Analysis
- max time kernel: 139s
- max time network: 146s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:22
Static task: static1
Behavioral task: behavioral1
  Sample: 17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe
  Resource: win10v2004-en-20220113
General
- Target: 17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe
- Size: 176KB
- MD5: b323d55ae29fbdebdb56faf23b965faa
- SHA1: 3a7aa445d3d457ce009aeed5d3818b43ee554f51
- SHA256: 17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d
- SHA512: f8cc514b7e27687ecc98cfceb884d42ff83826f0a15d520b57a979a63ceee4af4cb0872755bd43452564cffd402afe4e41345e94bed062b7d835a7487093a076
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
    resource | yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    behavioral1/memory/612-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
    behavioral1/memory/1860-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
    pid | process
    1860 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    pid | process
    624 | cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes:
    pid | process
    612 | 17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 612 | 17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description | pid | process | target process
    PID 612 wrote to memory of 1860 | 612 | 17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe | MediaCenter.exe
    PID 612 wrote to memory of 1860 | 612 | 17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe | MediaCenter.exe
    PID 612 wrote to memory of 1860 | 612 | 17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe | MediaCenter.exe
    PID 612 wrote to memory of 1860 | 612 | 17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe | MediaCenter.exe
    PID 612 wrote to memory of 624 | 612 | 17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe | cmd.exe
    PID 612 wrote to memory of 624 | 612 | 17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe | cmd.exe
    PID 612 wrote to memory of 624 | 612 | 17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe | cmd.exe
    PID 612 wrote to memory of 624 | 612 | 17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe | cmd.exe
    PID 624 wrote to memory of 1972 | 624 | cmd.exe | PING.EXE
    PID 624 wrote to memory of 1972 | 624 | cmd.exe | PING.EXE
    PID 624 wrote to memory of 1972 | 624 | cmd.exe | PING.EXE
    PID 624 wrote to memory of 1972 | 624 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe"
  PID: 612
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1860
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\17c8e2672865794de0003be75de7bad165d43309285816ab040cd3f99ef1a40d.exe"
    PID: 624
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1972
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 318b50e6d62a6f1a0c21aebb78e9f044
  SHA1: 4ca4bb07ca5d7eab6ebc61d53e46a4334cbeb396
  SHA256: d25e5890a4fdd7607bffd7e3e7d2eb8b897d5e78f468da0b31210978ebe378ee
  SHA512: a6773c26b361c5824cf5c40d3c40e15a3840e98e003aa334c980dbc57b0771805f4780ce1c9d25143eec868a128d7731fb462e969b84ba170b661a4c14455962