Analysis
max time kernel: 142s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 03:57

Static task: static1

Behavioral task: behavioral1
  Sample: 16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe
  Resource: win10v2004-en-20220113

General
Target: 16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe
Size: 152KB
MD5: 40509d6c4cf888e31658ed6f836bc158
SHA1: 93fe1cb612f9590ba60401956d6811dbe56099ef
SHA256: 16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a
SHA512: c140545bc75ed7ebeaa0642c72ba2614742f297fd7bd196896d0d05e06bbcae313532a8916fc1cdfcf5e9ba8a7725ecc25fff69631984c6a2465550b71a07caf
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula

Executes dropped EXE (1 IoCs)
Processes: MediaCenter.exe
  pid 4488  process MediaCenter.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  process: 16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: 16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe

Drops file in Windows directory (8 IoCs)
Processes: svchost.exe, TiWorker.exe
  description                   ioc                                                        process
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm    svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log        svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log                                TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml                              TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log                               svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk     svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log     svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb    svchost.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: svchost.exe, 16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe, TiWorker.exe
  description                        pid   process
  Token: SeShutdownPrivilege         4860  svchost.exe
  Token: SeCreatePagefilePrivilege   4860  svchost.exe
  Token: SeShutdownPrivilege         4860  svchost.exe
  Token: SeCreatePagefilePrivilege   4860  svchost.exe
  Token: SeShutdownPrivilege         4860  svchost.exe
  Token: SeCreatePagefilePrivilege   4860  svchost.exe
  Token: SeIncBasePriorityPrivilege  1408  16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe
  Token: SeSecurityPrivilege         4808  TiWorker.exe
  Token: SeRestorePrivilege          4808  TiWorker.exe
  Token: SeBackupPrivilege           4808  TiWorker.exe
  Token: SeBackupPrivilege           4808  TiWorker.exe
  Token: SeRestorePrivilege          4808  TiWorker.exe
  Token: SeSecurityPrivilege         4808  TiWorker.exe
  Token: SeBackupPrivilege           4808  TiWorker.exe
  Token: SeRestorePrivilege          4808  TiWorker.exe
  Token: SeSecurityPrivilege         4808  TiWorker.exe
  Token: SeBackupPrivilege           4808  TiWorker.exe
  Token: SeRestorePrivilege          4808  TiWorker.exe
  Token: SeSecurityPrivilege         4808  TiWorker.exe
  Token: SeBackupPrivilege           4808  TiWorker.exe
  Token: SeRestorePrivilege          4808  TiWorker.exe
  Token: SeSecurityPrivilege         4808  TiWorker.exe
  Token: SeBackupPrivilege           4808  TiWorker.exe
  Token: SeRestorePrivilege          4808  TiWorker.exe
  Token: SeSecurityPrivilege         4808  TiWorker.exe
  Token: SeBackupPrivilege           4808  TiWorker.exe
  Token: SeRestorePrivilege          4808  TiWorker.exe
  Token: SeSecurityPrivilege         4808  TiWorker.exe
  Token: SeBackupPrivilege           4808  TiWorker.exe
  Token: SeRestorePrivilege          4808  TiWorker.exe
  Token: SeSecurityPrivilege         4808  TiWorker.exe
  Token: SeBackupPrivilege           4808  TiWorker.exe
  Token: SeRestorePrivilege          4808  TiWorker.exe
  Token: SeSecurityPrivilege         4808  TiWorker.exe
  Token: SeBackupPrivilege           4808  TiWorker.exe
  Token: SeRestorePrivilege          4808  TiWorker.exe
  Token: SeSecurityPrivilege         4808  TiWorker.exe
  Token: SeBackupPrivilege           4808  TiWorker.exe
  Token: SeRestorePrivilege          4808  TiWorker.exe
  Token: SeSecurityPrivilege         4808  TiWorker.exe
  Token: SeBackupPrivilege           4808  TiWorker.exe
  Token: SeRestorePrivilege          4808  TiWorker.exe
  Token: SeSecurityPrivilege         4808  TiWorker.exe
  Token: SeBackupPrivilege           4808  TiWorker.exe
  Token: SeRestorePrivilege          4808  TiWorker.exe
  Token: SeSecurityPrivilege         4808  TiWorker.exe
  Token: SeBackupPrivilege           4808  TiWorker.exe
  Token: SeRestorePrivilege          4808  TiWorker.exe
  Token: SeSecurityPrivilege         4808  TiWorker.exe
  Token: SeBackupPrivilege           4808  TiWorker.exe
  Token: SeRestorePrivilege          4808  TiWorker.exe
  Token: SeSecurityPrivilege         4808  TiWorker.exe
  Token: SeBackupPrivilege           4808  TiWorker.exe
  Token: SeRestorePrivilege          4808  TiWorker.exe
  Token: SeSecurityPrivilege         4808  TiWorker.exe
  Token: SeBackupPrivilege           4808  TiWorker.exe
  Token: SeRestorePrivilege          4808  TiWorker.exe
  Token: SeSecurityPrivilege         4808  TiWorker.exe
  Token: SeBackupPrivilege           4808  TiWorker.exe
  Token: SeRestorePrivilege          4808  TiWorker.exe
  Token: SeSecurityPrivilege         4808  TiWorker.exe
  Token: SeBackupPrivilege           4808  TiWorker.exe
  Token: SeRestorePrivilege          4808  TiWorker.exe
  Token: SeSecurityPrivilege         4808  TiWorker.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe, cmd.exe
  description                       pid   process                                                                   target process
  PID 1408 wrote to memory of 4488  1408  16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe  MediaCenter.exe
  PID 1408 wrote to memory of 4488  1408  16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe  MediaCenter.exe
  PID 1408 wrote to memory of 4488  1408  16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe  MediaCenter.exe
  PID 1408 wrote to memory of 2212  1408  16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe  cmd.exe
  PID 1408 wrote to memory of 2212  1408  16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe  cmd.exe
  PID 1408 wrote to memory of 2212  1408  16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe  cmd.exe
  PID 2212 wrote to memory of 3332  2212  cmd.exe                                                                   PING.EXE
  PID 2212 wrote to memory of 3332  2212  cmd.exe                                                                   PING.EXE
  PID 2212 wrote to memory of 3332  2212  cmd.exe                                                                   PING.EXE
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1408

  Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 4488

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2212

    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3332

Level 1: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4860

Level 1: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4808
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: d2c23a8b3451cf74455ed3a7139f7e46
SHA1: 676eedaa06b3819e60f2dfdd5d908a2094e080f8
SHA256: 3b810d13a7d33d1b5290863b56ee70b2798b5e8098b971dd91ea1cfdfdac0d35
SHA512: 9594cf203d91f8fda61bd124316fdc0312856f30c8acc3fe58e2b373805fc70cd6dede9f4c1f16d4a10d0aa649d7508c56b2d96a2de84dc1647031d69086f3e4