Analysis
max time kernel: 119s
max time network: 125s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 03:39
Static task: static1
Behavioral task: behavioral1
  Sample: 170df436cbaae5a8e27991851b5e49d7ec86553bde7ac0131a5553c124bcac8a.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 170df436cbaae5a8e27991851b5e49d7ec86553bde7ac0131a5553c124bcac8a.exe
  Resource: win10v2004-en-20220112
General
Target: 170df436cbaae5a8e27991851b5e49d7ec86553bde7ac0131a5553c124bcac8a.exe
Size: 150KB
MD5: afcfbdd872fb8f28797ad14d59740d78
SHA1: c3995768351de6c497865a4e2500b220e2767c7d
SHA256: 170df436cbaae5a8e27991851b5e49d7ec86553bde7ac0131a5553c124bcac8a
SHA512: 32e1f87ca65a87be4eeb2956e09d926f1c5088c5f657421ce8e350b26a00688fb62572866973cdfa448542f42de29158c72435644787e01639db9a3333c09080
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource | yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    1028 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
    544 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
    960 | 170df436cbaae5a8e27991851b5e49d7ec86553bde7ac0131a5553c124bcac8a.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 170df436cbaae5a8e27991851b5e49d7ec86553bde7ac0131a5553c124bcac8a.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
    Token: SeIncBasePriorityPrivilege | 960 | 170df436cbaae5a8e27991851b5e49d7ec86553bde7ac0131a5553c124bcac8a.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 960 wrote to memory of 1028 | 960 | 170df436cbaae5a8e27991851b5e49d7ec86553bde7ac0131a5553c124bcac8a.exe | MediaCenter.exe
    PID 960 wrote to memory of 1028 | 960 | 170df436cbaae5a8e27991851b5e49d7ec86553bde7ac0131a5553c124bcac8a.exe | MediaCenter.exe
    PID 960 wrote to memory of 1028 | 960 | 170df436cbaae5a8e27991851b5e49d7ec86553bde7ac0131a5553c124bcac8a.exe | MediaCenter.exe
    PID 960 wrote to memory of 1028 | 960 | 170df436cbaae5a8e27991851b5e49d7ec86553bde7ac0131a5553c124bcac8a.exe | MediaCenter.exe
    PID 960 wrote to memory of 544 | 960 | 170df436cbaae5a8e27991851b5e49d7ec86553bde7ac0131a5553c124bcac8a.exe | cmd.exe
    PID 960 wrote to memory of 544 | 960 | 170df436cbaae5a8e27991851b5e49d7ec86553bde7ac0131a5553c124bcac8a.exe | cmd.exe
    PID 960 wrote to memory of 544 | 960 | 170df436cbaae5a8e27991851b5e49d7ec86553bde7ac0131a5553c124bcac8a.exe | cmd.exe
    PID 960 wrote to memory of 544 | 960 | 170df436cbaae5a8e27991851b5e49d7ec86553bde7ac0131a5553c124bcac8a.exe | cmd.exe
    PID 544 wrote to memory of 1540 | 544 | cmd.exe | PING.EXE
    PID 544 wrote to memory of 1540 | 544 | cmd.exe | PING.EXE
    PID 544 wrote to memory of 1540 | 544 | cmd.exe | PING.EXE
    PID 544 wrote to memory of 1540 | 544 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\170df436cbaae5a8e27991851b5e49d7ec86553bde7ac0131a5553c124bcac8a.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\170df436cbaae5a8e27991851b5e49d7ec86553bde7ac0131a5553c124bcac8a.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 960
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1028
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\170df436cbaae5a8e27991851b5e49d7ec86553bde7ac0131a5553c124bcac8a.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 544
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1540
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 8a479c061cdf1479978e0662126817fc
  SHA1: 3acce5ac2f6eee3303de55981626af03d5028773
  SHA256: d426ff0021afbfb6a9b5fb012534a277e94a93a5302b1ac0a5e44b5922316421
  SHA512: 39df9e513b6577847a73cd53ede6cd9e089918f7588edf49e157241476a23f219b2485ff4508dc35cc1fa9d8aefe9a53cc59b9a9e92f53da67c1fa41817b44c3