Analysis
- max time kernel: 144s
- max time network: 178s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 03:51

Static task: static1

Behavioral task: behavioral1
- Sample: 16a6f62d1792c035cb58d6419575b278e6b246b505b207a75540f14ac1ec7eec.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 16a6f62d1792c035cb58d6419575b278e6b246b505b207a75540f14ac1ec7eec.exe
- Resource: win10v2004-en-20220113
General
- Target: 16a6f62d1792c035cb58d6419575b278e6b246b505b207a75540f14ac1ec7eec.exe
- Size: 101KB
- MD5: 3e1c544b9b1c4ebda7b9c820c6a56c0e
- SHA1: 49fceb5b811bef494632397614fb19dea5ba3b19
- SHA256: 16a6f62d1792c035cb58d6419575b278e6b246b505b207a75540f14ac1ec7eec
- SHA512: 694dc2d978a7e7d347026874ae77671eb8e995ccf0395810d43c7f903ff165a3739bc1ac4a445528e58808ae73e4d394eae819a14f9396e495be49cc4224d64c
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
  pid | process
  4608 | MediaCenter.exe

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: 16a6f62d1792c035cb58d6419575b278e6b246b505b207a75540f14ac1ec7eec.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 16a6f62d1792c035cb58d6419575b278e6b246b505b207a75540f14ac1ec7eec.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 16a6f62d1792c035cb58d6419575b278e6b246b505b207a75540f14ac1ec7eec.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 16a6f62d1792c035cb58d6419575b278e6b246b505b207a75540f14ac1ec7eec.exe

- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 16a6f62d1792c035cb58d6419575b278e6b246b505b207a75540f14ac1ec7eec.exe, cmd.exe
  description | pid process | target process
  PID 4936 wrote to memory of 4608 | 4936 16a6f62d1792c035cb58d6419575b278e6b246b505b207a75540f14ac1ec7eec.exe | MediaCenter.exe
  PID 4936 wrote to memory of 4608 | 4936 16a6f62d1792c035cb58d6419575b278e6b246b505b207a75540f14ac1ec7eec.exe | MediaCenter.exe
  PID 4936 wrote to memory of 4608 | 4936 16a6f62d1792c035cb58d6419575b278e6b246b505b207a75540f14ac1ec7eec.exe | MediaCenter.exe
  PID 4936 wrote to memory of 2892 | 4936 16a6f62d1792c035cb58d6419575b278e6b246b505b207a75540f14ac1ec7eec.exe | cmd.exe
  PID 4936 wrote to memory of 2892 | 4936 16a6f62d1792c035cb58d6419575b278e6b246b505b207a75540f14ac1ec7eec.exe | cmd.exe
  PID 4936 wrote to memory of 2892 | 4936 16a6f62d1792c035cb58d6419575b278e6b246b505b207a75540f14ac1ec7eec.exe | cmd.exe
  PID 2892 wrote to memory of 4728 | 2892 cmd.exe | PING.EXE
  PID 2892 wrote to memory of 4728 | 2892 cmd.exe | PING.EXE
  PID 2892 wrote to memory of 4728 | 2892 cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\16a6f62d1792c035cb58d6419575b278e6b246b505b207a75540f14ac1ec7eec.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\16a6f62d1792c035cb58d6419575b278e6b246b505b207a75540f14ac1ec7eec.exe"
  PID: 4936
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4608
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16a6f62d1792c035cb58d6419575b278e6b246b505b207a75540f14ac1ec7eec.exe"
    PID: 2892
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 4728
      - Runs ping.exe

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4904
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 2136
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: e46f2ec34461299c8b1899ab89416b55
  SHA1: b6e7f49c35712c8589f4e9cdb12ffc78ee32e37d
  SHA256: fab72f91eb91a475d01d6a3e8b4e3371aef737cf8a14d48c48e48352ccd2e283
  SHA512: 455b5c1778023fddc14eca5936ec51cb713b331a94bc95324be2a0dcf25f642204ab9d08ae8c7f2ef034348024f36372a6c69103eb32340bcb7c5b1a8cf774fb