Analysis
max time kernel: 117s
max time network: 122s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 03:32
Static task: static1
Behavioral task: behavioral1
  Sample: 17676ebf5dbf28a9849114d7c7cc7ab75fca2fb5c307d02eacdf29d9e7cbf990.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 17676ebf5dbf28a9849114d7c7cc7ab75fca2fb5c307d02eacdf29d9e7cbf990.exe
  Resource: win10v2004-en-20220113
(The signatures, PIDs and process tree below are from the windows7_x64 run.)
General
Target: 17676ebf5dbf28a9849114d7c7cc7ab75fca2fb5c307d02eacdf29d9e7cbf990.exe
Size: 99KB
MD5: 314628e14de468db1bd6888efa0a4ec6
SHA1: fd19074ce2e73e81f9b0af16f79bb52e4e29f064
SHA256: 17676ebf5dbf28a9849114d7c7cc7ab75fca2fb5c307d02eacdf29d9e7cbf990
SHA512: 146adf52e644745a79f94500f2505d2ddf43e07938ec5ff69196e9d638889469c44cfc53f97041de777bd222882c87ee41b6d4e5f3cd6f3cb1f4b191dfb5e047
Malware Config
Signatures
Sakula Payload (3 IoCs)
YARA rule family_sakula matched on:
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Executes dropped EXE (1 IoC)
  MediaCenter.exe, PID 1624
Deletes itself (1 IoC)
  cmd.exe, PID 1068 (the cmd.exe child spawned by the sample to delete the original file; see process tree)
Loads dropped DLL (2 IoCs)
  17676ebf5dbf28a9849114d7c7cc7ab75fca2fb5c307d02eacdf29d9e7cbf990.exe, PID 976 (two load events)
Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 17676ebf5dbf28a9849114d7c7cc7ab75fca2fb5c307d02eacdf29d9e7cbf990.exe (PID 976)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  Note: the key lands under Wow6432Node because the sample is a 32-bit process on x64 Windows and WOW64 redirects its HKLM\SOFTWARE write; when hunting for this value, query both the 32-bit and the native registry view. The persisted path is in the user's Temp directory, which legitimate auto-start entries rarely use.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description of this signature calls it likely ransomware behaviour; on its own it is low signal, and the family_sakula YARA match above is the stronger classification evidence for this sample.
Runs ping.exe (1 TTP, 1 IoC)
  PING.EXE, PID 880, launched by cmd.exe (PID 1068) as a delay before the self-delete; see process tree.
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege enabled by PID 976 (17676ebf5dbf28a9849114d7c7cc7ab75fca2fb5c307d02eacdf29d9e7cbf990.exe)
  Note: this privilege only permits raising a process's scheduling priority; it is not a debug or impersonation privilege, so treat this signature as low signal by itself.
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 976 (17676ebf5dbf28a9849114d7c7cc7ab75fca2fb5c307d02eacdf29d9e7cbf990.exe) wrote to memory of PID 1624 (MediaCenter.exe): 4 events
  PID 976 (17676ebf5dbf28a9849114d7c7cc7ab75fca2fb5c307d02eacdf29d9e7cbf990.exe) wrote to memory of PID 1068 (cmd.exe): 4 events
  PID 1068 (cmd.exe) wrote to memory of PID 880 (PING.EXE): 4 events
  Note: every write goes from a parent into a child it has just created, which is consistent with ordinary process start-up rather than injection into an unrelated process; the signature is informational here.
Processes
1. C:\Users\Admin\AppData\Local\Temp\17676ebf5dbf28a9849114d7c7cc7ab75fca2fb5c307d02eacdf29d9e7cbf990.exe (PID 976)
   command line: "C:\Users\Admin\AppData\Local\Temp\17676ebf5dbf28a9849114d7c7cc7ab75fca2fb5c307d02eacdf29d9e7cbf990.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1624)
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe (PID 1068)
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\17676ebf5dbf28a9849114d7c7cc7ab75fca2fb5c307d02eacdf29d9e7cbf990.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE (PID 880)
         command line: ping 127.0.0.1
         - Runs ping.exe
Reading the tree: the dropper (PID 976) writes MediaCenter.exe to %LOCALAPPDATA%\Temp\MicroMedia, registers it in the Run key, starts it (PID 1624), and then removes its own file. The loopback ping has no network purpose; it is the usual delay so that the dropper has exited and its file is no longer locked when del runs. The command line names System32 but the image on disk is SysWOW64 because WOW64 file-system redirection applies to the 32-bit caller, the same reason the Run key appears under Wow6432Node.
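The two host-observable behaviours above (a Run value pointing into the user's Temp directory, and a cmd.exe whose `ping 127.0.0.1 & del` target is its own parent's image) are a cheap hunt on endpoint telemetry. The following is an added example, not part of this sandbox report and not Sakula's own code: it runs the two checks over constructed Sysmon-style events that mirror the process tree above, plus a benign control that pings and deletes a log file. The event format and field names (type, pid, ppid, image, cmdline, key, data) are assumptions.

```python
"""Hunt logic for two behaviours in this report: a Run-key value pointing into
a user-writable directory, and the `cmd /c ping 127.0.0.1 & del` self-delete
idiom. Events below are constructed to mirror the process tree above; they are
not a real Sysmon export, and the field names are hypothetical."""
import re
from typing import Dict, List

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\17676ebf5dbf28a9849114d7c7cc7ab75fca2fb5c307d02eacdf29d9e7cbf990.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events. PIDs and paths follow the report's process tree; the last
# two events are a benign control (an admin script that pings, then deletes a log).
EVENTS: List[Dict[str, object]] = [
    {"type": "ProcessCreate", "pid": 976, "ppid": 1200, "image": DROPPER,
     "cmdline": f'"{DROPPER}"'},
    {"type": "RegistrySet", "pid": 976, "image": DROPPER,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "data": PAYLOAD},
    {"type": "ProcessCreate", "pid": 1624, "ppid": 976, "image": PAYLOAD, "cmdline": PAYLOAD},
    {"type": "ProcessCreate", "pid": 1068, "ppid": 976, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{DROPPER}"'},
    {"type": "ProcessCreate", "pid": 880, "ppid": 1068, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    {"type": "ProcessCreate", "pid": 1900, "ppid": 1000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\rotate.ps1"},
    {"type": "ProcessCreate", "pid": 2000, "ppid": 1900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.1 -n 3 & del /q "C:\Logs\old.log"'},
]

# ping to loopback (optionally with -n <count>), then & or &&, then del/erase with
# optional switches and a possibly quoted target path captured as "target".
PING_DEL = re.compile(
    r'ping\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost)(?:\s+-n\s+\d+)?[^&]*&{1,2}\s*'
    r'(?:del|erase)\b(?:\s+/\w+)*\s+"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)
# Run / RunOnce under either registry view (Wow6432Node or native).
RUN_KEY = re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$', re.IGNORECASE)
# Directories a standard user can write to; a Run value pointing here deserves a look.
USER_WRITABLE = re.compile(r'\\AppData\\(?:Local|Roaming)\\|\\Temp\\|\\ProgramData\\', re.IGNORECASE)


def _norm(path: str) -> str:
    """Strip quotes and case so a command-line path compares with an image path."""
    return path.strip().strip('"').lower()


def find_self_delete(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Flag cmd.exe instances whose ping-then-delete target is their own parent's image."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}
    hits = []
    for e in events:
        if e["type"] != "ProcessCreate" or not str(e["image"]).lower().endswith("\\cmd.exe"):
            continue
        m = PING_DEL.search(str(e["cmdline"]))
        parent = by_pid.get(e["ppid"])
        if m and parent and _norm(m.group("target")) == _norm(str(parent["image"])):
            hits.append({"pid": e["pid"], "parent_pid": e["ppid"], "deleted": parent["image"]})
    return hits


def find_user_writable_run_keys(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Flag Run/RunOnce values whose data points into a user-writable directory."""
    hits = []
    for e in events:
        if e["type"] != "RegistrySet" or not RUN_KEY.search(str(e["key"])):
            continue
        if USER_WRITABLE.search(str(e["data"])):
            hits.append({"pid": e["pid"], "key": e["key"], "target": _norm(str(e["data"]))})
    return hits


if __name__ == "__main__":
    for hit in find_self_delete(EVENTS) + find_user_writable_run_keys(EVENTS):
        print(hit)
```

The self-delete check deliberately requires the deleted path to equal the parent's image rather than matching on `ping & del` alone, which is why the benign control (a cmd.exe deleting a log file) produces no hit. The Run-key check matches the key suffix only, so it catches the Wow6432Node write from this report as well as the native 64-bit path.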
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 3a87e02bbd233efb5b088a55dbdbff7f
SHA1: 380bfe0cfc84b111ca60f2dfdf3058a7ee7072d6
SHA256: e2d0c1d6ae6c8d8a4a7aad52dcdccb8045a2be31688723a3619172bdd5ad2f98
SHA512: 7aa85ed67547c5e1013583dbcae46fad5d7e4c62dbe26220ac28ad113524349fd42dce8854412caba5daab47d560bd3f4bedd8598bc8fc9c590941f8d283ec20
The report lists this entry three times with identical hashes, i.e. one dropped file recorded under three file events; the count matches the three MediaCenter.exe paths under Sakula Payload above. Its hashes differ from the submitted sample's, so block both.