Analysis
-
max time kernel
131s -
max time network
138s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 03:33
Static task
static1
Behavioral task
behavioral1
Sample
17582e12053169192de99961614e8895978d859d8571665754b4ded0283702e2.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
17582e12053169192de99961614e8895978d859d8571665754b4ded0283702e2.exe
Resource
win10v2004-en-20220112
General
-
Target
17582e12053169192de99961614e8895978d859d8571665754b4ded0283702e2.exe
-
Size
92KB
-
MD5
a81416c358133806902288e7c41d976b
-
SHA1
c791cb19d17cf8d3959399eec9d680d446d43682
-
SHA256
17582e12053169192de99961614e8895978d859d8571665754b4ded0283702e2
-
SHA512
369cd433bc68eac60124550025fb727ca91b4184a8b6ebedf686de69bf5812b0e8543ca6b5f5ef2b693489d502908282658216b386b8bbc7932a2eb9bfa325a4
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1892 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 684 cmd.exe -
Loads dropped DLL 1 IoCs
Processes:
17582e12053169192de99961614e8895978d859d8571665754b4ded0283702e2.exepid process 1308 17582e12053169192de99961614e8895978d859d8571665754b4ded0283702e2.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
17582e12053169192de99961614e8895978d859d8571665754b4ded0283702e2.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 17582e12053169192de99961614e8895978d859d8571665754b4ded0283702e2.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
17582e12053169192de99961614e8895978d859d8571665754b4ded0283702e2.exedescription pid process Token: SeIncBasePriorityPrivilege 1308 17582e12053169192de99961614e8895978d859d8571665754b4ded0283702e2.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
17582e12053169192de99961614e8895978d859d8571665754b4ded0283702e2.execmd.exedescription pid process target process PID 1308 wrote to memory of 1892 1308 17582e12053169192de99961614e8895978d859d8571665754b4ded0283702e2.exe MediaCenter.exe PID 1308 wrote to memory of 1892 1308 17582e12053169192de99961614e8895978d859d8571665754b4ded0283702e2.exe MediaCenter.exe PID 1308 wrote to memory of 1892 1308 17582e12053169192de99961614e8895978d859d8571665754b4ded0283702e2.exe MediaCenter.exe PID 1308 wrote to memory of 1892 1308 17582e12053169192de99961614e8895978d859d8571665754b4ded0283702e2.exe MediaCenter.exe PID 1308 wrote to memory of 684 1308 17582e12053169192de99961614e8895978d859d8571665754b4ded0283702e2.exe cmd.exe PID 1308 wrote to memory of 684 1308 17582e12053169192de99961614e8895978d859d8571665754b4ded0283702e2.exe cmd.exe PID 1308 wrote to memory of 684 1308 17582e12053169192de99961614e8895978d859d8571665754b4ded0283702e2.exe cmd.exe PID 1308 wrote to memory of 684 1308 17582e12053169192de99961614e8895978d859d8571665754b4ded0283702e2.exe cmd.exe PID 684 wrote to memory of 1108 684 cmd.exe PING.EXE PID 684 wrote to memory of 1108 684 cmd.exe PING.EXE PID 684 wrote to memory of 1108 684 cmd.exe PING.EXE PID 684 wrote to memory of 1108 684 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\17582e12053169192de99961614e8895978d859d8571665754b4ded0283702e2.exe"C:\Users\Admin\AppData\Local\Temp\17582e12053169192de99961614e8895978d859d8571665754b4ded0283702e2.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\17582e12053169192de99961614e8895978d859d8571665754b4ded0283702e2.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:684 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1108
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
97f2ce73d3ee9a66030f83305975214b
SHA11bedf5853888001e466e02a7adad352765900751
SHA256eecc6ccecdb996638fb87538080e911cce415a79473e7b5201f5872bf2cb8a1b
SHA512f520641d80553585742e4126c4559f07d6d3a43dae50db0d9798c88be500f4bbad1619c30f3289b46ac29ae574a7fa3479ca5bb19a09b08e8327327e65e59b8a
-
MD5
97f2ce73d3ee9a66030f83305975214b
SHA11bedf5853888001e466e02a7adad352765900751
SHA256eecc6ccecdb996638fb87538080e911cce415a79473e7b5201f5872bf2cb8a1b
SHA512f520641d80553585742e4126c4559f07d6d3a43dae50db0d9798c88be500f4bbad1619c30f3289b46ac29ae574a7fa3479ca5bb19a09b08e8327327e65e59b8a