Analysis
- max time kernel: 141s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 03:53

Static task: static1
Behavioral task: behavioral1, sample 16979cf87c480628f3de64b103c42f371fdc91dd2bae187652e257b9d928ad4b.exe, resource win7-en-20211208
Behavioral task: behavioral2, sample 16979cf87c480628f3de64b103c42f371fdc91dd2bae187652e257b9d928ad4b.exe, resource win10v2004-en-20220113
The results below are from behavioral2 (the platform and resource fields above are that task's).
General
- Target: 16979cf87c480628f3de64b103c42f371fdc91dd2bae187652e257b9d928ad4b.exe
- Size: 150KB
- MD5: 5354bf6de593c4f112a939e84675b17b
- SHA1: f76166b1b832f590cc505b1d7bfa1af5141b622c
- SHA256: 16979cf87c480628f3de64b103c42f371fdc91dd2bae187652e257b9d928ad4b
- SHA512: 9e0e92bc0f43976febc022353f760dc13652ecc1a21bd0b2507592bb5ff5ce62c2bfd9567f7f8ad6f616f0f844fc4538af2e860f71ebd5503ec7c3648803957c
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  YARA rule family_sakula matched twice on the dropped file C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe.
- Executes dropped EXE (1 IoC)
  PID 4600: MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried by 16979cf87c480628f3de64b103c42f371fdc91dd2bae187652e257b9d928ad4b.exe: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  The Nation value is the user's Windows GeoID (a numeric country code), so this read lets the sample decide whether to proceed based on locale. Note that it is a registry read: Sysmon's registry events (12, 13, 14) only record creates, sets and renames, so this behaviour is only visible in API-level telemetry such as the sandbox's.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by 16979cf87c480628f3de64b103c42f371fdc91dd2bae187652e257b9d928ad4b.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  The WOW6432Node path means the 32-bit sample wrote HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and registry redirection placed it in the 32-bit view. When checking a host, query both views (for example reg query with /reg:32 and /reg:64), since a 64-bit tool reading only the native Run key will miss this entry.
- Drops file in Windows directory (8 IoCs)
  File opened for modification by TiWorker.exe: C:\Windows\WinSxS\pending.xml; C:\Windows\Logs\CBS\CBS.log
  File opened for modification by svchost.exe: C:\Windows\WindowsUpdate.log; C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk; C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log; C:\Windows\SoftwareDistribution\DataStore\DataStore.edb; C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm; C:\Windows\SoftwareDistribution\ReportingEvents.log
  All eight are written by the Windows Update service host (svchost.exe -k netsvcs -p -s wuauserv) and the servicing worker (TiWorker.exe), not by the sample; this is sandbox background activity.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  No IoC is attached to this signature, and the "ransomware" wording is the signature's generic description rather than a finding of this run. The rest of the report (family_sakula match, Run-key persistence, dropper self-deletion, no file encryption recorded) is consistent with the Sakula backdoor, not ransomware.
- Runs ping.exe (1 TTPs, 1 IoC)
  ping 127.0.0.1, launched through cmd.exe as a delay before the original sample file is deleted (see the process tree).
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 3272 16979cf87c480628f3de64b103c42f371fdc91dd2bae187652e257b9d928ad4b.exe: SeIncBasePriorityPrivilege (1 entry, the only one attributable to the sample)
  PID 4748 svchost.exe: SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating (6 entries)
  PID 2040 TiWorker.exe: SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, cycled repeatedly (the remaining 57 entries)
  The svchost.exe and TiWorker.exe entries are Windows Update and component servicing activity in the sandbox, not sample behaviour.
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 3272 (16979cf87c480628f3de64b103c42f371fdc91dd2bae187652e257b9d928ad4b.exe) wrote to memory of PID 4600 (MediaCenter.exe), 3 times
  PID 3272 (16979cf87c480628f3de64b103c42f371fdc91dd2bae187652e257b9d928ad4b.exe) wrote to memory of PID 3640 (cmd.exe), 3 times
  PID 3640 (cmd.exe) wrote to memory of PID 3560 (PING.EXE), 3 times
  Each triple is a parent writing into a child it has just started (the same parent/child pairs appear in the process tree), which is consistent with ordinary process creation rather than injection into an unrelated process.
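Most of the signature volume above (the 8 dropped files and 63 of the 64 token adjustments) belongs to the Windows Update processes that happened to run in the sandbox, not to the sample. The following added example (not part of the report or of any Triage tooling) shows the triage step that makes that explicit: walk the process tree and keep only IoCs whose PID descends from the submitted sample's root process. The PIDs, images and IoC rows are transcribed from the report; the tuple layout is an assumption for this example.

```python
"""Separate IoCs attributable to the submitted sample from sandbox background
activity by process lineage: an IoC counts as the sample's only if its PID is
in the subtree rooted at the sample's process. Added example; PIDs and events
are transcribed from the report, the record layout is an assumption."""
from collections import defaultdict

SAMPLE_PID = 3272  # root of the sample's tree in the report

# (pid, parent pid, image) from the process tree; top-level processes have no
# recorded parent.
PROCESSES = [
    (3272, None, "16979cf87c480628f3de64b103c42f371fdc91dd2bae187652e257b9d928ad4b.exe"),
    (4600, 3272, "MediaCenter.exe"),
    (3640, 3272, "cmd.exe"),
    (3560, 3640, "PING.EXE"),
    (4748, None, "svchost.exe -k netsvcs -p -s wuauserv"),
    (2040, None, "TiWorker.exe -Embedding"),
]

# (signature, pid, detail): one representative row per signature/process pair
# seen in the report (the full report has 64 token rows and 8 file rows).
IOCS = [
    ("Adds Run key to start application", 3272,
     r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia"),
    ("Suspicious use of AdjustPrivilegeToken", 3272, "SeIncBasePriorityPrivilege"),
    ("Suspicious use of AdjustPrivilegeToken", 4748, "SeShutdownPrivilege"),
    ("Suspicious use of AdjustPrivilegeToken", 2040, "SeBackupPrivilege"),
    ("Drops file in Windows directory", 2040, r"C:\Windows\WinSxS\pending.xml"),
    ("Drops file in Windows directory", 4748, r"C:\Windows\WindowsUpdate.log"),
    ("Executes dropped EXE", 4600,
     r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"),
    ("Runs ping.exe", 3560, "ping 127.0.0.1"),
]


def descendants(root, processes):
    """All PIDs in the subtree rooted at `root`, root included."""
    children = defaultdict(list)
    for pid, ppid, _ in processes:
        children[ppid].append(pid)
    seen, stack = set(), [root]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        stack.extend(children[pid])
    return seen


def split_iocs(root, processes, iocs):
    """Partition IoCs into (sample-attributed, background) by process lineage."""
    tree = descendants(root, processes)
    attributed = [ioc for ioc in iocs if ioc[1] in tree]
    background = [ioc for ioc in iocs if ioc[1] not in tree]
    return attributed, background


if __name__ == "__main__":
    attributed, background = split_iocs(SAMPLE_PID, PROCESSES, IOCS)
    print("sample-attributed:")
    for sig, pid, detail in attributed:
        print(f"  {pid:5} {sig}: {detail}")
    print("background (Windows Update / servicing):")
    for sig, pid, detail in background:
        print(f"  {pid:5} {sig}: {detail}")
```

Run against the rows above, the "Drops file in Windows directory" signature falls entirely into the background partition, and the sample keeps exactly four IoCs: the Run key, its own SeIncBasePriorityPrivilege adjustment, the dropped-EXE execution and the ping.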
Processes
- C:\Users\Admin\AppData\Local\Temp\16979cf87c480628f3de64b103c42f371fdc91dd2bae187652e257b9d928ad4b.exe (PID 3272)
  command line: "C:\Users\Admin\AppData\Local\Temp\16979cf87c480628f3de64b103c42f371fdc91dd2bae187652e257b9d928ad4b.exe"
  signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 4600)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 3640)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16979cf87c480628f3de64b103c42f371fdc91dd2bae187652e257b9d928ad4b.exe"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 3560)
      command line: ping 127.0.0.1
      signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 4748)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 2040)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

Notes on the tree:
- The sample asked for C:\Windows\System32\cmd.exe but the process that ran is C:\Windows\SysWOW64\cmd.exe: WOW64 file-system redirection, which confirms a 32-bit sample on an x64 guest and matches the Run key landing under WOW6432Node.
- "ping 127.0.0.1 & del /q <sample>" is the common self-deletion idiom: ping to loopback (four echo requests by default) burns a few seconds so the parent can exit before del removes the original file, leaving only the dropped MediaCenter.exe and its Run key on disk. The two-task cmd.exe child is therefore the only place the sample's original path shows up after the run.
- The svchost.exe (wuauserv) and TiWorker.exe trees are Windows Update activity in the sandbox and are unrelated to the sample.
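Three behaviours in this report are the sample's own: the Run key pointing into the user's Temp directory, the Geo\Nation registry read, and the ping-then-del self-deletion. The following added example (not part of the report or of any Triage tooling) expresses each as a detection rule and runs them over constructed event lines modelled on the report. The "kind=...|process=...|target=...|data=..." record layout and the abbreviated sample name 16979cf8.exe are assumptions for the example; the paths, key names and command line are the report's.

```python
"""Detection rules for the three behaviours the report attributes to the sample
itself: Run-key persistence pointing into a user-writable temp directory, a
read of Control Panel\\International\\Geo\\Nation (geofence), and the
'ping 127.0.0.1 & del' self-deletion of the dropper. Added example; it runs
over constructed event lines modelled on the report, not real telemetry."""
import re
from dataclasses import dataclass

# Constructed events in a 'key=value|key=value' layout assumed for this example.
# 'data' carries the value written for reg_set and the parent image for
# proc_create. The sample's file name is abbreviated to 16979cf8.exe.
SAMPLE_EVENTS = [
    r"kind=reg_set|process=C:\Users\Admin\AppData\Local\Temp\16979cf8.exe"
    r"|target=HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia"
    r"|data=C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
    r"kind=reg_query|process=C:\Users\Admin\AppData\Local\Temp\16979cf8.exe"
    r"|target=HKU\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation",
    r'kind=proc_create|process=C:\Windows\SysWOW64\cmd.exe'
    r'|target="C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16979cf8.exe"'
    r'|data=C:\Users\Admin\AppData\Local\Temp\16979cf8.exe',
    # Benign noise that must not fire: a Run entry pointing into System32,
    # a Geo\Nation read by explorer.exe, and a ping with no del after it.
    r"kind=reg_set|process=C:\Windows\system32\svchost.exe"
    r"|target=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth"
    r"|data=C:\Windows\system32\SecurityHealthSystray.exe",
    r"kind=reg_query|process=C:\Windows\explorer.exe"
    r"|target=HKU\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation",
    r"kind=proc_create|process=C:\Windows\System32\cmd.exe"
    r"|target=cmd.exe /c ping 10.0.0.5 -n 4|data=C:\Windows\explorer.exe",
]

# Anchored on the key tail only, so it matches both the native Run key and the
# WOW6432Node mirror a 32-bit process's write is redirected to (as in the report).
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
USER_TEMP = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
PING_THEN_DEL = re.compile(r"\bping\s+127\.0\.0\.1\b.*&\s*del\b", re.I)
DEL_TARGET = re.compile(r'\bdel\b(?:\s+/\w+)*\s+"?([^"]+?)"?\s*$', re.I)


@dataclass
class Event:
    kind: str      # reg_set | reg_query | proc_create
    process: str   # image path of the acting process
    target: str    # registry path, or full command line for proc_create
    data: str      # value written (reg_set) / parent image (proc_create)


def parse(line: str) -> Event:
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return Event(fields["kind"], fields["process"],
                 fields.get("target", ""), fields.get("data", ""))


def rule_run_key_user_temp(ev: Event) -> bool:
    """Run value whose command lives under the user's AppData\\Local\\Temp."""
    return (ev.kind == "reg_set" and bool(RUN_KEY.search(ev.target))
            and bool(USER_TEMP.match(ev.data.strip('"'))))


def rule_geofence_lookup(ev: Event) -> bool:
    """Geo\\Nation read by a process outside C:\\Windows. This is a registry
    read, which Sysmon events 12/13/14 do not cover; it needs API-level
    telemetry such as a sandbox or EDR hook."""
    return (ev.kind == "reg_query" and bool(GEO_NATION.search(ev.target))
            and not ev.process.lower().startswith("c:\\windows\\"))


def rule_ping_self_delete(ev: Event) -> bool:
    """Command line that pings loopback and then deletes its parent's image."""
    if ev.kind != "proc_create" or not PING_THEN_DEL.search(ev.target):
        return False
    m = DEL_TARGET.search(ev.target)
    return bool(m) and m.group(1).lower() == ev.data.lower()


RULES = {
    "persistence.run_key_user_temp": rule_run_key_user_temp,
    "discovery.geofence_nation_read": rule_geofence_lookup,
    "defense_evasion.ping_self_delete": rule_ping_self_delete,
}


def detect(lines):
    """Return (rule name, acting process) for every rule that fires, in order."""
    hits = []
    for line in lines:
        ev = parse(line)
        hits.extend((name, ev.process) for name, rule in RULES.items() if rule(ev))
    return hits


if __name__ == "__main__":
    for name, proc in detect(SAMPLE_EVENTS):
        print(f"{name:36} {proc}")
```

The self-deletion rule deliberately requires the deleted path to equal the parent image: "cmd /c ping ... & del" of some other file is a common installer cleanup idiom and would flood an alert queue. The geofence rule is the one to watch when porting to production telemetry, since only sources that hook registry reads can feed it.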
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 02511843f5aea3886ca27c882106be91
- SHA1: beff66e40eee85fee33b5cff0d6e0367f007c3e4
- SHA256: 8055fc26d379b9d339472156ac4e44f8e20d33e36fe6b160574f21bebb37df74
- SHA512: ad416725e6193f14c7fdf6a64b43d7e3b607270c3653bbdbc8da2a2c2eea627449f487b7f2c82721386c451f6299ee57af8e94a4d6fabdabfd6aa9f89a3dc082
  These hashes differ from the submitted sample's, so this download is a file produced during the run rather than the sample itself; the only dropped executable recorded in this report is C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe.