Analysis
- max time kernel: 141s
- max time network: 154s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:42
Static task: static1
Behavioral task: behavioral1
- Sample: 16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exe
- Resource: win10v2004-en-20220113
General
- Target: 16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exe
- Size: 80KB
- MD5: 97286f1a9e13954775f6b27ef0751105
- SHA1: 4c5e00a132d33b3988945b973f34db5fb85ba6c0
- SHA256: 16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18
- SHA512: 34ad7d8e6f01fc86ca8b902331c2eecb86646f58e5eddac7f250655faf94a6a5477e6c0232efcc779b27ce3147360243076cd04cf4fc8e931218019dd527bb19
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  1864 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
  pid | process
  1988 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  952 | 16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exe
  952 | 16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 952 | 16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 952 wrote to memory of 1864 | 952 | 16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exe | MediaCenter.exe
  PID 952 wrote to memory of 1864 | 952 | 16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exe | MediaCenter.exe
  PID 952 wrote to memory of 1864 | 952 | 16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exe | MediaCenter.exe
  PID 952 wrote to memory of 1864 | 952 | 16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exe | MediaCenter.exe
  PID 952 wrote to memory of 1988 | 952 | 16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exe | cmd.exe
  PID 952 wrote to memory of 1988 | 952 | 16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exe | cmd.exe
  PID 952 wrote to memory of 1988 | 952 | 16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exe | cmd.exe
  PID 952 wrote to memory of 1988 | 952 | 16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exe | cmd.exe
  PID 1988 wrote to memory of 1980 | 1988 | cmd.exe | PING.EXE
  PID 1988 wrote to memory of 1980 | 1988 | cmd.exe | PING.EXE
  PID 1988 wrote to memory of 1980 | 1988 | cmd.exe | PING.EXE
  PID 1988 wrote to memory of 1980 | 1988 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 952
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1864
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16f2cb030ae0c1e60de3349b678a4a7c0c80a14814dc81717e060e117da76d18.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1988
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1980
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: ea320bae21ac93948c0732f8f996fa47
  SHA1: e28caebd9d493a0a804ea5381e864c319c8d31c2
  SHA256: b2a481d112c5bf1df7e594f831ca3260ae15162cc0fe16054be38abc26a8313a
  SHA512: 3be0aca2508fd55ae596156d6550a8b377836c6a8adf0a19671911c13c77c038aca8e409ccc10e251e65fceed22d4bf65900fc471f81abaa10cabc83bc7af7a4