Analysis
max time kernel: 141s
max time network: 152s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 03:35
Static task: static1
Behavioral task: behavioral1
  Sample: 17389c3aefc730bce605e9c77c1b583fb27a62089c716ed6741dff592bb48e12.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 17389c3aefc730bce605e9c77c1b583fb27a62089c716ed6741dff592bb48e12.exe
  Resource: win10v2004-en-20220113
General
Target: 17389c3aefc730bce605e9c77c1b583fb27a62089c716ed6741dff592bb48e12.exe
Size: 92KB
MD5: c5b4b12f91b4ff799425f98c5d852910
SHA1: 41b6ee0e99e91e803ced202584ba7fdb721adf3e
SHA256: 17389c3aefc730bce605e9c77c1b583fb27a62089c716ed6741dff592bb48e12
SHA512: 5b2f79aec990c34ce182e68ee012dbbb9f5aa6a3e5e645a39c238cfedcf911d0af5dada1300ad1b0322ead274efcca2d490286b55643b27fa89c8f6ee15da1e7
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
  pid 1288, process MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
  pid 1780, process cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes:
  pid 1468, process 17389c3aefc730bce605e9c77c1b583fb27a62089c716ed6741dff592bb48e12.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 17389c3aefc730bce605e9c77c1b583fb27a62089c716ed6741dff592bb48e12.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description: Token: SeIncBasePriorityPrivilege
  pid 1468, process 17389c3aefc730bce605e9c77c1b583fb27a62089c716ed6741dff592bb48e12.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process; each entry is listed 4 times in the report, 12 entries in total):
  PID 1468 wrote to memory of 1288: 17389c3aefc730bce605e9c77c1b583fb27a62089c716ed6741dff592bb48e12.exe -> MediaCenter.exe (4 entries)
  PID 1468 wrote to memory of 1780: 17389c3aefc730bce605e9c77c1b583fb27a62089c716ed6741dff592bb48e12.exe -> cmd.exe (4 entries)
  PID 1780 wrote to memory of 2008: cmd.exe -> PING.EXE (4 entries)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\17389c3aefc730bce605e9c77c1b583fb27a62089c716ed6741dff592bb48e12.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\17389c3aefc730bce605e9c77c1b583fb27a62089c716ed6741dff592bb48e12.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1468
  Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1288
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\17389c3aefc730bce605e9c77c1b583fb27a62089c716ed6741dff592bb48e12.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1780
    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 2008
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: c07a227025676b84275b4125f6c33ec3
SHA1: c0b4fe100dd29a762128e53ba083509c0e6a1c26
SHA256: 803574789c64761a6084547d2ebbaf84a8e2285c62f2917a118ad486d478fde3
SHA512: 0f63eede4811dc7b98980304fa9f7c5b926a37e7abeea9aeab32507458e923dd03988aa67562daa35354ee720d731f992bf707ee84e3a033c4e6ecfb9c20c005