Analysis
- max time kernel: 117s
- max time network: 124s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:38
Static task: static1
Behavioral task: behavioral1
  Sample: 171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe
  Resource: win10v2004-en-20220112
General
- Target: 171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe
- Size: 99KB
- MD5: 4c6b59a14f1a41ce216a7f36611607f5
- SHA1: d40254548dfac75a498cd91921f0226d2c4d9573
- SHA256: 171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee
- SHA512: 3f42525ea93c5e6cd3df2fb1acfa76576c8c0e16431c80b2a9a08d2cda6221b7e78cd7647694310619608b6766c9bcd3705cf945432b70a9cb9ba01377efc866
Malware Config
Signatures
-
Sakula Payload 3 IoCs
Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
-
Executes dropped EXE 1 IoCs
Processes: MediaCenter.exe
  pid | process
  1480 | MediaCenter.exe
-
Deletes itself 1 IoCs
Processes: cmd.exe
  pid | process
  1988 | cmd.exe
-
Loads dropped DLL 2 IoCs
Processes: 171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe
  pid | process
  1748 | 171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe
  1748 | 171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: 171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1748 | 171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes: 171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe, cmd.exe
  description | pid | process | target process
  PID 1748 wrote to memory of 1480 | 1748 | 171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe | MediaCenter.exe
  PID 1748 wrote to memory of 1480 | 1748 | 171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe | MediaCenter.exe
  PID 1748 wrote to memory of 1480 | 1748 | 171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe | MediaCenter.exe
  PID 1748 wrote to memory of 1480 | 1748 | 171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe | MediaCenter.exe
  PID 1748 wrote to memory of 1988 | 1748 | 171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe | cmd.exe
  PID 1748 wrote to memory of 1988 | 1748 | 171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe | cmd.exe
  PID 1748 wrote to memory of 1988 | 1748 | 171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe | cmd.exe
  PID 1748 wrote to memory of 1988 | 1748 | 171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe | cmd.exe
  PID 1988 wrote to memory of 1032 | 1988 | cmd.exe | PING.EXE
  PID 1988 wrote to memory of 1032 | 1988 | cmd.exe | PING.EXE
  PID 1988 wrote to memory of 1032 | 1988 | cmd.exe | PING.EXE
  PID 1988 wrote to memory of 1032 | 1988 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1748
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1480
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\171ae67809781c354e8432aeedd84bb3eaf83d349576dd345e3243cda2ec1eee.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1988
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1032
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 057f25f58781496b4573acf7a68737dc
  SHA1: 9ba814273a2d205f7d47bda224583d4941c55fd0
  SHA256: 4a6520eaca9e109d12ae2669b3dc1f3739c574f2a17ade408c91141601670126
  SHA512: 915a1bab22a8286be1d2699827f7911f98756f1c3a0020182a822e0d400372d7bd059adbeb2c133995d758a5aff3bdafa93c4025090b7d528caafab7cd731ff5