: SeBackupPrivilege | 2980 | TiWorker.exe
Token: SeRestorePrivilege | 2980 | TiWorker.exe
Token: SeSecurityPrivilege | 2980 | TiWorker.exe
Token: SeBackupPrivilege | 2980 | TiWorker.exe
Token: SeRestorePrivilege | 2980 | TiWorker.exe
Token: SeSecurityPrivilege | 2980 | TiWorker.exe
Token: SeBackupPrivilege | 2980 | TiWorker.exe
Token: SeRestorePrivilege | 2980 | TiWorker.exe
Token: SeSecurityPrivilege | 2980 | TiWorker.exe
Token: SeBackupPrivilege | 2980 | TiWorker.exe
Token: SeRestorePrivilege | 2980 | TiWorker.exe
Token: SeSecurityPrivilege | 2980 | TiWorker.exe
Token: SeBackupPrivilege | 2980 | TiWorker.exe
Token: SeRestorePrivilege | 2980 | TiWorker.exe
Token: SeSecurityPrivilege | 2980 | TiWorker.exe
Token: SeBackupPrivilege | 2980 | TiWorker.exe
Token: SeRestorePrivilege | 2980 | TiWorker.exe
Token: SeSecurityPrivilege | 2980 | TiWorker.exe
Token: SeBackupPrivilege | 2980 | TiWorker.exe
Token: SeRestorePrivilege | 2980 | TiWorker.exe
Token: SeSecurityPrivilege | 2980 | TiWorker.exe
Token: SeBackupPrivilege | 2980 | TiWorker.exe
Token: SeRestorePrivilege | 2980 | TiWorker.exe
Token: SeSecurityPrivilege | 2980 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 16a8ed2dea69d4670608e6963e668235dcac95c6a68dcbf093b5d65a37bdd01b.exe, cmd.exe
description | pid | process | target process
PID 4112 wrote to memory of 1364 | 4112 | 16a8ed2dea69d4670608e6963e668235dcac95c6a68dcbf093b5d65a37bdd01b.exe | MediaCenter.exe
PID 4112 wrote to memory of 1364 | 4112 | 16a8ed2dea69d4670608e6963e668235dcac95c6a68dcbf093b5d65a37bdd01b.exe | MediaCenter.exe
PID 4112 wrote to memory of 1364 | 4112 | 16a8ed2dea69d4670608e6963e668235dcac95c6a68dcbf093b5d65a37bdd01b.exe | MediaCenter.exe
PID 4112 wrote to memory of 1644 | 4112 | 16a8ed2dea69d4670608e6963e668235dcac95c6a68dcbf093b5d65a37bdd01b.exe | cmd.exe
PID 4112 wrote to memory of 1644 | 4112 | 16a8ed2dea69d4670608e6963e668235dcac95c6a68dcbf093b5d65a37bdd01b.exe | cmd.exe
PID 4112 wrote to memory of 1644 | 4112 | 16a8ed2dea69d4670608e6963e668235dcac95c6a68dcbf093b5d65a37bdd01b.exe | cmd.exe
PID 1644 wrote to memory of 2308 | 1644 | cmd.exe | PING.EXE
PID 1644 wrote to memory of 2308 | 1644 | cmd.exe | PING.EXE
PID 1644 wrote to memory of 2308 | 1644 | cmd.exe | PING.EXE
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\16a8ed2dea69d4670608e6963e668235dcac95c6a68dcbf093b5d65a37bdd01b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\16a8ed2dea69d4670608e6963e668235dcac95c6a68dcbf093b5d65a37bdd01b.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4112
  - Image: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1364
  - Image: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16a8ed2dea69d4670608e6963e668235dcac95c6a68dcbf093b5d65a37bdd01b.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1644
    - Image: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 2308
- Image: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3064
- Image: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2980
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 7ed719cfba444270ae56789d785e6ce3
SHA1: 939ac97762e29f58db9f52043f16926c6683b971
SHA256: 3971e7a341b4d11c9ce9dedfc01116f8231456b2216debe4046e217f47374088
SHA512: 93a45f6fc18857e6e3a5d07df245f0d9cb5ec9008e577533dc928228f07c259c2be99e02a69fe9038dcf41c372984cc2175e4960d4f7124485339d14664ee5ce

MD5: 7ed719cfba444270ae56789d785e6ce3
SHA1: 939ac97762e29f58db9f52043f16926c6683b971
SHA256: 3971e7a341b4d11c9ce9dedfc01116f8231456b2216debe4046e217f47374088
SHA512: 93a45f6fc18857e6e3a5d07df245f0d9cb5ec9008e577533dc928228f07c259c2be99e02a69fe9038dcf41c372984cc2175e4960d4f7124485339d14664ee5ce