Analysis
- max time kernel: 148s
- max time network: 171s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:41
Static task: static1
Behavioral task: behavioral1
- Sample: 16f88aa903b5852e640c8b007d53a302914a63da14b980991dac8f3014953134.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 16f88aa903b5852e640c8b007d53a302914a63da14b980991dac8f3014953134.exe
- Resource: win10v2004-en-20220113
General
- Target: 16f88aa903b5852e640c8b007d53a302914a63da14b980991dac8f3014953134.exe
- Size: 92KB
- MD5: 0a83265c93b91a16c5c52c2845b11d6a
- SHA1: e3c2de42c90ab1c192434b1bf70a30d1a7e5596e
- SHA256: 16f88aa903b5852e640c8b007d53a302914a63da14b980991dac8f3014953134
- SHA512: ef99f8b7dc2bf6c070ab5012ee389cd52342348a23537632e337dde54f114ce0d766e7d8406a0bd5a59ff627fcfece9258241608a286d949715a923153ed31c4
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  pid | process
  1716 | MediaCenter.exe
- Deletes itself (1 IoC)
  pid | process
  1524 | cmd.exe
- Loads dropped DLL (1 IoC)
  pid | process
  860 | 16f88aa903b5852e640c8b007d53a302914a63da14b980991dac8f3014953134.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 16f88aa903b5852e640c8b007d53a302914a63da14b980991dac8f3014953134.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This sentence is the sandbox's generic description of the heuristic, not a finding specific to this sample: the report records no file encryption or mass file modification, and the YARA match above classifies the payload as Sakula, so treat the ransomware wording as a heuristic label rather than observed behaviour.)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 860 | 16f88aa903b5852e640c8b007d53a302914a63da14b980991dac8f3014953134.exe
- Suspicious use of WriteProcessMemory (12 IoCs; the report lists each write four times, collapsed here with a count)
  description | pid | process | target process | count
  PID 860 wrote to memory of 1716 | 860 | 16f88aa903b5852e640c8b007d53a302914a63da14b980991dac8f3014953134.exe | MediaCenter.exe | 4
  PID 860 wrote to memory of 1524 | 860 | 16f88aa903b5852e640c8b007d53a302914a63da14b980991dac8f3014953134.exe | cmd.exe | 4
  PID 1524 wrote to memory of 632 | 1524 | cmd.exe | PING.EXE | 4
Processes
- C:\Users\Admin\AppData\Local\Temp\16f88aa903b5852e640c8b007d53a302914a63da14b980991dac8f3014953134.exe (PID 860)
  command line: "C:\Users\Admin\AppData\Local\Temp\16f88aa903b5852e640c8b007d53a302914a63da14b980991dac8f3014953134.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1716)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1524; the command line names System32\cmd.exe, but the 32-bit parent runs under WOW64, so file system redirection resolves it to SysWOW64, consistent with the Wow6432Node Run key above)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16f88aa903b5852e640c8b007d53a302914a63da14b980991dac8f3014953134.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 632)
      command line: ping 127.0.0.1
      - Runs ping.exe
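The process tree above is a compact dropper chain: the sample places MediaCenter.exe under the user's Temp directory, registers it under the 32-bit Run key so it survives reboot, launches it, and then removes its own image with `cmd.exe /c ping 127.0.0.1 & del /q "<self>"` (the loopback ping is only a delay, giving the original process time to exit and release its image file before `del` runs). The Python below is an added example, not code from the sandbox vendor or from the malware: it turns those three behaviours into detection rules and runs them over constructed process and registry events modelled on this report. The event field names (`image`, `command_line`, `ppid`, `target_object`, `details`) are an assumption loosely following Sysmon's process-creation and registry-value-set events, the parent PID 1200 is invented, and the OneDrive Run entry is a constructed negative control.

```python
"""Detection rules for the dropper / persistence / self-delete chain in this report,
evaluated over constructed sample telemetry (added example, not sandbox or malware code)."""
import re
from typing import Dict, List, Tuple

# Paths taken from the report's process tree.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\16f88aa903b5852e640c8b007d53a302914a63da14b980991dac8f3014953134.exe")
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events. Field names are an assumption, loosely following Sysmon
# event 1 (process create) and event 13 (registry value set); they are not the
# sandbox's own schema. Parent PID 1200 for the sample is invented.
EVENTS: List[Dict] = [
    {"type": "process", "pid": 860, "ppid": 1200, "image": SAMPLE,
     "command_line": f'"{SAMPLE}"'},
    {"type": "registry", "pid": 860,
     "target_object": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "details": PAYLOAD},
    {"type": "process", "pid": 1716, "ppid": 860, "image": PAYLOAD, "command_line": PAYLOAD},
    {"type": "process", "pid": 1524, "ppid": 860, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process", "pid": 632, "ppid": 1524, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "command_line": "ping 127.0.0.1"},
    # Constructed negative control: a Run value pointing into Program Files must not fire.
    {"type": "registry", "pid": 2000,
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
# "ping <loopback>" used as a sleep, then "del": the classic self-delete idiom.
# "-n <count>" covers the variant that tunes the delay length.
LOOPBACK_PING = re.compile(
    r"\bping(?:\.exe)?\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost)\b", re.IGNORECASE)
DEL_TARGET = re.compile(r'\bdel\s+(?:/\S+\s+)*"?([A-Za-z]:\\[^"]+?\.exe)"?', re.IGNORECASE)


def run_key_into_temp(ev: Dict) -> bool:
    """Run-key value whose target lives in the user's Temp directory (the report's IoC)."""
    return (ev["type"] == "registry"
            and RUN_KEY.search(ev["target_object"]) is not None
            and USER_TEMP.search(ev["details"]) is not None)


def dropped_exe_from_temp(ev: Dict, procs: Dict[int, Dict]) -> bool:
    """A Temp-resident executable spawned by another Temp-resident executable."""
    if ev["type"] != "process":
        return False
    parent = procs.get(ev["ppid"])
    return (parent is not None
            and USER_TEMP.search(ev["image"]) is not None
            and USER_TEMP.search(parent["image"]) is not None)


def self_delete_via_ping(ev: Dict, procs: Dict[int, Dict]) -> bool:
    """cmd.exe that pings loopback and then deletes its own parent's image file."""
    if ev["type"] != "process" or not ev["image"].lower().endswith("\\cmd.exe"):
        return False
    cmdline = ev["command_line"]
    if LOOPBACK_PING.search(cmdline) is None:
        return False
    m = DEL_TARGET.search(cmdline)
    parent = procs.get(ev["ppid"])
    # Only fire when the deleted file is the parent's own image; a cmd.exe that
    # pings and deletes some other file is noise, not self-deletion.
    return (m is not None and parent is not None
            and m.group(1).lower() == parent["image"].lower())


def evaluate(events: List[Dict]) -> List[Tuple[str, int]]:
    """Run every rule over the event stream; returns (rule name, pid) hits in event order."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits: List[Tuple[str, int]] = []
    for ev in events:
        if run_key_into_temp(ev):
            hits.append(("run_key_into_temp", ev["pid"]))
        if dropped_exe_from_temp(ev, procs):
            hits.append(("dropped_exe_from_temp", ev["pid"]))
        if self_delete_via_ping(ev, procs):
            hits.append(("self_delete_via_ping", ev["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{rule:24s} pid={pid}")
```

Against the constructed stream the three rules fire once each, on PIDs 860, 1716 and 1524, which is exactly the trio of signatures the report attaches to those processes; the OneDrive control stays silent. The self-delete rule deliberately ties the `del` target to the parent's image rather than matching on `ping 127.0.0.1 & del` alone, since that looser pattern also appears in installers and update scripts cleaning up after themselves.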
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 22ac1998c7730e6a1fc5b6cd18ec258f
- SHA1: afca14ba60b2118dba1e9f5975d937977aeb5cbf
- SHA256: b847e4d0a59357c634d24b0e79712b7ebea9c96e89fad48596f0c5a9727b4964
- SHA512: 716c6cd74ea3b4a89c7ac02e72fec447f3926e50840ab10b63d25ec247e1ccf9f9e7049d7c919fdd01510cd032c7a7d70cc118067596de25ec78895d8f558885