Analysis
-
max time kernel
140s -
max time network
164s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 03:40
Static task
static1
Behavioral task
behavioral1
Sample
170453b601e65d779ac685656db4c462e1e04bc4bd39087a9616838b62372d73.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
170453b601e65d779ac685656db4c462e1e04bc4bd39087a9616838b62372d73.exe
Resource
win10v2004-en-20220112
General
-
Target
170453b601e65d779ac685656db4c462e1e04bc4bd39087a9616838b62372d73.exe
-
Size
216KB
-
MD5
7178e549edce3e0db5cebd548ba816c7
-
SHA1
cf006c4ab4d680cd1eb11333fd4c44998b6ad2f7
-
SHA256
170453b601e65d779ac685656db4c462e1e04bc4bd39087a9616838b62372d73
-
SHA512
d499198515d02e6509078553dec7c7c3c855a2f74b4dd8bbd7d4c71bc0e54071c470819cc493206ce14328f712ba448e4e0cf93da7af8f3dfdecda762e4d224f
Malware Config
Signatures
-
Sakula Payload 4 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula behavioral1/memory/1616-59-0x0000000000400000-0x0000000000420000-memory.dmp family_sakula behavioral1/memory/1472-60-0x0000000000400000-0x0000000000420000-memory.dmp family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1472 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1460 cmd.exe -
Loads dropped DLL 1 IoCs
Processes:
170453b601e65d779ac685656db4c462e1e04bc4bd39087a9616838b62372d73.exepid process 1616 170453b601e65d779ac685656db4c462e1e04bc4bd39087a9616838b62372d73.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
170453b601e65d779ac685656db4c462e1e04bc4bd39087a9616838b62372d73.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 170453b601e65d779ac685656db4c462e1e04bc4bd39087a9616838b62372d73.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
170453b601e65d779ac685656db4c462e1e04bc4bd39087a9616838b62372d73.exedescription pid process Token: SeIncBasePriorityPrivilege 1616 170453b601e65d779ac685656db4c462e1e04bc4bd39087a9616838b62372d73.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
170453b601e65d779ac685656db4c462e1e04bc4bd39087a9616838b62372d73.execmd.exedescription pid process target process PID 1616 wrote to memory of 1472 1616 170453b601e65d779ac685656db4c462e1e04bc4bd39087a9616838b62372d73.exe MediaCenter.exe PID 1616 wrote to memory of 1472 1616 170453b601e65d779ac685656db4c462e1e04bc4bd39087a9616838b62372d73.exe MediaCenter.exe PID 1616 wrote to memory of 1472 1616 170453b601e65d779ac685656db4c462e1e04bc4bd39087a9616838b62372d73.exe MediaCenter.exe PID 1616 wrote to memory of 1472 1616 170453b601e65d779ac685656db4c462e1e04bc4bd39087a9616838b62372d73.exe MediaCenter.exe PID 1616 wrote to memory of 1460 1616 170453b601e65d779ac685656db4c462e1e04bc4bd39087a9616838b62372d73.exe cmd.exe PID 1616 wrote to memory of 1460 1616 170453b601e65d779ac685656db4c462e1e04bc4bd39087a9616838b62372d73.exe cmd.exe PID 1616 wrote to memory of 1460 1616 170453b601e65d779ac685656db4c462e1e04bc4bd39087a9616838b62372d73.exe cmd.exe PID 1616 wrote to memory of 1460 1616 170453b601e65d779ac685656db4c462e1e04bc4bd39087a9616838b62372d73.exe cmd.exe PID 1460 wrote to memory of 744 1460 cmd.exe PING.EXE PID 1460 wrote to memory of 744 1460 cmd.exe PING.EXE PID 1460 wrote to memory of 744 1460 cmd.exe PING.EXE PID 1460 wrote to memory of 744 1460 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\170453b601e65d779ac685656db4c462e1e04bc4bd39087a9616838b62372d73.exe"C:\Users\Admin\AppData\Local\Temp\170453b601e65d779ac685656db4c462e1e04bc4bd39087a9616838b62372d73.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\170453b601e65d779ac685656db4c462e1e04bc4bd39087a9616838b62372d73.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:744
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
53529237172cf6f6fccb05aefda5cd7b
SHA1d06920fe430b6f278d06d2ed0fe4fbb662b0d661
SHA256af67d8a542e9b39983e9b9d2b150fa47331e83367ce7bbc8817616ba8e3458b0
SHA512b23be10ff0055c2f5a9b4938f6efc8481dfe687dc90c6d141f37561f00ba1c68e521ac57762b4050b200aa6a80dcbb55c939e8b22292de91f612b03c76039fee
-
MD5
53529237172cf6f6fccb05aefda5cd7b
SHA1d06920fe430b6f278d06d2ed0fe4fbb662b0d661
SHA256af67d8a542e9b39983e9b9d2b150fa47331e83367ce7bbc8817616ba8e3458b0
SHA512b23be10ff0055c2f5a9b4938f6efc8481dfe687dc90c6d141f37561f00ba1c68e521ac57762b4050b200aa6a80dcbb55c939e8b22292de91f612b03c76039fee